Zeus/Zbot Information and Tracking the Banking Trojan

Zeus is a crimeware kit, which steals credentials for various online services like social networks, online banking accounts, ftp accounts, email accounts and other (phishing). The web admin panel can be bought for $700  and the exe builder for $4000.

The dangerous thing is anyone with resources can use the Zbot builder and package new variants making creating a definition difficult.

Once Zeus is on a system it uses covert methods of injecting additional fields into online Internet banking websites, asking users to answer questions that the authentic website would not ask. The collected details are then silently delivered to remote websites, and added into remote databases. The databases are then sold to other criminal elements down the chain who specialize in withdrawing the funds. The money laundering groups anonymously hire physical people to withdraw money from their personal accounts – in the criminal world these people are called “drops”, and their accounts are called “drop accounts”.

The purchased builder is very granular; can you imagine logging in to your online banking website and additional fields appear that seem to blend into the page:

  • Due to security measures, please provide the answers to all the security questions listed below:
  • Your first school
  • Your mother’s maiden name
  • What is the first letter of the name of your high school?
  • What is the first letter of the name of your pet?
  • etc…

Zeus Tracking Project (C&C servers overlayed w/ Google Maps)

Detailed Zeus reverse engineering

Webinar about the bot

Malware Analyzers Part deuce

Several weeks ago I posted about different free malware analyzers (sandbox environments).  I’ve stumbled across another free tool from Mandiant which is their Red Curtain offering. Red Curtain will scan a given local directory or drive and analyze each file assigning it a threat score. It takes into effect whether the file is signed, packing, and the entropy which could be suspicious.

Another plus is the tool can be remotely deployed which is great for LAN & enterprise environments.

*I believe all their tools only run on Windows.