Geodo infostealer gets help from worm


Author: Zeljka Zorz, HNS Managing Editor
 
The distribution potential of the infamous Cridex infostealer (also known as Feodo or Bugat) just went up a notch, as a new version of the malware works in conjunction with a worm that sends out emails with a link to download a zip file containing the trojan.

Initially distributed via removable drives, as a file dropped by other malware or as a file downloaded unknowingly by users when visiting malicious sites, the threat is now delivered directly to users via their inboxes.
 
Help Net Security/ Full Read Here/ http://www.net-security.org/malware_news.php?id=2799


By: Kelly Jackson Higgins, posted on 7/1/2014
 
Cridex -- a.k.a. Feodo and Bugat -- now has a more streamlined and automated way of infecting victims and stealing their information.
A new version of an infamous banking worm comes with built-in stolen email account and server credentials for automatic email worm attacks to continue its spread.
The so-called Cridex data-stealing malware, a.k.a. Feodo and Bugat, now has a more streamlined and automated way of infecting victims, researchers at Seculert found. Once it's on a victim's machine, the new variant, dubbed Geodo by Seculert, downloads a second piece of malware that communicates with a command-and-control server. That second piece of malware is a worm that has 50,000 stolen SMTP email account credentials, including those of the associated SMTP servers.
 
 
DarkReading/full read here/ http://www.darkreading.com/vulnerabilities---threats/infamous-banking-malware-adds-email-sending-feature/d/d-id/1279062?
 
 
 
By John Leyden, 2 Jul 2014
 
Cybercrooks have put together a botnet client which bundles in worm-like functionality that gives it the potential to spread quickly.
Seculert warns that the latest version of the Cridex (AKA Geodo) information stealing Trojan includes a self-spreading infection method.
 Infected PCs in the botnet download a secondary strain of malware – an email worm – from the botnet's command and control servers. That worm pushes out an email with links to download a zip file containing the primary Cridex Trojan.
 
The Register/ Full Read Here/ http://www.theregister.co.uk/2014/07/02/cridex_trojan_email_worm_hybrid/
 
 
New Version of Cridex Malware Combines Data Stealer and Email Worm
By Eduard Kovacs on July 02, 2014
A new version of the data-stealing malware Cridex (Feodo/Bugat) has been found to rely on a worm in order to spread from one computer to another.
Researchers from threat protection firm Seculert analyzed the self-spreading infection system used by the Trojan dubbed "Geodo." Once it infects a system, the threat downloads a second piece of malware, a worm, that starts communicating with a command and control (C&C) server from which it gets the information needed for the distribution process.
The C&C provides the worm with a list of 50,000 stolen Simple Mail Transfer Protocol (SMTP) account credentials, along with the details of the SMTP servers. The malware also receives email body text, email subject lines, "from" addresses, and a list of 20 email addresses to which messages are sent using the stolen SMTP credentials. After the malicious emails are sent to the batch of 20 addresses, the process is repeated for another 20 targets.
 
SecurityWeek/ Full Read Here/ http://www.securityweek.com/new-cridex-malware-uses-self-spreading-infection-mechanism
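The SecurityWeek summary above describes the worm's sending pattern: one infected workstation authenticating to many different external SMTP servers with many different stolen accounts, sending in batches of 20 recipients. That pattern is what a defender can look for. The following is an added example, not code from Seculert or from any of the quoted articles; the log format, the host and domain names in the sample lines, and the thresholds are all constructed assumptions for this illustration, not values reported for Geodo.

```python
"""Flag hosts whose outbound SMTP activity looks like an email worm using
stolen credentials (many distinct servers + many distinct accounts in a
short window, often in fixed-size recipient batches).

Added example; not Seculert's or any article's code. Log format and
thresholds are assumptions for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log (one outbound SMTP session per line):
# "<ISO timestamp> <internal host> <external SMTP server> <auth user> <recipient count>"
SAMPLE_LOG = """\
2014-07-02T09:00:01 ws-017 mail.isp-a.example alice@isp-a.example 20
2014-07-02T09:00:05 ws-017 smtp.isp-b.example bob@isp-b.example 20
2014-07-02T09:00:09 ws-017 mail.isp-c.example carol@isp-c.example 20
2014-07-02T09:00:14 ws-017 smtp.isp-d.example dave@isp-d.example 20
2014-07-02T09:00:20 ws-017 mx.isp-e.example erin@isp-e.example 20
2014-07-02T09:01:00 ws-042 smtp.corp.example alice.smith@corp.example 1
2014-07-02T09:02:00 ws-042 smtp.corp.example alice.smith@corp.example 3
2014-07-02T14:00:00 ws-017 mail.isp-a.example alice@isp-a.example 1
"""

# Assumed thresholds; tune to the environment.
WINDOW = timedelta(minutes=10)
MIN_DISTINCT_SERVERS = 3    # a workstation rarely relays through 3+ different providers
MIN_DISTINCT_ACCOUNTS = 3   # ... with 3+ different logins
BATCH_SIZE = 20             # recipient-batch size reported for Geodo


def parse_line(line):
    """Parse one constructed log line into (timestamp, host, server, user, rcpt)."""
    ts, host, server, user, rcpt = line.split()
    return datetime.fromisoformat(ts), host, server, user, int(rcpt)


def find_worm_hosts(log_text):
    """Return {host: summary} for hosts that match the worm pattern.

    A host is flagged if, within any WINDOW starting at one of its sessions,
    it used at least MIN_DISTINCT_SERVERS servers and MIN_DISTINCT_ACCOUNTS
    accounts. The batch count is reported as supporting evidence only; a
    fixed batch size on its own is too weak to alert on.
    """
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, host, server, user, rcpt = parse_line(line)
            sessions[host].append((ts, server, user, rcpt))

    flagged = {}
    for host, events in sessions.items():
        events.sort()
        for i, (start, _, _, _) in enumerate(events):
            window = [e for e in events[i:] if e[0] - start <= WINDOW]
            servers = {e[1] for e in window}
            accounts = {e[2] for e in window}
            if len(servers) >= MIN_DISTINCT_SERVERS and len(accounts) >= MIN_DISTINCT_ACCOUNTS:
                flagged[host] = {
                    "window_start": start.isoformat(),
                    "distinct_servers": len(servers),
                    "distinct_accounts": len(accounts),
                    "batches_of_20": sum(1 for e in window if e[3] == BATCH_SIZE),
                }
                break  # one hit per host is enough
    return flagged


if __name__ == "__main__":
    for host, summary in find_worm_hosts(SAMPLE_LOG).items():
        print(host, summary)
```

In the constructed sample, ws-017 is flagged (five servers, five accounts, five batches of 20 inside 20 seconds) while ws-042, which only talks to the corporate relay with its own account, is not. Requiring both distinct servers and distinct accounts is what separates a host burning through a list of stolen SMTP credentials from a legitimate mail client or an internal relay.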

New Cridex Banking Trojan variant Surfaces with Self-Spreading Functionality

Wednesday, July 02, 2014 Wang Wei
 
In an effort to infect a large number of people, cybercriminals have developed a new malicious software program that contains functionality to spread itself quickly.

Geodo, a new version of the infamous Cridex (also known as Feodo or Bugat) banking information stealing Trojan, works in conjunction with a worm that sends out emails automatically to continue its self-spreading infection method, effectively turning each infected Windows system in the botnet into a means of infecting new targets, Seculert warned.

The infected Windows systems in the botnet download and install an additional piece of malware (i.e. an email worm) from the botnet's command and control servers, provided with approximately 50,000 stolen SMTP account credentials, including those of the associated SMTP servers.
