Zeus

In November 2010, Panin allegedly received the source code and rights to sell Zeus from Evginy Bogachev, a/k/a Slavik, and incorporated many components of Zeus into SpyEye.

According to data recorded by Abuse.ch, some of the domains Microsoft seized appear to belong to legitimate businesses whose sites were compromised and used to host components of the malware infrastructure.

There is evidence he also was using his own botnet kit or at least taking a fee to set up instances of it on behalf of buyers. In late 2009, security researchers had tracked dozens of Zeus control servers

This report takes a look at Avalanche’s evolution, examining how these e-criminals have incorporated interrelated methods—including phishing, malware, botnets, and spam—into their work.

These lures took victims to “drive-by download” sites, where the criminals infected vulnerable machines.

"Avalanche" is the name given to the world's most prolific phishing gang and to the infrastructure it uses to host phishing sites. And this is the group that has shifted additional resources to the creation of spoof sites and spam lures that distributed the very latest, most malignant Zeus variants.

The businesses were hit with the Zeus Trojan embedded in the phishing emails.

Avalanche sent false alerts/updates purporting to be from popular social networking sites, and lures that offered popular software upgrades, and fake downloadable forms from tax authorities.

Use of URL-shortening services (such as bit.ly and tinyurl.com) by phishers may be a growing trend. URL shorteners can be useful for launching social engineering attacks via services such as Twitter.

These days it seems more often involved in sending emails that try to trick recipients into opening malware-laden attachments, most often variants of the ZeuS and SpyEye trojans.

The malware operates via a browser extension in Firefox or via a Browser Helper Object in Microsoft Corp.'s Internet Explorer.

the government believes is responsible for building and distributing the ZeuS banking Trojan . Bogachev is thought to be a core architect of ZeuS, a malware strain that has been used to steal hundreds of millions of dollars from bank accounts

By patching the memory tables or injecting directly into memory, this technique can be used by malware authors to bypass Windows UAC (User Account Control).

Specifically, Harderman says he wants to turn the guts of the Trojan into a rootkit, and to build additional functionality on top, in the form of modular plug-ins.

To keep them under the antivirus radar, Nigerian actors techniques use "crypters" - software tools designed to encrypt, obfuscate, and modify malware.

GOZ, however, utilizes a P2P network of infected hosts to communicate and distribute data, and employs encryption to evade detection.

The criminals posed as employees of the business, moving thousands of dollars to overseas locations.

the government believes is responsible for building and distributing the ZeuS banking Trojan . Bogachev is thought to be a core architect of ZeuS, a malware strain that has been used to steal hundreds of millions of dollars from bank accounts

SpyEye made headlines this year when investigators discovered it automatically searched for and removed ZeuS from infected PCs before installing itself.

infected tens of millions of computers, harvested huge volumes of sensitive financial data

Trojans like ZeuS and SpyEye have the built-in ability to keep logs of every keystroke a victim types on his or her keyboard

others used it just as a piece of malware to log information that ZeuS collected from victims from either the keystroke logging, or the built-in POST data logging, which worked for both HTTP and HTTPS websites

In 2007 the first large scale attacks took place, that used the ZeuS bank attack configuration called “webinjects”... While ZeuS is a versatile malware kit... its key strength is in browser manipulation through the use of its dynamic configuration.

Information stealers seem to be the preferred type of malware to help in their fraudulent email attacks... The attacker can pilfer data about the targets and use it to create efficient messages for diverting transactions or asking money to be sent to fraudsters' account.

According to its ad, the malware could self-propagate to other computers once it infected a victim, could steal banking credentials, and could carry out DDOS attacks.

infected tens of millions of computers, harvested huge volumes of sensitive financial data

Trojans like ZeuS and SpyEye have the built-in ability to keep logs of every keystroke a victim types on his or her keyboard

others used it just as a piece of malware to log information that ZeuS collected from victims from either the keystroke logging, or the built-in POST data logging, which worked for both HTTP and HTTPS websites

In 2007 the first large scale attacks took place, that used the ZeuS bank attack configuration called “webinjects”... While ZeuS is a versatile malware kit... its key strength is in browser manipulation through the use of its dynamic configuration.

Scripts can be injected via a variety of methods, including cross-site scripting, man-in-the-browser, man-in-the-middle, or a compromise of the remote website.

Zeus distribution also relies on the registration of domain names for spamming, drive-by-download sites, and Zeus command-and-control domains.

The peer-to-peer layer merely functioned as a reliable and robust communication mechanism, and a way to hide the next layers of the infrastructure in order to become more resistant to takedown activity.

Whit this so-called initial access, even more dangerous software can then be installed.

bot_bc_add vnc <ip> <port> ... Most of these commands are used... to... connect to the victim’s desktop... One specific plugin that was seen, was a VNC component before the plugin VNC was actually built into the malware itself.

Scammers running business email compromise (BEC) fraud have grown in number, attack more often, and turn to remote access trojans as the preferred malware type to accompany their raids.

the ZeuS author declined to help them keep it undetectable by commercial antivirus tools... he refuses to write bypass of [anti-malware] scans