A computer malware has been found on Facebook that is smart enough to empty your bank account by taking out money from your contacts.
With the increased activities and the large varieties of different malware hitting the scene of IT industry, the infamous info-stealer ZueS/ZBOT versions are coming forth for vengeance. TrendMicro security network predicts that the old versions and variants or different malware will hit the cybercrime scene with some new and fatal refinements to their artillery. The 1Q has proven this thesis during the present year as we have seen with threats like Andromenda Botnet and CARBERP.
According to the feedback and the data presented by Trend Micro Smart Protection Network, new but old malware threats which have considerably increased over the last few months include ZueS/ZBOT.
The chart suggests that the variants of ZBOT Soared up at the start of February this year and have continued to remain active up this present month. It was at the peak during the midst of the month of May 2013. These classic and improved malware have been formulated to steal from users, data such as online credentials, banking information and credentials and other personal information which should be kept confidential.
The configuration file on being decrypted shows the following information:
Site from where the updated or modified copy of the configuration file can be downloaded.
List containing domain names of websites that are to be monitored.
The site where the data stolen will be sent.
ZBOT (Old Versions vs. New version)
The earlier versions of ZBOT had the feature of creating a folder with the name of %System% folder which stored all the credential and the stolen data along with configuration files. ZBOT versions are designed to alter the host files of Windows which are designed to disable users from gaining access to websites related to security. The strings which are appended with the hosts’ files can be found in the configuration file which is downloaded. The previous versions of ZBOT included TSPY_ZBOT.XMAS and TSPY_ZBOT.SMD.
The current versions of this malware are designed to create two different folders in %Applications Data% folder. ZBOT folder is contained in one of these folders while the other stores encrypted data. An example in this regard is TSPY_ZBOT.BBH.
These current versions of ZBOT malware are normally GameOver Variants or Citadel. The name of the mutex in these versions is generated normally and this was not the case with the earlier versions.
Both the variants mentioned above transmit or remit DNS queries towards random domain names. GameOver Variant in addition, also creates a UDP port which is known to deliver encrypted packets apart from the DNS queries.
How do they Work to Steal Credentials?
ZBOT Malware establishes connection with a remote site for the purpose of downloading its configuration file which is encrypted.
The configuration file on being decrypted shows the following information:
- Site from where the updated or modified copy of the configuration file can be downloaded.
- List containing domain names of websites that are to be monitored.
- The site where the data stolen will be sent.
Source & Images Via: TrendMirco
Add your comments: