In recent years, with the active efforts of law enforcement to take down infamous Trojan spyware such as Dridex and GameOver Zeus, one could claim that their status as a predominant threat has died down and given way to ransomware. But this has not stopped small groups of individuals from trying to keep this lineage of malware alive. The increasing popularity of Malware-as-a-Service (MaaS) platforms has provided a new way for criminals to stay on the malware profit chain by enticing a wider audience with their malicious... [Read More]
by Joie Salvio  |  Oct 11, 2016  |  Filed in: Security Research
This whitepaper is the first of a series of FortiGuard Technical Analyses that go in-depth into the inner workings of malware. In this paper we take a look at the malware known as Soraya. Soraya is unique in that it combines the form-grabbing techniques seen in the ubiquitous Zeus with the memory-parsing techniques seen in Point of Sale (POS) malware such as Dexter and JackPOS. In this report, we join Junior AV Analyst Hong Kei Chan in dissecting Soraya: how Soraya installs itself; how Soraya grabs the contents of forms; how Soraya parses its target's... [Read More]
by Richard Henderson  |  Jul 14, 2014  |  Filed in: Security Research
Introduction The Zeus malware, a.k.a. Zbot, is a bot that is capable of stealing private and sensitive information, including personal passwords and banking information, from infected hosts. Its command-and-control (C&C) server can also control the actions of its remote bots by sending various command strings, such as updating the malware, executing other malware files, and so on. Recently, we discovered a new variant of this malware that we are calling Lite Zeus. Aside from being shorter, with fewer functionalities, it has several other distinct... [Read More]
by Kan Chen  |  Jun 26, 2014  |  Filed in: Security Research
Researchers recently discovered a new banking trojan that, like the recently fallen Zeus botnet, is also capable of bypassing the Secure Sockets Layer (SSL). Some speculation even suggests that this baddy is filling the empty shoes that Zeus has left behind. Let's take a closer look and figure out how to tell if you're infected. Banking URLs Within the malware code, a list of URLs for banking and other financial institutions can be found. Figure 1 shows these strings in memory. Figure... [Read More]
by Raul Alvarez  |  Jun 20, 2014  |  Filed in: Security Research
[Read More]
by Michael Perna  |  Jun 07, 2014  |  Filed in: Industry Trends
Earlier this week, the United States Computer Emergency Readiness Team (US-CERT) released an advisory regarding the GameOver Zeus P2P malware. Along with that advisory was a national press release from the US Department of Justice and the FBI that announced a multi-national effort against the GameOver Zeus botnet. GameOver Zeus, a.k.a. P2P Zeus, is a sophisticated type of malware that is used by cybercriminals to steal infected hosts' banking information, install other malware, and perform DDoS attacks and other cybercrime-related activities.... [Read More]
by Margarette Joven  |  Jun 06, 2014  |  Filed in: Industry Trends
Bublik is a downloader malware that is used mostly for spreading P2P Zbot and other major bots. Over the years that our botnet monitoring system has tracked this bot's activities, we have found that this simple downloader has had at least three major updates, directed mainly at escaping detection by security software. Overview of Bublik Bublik is a simple one-time execution bot; it does not add any autorun registry entries. Once executed, it copies itself to the user's Temporary folder using the name budha.exe. The bot modifies this... [Read More]
by He Xu  |  May 29, 2014  |  Filed in: Security Research
[Read More]
by Michael Perna  |  Apr 26, 2014  |  Filed in: Industry Trends
Special Technical Contribution by He Xu, Senior Antivirus Analyst P2P Zeus, a.k.a. Zbot, has evolved into a powerful bot since its discovery in 2007. It is capable of stealing infected hosts' banking information, installing other malware, and other cybercrime-related behavior. Currently, P2P Zeus supports both the UDP and TCP protocols for its various communication tasks, including peer list exchange, command-and-control (C&C) server registration, and malware binary updates. Early this month, our Fortinet botnet monitoring system found... [Read More]
by Kan Chen  |  Apr 21, 2014  |  Filed in: Security Research
[This article originally appeared in Virus Bulletin](http://www.virusbtn.com/virusbulletin/archive/2013/10/vb201310-Zeus). We have seen hundreds, if not thousands, of variations of Zeus in the wild. The main goal of the malware does not vary, yet different functionalities have been added to its different iterations over time. This article discusses some of Zbot's functionalities in detail, such as: dropping a copy of itself and its components using random filenames, generating the registry key and some of its mutexes, and injecting code with... [Read More]
by Raul Alvarez  |  Dec 09, 2013  |  Filed in: Industry Trends