
Security Response

Showing posts tagged with Trojan.Zbot
Showing posts in English
Andrea Lelli | 28 Nov 2011 16:23:32 GMT | 0 comments

Recently, Symantec observed a modified variant of Zeusbot/Spyeye which uses peer-to-peer (P2P) architecture to communicate. The original Zeusbot communicated directly with its C&C server to download configuration data and upload stolen information. This was a major point of failure for the bot because the C&C server could be blocked or taken down, and the attacker would lose control of the botnet. The bot did have a fallback strategy: if the C&C server was down it generated pseudo-random domain names to contact. The attacker could of course predict those domain names and register one in order to gain back control of the bot, but the solution was not very efficient. (Terminology note: although we use the term “C&C” for the main server controlled by the attackers, this server is not a typical C&C in its functionalities, but is mainly a collector of information from the drones.)

To overcome these limitations the attackers have now decided to use...

Peter Coogan | 06 Jul 2011 17:23:34 GMT | 0 comments

The terms targeted attack, spear phishing, and advanced persistent threat (APT) get bandied around in the media a lot these days. With the spate of recent headlines concerning companies being hacked, every company is on its guard to prevent becoming the next victim—and big headline. One of the major problems associated with targeted attacks is identifying whether or not your company is the actual target of any malware found and not just a random victim of a malware gang. There are several ways to try to do this, such as attempting to find the initial source of infection and analyzing the malware itself. However, attackers are clever and deception is part of their game.

If an attacker’s malware is discovered at any point during the initial stage of a targeted attack, the best-case...

Amanda Grady | 02 Jun 2011 17:29:02 GMT | 0 comments

I received reports this week of emails that reference transactions of which the recipients have no knowledge. The email includes a link for more detail, which then attempts to download a ZIP attachment. Nothing new here; most savvy users would know better than to open an attachment in an unsolicited email.

The interesting thing about this email, however, is that it includes a password previously used by the recipient. Seeing private data in an email like this would definitely raise suspicions that the sender has some kind of connection to the recipient or, worse, has compromised their account details. The ultimate goal for the sender is that the user’s curiosity is piqued sufficiently to open the attachment, which would, of course, deliver the inevitable malware payload.

Symantec detects the file as Trojan.Zbot, also called Zeus, which is a Trojan horse that...

Peter Coogan | 15 Mar 2011 21:57:43 GMT | 0 comments

Symantec’s telemetry has shown over 12 million Intrusion Prevention Signature (IPS) hits on subdomains of the ‘CO.CC’ domain in the last six months. Anyone somewhat familiar with the top-level domain-naming hierarchy might be led to believe that CO.CC is an official second-level domain similar to CO.UK; this, however, is not the case. .CC is the Internet country code top-level domain (ccTLD) for the Cocos (Keeling) Islands...

Hon Lau | 02 Mar 2011 02:26:59 GMT | 0 comments

Banking Trojans are nothing new. They have been around for many years, considering that detections such as the Infostealer.Bancos family date back to 2003. As more and more people moved to perform banking transactions online, Bancos created a huge and lucrative target for would-be criminals to exploit.

Traditionally, banking Trojans just captured the data traffic exchanged between the user and the online banking website. The captured information included the authentication details, which the Trojan collected and sent to the attacker for their own use or to sell on to other parties for a profit. For as long as there have been banking Trojans, there has been a cat-and-mouse game between the banks and the criminals, as each side responds to the other’s move in order to thwart it. More sophisticated banking Trojans employ a man-in-the-browser (MITB) method...

Hon Lau | 26 Oct 2010 15:56:59 GMT | 0 comments

Things are starting to get a little tougher in the botnet world. This year we have witnessed many shutdowns of major botnets and the arrest of their owners. We have also seen money mules arrested and - more importantly - arrests of the creators of Trojan creation kits (the Mariposa Butterfly toolkit). Clearly everybody in the botnet food chain is beginning to feel pressure these days, and as in any business, tough times often trigger the consolidation of operators in the competitive landscape. In an interesting report a couple of days ago, Brian Krebs noted that the Zeus (Zbot) toolkit creator has left (or perhaps sold) his business and the creators of the SpyEye toolkit have now...

Shunichi Imano | 22 Oct 2010 10:30:02 GMT | 0 comments

Zbot, otherwise known as the Zeus botnet, has been around for quite a while and has been called the "King of Bots"; it has infected millions of computers worldwide. The Zbot construction kit is on sale and widely available in the underground community. Other botnet kits are also being sold and are challenging the Zbot peddlers. This means that the Zbot authors have no choice but to update the construction kit to accommodate the needs of their criminal client base, stay ahead of their rivals, and hold on to the title of King of the Bots. The result appears to be the samples discovered recently that Symantec detects as Trojan.Zbot.B and Trojan.Zbot.B!inf.

...
Kazumasa Itabashi | 18 Oct 2010 16:17:41 GMT | 0 comments

Trojan.Zbot.B!inf, which was discovered on October 1st, has functionality to update Trojan.Zbot using the Windows Crypto API. Crypto API is a set of cryptographic functions that uses the PKI bundled with Windows and has been used by several malicious programs in the past. This Trojan horse uses Crypto API to generate the URLs from which it downloads files.

The following figure shows the Trojan using an RSA cryptographic service provider (CSP) to calculate MD5 hash values. The hash values are calculated using the compromised computer’s time as the base value.

After the hash value is retrieved with the CryptGetHashParam function, it is converted to an ASCII character string, and a top-level domain (.biz, .info, .org, .com, or .net) is appended to that string to create a DNS name.

The following URLs are an example of the...

Peter Coogan | 04 Oct 2010 07:13:51 GMT | 0 comments

The Zeus Trojan is back in the media spotlight once more, and for good reason. Last week the FBI’s Operation Trident Breach made worldwide headlines with over 100 arrests related to organized cybercrime operations in the US, UK, and Ukraine. The arrests relate to cybercriminals and money mules involved in stealing up to $70m from bank accounts through the use of the Zeus crimeware toolkit. The operation initiated by the FBI involved unprecedented partnerships between international law enforcement agencies, such as the Netherlands Police Agency, the Security Service of Ukraine (...

Samir_Patil | 13 Aug 2010 15:56:06 GMT | 0 comments

Symantec Security Response is currently monitoring a wave of email spam that contains a threat detected by Symantec as Trojan.Zbot. This Trojan arrives as a .zip attachment in an email that purports to contain a legitimate attachment, such as a birthday invitation, photos, or a resume. However, the attached zipped executable file is a malicious threat. The attachment file size is 119 KB and can have a pseudo-random file name such as “lance armstrong.zip,” “NH ESS Access Guidelines (2).zip,” “pricing.zip,” “invitation.zip,” “Resume.zip,” “Allhotels.zip,” “ARICertificate-C4H736 + FVM4X48.zip,” or “Inv 2985 Cool Cash App.zip.”

This Trojan has primarily been designed to steal confidential information, such as online credentials or banking details, but it can be customized to gather any sort of...