Security Response

Showing posts tagged with Trojan.Zbot
Karthik Selvaraj | 03 May 2010 20:35:39 GMT | 0 comments

Zeus/Zbot is one of the most widely known Internet threats today. It has been around since 2007, has evolved over time, and is still under constant development into a stronger, more prolific Trojan.
 
A few weeks ago we came across a variant of Zbot showing that it had undergone code refactoring and some functional changes in its infection technique and behavior. The variant is now known as version 2.0 (named after the Trojan builder kit version).
 
In overview, for the common PC user, new changes mean that:
 

  • Your PC could have multiple infections of Zbot, thereby sending your personal information to multiple Zbot controllers.
  • Zbot is aiming for information from different browsers, including Firefox.
  • Zbot is expanding its ability to run in newer operating systems such as Windows 7.
  • Zbot is in constant development, so it might be around for...
Peter Coogan | 26 Apr 2010 10:50:59 GMT | 0 comments

In an earlier blog entry we mentioned SpyEye as a new, up-and-coming crimeware toolkit to look out for. In that blog we highlighted the Kill Zeus feature, which had just been added to the SpyEye Trojan builder at that time. We can now substantiate that this Kill Zeus feature does actually work. Well, some of the time. In my opinion the Zeus toolkit creators don’t need to lose any of their precious sleep just yet.

Our analysis has shown that the Kill Zeus feature seems to work on a limited number of Zeus samples. In March 2010, Symantec alone counted 9,779 new unique samples of what we call Trojan.Zbot. We estimate that only a small percentage of these samples can be successfully removed by SpyEye’s Kill Zeus feature. The samples we observed it working successfully on are most likely created...

Takayoshi Nakayama | 22 Apr 2010 06:52:24 GMT | 0 comments

It is well known that Trojan.Zbot was created by the ZeuS toolkit, and recently it has added the ability to infect files to its bag of tricks. A recently discovered Trojan.Zbot variant searches for executable files in a predefined location and injects each executable it finds with 512 bytes of code. It then modifies that program's entry point so that it points to the start of the injected code. The injected code is very simple and performs the following actions:

  • Downloads a file from a URL embedded in the code.
  • Executes the downloaded file.
  • Executes the original code.

Part of the injected code

Even though antivirus products may delete the main component of the Trojan, the code remains in the infected file, enabling the Trojan to download...

Kevin Haley | 18 Feb 2010 20:57:54 GMT | 0 comments

Recently, Symantec observed some high-profile coverage of a threat being reported as a new type of computer virus known as “Kneber.” In reality Kneber is simply a pseudonym for the Zeus Trojan/botnet. The name Kneber refers to a particular group, or herd, of zombie computers (a.k.a. bots) being controlled by one owner. The actual Trojan itself is the same Trojan.Zbot that also goes by the name Zeus, which has been observed, analyzed, and protected against for some time now.
 
Since Zeus/Zbot toolkits are widely available on the underground economy, it is not uncommon for attackers to create new strains, such as Kneber, of the overall Zeus botnet. Though it is true that this Kneber strain of the overall Zeus botnet is fairly large, it does not involve any new malicious threats. Thus, Symantec customers with up-to-date security software should already be...

Hon Lau | 17 Feb 2010 20:28:00 GMT | 0 comments

Since as far back as I can remember there has always been talk of rivalry and wars between various malware creators. The testosterone-fuelled battles may have even been encouraged by the media running stories of how such-and-such botnet “has X million nodes,” egging the botnet herders to try and outwit and outgrow each other in a competition to grab market share.
 
Take, for example, the Zeus botnet (Trojan.Zbot). This has been around for some time and has now developed into a mature piece of malware that is widely sold and used by wannabe eCriminals to steal information from hapless victims throughout the Internet. The ease of use afforded by the Zeus Trojan builder has helped it achieve its notorious status as one of the most widely seen bots in the world.
 
As with the gold rush in the previous centuries, some people learned that it was...

Peter Coogan | 04 Feb 2010 18:36:42 GMT | 0 comments

The Zeus crimeware toolkit has been around now for a while and has grown over time to be the most established crimeware toolkit in the underground economy. In late December 2009 a new crimeware toolkit emanating from Russia—known as SpyEye V1.0—started to appear for sale on Russian underground forums. Retailing at $500, it is looking to take a chunk of the Zeus crimeware toolkit market. Symantec detects this threat as Trojan.Spyeye. Since it is relatively new, we are not seeing a lot of SpyEye activity yet. However, given some time and the observed rate of development for this crimeware toolkit, SpyEye could be a future contender for king of the crimeware toolkits.


Patrick Fitzgerald | 28 Jan 2010 21:25:51 GMT | 0 comments

At this stage we’ve looked at several features of Hydraq, including its obfuscation techniques and how it remains on an infected system. So, what control does the attacker have over a compromised system?

Backdoor Functionality

The ThreatExpert blog on Hydraq provides a comprehensive list of the features of this backdoor. The full article can be found here. The following list summarizes what this backdoor is capable of:

  • Adjust token privileges.
  • Check status of, control, and end processes and services.
  • Download a remote file, save it as %Temp%\mdm.exe, and then execute it.
  • Create, modify, and delete registry subkeys.
  • Retrieve a list of logical drives.
  • Read, write, execute, copy, change attributes, and...

Hon Lau | 01 Dec 2009 18:53:34 GMT | 0 comments

Piggybacking (pun intended) on the swine flu pandemic is the Zeus bot crew, whose latest offering comes in the guise of an email purporting to come from the CDC (Center for Disease Control). The email contains a link to a bogus Web page that is made to look like an official CDC page.
The content of the page asks you to create a profile that will then enable you to get the H1N1 flu vaccine.
 
The subject lines used in the emails are quite variable; for example, the following have been seen:

  • Instructions on creation of your personal Vaccination Profile
  • Governmental registration...

Patrick Fitzgerald | 23 Nov 2009 16:27:01 GMT | 0 comments

Once again Zeus is up to its old tricks with a new twist. The latest spam run informs users that their latest Social Security statement is available but it may contain errors. The subject of the mail will be something like “Review annual Social Security statement” and the body warns of a potential identity theft risk and asks you to review your annual statement at the link they provide.

Figure 1. An example of the spam

If you follow this link you will arrive at the following page:
 
...

Mayur Kulkarni | 19 Nov 2009 21:35:04 GMT | 0 comments

We are monitoring new malicious attacks that look similar to the fake "Microsoft Outlook reconfigure" spam campaign messages we have been observing for the last couple of months. That malicious campaign was followed by attacks on social networking sites, transforming from malicious code attacks into URL-based phishing attacks. These new attacks have similar traits, such as the spoofed “From” headers, which aggressively target and baffle enterprise users, and a subject line that is intended to cause panic (for obvious reasons—have a look at the example image below).


As seen in the message above, the mail attachment is a zipped file named “utility.zip” that extracts an executable detected as Trojan.Dropper by Symantec antivirus. Using...