Security Response
Showing posts tagged with Trojan.Zbot
Peter Coogan | 20 Apr 2012 23:09:08 GMT

Ransomware is a threat that continues to grow in popularity with cybercriminals due to its success rate and monetary potential. In past blogs such as Rampant Ransomware we have discussed some different ransomware variants and techniques. Now we have encountered yet another new variant, identified as Trojan.Ransomlock.K.

While finding a new ransomware variant is no real surprise, during analysis we found an active command-and-control (C&C) server login used by the threat.

Figure 1. Silence Locker Control Panel login

After further analysis and research we then identified a control panel...

Symantec Security Response | 01 Mar 2012 18:52:09 GMT

In 2011, dozens of Anonymous members who participated in distributed denial-of-service (DDoS) attacks in support of Anonymous hacktivism causes were arrested. In these DDoS attacks, supporters using the Low Orbit Ion Cannon denial-of-service (DoS) tool would voluntarily include their computer in a botnet for attacks in support of Anonymous. In the wake of the Anonymous member arrests this week, it is worth highlighting how Anonymous supporters have been deceived into installing Zeus botnet clients purportedly for the purpose of DoS attacks. The Zeus client does perform DoS attacks, but it doesn’t stop there. It also steals the users' online banking credentials, webmail credentials, and cookies.

The deception of Anonymous supporters began on January 20, 2012, the day of the FBI Megaupload raid. An attacker took a popular PasteBin guide, used by Anonymous members for downloading...

Fred Gutierrez | 27 Feb 2012 16:27:12 GMT

We are currently tracking a banking Trojan called Trojan.Neloweg. Looking at early infection numbers, we noticed that a small number of users were compromised in the UK and the Netherlands.

Digging into the threat, we saw that the login credentials of these users (including banking credentials) may have been stolen. A partial list of affected bank pages can be seen below.

In order to see where other infections were occurring, we took a more global look at the infection numbers. Apparently the threat has been localized to Europe.

Trojan.Neloweg operates similarly to another banking Trojan known as...

Andrea Lelli | 28 Nov 2011 16:23:32 GMT

Recently, Symantec observed a modified variant of Zeusbot/Spyeye which uses peer-to-peer (P2P) architecture to communicate. The original Zeusbot communicated directly with its C&C server to download configuration data and upload stolen information. This was a major point of failure for the bot because the C&C server could be blocked or taken down, and the attacker would lose control of the botnet. The bot did have a fallback strategy: if the C&C server was down it generated pseudo-random domain names to contact. The attacker could of course predict those domain names and register one in order to gain back control of the bot, but the solution was not very efficient. (Terminology note: although we use the term “C&C” for the main server controlled by the attackers, this server is not a typical C&C in its functionalities, but is mainly a collector of information from the drones.)

To overcome these limitations the attackers have now decided to use...

Peter Coogan | 06 Jul 2011 17:23:34 GMT

The terms targeted attack, spear phishing, and advanced persistent threat (APT) get bandied around in the media a lot these days. With the spate of recent headlines concerning companies being hacked, every company is on its guard to prevent becoming the next victim—and big headline. One of the major problems associated with targeted attacks is identifying whether or not your company is the actual target of any malware found and not just a random victim of a malware gang. There are several ways to try to do this, such as attempting to find the initial source of infection and analyzing the malware itself. However, attackers are clever and deception is part of their game.

If an attacker’s malware is discovered at any point during the initial...

Amanda Grady | 02 Jun 2011 17:29:02 GMT

I received reports this week of emails that reference transactions of which the recipients have no knowledge. The email includes a link for more detail, which then attempts to download a ZIP attachment. Nothing new here; most savvy users would know better than to open an attachment in an unsolicited email.

The interesting thing about this email, however, is that it includes a password previously used by the recipient. Seeing private data in an email like this would definitely raise suspicions that the sender has some kind of connection to the recipient or, worse, has compromised their account details. The ultimate goal for the sender is that the user’s curiosity would be piqued sufficiently to open the attachment, which would, of course, deliver the inevitable malware payload.

Symantec detects the file as Trojan.Zbot, also called Zeus, which is a Trojan horse that...

Peter Coogan | 15 Mar 2011 21:57:43 GMT

Symantec’s telemetry has shown over 12 million Intrusion Prevention Signature (IPS) hits on subdomains of the ‘CO.CC’ domain in the last six months. Anyone somewhat familiar with the top-level domain-naming hierarchy might be led to believe that CO.CC is actually an official second-level domain similar to CO.UK; this, however, is not the case. .CC is the Internet country code top-level domain (...

Hon Lau | 02 Mar 2011 02:26:59 GMT

Banking Trojans are nothing new. They have been around for many years, considering that detections such as the Infostealer.Bancos family date back to 2003. As more and more people moved to perform banking transactions online, Bancos created a huge and lucrative target for would-be criminals to exploit.

Traditionally, banking Trojans typically just captured data traffic exchanged between the user and the online banking website. The captured information included the authentication information, which the Trojan collects and sends to the attacker for their own use or to sell on to other parties for a profit. For as long as there have been banking Trojans, there has been a cat-and-mouse game between the banks and the criminals, as each side responds to the other’s moves to thwart its actions. More sophisticated banking Trojans employ a man-in-the-browser (MITB) method...

Hon Lau | 26 Oct 2010 15:56:59 GMT

Things are starting to get a little tougher in the botnet world. This year we have witnessed many shutdowns of major botnets and the arrest of their owners. We have also seen money mules arrested and - more importantly - arrests of the creators of Trojan creation kits (Mariposa Butterfly toolkit). Clearly everybody in the botnet food chain is beginning to feel pressure these days and, as in any business, tough times often trigger the consolidation of operators in the competitive landscape. In an interesting report a couple of days ago, Brian Krebs noted that the Zeus (Zbot) toolkit creator has left (or perhaps sold) his business and the creators of the SpyEye toolkit have...

Shunichi Imano | 22 Oct 2010 10:30:02 GMT

Zbot, otherwise known as the Zeus botnet, has been around for quite a while and has been called the "King of Bots"; it has infected millions of computers worldwide. The Zbot construction kit is on sale and widely available in the underground community. Other botnet kits are also being sold and are challenging Zbot peddlers. This means that the Zbot authors have no choice but to update the construction kits to accommodate the needs of their criminal client base, to stay ahead of their rivals, and to hold on to the title of King of the Bots. The result of this appears to be samples discovered recently that Symantec detects as Trojan.Zbot.B and Trojan.Zbot.B!inf.