
Security Response

Showing posts tagged with Trojan.Zbot
Satnam Narang | 09 Jan 2013 18:52:48 GMT

Contributor: Jeet Morparia

Online dating is big business. In 2012, 40 million people visited or used an online dating site in the United States. According to some statistics, the online dating industry is worth over $1 billion. Others say it is worth over $3 billion globally. The fact is that online dating is a lucrative industry, so it should come as no surprise that it is also on the radar for cybercriminals.

Figure 1. Downloader.Ponik spam campaign world map

One of the most recent malicious spam campaigns we...

Symantec Security Response | 04 Dec 2012 02:12:57 GMT

Throughout history, philosophers and scientists have pondered the question of which came first: the chicken or the egg. Over the last week, Security Response has seen an increase in the number of W32.Changeup detections. We know that Changeup can download a bevy of other threats onto a compromised computer. But an unanswered question is how does W32.Changeup compromise a computer in the first place?

While other vendors have indicated the latest round of Changeup has spread through social networking websites, Symantec Security Response has managed to identify one source of the worm.

In recent malicious spam claiming to contain a secure message from banking...

Satnam Narang | 21 Jul 2012 01:41:03 GMT

Contributor: Jeet Morparia

Over the last few weeks, there have been reports of various websites that have had their databases breached and customer data stolen by attackers through various means. A lot of the focus has been on how password dumps have been appearing online. There has always been the concern that attackers who obtain access to customer information would leverage the information in a malicious campaign.

A few days ago, MapleSoft, makers of mathematical and analytical software such as Maple, reported that they have been investigating a database breach. The breach resulted in the attackers obtaining customer information such as email addresses, first and last names, as well as company and institution names. MapleSoft states that no financial information was compromised in this breach.

Unlike previous database breaches, where password hashes were dumped onto the Web, the attackers in this breach decided to up the stakes. MapleSoft customers...

Anoirel Issa | 03 Jul 2012 16:09:29 GMT

A couple of months ago, Microsoft took out some Trojan.Zbot servers across the world. The impact was short-lived. Even though for a span of about two weeks, we saw virtually no Trojan.Zbot activity, relentless Trojan.Zbot activity has resumed—with some added new social-engineering techniques as well as some new techniques to help Trojan.Zbot avoid antivirus detection.

The following is an example of a recent Trojan.Zbot variant released on June 14, 2012, that implements a new anti-emulation technique in order to avoid detection.

Figure 1. Anti-emulation technique to avoid detection

Prior to executing its malicious code, the Trojan checks whether it is being executed for analysis in an emulated environment before deciding to execute or to abort its malicious...

Stephen Doherty | 01 Jun 2012 21:35:11 GMT

There was a recent report on the Opera forums that users were encountering strange certificate behavior when visiting particular services over secured network connections, specifically HTTPS. This occurred while using online banking, webmail services, and social networking sites. Upon further investigation, we discovered a Trojan was intercepting the HTTPS connections, namely Trojan.Tatanarg.B.

Trojan.Tatanarg.B works by installing a proxy in the browser to intercept HTTPS connections by providing its own self-signed certificate to users, in effect revealing all the encrypted traffic between the user and the secure service. The Trojan specifically targets Firefox,...

Peter Coogan | 20 Apr 2012 23:09:08 GMT

Ransomware is a threat that continues to grow in popularity with cybercriminals due to its success rate and monetary potential. In past blogs such as Rampant Ransomware we have discussed some different Ransomware variants and techniques. Now we have encountered yet another new variant identified as Trojan.Ransomlock.K.

While finding a new Ransomware variant is no real surprise, during analysis we found an active command-and-control (C&C) server login used by the threat.

Figure 1. Silence Locker Control Panel login

After further analysis and research we then identified a control panel...

Symantec Security Response | 01 Mar 2012 18:52:09 GMT

In 2011, dozens of Anonymous members who participated in distributed denial-of-service (DDoS) attacks in support of Anonymous hacktivism causes were arrested. In these DDoS attacks, supporters using the Low Orbit Ion Cannon denial-of-service (DoS) tool would voluntarily include their computer in a botnet for attacks in support of Anonymous. In the wake of the Anonymous member arrests this week, it is worth highlighting how Anonymous supporters have been deceived into installing Zeus botnet clients purportedly for the purpose of DoS attacks. The Zeus client does perform DoS attacks, but it doesn’t stop there. It also steals the users' online banking credentials, webmail credentials, and cookies.

The deception of Anonymous supporters began on January 20, 2012, the day of the FBI Megaupload raid. An attacker took a popular PasteBin guide, used by Anonymous members for downloading...

Fred Gutierrez | 27 Feb 2012 16:27:12 GMT

We are currently tracking a banking Trojan called Trojan.Neloweg. Looking at early infection numbers, we noticed that a small number of users were compromised in the UK and the Netherlands.

Digging into the threat, we saw that the login credentials of these users (including banking credentials) may have been stolen. A partial list of affected bank pages can be seen below.

In order to see where other infections were occurring, we took a more global look at the infection numbers. Apparently the threat has been localized to Europe.

Trojan.Neloweg operates similar to another banking Trojan known as...

Andrea Lelli | 28 Nov 2011 16:23:32 GMT

Recently, Symantec observed a modified variant of Zeusbot/Spyeye which uses peer-to-peer (P2P) architecture to communicate. The original Zeusbot communicated directly with its C&C server to download configuration data and upload stolen information. This was a major point of failure for the bot because the C&C server could be blocked or taken down, and the attacker would lose control of the botnet. The bot did have a fallback strategy: if the C&C server was down it generated pseudo-random domain names to contact. The attacker could of course predict those domain names and register one in order to gain back control of the bot, but the solution was not very efficient. (Terminology note: although we use the term “C&C” for the main server controlled by the attackers, this server is not a typical C&C in its functionalities, but is mainly a collector of information from the drones.)

To overcome these limitations the attackers have now decided to use...

Peter Coogan | 06 Jul 2011 17:23:34 GMT

The terms targeted attack, spear phishing, and advanced persistent threat (APT) get bandied around in the media a lot these days. With the spate of recent headlines concerning companies being hacked, every company is on its guard to prevent becoming the next victim—and big headline. One of the major problems associated with targeted attacks is identifying whether or not your company is the actual target of any malware found and not just a random victim of a malware gang. There are several ways to try to do this, such as attempting to find the initial source of infection and analyzing the malware itself. However, attackers are clever and deception is part of their game.

If an attacker’s malware is discovered at any point during the initial...