Web Threat Spotlight
A Web threat is any threat that uses the Internet to facilitate cybercrime.


ISSUE NO. 58
MARCH 1, 2010

Kneber Takes the ZBOT/ZeuS Stage
Much to the chagrin of security experts, Kneber rose to botnet fame within a few weeks. There was a lot of talk and speculation about the "new" botnet in town, with people clamoring for more information on what seemed to be the malware of the moment. In the end, its true identity was revealed: Kneber is not a new botnet at all, but one particular ZBOT/ZeuS campaign. In other words, it plays only a small part in the already carefully scripted, full-scale production that is ZeuS.

The Threat Defined
ZeuS: A Bot by Any Other Name
This threat goes by several names: ZBOT, WSNPOEM, PRG, TROJ_AGENT and, more recently, Kneber. Whatever the label, ZeuS remains what may be the most pernicious botnet today. Despite the apparent novelty of the Kneber botnet, ZeuS has been seen in the wild as early as 2005, and its earliest notable use was in 2008 by the equally infamous Rock Phish Gang, known for their easy-to-use phishing kits. What was then considered an important development in phishing tactics proved to be just one turning point in the ZeuS plot: by planting spyware on users' systems, cybercriminals made information theft a great deal easier. The rest, as they say, is history.
Trend Micro has been monitoring the ZeuS botnet and ZBOT variants since 2007. To date, we have created more than 2,000 ZBOT detections, and the number continues to grow every day. From the outset, ZBOT Trojans became known as bank-related data stealers; some were even found to use fast-flux botnets, notably Avalanche, to spread. Earlier variants also powered ZBOT attacks that did not target specific companies. Instead, they were typically delivered via spammed messages purporting to come from legitimate companies. The lures varied (digital certificates, bogus balance-checker tools, fake Facebook login pages), but ZBOT's primary goal stayed the same: stealing online bank account information. This scattershot tactic has worked well so far, but the ZBOT perpetrators are not resting on their laurels and continue to come up with bigger and better schemes as time goes by.
A Work in Progress
If anything has remained constant with ZBOT, it is the steady stream of enhancements its perpetrators have made to it over time. The persistence of the cybercriminals behind ZeuS is apparent in the many improvements ZBOT variants have undergone since the malware's public debut. The fact that the Kneber botnet recently hit 75,000 systems in one blow proves that the minds behind ZBOT have no plans to take a curtain call anytime soon.

ZBOT variants usually arrive as packed (compressed) executables, which makes code analysis and tracing more difficult, and over time the packers used have become increasingly complex. The list of targeted entities and monitored sites has likewise grown substantially. In the past, the large majority of the companies on the list were banks. Today, social-networking sites such as Facebook, MySpace, and Orkut also consistently make the cut, along with e-commerce sites like eBay, as evidenced by variants such as TSPY_ZBOT.ILA, TSPY_ZBOT.ILB, and TSPY_ZBOT.ILC.

Figure 1. A typical ZBOT infection diagram
Recent spam runs have also shown increasing diversity in targets. Two notable samples indicate that the spammers are becoming bolder and are finding new ways to top the malware charts: spammed messages supposedly from various companies' IT support personnel that used the actual companies' domain names in both the From and To addresses, and messages purporting to come from the National Intelligence Council (NIC) that primarily targeted people and organizations with .gov and .mil email addresses. To a certain extent, ZBOT is becoming more selective about its audience.
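The following Python script is an added example, not part of the original Spotlight and not Trend Micro's own tooling. It shows the mail-gateway check a defender would want for the first lure above: a message whose From and To addresses both carry the protected organization's domain is accepted only if the organization's own MX authenticated it and it was delivered from an internal relay. The domain name, the internal address range, and the three sample messages are constructed for illustration.

```python
"""Gateway check for the same-domain IT-support lure described above.

Added example: a message whose From and To both carry the organisation's
own domain must also have passed SPF at our MX and have been handed over
by an internal relay; otherwise it is treated as spoofed. The domain,
relay range and three messages below are constructed for illustration.
"""
import email
import ipaddress
import re
from email import policy
from email.utils import parseaddr

ORG_DOMAIN = "example-corp.test"                      # assumed protected domain
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]  # assumed internal relay range

# Constructed sample messages (not real captures). The Authentication-Results
# and topmost Received header of each is what our own MX would have stamped.
SAMPLES = [
    # Legitimate internal notice: SPF passes and the relay is internal.
    "From: IT Support <helpdesk@example-corp.test>\n"
    "To: alice@example-corp.test\n"
    "Subject: Scheduled maintenance\n"
    "Authentication-Results: mx.example-corp.test; spf=pass smtp.mailfrom=example-corp.test\n"
    "Received: from mail.example-corp.test (mail.example-corp.test [10.0.0.25])\n"
    "\tby mx.example-corp.test with ESMTP\n"
    "\n"
    "Maintenance tonight.\n",
    # Lure: both addresses use the company domain and the HELO name is forged
    # to look internal, but SPF fails and the connection came from outside.
    "From: IT Support <it-support@example-corp.test>\n"
    "To: bob@example-corp.test\n"
    "Subject: Update your Outlook settings\n"
    "Authentication-Results: mx.example-corp.test; spf=fail smtp.mailfrom=example-corp.test\n"
    "Received: from mail.example-corp.test (unknown [203.0.113.7])\n"
    "\tby mx.example-corp.test with ESMTP\n"
    "\n"
    "Please run the attached settings update.\n",
    # Partner newsletter: outside the scope of this rule.
    "From: news@partner.test\n"
    "To: carol@example-corp.test\n"
    "Subject: Newsletter\n"
    "Authentication-Results: mx.example-corp.test; spf=pass smtp.mailfrom=partner.test\n"
    "Received: from mail.partner.test (mail.partner.test [198.51.100.9])\n"
    "\tby mx.example-corp.test with ESMTP\n"
    "\n"
    "Hello.\n",
]


def parse(raw):
    """Parse raw RFC 5322 text into an EmailMessage."""
    return email.message_from_string(raw, policy=policy.default)


def address_domain(header_value):
    """Lowercased domain of an address header; '' if there is none."""
    _, addr = parseaddr(str(header_value or ""))
    return addr.rpartition("@")[2].lower()


def spf_result(msg):
    """The spf= verdict from Authentication-Results ('none' if absent)."""
    match = re.search(r"\bspf=(\w+)", str(msg.get("Authentication-Results", "")))
    return match.group(1).lower() if match else "none"


def connecting_ip(msg):
    """IP of the host that handed the message to our MX.

    The topmost Received header is the one our MX added. The bracketed
    address in it comes from the TCP connection, not from the sender's
    HELO name, so unlike the hostname it cannot simply be forged."""
    received = msg.get_all("Received") or []
    if not received:
        return None
    match = re.search(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]", str(received[0]))
    return ipaddress.ip_address(match.group(1)) if match else None


def is_same_domain_spoof(raw):
    """True if the message claims to be internal-to-internal but either
    failed SPF at our MX or did not arrive from an internal relay."""
    msg = parse(raw)
    if address_domain(msg["From"]) != ORG_DOMAIN or address_domain(msg["To"]) != ORG_DOMAIN:
        return False  # rule only covers mail that claims to be our own
    ip = connecting_ip(msg)
    internal = ip is not None and any(ip in net for net in INTERNAL_NETS)
    return spf_result(msg) != "pass" or not internal


def flagged_subjects(samples=SAMPLES):
    """Subjects of the sample messages the rule would quarantine."""
    return [str(parse(raw)["Subject"]) for raw in samples if is_same_domain_spoof(raw)]


if __name__ == "__main__":
    for subject in flagged_subjects():
        print("quarantine:", subject)
```

Two points the rule depends on: the gateway must strip any Authentication-Results header that arrives from outside before stamping its own, or a sender can simply write spf=pass into the message; and the relay check uses the connection address recorded in the Received header rather than the HELO name, which the second sample deliberately forges.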
Kneber’s Five Minutes of Fame
While it has been established that Kneber is no different from the ZeuS botnet that compromised some 100 million IP addresses, questions remain about its true nature, such as where the name "Kneber" came from. As mentioned in an FAQ page, the name was derived from the email address (HilaryKneber[at]yahoo.com) that figured in this specific ZBOT campaign. More notable about that email address, however, is its earlier involvement in a money-mule scam and in several domains that serve as malware vectors. This further shows that the operators behind Kneber are no newcomers to this long-running crimeware episode.

Figure 2. A tailor-made ZBOT spam
While Kneber does not bring anything new to the ZBOT/ZeuS story, its stint in the limelight serves as a critical reminder that this data-stealing malware is alive and well. As Trend Micro's report The Future of Threats and Threat Technologies: How the Landscape Is Changing notes, bots cannot be stopped, at least not in the foreseeable future. Likewise, cybercrime will persist as the underground economy continues to thrive and attract even more criminals.

User Risks and Exposure
As mentioned earlier, cybercriminals compile a list of bank, financial-institution, social-networking, and e-commerce sites from which they try to steal sensitive information such as user names and passwords. ZBOT variants monitor users' browsing activity (both HTTP and HTTPS), using window titles or address-bar URLs as the triggers that start data capture on the listed sites. Because the data is captured inside the browser before it is encrypted, an HTTPS connection offers no protection against this theft. The routine exposes users' account information, which may then be used without authorization; stolen accounts can also be used in money-mule scams. Users should thus note that when it comes to ZBOT, information is "gold."
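As an added illustration of the trigger logic described above (example code, not from the original Spotlight or from any ZBOT sample), the script below shows how a target list written as URL masks, where "*" matches any run of characters, and a list of window-title fragments decide which visits trip the data-capture routine. The mask format is a simplified assumption, and the masks, titles, and browsing sample are constructed for the example.

```python
"""Trigger matching in the style of a ZBOT/ZeuS target list.

Added example: the masks, window-title fragments and visited URLs below are
constructed for illustration, and the '*' wildcard format is a simplified
assumption about how such lists are written.
"""
import re

# Constructed URL masks: '*' matches any run of characters (assumed format).
TARGET_MASKS = [
    "https://online.examplebank.test/login*",
    "*://www.facebook.com/login*",
    "https://signin.ebay.test/*",
]

# Constructed window-title fragments that also act as triggers (assumed).
TITLE_TRIGGERS = [
    "Online Banking - Sign In",
    "Log in to Facebook",
]


def mask_to_regex(mask):
    """Turn a '*' wildcard mask into an anchored, case-insensitive regex.

    Everything except '*' is matched literally, so '.' and '?' in a mask
    cannot widen the match by accident."""
    literal_parts = re.escape(mask).split(r"\*")
    return re.compile("^" + ".*".join(literal_parts) + "$", re.IGNORECASE)


COMPILED_MASKS = [(mask, mask_to_regex(mask)) for mask in TARGET_MASKS]


def matching_mask(url):
    """Return the first mask that matches the full URL, or None."""
    for mask, regex in COMPILED_MASKS:
        if regex.match(url):
            return mask
    return None


def title_trigger(window_title):
    """Return the first fragment contained in the window title, or None."""
    lowered = window_title.lower()
    for fragment in TITLE_TRIGGERS:
        if fragment.lower() in lowered:
            return fragment
    return None


def triggered(visits):
    """Evaluate (url, window_title) pairs the way the bot would.

    Returns one (url, reason) tuple per visit that trips either a URL mask
    or a window-title fragment; visits that match nothing are dropped."""
    hits = []
    for url, title in visits:
        mask = matching_mask(url)
        if mask:
            hits.append((url, "url mask: " + mask))
            continue
        fragment = title_trigger(title)
        if fragment:
            hits.append((url, "window title: " + fragment))
    return hits


# Constructed browsing sample (not a real capture). The second visit shows
# why the title trigger exists: the http:// URL misses the https:// mask,
# but the page title still gives the bot what it needs.
VISITS = [
    ("https://online.examplebank.test/login?lang=en", "Online Banking - Sign In"),
    ("http://online.examplebank.test/login", "Online Banking - Sign In"),
    ("https://www.facebook.com/login.php", "Log in to Facebook"),
    ("https://news.example.test/", "Today's headlines"),
    ("https://signin.ebay.test/ws/eBayISAPI.dll?SignIn", "Sign in"),
]

if __name__ == "__main__":
    for url, reason in triggered(VISITS):
        print(url, "->", reason)
```

The same matcher is useful on the defending side: run your own login URLs and page titles through a target list recovered from a sample to see whether your organization's users are among the ones a given build goes after.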

Trend Micro Solutions and Recommendations
Trend Micro™ Smart Protection Network™ delivers security infrastructure that is smarter than conventional
approaches. Leveraged across Trend Micro’s solutions and services, Smart Protection Network™ combines unique
in-the-cloud reputation technologies with patent-pending threat correlation technology to immediately and
automatically protect your information wherever you connect.
In this attack, Smart Protection Network™'s email reputation service blocks the related spammed messages before they reach users' inboxes. Its Web reputation service prevents access to identified malicious domains and subdomains, including the two URLs a ZBOT build typically uses: one to download its configuration file and one to download binary updates or payloads. Finally, the file reputation service detects and removes malicious files related to all known ZBOT variants.
The following posts at the TrendLabs Malware Blog discuss this threat:
http://blog.trendmicro.com/rock-phishers-up-the-ante-with-more-digital-certificates/
http://blog.trendmicro.com/phishing-in-the-guise-of-enhancing-security/
http://blog.trendmicro.com/bogus-balance-checker-tool-carries-malware/
http://blog.trendmicro.com/are-you-being-facebook-phished/
http://blog.trendmicro.com/zbot-spam-campaign-continues/
http://blog.trendmicro.com/zbot-variant-spoofs-the-nic-to-spam-other-government-agencies/
The virus reports are found here:
http://threatinfo.trendmicro.com/vinfo/grayware/ve_graywareDetails.asp?GNAME=TSPY_ZBOT.ILA
http://threatinfo.trendmicro.com/vinfo/grayware/ve_graywareDetails.asp?GNAME=TSPY_ZBOT.ILB
http://threatinfo.trendmicro.com/vinfo/grayware/ve_graywareDetails.asp?GNAME=TSPY_ZBOT.ILC
Other related posts are found here:
http://about-threats.trendmicro.com/VINFO/RelatedThreats.aspx?id=16&language=en&name=The%20ZeuS,%20ZBOT,%20and%20Kneber%20Connection&tab=malware
http://www.networkworld.com/news/2009/102309-avalanche-phishing.html?hpg1=bn
http://www.pcworld.com/article/189717/kneber_botnet_attacks_pcs_worldwide_faq.html
http://www.krebsonsecurity.com/2010/02/zeus-attack-spoofs-nsa-targets-gov-and-mil
http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/wp03_ghosts_090930us__2_.pdf
http://blogs.zdnet.com/security/?p=5508
http://ddanchev.blogspot.com/2009/12/celebrity-themed-scareware-campaign_07.html
http://countermeasures.trendmicro.eu/kneber-for-sale-or-rent-rooms-to-let-50-cents/
http://us.trendmicro.com/imperia/md/content/us/trendwatch/researchandanalysis/trend_micro_2010_future_threat_report_final.pdf
