light bulb

Did You Know?



Reply
Highlighted
Posts: 6,812
Topics: 4,587
Kudos: 8,722
Registered: ‎06-12-2013

Zeus variant by-passing security, say researchers

A variant of the data-stealing Zeus Trojan – best known for targeting online banking – is using a new technique to bypass security systems, researchers have found.

By encrypting the executable file, cyber criminals are sneaking GameOver Zeus malware past web filters, network intrusion detection systems and other defences as a non-executable .enc file.

On 1 February 2014, US-based Malcovery Security alerted the security community and law enforcement agencies after its researchers identified the technique and observed its use trending upwards.

The attackers are using email messages that appear to come from HMRC, HSBC and other well-known brands to trick recipients into opening an attached .zip file, according to a Malcovery blog post.

If the attachment is opened, it launches a new version of the application called Upatre, which downloads and decrypts a .enc file, which is GameOver Zeus executable.

“If you are in charge of network security for your enterprise, you may want to check your logs to see how many .enc files have been downloaded recently,” said Gary Warner, CTO of Malcovery.

Before Malcovery raised the alarm, its researchers found none of the 50 security products used by online virus scanning service VirusTotal were blocking GameOver Zeus distributed in this way.

 

Full Article

Sr. Community Leader

Frequent Voice
Posts: 41
Registered: ‎03-04-2013

Re: Zeus variant by-passing security, say researchers

And how would Webroot SecureAnywhere handle this piece of malware? As "unknown" with limited system access?

Retired Webrooter
Posts: 1,288
Registered: ‎03-13-2013

Re: Zeus variant by-passing security, say researchers

Nothing really new its still has to execute. I am going to check out the blog and I`ll report my findings

Retired Webrooter
Posts: 1,288
Registered: ‎03-13-2013

Re: Zeus variant by-passing security, say researchers

[ Edited ]

As expected we have seen this ages ago, but we are not on VT so we werent included in the 50 AV Vendors Smiley Happy

 

Invoice.PDF.exe -seen Jan 27

Employer_Bulletin_Issue_46_79520EEE31.exe -seen Jan 28

PaymentAdvice.exe -seen Jan-27

 

I am not going to go through all of the post but its nothing new really.

Frequent Voice
Posts: 41
Registered: ‎03-04-2013

Re: Zeus variant by-passing security, say researchers

Thanks for checking.
Posts: 4,297
Topics: 2,485
Kudos: 3,494
Blog Posts: 0
Registered: ‎06-02-2014

Re: Zeus variant by-passing security, say researchers

The following article is a update on Zeus variant

 

(Two Gameover Zeus variants targeting Europe and beyond)

 

By: HNS Staff/ Posted on 08.08.2014

 

Bitdefender has identified two Gameover Zeus variants in the wild: one of them generates 1,000 domains per day and the other generates 10,000 per day. The UK is currently the 6th most infected country with 42 unique IPs to date and that there is growth potential with new control domains continuing to be registered.


Following OpenDNS highlighting that Gameover Zeus had started to use Domain Generation Algorithms (DGAs), Bitdefender spotted that the generated domains were only active for one day each. By "sinkholing" a particular domain, the antivirus company has been able to observe the botnet’s structure and activity for the corresponding day.

 

 

Help Net Security/ Full Article Here/ http://www.net-security.org/malware_news.php?id=2833

Community Leader

Posts: 4,297
Topics: 2,485
Kudos: 3,494
Blog Posts: 0
Registered: ‎06-02-2014

Re: Zeus variant by-passing security, say researchers

The following article is a update:

************************************

New Zeus Variant "Sphinx" Offered for Sale.

By Eduard Kovacs on August 26, 2015

 

Sphinx, a new banking Trojan based on the source code of the notorious Zeus malware, is up for sale for $500.

According to its developers, Sphinx operates fully through the Tor anonymity network and is immune to sinkholing, blacklisting, and Abuse.ch’s ZeuS Tracker tool. The creators of Sphinx have told potential customers that they don’t necessarily need bulletproof hosting to operate a botnet, although it’s recommended.

The list of Sphinx’s features includes form grabbing and web injects for Internet Explorer, Firefox and Tor Browser, a keylogger, a certificate grabber, and an FTP and POP3 grabber.

Sphinx is designed to work on Windows Vista and Windows 7 with User Account Control (UAC) enabled, and it works even on user accounts with low privileges, such as the “Guest” account, the developers said.

 

full article

Community Leader