Results for zeus

Threat Research

OffensiveWare: A New Malware-as-a-Service Platform Takes a Fitting Label

In recent years, with the active efforts of law enforcements to takedown infamous Trojan spywares such as Dridex and GameOver Zeus, one could claim that their status as a predominant threat has died down and given way to ransom malware. But this has not not stopped small groups of individuals from trying to keep this lineage of malware alive. The increasing popularity of Malware-as-a-Service (MaaS) platforms has provided a new way for criminals to keep themselves on the malware profit chain by enticing a wider audience with their malicious...

By Joie SalvioOctober 11, 2016

Threat Research

Soraya: the Worst of Both Worlds

This whitepaper is the first of a series of FortiGuard Technical Analyses that go in-depth into the inner workings of malware. In this paper we take a look at the malware known as Soraya. Soraya is unique in that it combines the form-grabbing techniques seen in the ubiquitous Zeus and the memory-parsing techniques seen in Point of Sale (POS) malware such as Dexter and JackPOS. In this report, we join Junior AV Analyst Hong Kei Chan in dissecting Soraya: How Soraya installs itself How Soraya grabs the contents of forms How Soraya parses its target's...

By Richard HendersonJuly 14, 2014

Threat Research

Lite Zeus - A New Zeus Variant

Introduction The Zeus malware, a.k.a. Zbot, is a bot that is capable of stealing private and sensitive information including personal passwords and banking information from infected hosts. Its command-and-control (C&C) server can also control the action of its remote bots by sending various command strings, such as updating malware, executing other malware files, and so on. Recently, we have discovered a new variant of this malware that we are calling Lite Zeus. Aside from being shorter with fewer functionalities, it has several other distinct...

By Kan ChenJune 26, 2014

Threat Research

Dyreza - The Banking Trojan is Back

Researchers recently discovered a new banking trojan that, like the recently fallen Zeus botnet, is also capable of bypassing the Secure Sockets Layer (SSL). Some speculation even suggests that this baddy is filling the empty shoes that Zeus has left behind. Let's take a closer look and figure out how to tell if you're infected. Banking URLs Within the malware code, a list of URLs for banking and other financial institutions can be found. Figure1 shows these strings in the memory. cashproonline.bankofamerica.com businessaccess.citibank.citigroup.com www.bankline.natwest.com www.bankline.rbs.com www.bankline.ulsterbank.ie cashproonline.bankofamerica.com businessaccess.citibank.citigroup.com c1shproonline.bankofamerica.com cashproonline.bankofamerica.com b1sinessaccess.citibank.citigroup.com www.b1nkline.natwest.com www.bankline.natwest.com www.b1nkline.rbs.com www.bankline.rbs.com www.b1nkline.ulsterbank.ie www.bankline.ulsterbank.ie Figure...

By Raul AlvarezJune 20, 2014

By Michael PernaJune 07, 2014

Industry Trends

Law Enforcement Agencies Target P2P Zeus Botnet

Earlier this week, the United States Computer Emergency Readiness Team (US-CERT) released an advisory regarding the GameOver Zeus P2P Malware. Along with that advisory was a national press release from the US Department of Justice and the FBI that announced a multi-national effort against the GameOver Zeus botnet. GameOver Zeus, a.ka. P2P Zeus, is a sophisticated type of malware that is used by cybercriminals to steal infected hosts' banking information, install other malware, and perform DDoS attacks and other cybercrime-related activities....

By Margarette JovenJune 06, 2014

Threat Research

Bublik Downloader Evolution

Bublik is a downloader malware that is used mostly for spreading P2P Zbot and other major bots. Over the years that our botnet monitoring system has tracked this bot's activities, we have found that this simple downloader has had at least three major updates that are directed more towards escaping detection from security software. Overview of Bublik Bublik is a simple one-time execution bot; it does not add any autorun registry entries. Once executed, it copies itself to the user's Temporary folder using the name budha.exe. The bot modifies this...

By He XuMay 28, 2014

By Michael PernaApril 26, 2014

Threat Research

P2P Zeus Performs Critical Update

Special Technical Contribution by He Xu, Senior Antivirus Analyst P2P Zeus, a.k.a. Zbot, has evolved into a powerful bot since its discovery in 2007. It is capable of stealing infected hosts' banking information, installation of other malware, and other cybercrime-related behavior. Currently, P2P Zeus supports both the UDP and TCP protocols for its various communication tasks including peer list exchange, command-and-control (C&C) server registration, and malware binary updates. Early this month, our Fortinet botnet monitoring system found...

By Kan ChenApril 20, 2014

Industry Trends

Same Zeus, Different Features

[ This article originally appeared in Virus Bulletin ](http://www.virusbtn.com/virusbulletin/archive/2013/10/vb201310-Zeus)We have seen hundreds, if not thousands, of variations of Zeus in the wild. The main goal of the malware does not vary, yet different functionalities have been added to its different iterations over time. This article discusses some of Zbot's functionalities in detail, such as: dropping a copy of itself and its components using random fi lenames, generating the registry key and some of its mutexes, and injecting codes with...

By Raul AlvarezDecember 09, 2013