10.08.2010

Time for summer

Folks,

We would like to wish you all a nice summer holiday!

We will be back at work in September, releasing new updates about our current projects.

See you there!

06.08.2010

Security researchers warn that multiple recent Zbot variants are using a forged digital signature in an attempt to bypass antivirus detection. Ironically the digital signature was copied from a ZeuS removal tool developed by Kaspersky Lab.

[..]

There have been isolated cases of digitally-signed malware before, but the practice never really took off, primarily because malware authors believed the effort doesn’t justify the benefits.

[..]

via Zbot Authors Forge Kaspersky Digital Signature – Copy it from ZeuZ removal tool – Softpedia.

04.08.2010

Trusteer, the leading provider of secure browsing services, today announced that it has uncovered a large Zeus version 2 botnet being used to conduct financial fraud in the UK which is operated and controlled from Eastern Europe. The botnet appears to be controlling more than 100,000 infected computers, 98% of which are UK Internet users.

via Trusteer: Trusteer uncovers Zeus botnet that plunders over 100,000 UK Internet user credentials.

03.08.2010

According to a newly published report by AVG, upon obtaining access to a mini ZeuS botnet dubbed Mumba, part of Avalanche group’s online operations, they found 60GB of stolen data such as, accounting details for social networking sites, banking accounts, credit card numbers and intercepted emails.

via Researchers peek inside a mini ZeuS botnet, find 60GB of stolen data | ZDNet.

03.08.2010

A three-month-long investigation by CTU uncovers the inner workings of a Russian check counterfeiting operation. SecureWorks has notified and is working with law enforcement on this scam. SecureWorks has protections in place for both the Zeus and the Gozi Trojans which are utilized in this scam.

via Big Boss Check Counterfeiting Ring – Research – SecureWorks.

29.07.2010

SecureWorks researchers uncovered the complicated operation in April when it discovered a unique variant of the well-known Zeus Trojan that targets Windows-based PCs. In addition to stealing login credentials, the Trojan established a virtual private network (VPN) connection from the infected computer to a remote server using the PPTP (Point-to-Point Tunneling Protocol) functionality in Windows and listened on a random TCP (Transmission Control Protocol) port in order to serve as a SOCKS proxy.

via Check counterfeiting using botnets and money mules | InSecurity Complex – CNET News.
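The PPTP behaviour described in the CNET excerpt leaves a distinctive footprint at the perimeter: a workstation that is not a VPN gateway opens a TCP/1723 control connection to an external address and then sends GRE traffic to the same address. The script below is an added example, not code from SecureWorks or the quoted article; it flags that pattern in a constructed, simplified key=value firewall log (the log format, the sample addresses and the VPN gateway allow-list are all assumptions made for the example).

```python
"""Flag internal hosts that build an outbound PPTP tunnel (TCP/1723 control
channel plus GRE data channel to the same peer), the behaviour of the Zeus
variant described above. All log lines below are constructed sample data."""
import re
from collections import defaultdict

# Constructed sample lines in an assumed "key=value" firewall log format.
SAMPLE_LOG = """\
ts=2010-04-12T09:14:01 src=10.0.5.21 dst=203.0.113.50 proto=tcp dport=1723 action=allow
ts=2010-04-12T09:14:02 src=10.0.5.21 dst=203.0.113.50 proto=gre action=allow
ts=2010-04-12T09:15:10 src=10.0.5.22 dst=198.51.100.8 proto=tcp dport=443 action=allow
ts=2010-04-12T09:16:44 src=10.0.5.23 dst=203.0.113.77 proto=tcp dport=1723 action=allow
ts=2010-04-12T09:17:03 src=10.0.9.5 dst=192.0.2.9 proto=tcp dport=1723 action=allow
ts=2010-04-12T09:17:04 src=10.0.9.5 dst=192.0.2.9 proto=gre action=allow
"""

LINE_RE = re.compile(
    r"ts=(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) proto=(?P<proto>\S+)"
    r"(?: dport=(?P<dport>\d+))? action=(?P<action>\S+)"
)

# Hosts that legitimately terminate VPN tunnels (constructed allow-list).
VPN_GATEWAYS = {"10.0.9.5"}


def parse(log_text):
    """Parse log text into a list of event dicts; unparseable lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        event = m.groupdict()
        event["dport"] = int(event["dport"]) if event["dport"] else None
        events.append(event)
    return events


def find_pptp_tunnels(events, allow_list=VPN_GATEWAYS):
    """Return findings for non-gateway hosts that initiate PPTP.

    Confidence is "high" when both the TCP/1723 control channel and GRE data
    traffic to the same peer are seen, "medium" for the control channel alone.
    """
    seen = defaultdict(lambda: defaultdict(set))
    for e in events:
        if e["action"] != "allow":
            continue
        if e["proto"] == "tcp" and e["dport"] == 1723:
            seen[e["src"]][e["dst"]].add("pptp-control")
        elif e["proto"] == "gre":
            seen[e["src"]][e["dst"]].add("gre-data")

    findings = []
    for src, peers in seen.items():
        if src in allow_list:
            continue  # known VPN gateway, expected to speak PPTP
        for dst, kinds in peers.items():
            if "pptp-control" in kinds and "gre-data" in kinds:
                confidence = "high"
            elif "pptp-control" in kinds:
                confidence = "medium"
            else:
                continue  # GRE without a control channel: not PPTP by itself
            findings.append({"src": src, "dst": dst, "confidence": confidence})
    return sorted(findings, key=lambda f: (f["src"], f["dst"]))


if __name__ == "__main__":
    for finding in find_pptp_tunnels(parse(SAMPLE_LOG)):
        print(finding)
```

On the sample data the script reports 10.0.5.21 with high confidence and 10.0.5.23 with medium confidence, while the allow-listed gateway 10.0.9.5 is ignored. The SOCKS listener on a random TCP port is not visible in perimeter logs, because the attacker reaches it through the tunnel; that part needs a host-side inventory of listening ports compared against a baseline.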

26.07.2010

Slovenian police have arrested four suspects over allegations that they developed the Mariposa botnet malware.

The arrests follow a joint investigation between the FBI and Slovenian police and come after the earlier arrest of three suspects in Spain, who are charged with distributing Mariposa and using it to hack into online bank accounts.

via Mariposa botnet suspects quizzed in Slovenia • The Register.

26.07.2010

Trojan horses that were planted onto the victims’ computers would generate a fake error message and request that the victim re-enter the authorization code. This way, amounts up to €4,000 were transferred to money mules and thence to Eastern Europe.

via Slashdot Your Rights Online Story | Online Banking Trojan Stole Money From Belgians.

22.07.2010

Brazilian Banker is a financial Trojan that targets consumers of Brazilian-based banks and other banks in Latin America. The Lab recently traced a social network profile that contained encrypted instructions for a variant of the Brazilian Banker Trojan.

via Speaking of Security… | Blog Entry: RSA FraudAction Research Lab | Cy: 1684.

After Google Groups and Twitter, here is another example of how a social network (probably Facebook) is being (mis)used by bot herders to issue commands to their zombies.

22.07.2010

Initially, the Black Energy bot was created with the aim of conducting DDoS attacks, but with the implementation of plugins in the bot’s second version, the potential of this malware family has become virtually unlimited.

via Inside the Black Energy 2 Botnet | threatpost.

A very detailed analysis of the BE v2 bot. It is interesting to see how the data is encrypted using the RC4 algorithm.
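When an analysis finds that a bot protects its data with RC4, the practical follow-up is a small, trusted implementation for decoding captured blobs once the key has been recovered. The following is an added example and not code from the threatpost analysis or from the bot itself: a plain RC4 (KSA + PRGA) in Python, checked against the public RC4 test vectors. The sample key and blob are constructed for the example; the page does not give Black Energy 2's keys or key schedule, so nothing here is specific to that family.

```python
"""Minimal RC4 for decoding data that analysis shows to be RC4-protected.
Verified against the public RC4 test vectors; sample key/blob are constructed."""


def rc4_keystream(key: bytes):
    """Yield RC4 keystream bytes for `key` (key-scheduling, then PRGA)."""
    S = list(range(256))
    j = 0
    klen = len(key)
    for i in range(256):                      # key-scheduling algorithm (KSA)
        j = (j + S[i] + key[i % klen]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:                               # pseudo-random generation (PRGA)
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt `data`; RC4 is a stream cipher, so both are one XOR pass."""
    if not key:
        raise ValueError("RC4 key must be non-empty")
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


def decode_blob(key: bytes, blob: bytes) -> str:
    """Decrypt a captured blob and render it as text for inspection."""
    return rc4(key, blob).decode("utf-8", errors="replace")


# Constructed sample: a config-like string under a constructed key.
SAMPLE_KEY = b"Secret"
SAMPLE_BLOB = rc4(SAMPLE_KEY, b"Attack at dawn")

if __name__ == "__main__":
    print(SAMPLE_BLOB.hex())            # 45a01f645fc35b383552544b9bf5
    print(decode_blob(SAMPLE_KEY, SAMPLE_BLOB))
```

Because encryption and decryption are the same operation, `rc4(key, rc4(key, m))` returns `m`; the test vectors (`"Key"`/`"Plaintext"`, `"Wiki"`/`"pedia"`, `"Secret"`/`"Attack at dawn"`) are the standard ones and are worth keeping as a regression check in any analysis tooling built on this.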