SPAM frauds, fakes, and other MALWARE deliveries - archive

Zeus campaign targeting gov't dept's...

FYI...

Zeus Campaign Targeted Government Departments
- http://securitylabs.websense.com/content/Alerts/3546.aspx?cmpid=slalert
02.08.2010 - "Websense... has discovered a new Zeus campaign (a banking data stealing Trojan) which is now targeting government departments. Our research shows that the campaign has especially targeted workers from government and military departments in the UK and US: we found most victims' email addresses end with .gov... thousands of emails which pretend to be from the National Intelligence Council. The email subjects include:
"National Intelligence Council"
"RE: National Intelligence Council"
"Report of the National Intelligence Council"
The spoofed emails lure victims to download a document about the "2020 project"; this is actually a Zeus bot. The Web sites which host the bot look very trustworthy: one of them is a compromised organization Web site and the other is located on a popular file hosting service. The bot has rootkit capabilities and connects to C&C servers at update*snip* .com and pack*snip* .com to report back on a successful infection and to download some archives with DLLs, it also modifies the hosts file to prevent updates from popular anti-virus vendors... the anti-virus detection rate for this bot is currently at 26/40*."
* http://www.virustotal.com/analisis/...e610f56b01cd36a18db67d8a0c81c434c4-1265615954
File 2020.exe_ received on 2010.02.08 07:59:14 (UTC)
Result: 26/40 (65.00%)
(Screenshots available at the Websense URL above.)

- http://www.krebsonsecurity.com/2010/02/zeus-attack-spoofs-nsa-targets-gov-and-mil/
February 6, 2010 - "... The scam e-mails may seem legitimate because the name of the booby-trapped file mimics a legitimate 2020 Project report*** published by the NIC, which has a stated goal of providing US policymakers “with a view of how the world developments could evolve, identifying opportunities and potentially negative developments that might warrant policy action.” Only 16 of the 39 anti-virus scanners used by Virustotal.com detect the file** as malicious, and those that do mostly label it as a variant of the Zeus/Zbot Trojan..."
** http://www.virustotal.com/analisis/...2dbdf03d5d7c0d7f00883afcb6a7e2f610-1265331501
File 2020.zip.txt received on 2010.02.05 00:58:21 (UTC)
Result: 16/39 (41.03%)
*** http://www.dni.gov/nic/NIC_2020_project.html

- http://www.threatexpert.com/report.aspx?md5=3cfc97f88e7b24d3ceecd4ba7054e138
7 February 2010

- http://www.m86security.com/labs/i/Inside-a-Pushdo-Zeus-Campaign,trace.1233~.asp
February 7, 2010 M86 Security - "... another Zeus campaign that we observed last week..."

:fear::mad:
 
Zeus targeted attacks continue...

FYI...

Zeus targeted attacks continue
- http://securitylabs.websense.com/content/Alerts/3550.aspx?
02.11.2010 - "Websense... has discovered a follow-up attack on the Zeus campaign targeting government departments. Its research shows that once again the campaign is targeting workers from government and military departments globally... The Websense ThreatSeeker Network has seen thousands of emails pretending to be from a reputable figure within the Central Intelligence Agency... The email subject is:
"Russian spear phishing attack against .mil and .gov employees"...
The spoofed emails capitalize on the last Zeus attack, and claim that installing the Windows update via the links provided will aid protection against Zeus attacks. The binary file downloaded from these links is identified as a Zeus bot and has a 35% AV detection rate*. Once again URLs in the email messages lead to a malicious file hosted on a compromised host, and also on a popular file hosting service. Once installed, the bot has identical functionality to the one mentioned in the previous alert. After the Zeus rootkit component is installed the C&C server at update[removed].com is contacted to download an encrypted configuration file. Another data stealing component gets downloaded and installed from the same C&C in the shape of a Win32 Perl script compiled with Perl2Exe - this data-stealing component has only a 5% AV detection rate**. Then the bot starts to connect with a credential-based FTP server at pack[removed].com to upload stolen data. The Zeus bot is normally designed to steal banking credentials; however it has also been seen in targeted attacks to steal other sensitive data..."
* http://www.virustotal.com/analisis/...c9e1e55b15669658f9218d246d49e8c476-1265856371
File KB823988.exe received on 2010.02.11 02:46:11 (UTC)
Result: 14/41 (34.15%)
** http://www.virustotal.com/analisis/...865e4f943fbb4ea4e2f6c2c9b98eb43723-1265905508
File stat.exe received on 2010.02.11 16:25:08 (UTC)
Result: 2/41 (4.88%)

(Screenshots available at the Websense URL above.)

:fear::mad::fear:
 
Spammers already using Google Buzz

FYI...

Spammers already using Google Buzz
- http://securitylabs.websense.com/content/Alerts/3551.aspx?
02.11.2010 - "... Today we saw the first spam using Google Buzz to spread a message about smoking... The spammer is already following 237 people, and we can only imagine that he or she has sent similar messages to all of them. This particular message leads to a site hosted on a free Web hosting service talking about how to quit smoking. When Twitter was launched, it took a while before it was used to send spam and other malicious messages. In this case, it only took two days. It's clear that the bad guys have learned from their experience using social networks to distribute these types of messages. We hope that Google is geared up for dealing with the volume of spam it's bound to see on the new service. Until then, we advise users to be careful, as usual, when clicking on unknown links."
(Screenshot available at the URL above.)

The Buzz is getting LOUDER
- http://www.sophos.com/blogs/sophoslabs/post/8641
February 11, 2010

- http://www.eset.com/threat-center/blog/2010/02/12/is-gmail-spyware
February 12, 2010 - "... If you have a Gmail account and don’t want to broadcast to the world who you chat with and email the most, then when you log into Gmail, immediately scroll to the bottom of the page and turn off Buzz..."

:fear::fear:
 
IRS themed Zeus exploits...

FYI...

IRS themed Zeus exploits...
- http://ddanchev.blogspot.com/2010/02/irsphotoarchive-themed-zeusclient-side.html
February 15, 2010 - "As anticipated, the botnet masters behind the systematically rotated campaigns dissected in previous posts, kick off the week with multiple campaigns parked on the newly introduced fast-fluxed domains. In a typical multitasking fashion, two campaigns are currently active on different sub domains introduced at the typosquatted fast-flux ones, impersonating the U.S. IRS with "Unreported/Underreported Income (Fraud Application) theme", as well as a variation of the already profiled PhotoArchive campaign, using a well known "You don't have the latest version of Macromedia Flash Player" error message... researchers from M86 Security* gained access to the web malware exploitation kit..."
(More detail at the URL above.)

* http://www.m86security.com/trace/traceitem.asp?article=1233
February 7, 2010 - "... It has been up and running and serving exploits for nearly a day. In this time almost 40,000 unique users have been exposed to these exploits, and the Zeus file has been downloaded over 5000 times..."

:fear::mad:
 
The Wizard of Buzz

FYI...

The Wizard of Buzz
- http://securitylabs.websense.com/content/Blogs/3553.aspx
02.16.2010 - "Buzz is just a new wizard in the kingdom of Google. However, it is not hard to foresee through the crystal ball that Dorothy's journey along the yellow brick road will be full of constant attacks from the Witch of malware and her spamming monkeys. The biggest problem with Google Buzz is privacy. You can read lots of blogs and articles on this already, and this blog does not intend to examine this subject. It's enough to know that with Buzz, it is too easy to follow and read other people's messages... What is worrying for us is that it's now much easier to spread spam and malicious messages than before, thanks to this super-network. Google has reacted to these issues quickly and has changed the default settings of its social network. Unfortunately there is no change for existing users, so if you have already subscribed, you still need to tweak the settings for yourself to make it secure..."

- http://www.eset.com/threat-center/blog/2010/02/12/is-gmail-spyware
February 12, 2010 - "... If you have a Gmail account and don’t want to broadcast to the world who you chat with and email the most, then when you log into Gmail, immediately scroll to the bottom of the page and turn off Buzz..."

- http://www.pcworld.com/article/189388/why_google_has_become_microsofts_evil_twin.html

- http://www.f-secure.com/weblog/archives/00001886.html
February 18, 2010 - "... You don't get to use free services and expect to get absolute privacy. Either you offer up some of your information for enhanced services, or you don't. Remember, Google isn't your friend. It's a business..."

:fear:
 
Zeus dubbed 'Kneber'...

FYI...

Symantec ThreatCon...
- http://www.changedetection.com/log/symantec/threatconlearn_log.html
... changes: 2010-02-19 05:28 "... Symantec is aware of several reports of a strain of Zeus dubbed 'Kneber'. The Zeus exploit toolkit is often used in campaigns that have no specific target. The goal is often to infect as many systems as possible. This strain is reported to harvest personal information from the victim that attackers can use for financial gain. Customers are advised to ensure that antivirus products are up to date. Symantec detects this threat as Trojan.Zbot.
Trojan.Zbot
http://securityresponse.symantec.com/security_response/writeup.jsp?docid=2010-011016-3514-99
Zeus Toolkits...
> http://www.symantec.com/connect/blogs/zeus-king-underground-crimeware-toolkits
August 25, 2009

- http://blog.threatfire.com/2010/02/a-zbot-botnet-dubbed-kneber.html
February 18, 2010

- http://www.netwitness.com/resources/pressreleases/feb182010.aspx
February 18, 2010

- http://www.f-secure.com/weblog/archives/00001887.html
February 19, 2010

- http://www.krebsonsecurity.com/2010/02/zeus-a-virus-known-as-botnet/
February 19, 2010

:fear:
 
Zeus exploit svr morphs in the Wild

FYI...

Zeus exploit svr morphs in the Wild...
- http://ddanchev.blogspot.com/2010/02/irsphotoarchive-themed-zeusclient-side.html
UPDATED: Saturday, February 20, 2010 - "The client-side exploit serving iFrame directory has been changed to 91.201.196.101 /usasp11/in.php, with another typosquatted portfolio of domains currently being spamvertised.

Detection rates: update.exe - Trojan.Zbot - Result: 25/40 (62.5%) (phones back to trollar.ru /cnf/trl.jpg - 109.95.114.133 - Email: bernardo_pr @inbox .ru ); file.exe - Trojan.Spy.ZBot.12544.1 - Result: 26/41 (63.42%); ie.js - JS:CVE-2008-0015-G - Result: 14/40 (35%); ie2.js - Exploit:JS/CVE-2008-0015 - Result: 17/40 (42.5%); nowTrue.swf - Trojan.SWF.Dropper.E - Result: 24/41 (58.54%); pdf.pdf - Exploit.JS.Pdfka.bln - Result: 11/41 (26.83%); swf.swf - SWF/Exploit.Agent.BS - Result: 8/40 (20%)..."

(More detail at the ddanchev URL above.)

:fear::mad:
 
Twitter Worm making the rounds

FYI...

New Twitter Worm making the rounds
- http://blog.trendmicro.com/twitter-worm/
Feb. 24, 2010 - "A new Twitter worm is making the rounds. If you receive a direct message from a “friend” that contains the following message:
“This you????”
It is likely malicious. Clicking the link, http: //twitter.login.{BLOCKED}home.org/login/, will -redirect- you to a sub page of the said domain. You will then be prompted to log in to your Twitter account... Once you log in, your credentials will be stolen and all of your followers will receive a direct message from you with a link to the same site, allowing the worm to further propagate. Doubtlessly, at some point in the future, the cybercriminals behind this attack will use the same stolen credentials to send out other malicious content from a huge number of compromised Twitter accounts. So remember, think before you click!..."

(Screenshots available at the URL above.)

- http://www.f-secure.com/weblog/archives/00001893.html
February 25, 2010 - "... phrases such as "This you??" or "LOL is this you" are linking victims towards a Twitter login phishing page. If the bait is taken and the victim enters their password, Twitter's infamous "fail whale" is displayed and the user is returned to their account. They might not even realize that their account details have been compromised..."

- http://sunbeltblog.blogspot.com/2010/02/twitter-search-is-finding-rogues-thanks.html
February 25, 2010

:fear::mad:
 
More-Zeus-client-side-exploits-serving-iFrame ...in the Wild...

FYI...

More-Zeus-client-side-exploits-serving-iFrame ...in the Wild...
- http://ddanchev.blogspot.com/2010/02/irsphotoarchive-themed-zeusclient-side.html
SECOND UPDATE for Wednesday, February 24, 2010 - Another portfolio of new domains is being spamvertised, using the old PhotoArchive theme. The client-side exploits serving iFrame directory has been changed to 91.201.196.101 /usasp33/in.php currently serving CVE-2007-5659; CVE-2008-2992; CVE-2008-0015; CVE-2009-0927 and CVE-2009-4324.
Sample detection rates: update.exe - Trojan-Spy.Win32.Zbot.gen - Result: 10/42 (23.81%); file.exe - Trojan-Spy.Win32.Zbot.gen - Result: 10/42 (23.81%). Samples phone back to the same C&C where samples from previous campaigns were also phoning back to - trollar.ru /cnf/trl.jpg..."

(More detail at the URL above.)

- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2007-5659
"... Multiple buffer overflows in Adobe Reader and Acrobat 8.1.1 and earlier allow remote attackers to execute arbitrary code via a PDF file..."
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-2992
"... Stack-based buffer overflow in Adobe Acrobat and Reader 8.1.2 and earlier allows remote attackers to execute arbitrary code via a PDF file..."
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2008-0015
"... MS09-032... MS09-037..."
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-0927
"... Stack-based buffer overflow in Adobe Reader and Adobe Acrobat 9 before 9.1, 8 before 8.1.3, and 7 before 7.1.1 allows remote attackers to execute arbitrary code..."
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2009-4324
"... Use-after-free vulnerability in the Doc.media.newPlayer method in Multimedia.api in Adobe Reader and Acrobat 9.x before 9.3, and 8.x before 8.2 on Windows and Mac OS X, allows remote attackers to execute arbitrary code..."

- http://blog.trendmicro.com/whats-the-juice-on-zeus/
Mar. 4, 2010 - "... ZeuS has been entrenched in the cybercriminal business for a long time now and has continuously evolved and improved. Given the vast number of toolkit versions readily available in the underground, the features ZeuS possesses to thwart both antivirus and other security solutions, as well as efforts by the security industry, ZeuS will continue to be used by cybercriminals to steal personal information and even people’s identities..."

:mad::fear::mad:
 
Rogue Facebook app propagates via users

FYI...

Rogue Facebook app propagates via users
- http://securitylabs.websense.com/content/Blogs/3563.aspx
02.26.2010 - "The latest scam targeted at Facebook users hit the public today. The rogue app, which comes in many variants of "Who is checking your profile?", has improved its technique beyond the previous attacks we've seen. Rather than spreading a single app that Facebook can easily block, it tricks users into propagating the exploit by creating a brand new Facebook application that hands over the controls to the bad guys. The attack starts with a friend, whom you trust, posting a link on your wall, asking you who is checking your profile. It also entices you by telling you that your friend is viewing your profile. The draw itself has been around for a long time, and the idea of being able to tell which users have looked at your profile is an attractive proposition. But Facebook policy and the API itself prevent this capability, which means that all applications that promise this feature are bogus... The most important thing for Facebook users to remember is that clicking “Allow” authorizes an application, and by doing so you are giving it the proverbial “keys to the kingdom.” Do not add any applications that you do not trust..."

(More detail and screenshots at the Websense URL above.)

:fear::mad:
 
Blackhat SEO PDF - Chile and Hawaii disasters

FYI...

Blackhat SEO PDF - Chile and Hawaii disasters
- http://securitylabs.websense.com/content/Alerts/3568.aspx?
02.28.2010 - "Over 13% of all searches on Google* looking for popular and trending topics will lead to malicious links and searching for the latest news on the earthquake in Chile and the tsunami hitting Hawaii are no exception. Both are now used to lure people into downloading fake antivirus products. Usually the links in the search results look like ordinary links pointing to regular web pages. This time the bad guys have changed tactics to make their search results look even more convincing, by tricking Google into thinking it's a PDF file... Google tells you the file format is PDF and not HTML. That's not true, it is in fact a regular HTML page that when visited will redirect the user to a page that looks like this - just another rogue AV fake scanning page. This one, just like the majority of rogue AV sites we have seen this week, is in the .IN TLD which is the top-level domain for India. By making the search result look like a PDF it gives the link more authenticity. Perhaps it's a research paper or at least a more well written article. The likelihood that a user will click on these types of links is probably higher than if it were just another random web link... The Rogue AV file itself is currently detected by 26.20%** of the antivirus engines used by VirusTotal..."
* http://preview.tinyurl.com/yzv4nze

(Screenshots available at the Websense URL above.)

** http://www.virustotal.com/analisis/...bc130f62812d6261833b073a23240260c8-1267321093
File packupdate_build6_287.exe received on 2010.02.28 01:38:13 (UTC)
Result: 11/41 (26.83%)

:fear::mad:
 
ESET stats on infections

FYI...

ESET statistics on infections
- http://www.eset.com/threat-center/blog/2010/03/02/more-statistics-on-infections
March 2, 2010 - "... the statistics we are seeing through our online scanner logs are consistent with our observation from last September. We are seeing an average of 3 different malware families per infected computer. This means that on average, when a computer is infected, we find three different malware families installed on it... The average of different malware families per infected hosts in the United States is close to the global average. On the other hand, this number reaches 4.5 in China where it has one of the highest values. This indicates that malware operations are not conducted the same way around the world. We usually see fewer bank information stealers in Asia but more online game password stealers. Online game password stealers are usually installed by other malware families and don’t propagate by themselves, explaining why we see a higher average in China than in the United States. On a daily basis, ESET is collecting more than 200,000 new and unique binary malicious files..."
___
... which translates to over 73 million new malware items for 2010, a record rate by any standard.

:fear:
 
Huge update: malicious advertising domains

FYI...

Huge update: malicious advertising domains...
- http://www.malwaredomains.com/wordpress/?p=870
March 5, 2010 - "We are adding the malicious domains being served up at ad banner networks based on the listings at malwaredomainlist and trojaned binaries. Most of these malicious ad banners serve up fake antivirus scareware. There are also a few phishing and zeus domains in this update..."

- http://www.malwaredomains.com/wordpress/?p=864
March 4, 2010 - "From SANS*: Block google-analitics (dot) net and salefale (dot) com ASAP. Sites will be added on the next update..."
* http://isc.sans.org/diary.html?storyid=8350

- http://www.malwaredomains.com/wordpress/?page_id=2
"The DNS-BH project creates and maintains a listing of domains that are known to be used to propagate malware and spyware. This project creates the Bind and Windows zone files required to serve fake replies to localhost for any requests to these, thus preventing many spyware installs and reporting. This list is also available in AdBlock and ISA Format..."

:fear::fear:
 
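The DNS-BH approach quoted above (an authoritative zone per blocked domain, all answered from one file that points at localhost), as an added example in Python; this is not the DNS-BH project's own generator. The zone file path, the SOA serial and the exact statement layout are assumptions in the common Bind style; the sample domains are the two named in the SANS note.

```python
"""Build a DNS sinkhole configuration in the style described by DNS-BH:
every listed malicious domain becomes a master zone on the resolver, and
the shared zone file answers 127.0.0.1 for the domain and everything
under it, so infected hosts never reach the real site.
Assumed: the zone file path, the serial and the statement layout below.
"""
import re
from typing import Iterable, List, Optional

# RFC 1123 label syntax: letters, digits, hyphens; no leading/trailing hyphen.
_LABEL_RE = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")
# Advisories often defang names as "example (dot) com"; undo that first.
_DEFANG_RE = re.compile(r"\s*\(dot\)\s*")

SINKHOLE_ZONE_FILE = "/etc/namedb/blockeddomain.hosts"   # assumed path
SINKHOLE_ADDRESS = "127.0.0.1"


def normalize_domain(raw: str) -> Optional[str]:
    """Return the canonical domain name, or None if the entry is malformed.

    Accepts the "(dot)"-defanged form, lowercases, strips a trailing dot and
    rejects single-label names (blocking "localhost" or a bare TLD would be a
    self-inflicted outage rather than a sinkhole).
    """
    name = _DEFANG_RE.sub(".", raw.strip().lower()).rstrip(".")
    if not name or len(name) > 253:
        return None
    labels = name.split(".")
    if len(labels) < 2 or not all(_LABEL_RE.match(label) for label in labels):
        return None
    return name


def bind_zone_declarations(domains: Iterable[str]) -> List[str]:
    """One zone statement per valid domain, duplicates dropped, all served
    from the shared sinkhole zone file."""
    seen = set()
    out: List[str] = []
    for raw in domains:
        name = normalize_domain(raw)
        if name is None or name in seen:
            continue   # malformed or repeated entry: skip rather than break named
        seen.add(name)
        out.append(f'zone "{name}" {{ type master; file "{SINKHOLE_ZONE_FILE}"; }};')
    return out


def sinkhole_zone_file(serial: int = 2010030501) -> str:
    """The shared zone file: apex and wildcard both resolve to the sinkhole."""
    return "\n".join([
        "$TTL 86400",
        f"@ IN SOA localhost. root.localhost. ( {serial} 3600 900 604800 86400 )",
        "@ IN NS localhost.",
        f"@ IN A {SINKHOLE_ADDRESS}",
        f"* IN A {SINKHOLE_ADDRESS}",
    ]) + "\n"


if __name__ == "__main__":
    # Constructed input: the two names from the SANS note, one defanged.
    feed = ["google-analitics (dot) net", "salefale.com", "salefale.com.", "not a domain"]
    print("\n".join(bind_zone_declarations(feed)))
    print(sinkhole_zone_file())
```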
USB battery charger software allows remote system access...

FYI...

Energizer DUO USB Battery Charger Software Allows Remote System Access
- http://www.us-cert.gov/current/#engergizer_duo_usb_battery_charger
March 8, 2010 - "US-CERT is aware of a backdoor in the software for the Energizer DUO USB battery charger. This backdoor may allow a remote attacker to list directories, send and receive files, and execute programs on an affected system... US-CERT encourages users and administrators to review Vulnerability Note VU#154421* and apply the recommended solutions."
* http://www.kb.cert.org/vuls/id/154421

- http://www.symantec.com/connect/blogs/back-door-found-energizer-duo-usb-battery-charger-software
March 5, 2010

- http://secunia.com/advisories/38894/
Release Date: 2010-03-08
Criticality level: Highly critical
Impact: System access
Where: From remote
Solution Status: Unpatched
Solution: Uninstall the software and remove "Arucer.dll" from the Windows system32 directory.
Original Advisory: VU#154421:
http://www.kb.cert.org/vuls/id/154421

- http://phx.corporate-ir.net/phoenix.zhtml?c=124138&p=irol-newsArticle_print&ID=1399675&highlight=
March 5, 2010 - "... Energizer has discontinued sale of this product and has removed the site to download the software..."

:fear::mad:
 
Hacks steal $120M+ in 3 months: FDIC

FYI...

Hacks steal $120M+ in 3 months: FDIC
- http://www.computerworld.com/s/article/9167598/FDIC_Hackers_took_more_than_120M_in_three_months?
March 8, 2010 - "Ongoing computer scams targeting small businesses cost U.S. companies $25 million in the third quarter of 2009, according to the (FDIC). Online banking fraud involving the electronic transfer of funds has been on the rise since 2007 and rose to over $120 million in the third quarter of 2009, according to estimates presented Friday at the RSA Conference in San Francisco, by David Nelson, an examination specialist with the FDIC. The FDIC receives a variety of confidential reports from financial institutions, which allow it to generate the estimates, Nelson said. Almost all of the incidents reported to the FDIC "related to malware on online banking customers' PCs," he said. Typically a victim is tricked into visiting a malicious Web site or downloading a Trojan horse program that gives hackers access to their banking passwords. Money is then transferred out of the account using the Automated Clearing House (ACH) system that banks use to process payments between institutions. Even though banks now force customers to use several forms of authentication, hackers are still stealing money. "Online banking customers are getting too reliant on authentication and on practicing layers of controls," Nelson said... Commercial deposit accounts do not receive the reimbursement protection that consumer accounts have, so a lot of small businesses and nonprofits have suffered some relatively large losses," Nelson said. "In the third quarter of 2009, small businesses suffered $25 million in losses due to online ACH and wire transfer fraud." That's led to some nasty legal disputes, where customers say the banks should have stopped payments, and the banks argue that the customers should have protected their own computers from infection. Often small businesses do not have the controls in place to prevent unauthorized ACH payments, even when their banks make them available, Nelson said. 
"Hackers are definitely targeting higher-balance accounts and they're looking for small businesses where controls might not be very good." The FDIC's estimates are "reasonable," but they illustrate a problem that is becoming too expensive for banks and businesses, said Avivah Litan, an analyst with Gartner. She said that attacks that install a password-stealing botnet program, known as Zeus, have increased so far in 2010, so those losses may be even higher this year."

:fear::mad:
 
iPad giveaway gives users identities away

FYI...

iPad giveaway gives users identities away
- http://blog.trendmicro.com/ipad-giveaway-gives-users’-identities-away/
Mar 9, 2010 - "... spammed messages that promise free iPads to lure unwitting users into their scams. In one such spam sample, recipients are being invited to test the iPad at no cost by simply applying to be part of a “word-of-mouth” marketing campaign. They may not have to shell out a single cent but the price they have to pay will be their identities... The spammed messages instruct users to reply to the email with their personal information, which spammers could easily use for further malicious activities... This recent spam run is no different from how cybercriminals leveraged the iPad launch in January, which led to a FAKEAV variant. Users should thus continue exercising caution in opening email messages from unknown senders. It is also important to be cautious in conducting Web searches on hot topics such as the iPad, as these are often used for blackhat search engine optimization (SEO) attacks... Apple does not own any iPad-related domain names so users should really pay close attention to URLs before they click."

(Screenshots available at the URL above.)

:fear::mad::fear:
 
IC3 2009 Internet Crime Annual Report

FYI...

IC3 2009 Internet Crime Annual Report
- http://www.ic3.gov/media/2010/100312.aspx
March 12, 2010 - "... Online crime complaints increased substantially once again last year, according to the report. The IC3 received a total of 336,655 complaints, a 22.3 percent increase from 2008. The total loss linked to online fraud was $559.7 million; this is up from $265 million in 2008... Although the complaints consisted of a variety of fraud types, advanced fee scams that fraudulently used the FBI's name ranked number one (16.6 percent). Non-delivery of merchandise and/or payment was the second most reported offense (11.9 percent)... The report is posted in its entirety on the IC3 website*. The Internet Crime Complaint Center (IC3) is a joint operation between the FBI and the National White Collar Crime Center (NW3C). IC3 receives, develops, and refers criminal complaints regarding the rapidly expanding arena of cyber crime. The IC3 gives the victims of cyber crime a convenient and easy-to-use reporting mechanism utilized to alert authorities of suspected criminal or civil violations..."
* http://www.ic3.gov/media/annualreports.aspx

[ Replace the word “complaints” with “citizen-reported-criminal-activity”… ‘do same in the actual report itself. ]

- http://www.eset.com/blog/2010/03/17/were-not-talking-peanuts-here
March 17, 2010 - "... these figures relate only to the USA. Multiply those amounts many times over to give you some idea of the size of the losses on a global basis. The amount of money that is lost to global cybercrime activities is massive... because the size of the problem is often not understood, it seems to slip under the radar and often isn’t even considered a serious problem... The drug trade problem has plenty of awareness in the public eye and plenty of focus from law enforcement. Yet in fact the global cybercrime trade makes more money these days than the global drug trade..."

:fear::mad::fear:
 
ZeuS detection on your PC...

FYI...

ZeuS detection on your PC...
- http://www.secureworks.com/research/threats/zeus/
March 11, 2010 - "... How to detect the ZeuS Banking Trojan on your computer
Computers infected with this version of ZeuS will have the following files and folders installed. The location depends on whether the victim has Administrator rights. The files will most likely have the HIDDEN attribute set to hide them from casual inspection...
sdra64.exe (malware)
user.ds (encrypted stolen data file)
user.ds.lll (temporary file for stolen data)
local.ds (encrypted configuration file)
The sdra64.exe program uses process injection to hide its presence in the list of running processes. Upon startup, it will inject code into winlogon.exe (if Administrator rights available) or explorer.exe (for non-Administrators) and exit. The injected code infects other processes to perform its data theft capabilities..."

(More detail available at the URL above.)

:mad::mad:
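A host check for the four on-disk artifacts SecureWorks lists above, as an added example (not SecureWorks code): it matches the file names case-insensitively, reports whether each carries the Windows HIDDEN attribute, and leaves the choice of directories to the caller, since the write-up only says the location depends on Administrator rights. The sample listing in the script is constructed.

```python
"""Look for the ZeuS files named in the SecureWorks write-up (sdra64.exe,
user.ds, user.ds.lll, local.ds) and report whether they are hidden.
Added example; which directories to scan is an assumption left to the caller.
"""
import os
import stat
from typing import Dict, Iterable, List, Tuple

# Artifact name -> role, exactly as the write-up describes them.
ZEUS_ARTIFACTS: Dict[str, str] = {
    "sdra64.exe": "malware",
    "user.ds": "encrypted stolen data file",
    "user.ds.lll": "temporary file for stolen data",
    "local.ds": "encrypted configuration file",
}


def _basename(path: str) -> str:
    """Last path component, accepting both Windows and POSIX separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1]


def match_artifact(filename: str) -> str:
    """Role of a known ZeuS file (case-insensitive match), or '' if not one."""
    return ZEUS_ARTIFACTS.get(filename.lower(), "")


def is_hidden(st: os.stat_result) -> bool:
    """True when the Windows HIDDEN attribute is set; always False on other OSes."""
    attrs = getattr(st, "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0x2))


def scan_listing(entries: Iterable[Tuple[str, bool]]) -> List[dict]:
    """Core logic over (path, hidden) pairs, so it can be tested without a filesystem."""
    hits = []
    for path, hidden in entries:
        role = match_artifact(_basename(path))
        if role:
            hits.append({"path": path, "role": role, "hidden": hidden})
    return hits


def scan_directories(dirs: Iterable[str]) -> List[dict]:
    """Collect (path, hidden) for regular files in each directory, then match.
    Unreadable or missing directories are skipped rather than aborting the scan."""
    listing: List[Tuple[str, bool]] = []
    for d in dirs:
        try:
            with os.scandir(d) as it:
                for entry in it:
                    if entry.is_file(follow_symlinks=False):
                        listing.append((entry.path, is_hidden(entry.stat(follow_symlinks=False))))
        except OSError:
            continue
    return scan_listing(listing)


def summarize(hits: List[dict]) -> str:
    """Triage line: the dropper itself is the strong signal; data/config files
    alone still warrant looking at the injected winlogon.exe/explorer.exe."""
    roles = {h["role"] for h in hits}
    if "malware" in roles:
        return "ZeuS dropper present (sdra64.exe found)"
    if roles:
        return "ZeuS data/config files found without the dropper; inspect winlogon.exe/explorer.exe"
    return "no ZeuS artifacts found"


if __name__ == "__main__":
    # Constructed listing standing in for a real directory walk.
    sample = [
        ("C:\\Windows\\system32\\sdra64.exe", True),
        ("C:\\Windows\\system32\\kernel32.dll", False),
        ("C:\\Windows\\system32\\local.ds", True),
    ]
    found = scan_listing(sample)
    for h in found:
        print(f"{h['path']}: {h['role']} (hidden={h['hidden']})")
    print(summarize(found))
```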
 