<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.feedburner.com/~d/styles/itemcontent.css"?><rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:wfw="http://wellformedweb.org/CommentAPI/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:geo="http://www.w3.org/2003/01/geo/wgs84_pos#" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0">
<channel>
<title>Prevx Blog</title>
<link>http://www.prevx.com/blog.asp</link>
<description>Prevx Blog</description>
<pubDate>Fri, 18 Sep 2009 13:27:06 GMT</pubDate>
<generator />
<language>en</language>
<geo:lat>33.614385</geo:lat><geo:long>-117.260807</geo:long>
<atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" href="http://feeds.feedburner.com/PrevxResearchBlog" type="application/rss+xml" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com" /><item>
<title>Detecting and Removing the ZEUS Banking Trojan</title>
<link>http://feedproxy.google.com/~r/PrevxResearchBlog/~3/9sZWBg4P4yg/Detecting-and-Removing-the-ZEUS-Banking-Trojan.html</link>
<comments>http://www.prevx.com/blog/137/Detecting-and-Removing-the-ZEUS-Banking-Trojan.html#comments</comments>
<pubDate>Fri, 18 Sep 2009 13:27:06 GMT</pubDate>
<dc:creator>Mel Morris</dc:creator>
<guid isPermaLink="false">http://www.prevx.com/blog/137/Detecting-and-Removing-the-ZEUS-Banking-Trojan.html</guid>
<description><![CDATA[<p>
ZEUS has been around in various generations for a few years now. Here is a link to an article from 2007, when a ZEUS Trojan infiltrated several prominent US organizations: <a href="http://www.reuters.com/article/domesticNews/idUSN1638118020070717">ZEUS infects US organizations</a>.</p>
<p>
ZEUS is easily and commonly dropped by an exploit, and is also spread via social engineering techniques exploiting job sites and the like. The ZEUS Trojan, or ZEUS Banking Trojan, is also referred to by some security firms as WSNPOEM and Gorhax.</p>
<p>
Outwardly, a ZEUS-infected PC will show no obvious signs of infection. The ZEUS Banking Trojan is capable of rifling your Internet cache for stored login and password credentials; it can also eavesdrop on keystrokes and screen contents, and can even modify a web page with form injection to capture additional fields, just in case what the criminals want to steal isn't already on the page.</p>
<p>
As a recent, much-hyped article claimed, ZEUS frequently bypasses popular antivirus and internet security suites. The criminals are careful to infect just a few PCs with each copy of the Trojan, thereby avoiding detection by honeypots/honeynets and subsequent researcher attention in security labs. By the time each copy of a ZEUS Trojan is identified by security researchers, its job is done and a fresh version will have been dispatched to take over its role.</p>
<p>
No one has an accurate account of the real number of ZEUS infections, but it must run to millions of PCs worldwide. We uncovered a cache of stolen information captured by a ZEUS Trojan earlier this year. This data came from 160,000 PCs infected by ZEUS Trojans. During the six weeks of tracking this crop of infections, it reached a peak of 20,000 new PC infections per day.</p>
<p>
Now for some telltale signs of ZEUS. Using this information you will be able to check your PC for signs of infection by ZEUS. You may also use this information to help you remove the ZEUS Trojan, or at least disable it.</p>
<p>
The ZEUS Trojan will commonly use file names like NTOS.EXE, LD08.EXE, LD12.EXE, PP06.EXE, PP08.EXE, SRA64.EXE, and more generally LDnn.EXE and PPnn.EXE (nn standing for digits, as in the examples above), so search your PCs for files with names like these. The ZEUS Trojan will typically be between 40 KBytes and 150 KBytes in size.</p>
<p>
Also look for a folder with the name WSNPOEM; this is another common sign of a ZEUS Trojan infection.</p>
<p>
Finally, check the Registry for RUN keys referencing any of these names.</p>
<p>
Do not assume that, because your antivirus or internet security suite shows no signs of infection, your PC is free of the ZEUS Trojan.</p>
]]></description>
<wfw:commentRss>http://www.prevx.com/blog/137/Detecting-and-Removing-the-ZEUS-Banking-Trojan.html&amp;feed=rss2#comments</wfw:commentRss>
<feedburner:origLink>http://www.prevx.com/blog/137/Detecting-and-Removing-the-ZEUS-Banking-Trojan.html</feedburner:origLink></item>
<item>
<title>Prevx is Hiring Mac OSX Developer - Maybe You ?</title>
<link>http://feedproxy.google.com/~r/PrevxResearchBlog/~3/WC_JvnlWBG4/Prevx-is-Hiring-Mac-OSX-Developer--Maybe-You-.html</link>
<comments>http://www.prevx.com/blog/136/Prevx-is-Hiring-Mac-OSX-Developer--Maybe-You-.html#comments</comments>
<pubDate>Mon, 14 Sep 2009 17:01:18 GMT</pubDate>
<dc:creator>Jacques Erasmus</dc:creator>
<guid isPermaLink="false">http://www.prevx.com/blog/136/Prevx-is-Hiring-Mac-OSX-Developer--Maybe-You-.html</guid>
<description><![CDATA[<p>
Thought I'd get this out via the blog to get maximum attention. Prevx is looking to hire a Mac OSX developer to develop a cloud AV client. You should have experience in C/C++ for system-level development, as well as being able to develop GUIs. If this sounds of interest to you, drop a mail to weblog@prevx.com.</p>]]></description>
<wfw:commentRss>http://www.prevx.com/blog/136/Prevx-is-Hiring-Mac-OSX-Developer--Maybe-You-.html&amp;feed=rss2#comments</wfw:commentRss>
<feedburner:origLink>http://www.prevx.com/blog/136/Prevx-is-Hiring-Mac-OSX-Developer--Maybe-You-.html</feedburner:origLink></item>
<item>
<title>FTP Reloaded: My Website has been hacked!</title>
<link>http://feedproxy.google.com/~r/PrevxResearchBlog/~3/yqSfGElRYC4/FTP-Reloaded-My-Website-has-been-hacked.html</link>
<comments>http://www.prevx.com/blog/135/FTP-Reloaded-My-Website-has-been-hacked.html#comments</comments>
<pubDate>Sun, 16 Aug 2009 21:53:09 GMT</pubDate>
<dc:creator>Jacques Erasmus</dc:creator>
<guid isPermaLink="false">http://www.prevx.com/blog/135/FTP-Reloaded-My-Website-has-been-hacked.html</guid>
<description><![CDATA[<p>
As you might know if you have been following our blog, last month we blogged about an FTP password stealer that's spreading in the wild <a href="http://www.prevx.com/blog/132/Compromised-FTP-details-being-exploited-by-in-the-wild-malware.html">here</a>.</p>
<p>
This infector managed to steal credentials from many large companies; a total of nearly 90,000 logins were found. We worked with local and international law enforcement to get that site shut down and to inform as many victims as we could.</p>
<p>
Yesterday, while roaming the dark depths of the web, Mike "Rambo" Johnson, one of our malware hunting rockstars, managed to find the latest incarnation of this threat.</p>
<p>
On this occasion there is not much difference: it's an entirely new list of domains containing, yet again, a bunch of new "big names" which we are in the process of notifying. Overnight the number of stolen credentials went from 624 to 4338.</p>
<p>
The infection begins when visiting what appears to be a harmless website, hxxp://<removed>-lena-kolesnikova.com/ (NSFW!).</p>
<p>
Two separate scripts are all this particular URL has to offer; there is no legitimate material to be found, unfortunately.</p>
<p>
Most of the sites that have been injected contain what's called a rotator, which rotates between malware packs purchased by people who want their malware spread.</p>
<blockquote>When we say "injected", what we mean is that the FTP credentials have been stolen, and an iframe/script has been injected into the HTML pages of the site.</blockquote>
<p>
Script 1 failed to execute on this machine, as the IP was blocked due to previous visits throughout that day.</p>
<p>
<img src="http://aknow.prevx.com/content/blog/obfus.jpg" title="Injected Script" alt="image"></p>
<p>
Script 2 is where the FtpBot is launched from; this particular URL is also a rotator and will serve up different malware based on geography, installed software and time of day.</p>
<p>
<img src="http://aknow.prevx.com/content/blog/obfus2.jpg" title="Rotator Script" alt="image"></p>
<p>
The exploit kit used by this malware is called FSPACK; there are so many of these around these days that the name really has little value.</p>
<p>
So let's move on to the meaty stuff: on successful exploitation, this is what you could expect to see, traffic-wise, on your machine.</p>
<p>
<img src="http://aknow.prevx.com/content/blog/comms.jpg" title="HTTP Traffic" alt="image"></p>
<p>
This shows how the pack itself fetches even more malware on top of the already dropped pieces.</p>
<p>
Now, it begins checking for commands...</p>
<p>
<img src="http://aknow.prevx.com/content/blog/check.jpg" title="C&amp;C Checkin" alt="image"></p>
<p>
It tries to connect to an admin panel; however, it appears that it's not configured properly by the malware owners, and doesn't seem to be functioning in terms of statistics gathering.</p>
<p>
Once this process is complete, the malware installed on the victim machine harvests FTP details from known FTP clients (Total Commander, CuteFTP, FlashFXP and a few others) and uploads them to a list on the server.</p>
<p>
The stolen details get sent to a text file on the server known as list.txt, and the format of the details is "ftp://username:password@ftp.domain.com".</p>
<p>
This list then gets dished out to infected clients, which log in to the FTP sites and inject an iframe/script into the web pages; the goal is to infect more users who visit these sites, using the same exploit pack as shown above.</p>
<p>
This is usually where we would finish the blog, pat ourselves on the back and think "job done"; however, we managed to find the site that the people responsible for these infections are using to monetize it.</p>
<p>
In my opinion, the ways to protect against FTP login stealers like these are as follows:</p>
<ul>
<li>Don't use FTP for anything important; use encrypted protocols.</li>
<li>Don't rely on software such as Total Commander, FlashFXP, CuteFTP et al. to protect your credentials; the methods used to store the passwords are weak.</li>
</ul>
<p>
Prevx 3.0 and Prevx 3.0 Enterprise edition both protect against these threats.</p>
<p>
Below are some screenshots, with comments and translations from Russian to English.</p>
<p>
I think the pictures speak for themselves, however badly they are translated. One thing I can say is that their website isn't very pretty, but I guess they are getting enough customers even with an ugly-looking site!</p>
<p>
<img src="http://aknow.prevx.com/content/blog/intro.jpg" alt="image"></p>
<p>
<img src="http://aknow.prevx.com/content/blog/target.jpg" alt="image"></p>
<p>
<img src="http://aknow.prevx.com/content/blog/ud.jpg" alt="image"></p>
<p>
<img src="http://aknow.prevx.com/content/blog/spamzor.jpg" alt="image"></p>
<p>
<img src="http://aknow.prevx.com/content/blog/ddos.jpg" alt="image"></p>
<p>
<img src="http://aknow.prevx.com/content/blog/loadz.jpg" alt="image"></p>
]]></description>
<wfw:commentRss>http://www.prevx.com/blog/135/FTP-Reloaded-My-Website-has-been-hacked.html&amp;feed=rss2#comments</wfw:commentRss>
<feedburner:origLink>http://www.prevx.com/blog/135/FTP-Reloaded-My-Website-has-been-hacked.html</feedburner:origLink></item>
<item>
<title>A puzzle called SafeSys</title>
<link>http://feedproxy.google.com/~r/PrevxResearchBlog/~3/D9lswTd0yTg/A-puzzle-called-SafeSys.html</link>
<comments>http://www.prevx.com/blog/134/A-puzzle-called-SafeSys.html#comments</comments>
<pubDate>Wed, 22 Jul 2009 18:01:55 GMT</pubDate>
<dc:creator>Marco Giuliani</dc:creator>
<guid isPermaLink="false">http://www.prevx.com/blog/134/A-puzzle-called-SafeSys.html</guid>
<description><![CDATA[<p>
Investigating new and uncommon infection vectors is sometimes enriching and useful for us, allowing us to break from the usual trend of classic pieces of malicious software which are anything but technically advanced.</p>
<p>
Everyone in the security industry could see what has happened over the last few years: <b>an increase in malware volume but a sharp decrease in code complexity</b>. Most malware has nothing interesting to analyze; samples are often variants, or repacked versions of some older variant. This doesn't necessarily mean there are no longer any non-trivial infections, but rather that they are rarer than before.</p>
<p>
Everyone who has tried to clean a heavily infected PC would admit that sometimes it would be easier to format and reinstall everything than to try to fix all the running infections. This is where a new kind of security software comes in.</p>
<p>
<b>More and more people are using security software which is able to freeze the system state and redirect everything that happens on the system to a temporary store.</b> Then, at system restart, every modification to the system is discarded and the system starts again in the original state in which it was frozen by the security software.</p>
<p>
This is a fantastic solution for everyone who wants to leave one or more PCs available to the public but wants to be sure no lasting damage is done to their systems. The same solution is used by people who want to analyze or test applications but don't want to install them on the real system.</p>
<p>
It's an easy game, where you only have to follow some simple steps: save the state of the system, do what you want, restart the system, and every modification will be deleted.</p>
<p>
It must have been a nightmare for some users when they saw that, even after a system restart, a malicious piece of software was still there. Moreover, those who use these kinds of software are convinced that everything is filtered and cleaned at system restart, so they often don't feel they need any other way to prevent malware. <b>They just know that even if malware ravages the system, it will be erased at the next reboot</b>.</p>
<p>
There have been a lot of rumors about a new kind of malware which was able to bypass these security products, writing directly to the disk so that it could survive system reboots. Is this true or false? <b>It is sadly true, but this was expected to happen sometime soon</b>. The problem lies in the design of these products and how they are implemented.</p>
<div align="center">
<img src="http://pxnow.prevx.com/content/blog/safesys1.jpg" alt="One of the malware's decryption routines">
</div>
<p>
When a program tries to read or write a file on the disk, its request passes through a chain of drivers which handle it. Every time a driver has finished its work, it sends the request to the next lower driver, and so on, until the request is satisfied and the program receives all the data it needed.</p>
<p>
A request to read from or write to the disk is first handled by a file system driver, which passes it to the disk.sys driver. This last one is used to interface the system with physical hard drives. This is where those security products usually sit, filtering out every attempt to write to the disk and redirecting it to a temporary store. It's an effective solution which does indeed do its job.</p>
<p>
Two problems now arise. The first is that users believe they can do anything if they are protected by these kinds of products, because at the next restart everything is restored to the original clean state. The next logical step in this thinking is that <b>they run with admin privileges</b>. Who cares if even a kernel-mode rootkit is installed? Everything will be gone when the system is restarted. Wrong.</p>
<p>
This is a minefield. Even if you run protected by these kinds of security products, if you run software with admin privileges <b>you are giving malware the key to ring 0, access to kernel mode</b>. Now, in kernel mode, malware and security software are playing by exactly the same rules, with the same advantages and disadvantages.</p>
<p>
Disk.sys is not the last driver invoked by an IRP requesting a read from or write to the disk. After disk.sys has finished its job, it forwards the request to the next lower devices until it reaches the atapi.sys driver, which is actually responsible for the communication between the system and physical hard drives.</p>
<p>
So, try to guess what would happen if malware were able to communicate directly with atapi.sys, sending commands straight to this driver without following the usual chain of drivers.</p>
<div align="center">
<img src="http://pxnow.prevx.com/content/blog/safesys2.jpg" alt="strings inside driver">
</div>
<p>
This is what the malware known as SafeSys does: it is indeed able to directly overwrite a system file, so that at the next system restart, even though everything should theoretically have been deleted, the malware <b>is still loaded</b> and can do its dirty job.</p>
<p>
I won't discuss in more detail what the malware does; what I've said should be enough to make people understand that trusting only one security product doesn't really help you prevent infections.</p>]]></description>
<wfw:commentRss>http://www.prevx.com/blog/134/A-puzzle-called-SafeSys.html&amp;feed=rss2#comments</wfw:commentRss>
<feedburner:origLink>http://www.prevx.com/blog/134/A-puzzle-called-SafeSys.html</feedburner:origLink></item>
</channel>
</rss>
