2011
10.25
This month, the criminals behind the reincarnation of Zeus, known as SpyEye, found another way to circumvent the security measures introduced by some online banks. Researchers at financial security firm Trusteer documented a variant of SpyEye that has the ability to infect a computer, steal the victim’s logon credentials, and change the phone number that the bank uses to confirm transactions. It’s the latest update to an attack that, among other tactics, infected the mobile phone to which banks would send text messages to confirm transactions.
“This attack is much stronger than what we had seen before,” says Mickey Boodaei, CEO of Trusteer.
via Banking Trojans Adapting To Cheat Out-of-Band Security – Dark Reading.
2011
10.20
Folks,
I’d like to say “Congrats!” to Domenico Chiarito, who has just completed his Bachelor’s studies in “System and Network Security” @ the University of Milan (DTI).
Domenico made his Thesis on the JDrone project. He drastically improved our botnet monitoring software by integrating a relational database with the existing JDrone components (Client, and Server).
His work can be downloaded here.
Thank you Domenico, the Honeynet.it project was pleased to mentor you during your work, and we really hope that you will continue to help us on such project.
m4rco-
2011
10.20
A new version of the Zeus malware has appeared, and this does not seem to be a minor upgrade, but a major custom version of the Trojan, which now sports a P2P capability that does away with the use of the domain-generation algorithm used in earlier versions and instead uses a hardcoded list of IP addresses to provide infected PCs with new software and config files. This is a throwback to the way the malware used to behave, but it comes with a twist: There no longer is a master URL that infected machines contact to get updates, making it much more difficult to track the Trojan’s activities.
[..]
The version of Zeus discovered recently by the Swiss Abuse.ch group implements this strategy through the inclusion of a built-in list of IP addresses that each newly infected PC should try to contact in order to receive instructions and updated configuration files. The new bot does this by sending out UDP packets on a high-numbered port, looking for like-minded peers. If one responds, the new bot will get a new list of IPs of other infected PCs in the botnet. The version of Zeus also can remotely check which version of the malware is running on remote PCs and download an updated version, if necessary, the researchers said in a blog post analyzing the Zeus update.
[..]
“At first glance this is bad news. But fortunately the new mechanism also has benefits: There is just one ZeuS C&C active at the same time, so every time the domain name gets suspended/terminated, the criminals have to push out a new config file.”
via P2P Version of Zeus Botnet Appears | threatpost.
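As an added example (not code from the original post or from the Abuse.ch analysis), here is a defender-side heuristic built on the behaviour described above: with the DGA gone and peers taken from a hardcoded IP list, an infected host emits outbound UDP to many distinct external addresses that it never resolved via DNS. The log records, the local network range, the port threshold and the peer-count threshold are all constructed assumptions for the example.

```python
"""Flag hosts whose outbound high-port UDP fan-out targets unresolved external IPs.

Added example; all log lines and thresholds below are constructed, not
observations of the real ZeuS P2P variant.
"""
from collections import defaultdict
import ipaddress

# Constructed DNS resolution log: (client, resolved_ip)
DNS_LOG = [
    ("10.0.0.5", "93.184.216.34"),
    ("10.0.0.7", "93.184.216.34"),
]

# Constructed flow records: (src, dst, proto, dst_port)
FLOW_LOG = [
    ("10.0.0.5", "93.184.216.34", "tcp", 443),    # resolved first: normal web traffic
    ("10.0.0.5", "198.51.100.10", "udp", 19843),  # four peers never seen in DNS
    ("10.0.0.5", "198.51.100.11", "udp", 19843),
    ("10.0.0.5", "203.0.113.77", "udp", 19843),
    ("10.0.0.5", "203.0.113.78", "udp", 19843),
    ("10.0.0.5", "10.0.0.1", "udp", 53),          # internal DNS, ignored
    ("10.0.0.7", "93.184.216.34", "tcp", 443),
    ("10.0.0.7", "198.51.100.20", "udp", 15004),  # one stray flow, below threshold
]

# Assumptions: the monitored network is 10.0.0.0/8, "high-numbered" means > 10000,
# and three distinct unresolved peers are enough to raise an alert.
LOCAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]
HIGH_PORT = 10000
MIN_PEERS = 3

def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in LOCAL_NETS)

def unresolved_udp_fanout(flows, dns, high_port=HIGH_PORT, min_peers=MIN_PEERS):
    """Return {src: sorted peer IPs} for hosts whose high-port UDP flows reach
    at least min_peers distinct external IPs that the host never resolved."""
    resolved = defaultdict(set)
    for client, ip in dns:
        resolved[client].add(ip)
    peers = defaultdict(set)
    for src, dst, proto, port in flows:
        if proto != "udp" or port <= high_port or not is_external(dst):
            continue
        if dst in resolved[src]:
            continue  # the host looked this IP up, so it is not a hardcoded peer
        peers[src].add(dst)
    return {h: sorted(p) for h, p in peers.items() if len(p) >= min_peers}
```

Running it over the constructed logs flags only 10.0.0.5, with its four unresolved peers; 10.0.0.7 stays below the threshold.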
2011
10.18
[..] Dmitry Tarakanov, a researcher at Kaspersky Lab who has studied the two families, said that there was a code transfer from Zeus to SpyEye in the immediate aftermath of the source code being transferred to the SpyEye author. For example, the SpyEye author grabbed a Zeus feature that allowed the malware to force Web browsers on infected systems to load malicious HTML served by the botnet, even in cases where the host had a recent version of the page in question (say, an electronic banking site) stored locally in its browser cache. “SpyEye could not intercept the cached html-code,” Tarakanov wrote in an e-mail. “So the author of SpyEye had seen that part of the code where Zeus replaces the cache as well and added that part of code into his own source code of SpyEye. [..] “
via SpyEye and Zeus Malware: Married Or Living Separately? | threatpost.
2011
10.18
[..]
This new version, which Trend Micro detects as TSPY_ZBOT.SMQH, spread around late September through spam that claimed to be from the Australian Taxation Office (ATO). The spammed messages contained a malicious link that when clicked directed users to a malicious website that served the BlackHole Exploit Kit. The exploit kit, in turn, downloads a variant of the new ZeuS version.
[..]
As we can see, unlike ZeuS 2.3.2.0, which uses Advanced Encryption Standard (AES), the decryption algorithm did not change much compared with the modified ZeuS 2, which uses RC4.
As I mentioned earlier, like LICAT and ZeuS 2.3.2.0, this new variant also seems to be crafted by a private professional gang, probably the same ones who created LICAT or who may be affiliated with them at the very least. In fact, the configuration file for TSPY_ZBOT.SMQH has the same format as that of the configuration file of LICAT.
via Another Modified ZeuS 2 Variant Seen in the Wild.
2011
10.06
On September 7, 2011, Trusteer announced they are investigating new financial malware they called Shylock that “uses unique mechanisms not found in other financial malware toolkits, including: an improved method for injecting code into additional browser processes to take control of the victim’s computer; a better evasion technique to prevent malware scanners from detecting its presence; a sophisticated watchdog service that allows it to resist removal attempts and restore operations”
via contagio: Sept 21 Greedy Shylock – financial malware.