Posts Tagged ‘Zeus botnet’

Evolution of Zeus Botnet Part 3

Evolution of Zeus Botnet Part 2 Here

Zeus, version 3 – Gameover

Zeus 2.1 was an attempt to move away from hard-coded command-center addresses to a control scheme (based on DGA) better protected from takedown actions by anti-virus companies. As it turned out, the creators of Zeus continued their research in this direction.

In October 2011, Roman Hüssy, the creator of ZeusTracker, was examining a recently received Zeus sample and noticed strange UDP traffic. Further analysis showed that the new version of Zeus carried several IP addresses in its configuration block, and the computers at these addresses responded to the infected system. Within 24 hours about 100,000 unique IP addresses associated with the new version were identified. Most of the infected computers were located in India, Italy and the U.S.

It was thus established that Zeus had started to use a P2P mechanism to update itself and its configuration data blocks. Because this version used a script named gameover.php when contacting the command center, it became known as Gameover Zeus. The name is rather symbolic: as we will see, the ‘game’ with Zeus has ended.

Evolution of Zeus Botnet Part 2

Posted: December 17, 2012 in Articles

Part 1 here

Evolution of Zeus Botnet Part 2

Zeus, version 2.1

At the same time, researchers from RSA discovered facts that cast doubt on Slavik’s claim that he was going out of business. In August 2010, two months before the “official” announcement that work on Zeus had ceased, a botnet was discovered that had been built with a Zeus bot of version 2.1.0.10. The investigation revealed that a kit of this version had not been sold on the ‘black market’. From subsequent detections of this type of bot, RSA experts concluded that this modification belonged to a single person (or group of persons): unlike in previous incidents, the configuration file of the version 2.1.0.10 bot did not change significantly over time (previously, each operator of a Zeus-based botnet used his own unique configuration file).

The key feature of Zeus 2.1.0.10 was a change in how the bot reaches its management server. The server addresses were no longer hard-coded in the configuration file; instead, the address list was produced by a DGA (Domain Generation Algorithm). This technique had previously been used by malware such as Bobax, Kraken, Sinowal (aka Torpig), Srizbi and Conficker. Zeus looked for its command server at the generated addresses. To protect the botnet against hijacking, the file downloaded during an update is checked for a valid digital signature (using the Windows Crypto API); for this purpose the Zeus code contained a 1024-bit RSA public key.
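The protection described above, modelled in Go with the standard library as an added example that is not code from the original post or from any Zeus sample: a client holds only the public key and accepts a configuration block only if its signature verifies, so whoever controls a generated domain but not the private key cannot push a replacement. The type and function names and the config bytes are constructed for illustration, and the key is 2048 bits rather than the 1024 bits mentioned in the text.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// SignedConfig is a hypothetical update: a configuration block plus the
// RSA signature its distributor attached.
type SignedConfig struct {
	Body      []byte
	Signature []byte
}

// signConfig is the distributor's step: hash the block and sign the digest
// with the private key that never leaves the key holder.
func signConfig(priv *rsa.PrivateKey, body []byte) (SignedConfig, error) {
	digest := sha256.Sum256(body)
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return SignedConfig{}, err
	}
	return SignedConfig{Body: body, Signature: sig}, nil
}

// acceptConfig is the client-side check with the embedded public key:
// a block whose signature does not verify is discarded.
func acceptConfig(pub *rsa.PublicKey, cfg SignedConfig) bool {
	digest := sha256.Sum256(cfg.Body)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], cfg.Signature) == nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // 2048 bits; the text mentions 1024
	genuine, _ := signConfig(priv, []byte("constructed config: servers=a.example"))
	fmt.Println("genuine accepted:", acceptConfig(&priv.PublicKey, genuine))

	// A hijacked or sinkholed domain can serve a different body, but it can
	// only reuse an old signature, which no longer matches the digest.
	forged := SignedConfig{Body: []byte("constructed config: servers=b.example"), Signature: genuine.Signature}
	fmt.Println("forged accepted:", acceptConfig(&priv.PublicKey, forged))
}
```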

Evolution of Zeus Botnet Part I

The Zeus botnet is perhaps one of the most famous examples of malware. Zeus first appeared back in 2007 (or 2006). Many people mistakenly believe that Zeus is just another Trojan, but this is not so. In fact, Zeus is an example of so-called crimeware: software intended for breaking the law.

In this case, the main purpose of the Zeus crimeware is stealing credentials used for financial transactions. According to analysts, it is responsible for 90% of bank fraud in the world.

Another misconception is the assertion that one huge Zeus botnet exists. In reality, Zeus is the basis of a very large number (probably hundreds) of different botnets, all controlled by different gangs of cyber criminals. The creators of Zeus simply sell it to interested parties, who then use it to form their own botnets. Thus it is correct to speak not of the Zeus botnet, but of botnets created with Zeus. To track information about Zeus command servers, Roman Hüssy, a Swiss computer security expert, created the ZeusTracker website in February 2009.

Zeus botnet Eurograbber


Check Point, a company with serious authority in information security, has published an 18-page report on a new botnet called ‘Eurograbber’.

According to the results of the investigation conducted by Check Point and Versafe, since it was first detected in Italy in early 2012, Eurograbber has stolen more than 36 million euros ($47 million USD) from the accounts of private and corporate clients in various eurozone countries.

Eurograbber’s technology for stealing money from bank accounts is built on the Zeus botnet, a platform very popular with cybercriminals for creating extensive botnets with a centralized management server. What distinguishes Eurograbber from previously detected malware is its high complexity and risk. Eurograbber uses a special scheme to bypass two-factor authentication, which is still considered a reliable means of protection: the one-time passwords that the bank sends to the customer’s mobile phone are intercepted and used by the attackers.

The name Eurograbber was given to the detected malware complex by security experts from Check Point and Versafe. During 2012 the virus spread throughout Europe. According to the experts, Eurograbber’s operators stole more than 36 million euros, with each victim losing from 500 to 25 000.