Security Response
Showing posts tagged with Trojan.Zbot
Kevin Savage | 22 Oct 2013 10:36:43 GMT

While Ransomlock Trojans have plagued the threat landscape over the last few years, we are now seeing cybercriminals increasingly use Ransomcrypt Trojans. The difference between Ransomlock and Ransomcrypt Trojans is that Ransomlock Trojans generally lock computer screens while Ransomcrypt Trojans encrypt (and lock) individual files. Both threats are motivated by the monetary gains that cybercriminals make from extorting money from victims.

Recently, a new threat detected by Symantec as Trojan.Cryptolocker has been growing in the wild. Trojan.Cryptolocker encrypts data files, such as images and Microsoft Office documents, and then demands payment through Bitcoin or MoneyPak to decrypt them—all within a countdown time period. This Ransomcrypt Trojan uses strong encryption algorithms which make it almost...

Orla Cox | 06 Jun 2013 14:20:22 GMT

Contributor: Piotr Krysiuk

On June 5, Microsoft announced that they had worked together with members of the financial services industry and the FBI to disrupt the operations of a banking Trojan horse program called Citadel. The takedown operation resulted in over 1,000 Citadel botnets being taken offline.

Citadel is a banking Trojan that has been in existence since 2011. As with most banking Trojans, Citadel is a full crimeware kit, providing the attackers with payload builders, a command and control (C&C) server infrastructure, and configuration scripts to target various banks. Citadel is a descendant of that other behemoth of the financial Trojan world, Trojan.Zbot (Zeus). It came into existence after the Zeus source code was leaked in 2011, with criminal groups taking that code and enhancing it.

Hiroshi Shinotsuka | 22 Feb 2013 11:10:22 GMT

Regular readers of the Symantec blog may sometimes read blogs that mention a fraudulent file that is signed with a valid digital certificate or that an attacker signed their malware with a stolen digital certificate.

You may recall that the creators of Stuxnet, arguably the most notorious malware in history, signed it using the private keys of valid digital certificates of well-known companies.

Digital certificates are significant because a file with a digital certificate can be checked to see who authored it and to make sure it was not altered. Moreover, some versions of Windows display a dialog box when a file that has no digital signature is opened. If an attacker signs malware with the stolen private key from a digital certificate, Windows will execute the file in many cases, except if the file is downloaded from the Internet using a Web browser.

How does an...

Symantec Security Response | 12 Feb 2013 06:05:44 GMT

As we have blogged in the past, Zeus (Trojan.Zbot) and other banking Trojans have been a headache to online banking customers all over the world for years. Certain countries such as Japan have in the past escaped attacks from banking Trojans, perhaps due to the language barrier or some other unknown reason. As the National Police Agency of Japan has reported several times, Japanese online banking customers have now started to fall victim to this type of attack.

Symantec recently came across a new Zeus file targeting five major banks in Japan. Figure 1 shows part of the decrypted configuration...

Satnam Narang | 09 Jan 2013 18:52:48 GMT

Contributor: Jeet Morparia

Online dating is big business. In 2012, 40 million people visited or used an online dating site in the United States. According to some statistics, the online dating industry is worth over $1 billion. Others say it is worth over $3 billion globally. The fact is that online dating is a lucrative industry, so it should come as no surprise that it is also on the radar for cybercriminals.

Figure 1. Downloader.Ponik spam campaign world map

One of the most recent malicious spam campaigns we...

Symantec Security Response | 04 Dec 2012 02:12:57 GMT

Throughout history, philosophers and scientists have pondered the question of which came first: the chicken or the egg. Over the last week, Security Response has seen an increase in the number of W32.Changeup detections. We know that Changeup can download a bevy of other threats onto a compromised computer. But an unanswered question is how does W32.Changeup compromise a computer in the first place?

While other vendors have indicated the latest round of Changeup has spread through social networking websites, Symantec Security Response has managed to identify one source of the worm.

In recent malicious spam claiming to contain a secure message from banking...

Satnam Narang | 21 Jul 2012 01:41:03 GMT

Contributor: Jeet Morparia

Over the last few weeks, there have been reports of various websites that have had their databases breached and customer data stolen by attackers through various means. A lot of the focus has been on how password dumps have been appearing online. There has always been the concern that attackers who obtain access to customer information would leverage the information in a malicious campaign.

A few days ago, MapleSoft, makers of mathematical and analytical software such as Maple, reported that they have been investigating a database breach. The breach resulted in the attackers obtaining customer information such as email addresses, first and last names, as well as company and institution names. MapleSoft states that no financial information was compromised in this breach.

Unlike previous database breaches, where password hashes were dumped onto the Web, the attackers in this breach decided to up the stakes. MapleSoft customers...

Anoirel Issa | 03 Jul 2012 16:09:29 GMT

A couple of months ago, Microsoft took out some Trojan.Zbot servers across the world. The impact was short-lived. Even though for a span of about two weeks, we saw virtually no Trojan.Zbot activity, relentless Trojan.Zbot activity has resumed—with some added new social-engineering techniques as well as some new techniques to help Trojan.Zbot avoid antivirus detection.

The following is an example of a recent Trojan.Zbot variant released on June 14, 2012, that implements a new anti-emulation technique in order to avoid detection.

Figure 1. Anti-emulation technique to avoid detection

Prior to executing its malicious code, the Trojan checks whether it is being executed for analysis in an emulated environment before deciding to execute or to abort its malicious...

Stephen Doherty | 01 Jun 2012 21:35:11 GMT

There was a recent report on the Opera forums that users were encountering strange certificate behavior when visiting particular services over secured network connections, specifically HTTPS. This occurred while using online banking, webmail services, and social networking sites. Upon further investigation, we discovered a Trojan was intercepting the HTTPS connections, namely Trojan.Tatanarg.B.

Trojan.Tatanarg.B works by installing a proxy in the browser to intercept HTTPS connections by providing its own self-signed certificate to users, in effect revealing all the encrypted traffic between the user and the secure service. The Trojan specifically targets Firefox,...

Peter Coogan | 20 Apr 2012 23:09:08 GMT

Ransomware is a threat that continues to grow in popularity with cybercriminals due to its success rate and monetary potential. In past blogs such as Rampant Ransomware we have discussed some different Ransomware variants and techniques. Now we have encountered yet another new variant identified as Trojan.Ransomlock.K.

While finding a new Ransomware variant is no real surprise, during analysis we found an active command-and-control (C&C) server login used by the threat.

Figure 1. Silence Locker Control Panel login

After further analysis and research we then identified a control panel...