Tag Archives: Trojan.Zbot

New reconnaissance threat Trojan.Laziok targets the energy sector

A new information stealer, Trojan.Laziok, acts as a reconnaissance tool allowing attackers to gather information and tailor their attack methods for each compromised computer.Read More

Nueva amenaza apunta al sector energético: Trojan.Laziok

Una nueva amenaza que roba información, denominada Trojan.Laziok, actúa como una herramienta de reconocimiento y permite a los atacantes recopilar información y adaptar sus métodos de ataque a cada computadora comprometida.

Read More

Spin.com visitors served malware instead of music

Compromised site sent visitors to Rig exploit kit to infect them with a range of malware including Infostealer.Dyranges and Trojan.Zbot.

Toolbox_concept.png

On October 27, while tracking exploit kits (EKs) and infected domains, Symantec discovered that the popular music news and reviews website spin.com was redirecting visitors to the Rig exploit kit. This exploit kit was discovered earlier this year and is known to be the successor of another once popular EK, Redkit. The Rig EK takes advantage of vulnerabilities in Internet Explorer, Java, Adobe Flash, and Silverlight and was also one of the EKs associated with the askmen.com compromise back in June.

At the time of writing, the spin.com website was no longer compromised. However, spin.com is a popular site in the US, according to Alexa, so the attackers could have potentially infected a substantial amount of users’ computers with malware during the time the site was compromised. The number of potential victims could grow substantially depending on the length of time the website was redirecting visitors to the EK prior to our discovery. Our data shows that the attack campaign mainly affected spin.com visitors located in the US.

Fig1.png
Figure 1. Symantec telemetry shows visitors based in the US were most affected by spin.com compromise

How the attack worked
The attackers injected an iframe into the spin.com website, which redirected users to the highly obfuscated landing page of the Rig EK.

Fig2_13.png
Figure 2. Injected iframe on compromised spin.com website

When the user arrives on the landing page, the Rig EK checks the user’s computer for driver files associated with particular security software products. To avoid detection, the EK avoids dropping any exploits if the security software driver files are present.

Fig3_0.PNG
Figure 3. Rig EK searches for driver files used by security software products

The EK then looks for particular installed plugins and will attempt to exploit them accordingly. In the recent compromise, the Rig EK took advantage of the following vulnerabilities:

Upon successfully exploiting any of these vulnerabilities, a XOR-encrypted payload is downloaded onto the user’s computer. The Rig EK may then drop a range of malicious payloads such as downloaders and information stealers including banking Trojan Infostealer.Dyranges, and the infamous Trojan.Zbot (Zeus).

Symantec protection
Symantec has detections in place to protect against the Rig EK and the vulnerabilities exploited by it, so customers with updated intrusion prevention and antivirus signatures were protected against this attack. Users should also ensure that they update their software regularly to prevent attackers from exploiting known vulnerabilities. Symantec provides the following comprehensive protection to help users stay protected against the Rig EK and the malware delivered by it in this recent website compromise:

Intrusion prevention

Antivirus

European automobile businesses fall prey to Carbon Grabber

Cybercriminals target automotive companies in the UK, the Netherlands, Germany, and Italy with Infostealer.Retgate.
Read more…

Aprovechan el miedo al virus del Ébola como gancho para distribuir malware

Ebola news is bait for attackers to steal login credentials and install Trojan.Zbot, Trojan.Blueso, W32.Spyrat, and Backdoor.Breut malware.
Read more…

Medo do Ebola é usado como isca que pode levar à infecção por malware

Ebola news is bait for attackers to steal login credentials and install Trojan.Zbot, Trojan.Blueso, W32.Spyrat, and Backdoor.Breut malware.
Read more…

???????? Neverquest ????

      No Comments on ???????? Neverquest ????

Trojan.Snifula は、常に進化を続けており、オンラインバンキングに関する機密情報をさらに多く盗み取るための新機能を備えています。

????????? Gameover Zeus ????????????????

国際的な法執行機関により、金銭詐取を目的としたボットネットや Cryptolocker ランサムウェアネットワークの背後にいる攻撃グループが所有している大規模なインフラが押収されました。