Botnet Feature Advancement Zeus !

When you’re building your very own botnet you need to be quite selective about the botnet agent you’re planning on running with. Many of the botnets we encounter operating within enterprise environments today are constructed using commonly available DIY malware construction kits – of which Zeus is the most popular.

Zeus is an interesting DIY malware construction kit. Over the years it has added to its versatility and developed in to an open platform for third-party tool integration – depending upon the type of fraud or cybercrime the botnet master is most interested in. Along the way, many malware developers have tweaked the Zeus kit and offer specialized (and competing) major versions of the DIY suite (for sale). As such, the “Zeus” kit has morphed and isn’t really even a single kit any more. You can find Zeus construction kits retailing between $400-$700 for the latest versions – dropping to “free” within a couple of months as pirated versions start circulating Torrent feeds.

That said, competition between Zeus vendors is fierce – driving new innovation within within this single DIY construction kit.

Take for example the recently posted “for sale” instruction for a new Zeus version over on one of the popular hacking forums – retailing for $700 new…

It’s interesting to note the major changes in the DIY kits changelog –

[Version 1.3.0.0, 20.11.2009]
[*] Interception WinApi by splicing.
[+] Be fully operational in Windows Vista / 7.
[*] Temporarily disable hidden files Trojan.
[*] Removed TAN-grabber.
[-] Fixed duplicate records in nspr4.dll.
[*] Grabbed certificates are now written with the name grabbed_dd_mm_yyy.pfx, and password in UTF-8.
[*] Team getcerts, obtained certificates only from MY-store, and not from all. Since obtaining certificates from all hranilish not make sense.
[*] Changed behavior grabber certificates.
[*] Rewrote FTP/POP3 sniffer, ulucheshno detection logins, made support for IPv6-addresses.
[*] Rewrote the interception of keyboard input, fixed method of working with international characters to.
[-] Corrected a bug in HTTP-fakie, which could lead to deadlock.

I think the most interesting advances are those I’ve bolded above.

Obviously Windows 7 support is going to be pretty import going forward for Zeus-dependent botnet masters, so too is the gabbing of certificates from the victims systems (e.g. SSL/TLS client certificates and corporate VPN access). The fact that the TAN-grabber has been removed is probably more indicative of features no longer required by Zeus “customers” and an effort to keep the Zeus botnet agent down in size.

The most significant addition with this release in my mind is the additional support for IPv6 – particularly as it relates to network sniffing. As enterprise networks (and government networks) take up IPv6 internally, botnet operators need to ensure that they’re also “IPv6 compliant” (which is easy enough if the victim’s operating system is configured to rely upon IPv6), but more critical is the capability to sniff IPv6 network traffic and automatically extract the data most valuable to the botnet operator – rather than having to deal with bulk packet captures.

For those enterprise networks already running IPv6 it’s important that their network administrators and security teams know that botnet masters are already armed with IPv6 capabilities – and are constantly tweaking and enhancing botnet agent capabilities.

One last thing to note though. Just because Zeus is a common botnet malware family, it doesn’t mean that you’re likely to have antivirus detection coverage within typical enterprise networks. Zeus is practically never deployed in its “raw” state – instead, botnet masters typically deploy heavily obfuscated and protected serial variants of the malware – making each victim unique. So don’t be surprised if it evades any host-based detection technologies you may have deployed.

Latest Dridex Banking Trojan? How it Works?

Dridex malware – also known as Bugat and Cridex – is believed to have been created by cyber criminals in Eastern Europe in an effort to harvest online banking details. Even after a high-profile takedown operation in late 2015, the Dridex botnet seems to be active again.

The Dridex virus typically distributes itself through spam messages or emails that include malicious attachments, most often a Microsoft Office file or Word document integrated with malicious macros.

Once the malicious file has been clicked, the macros download and install the main payload of the virus – the trojan program itself – from a hijacked server, which installs and runs on the victim's computer.

The Dridex trojan program then creates a keylogger on the infected machine and manipulates banking websites with the help of transparent redirects and web-injects.

This results in stealing victim's personal data like usernames and passwords, with an ultimate aim to break into bank accounts and siphon off cash.

Hacker replaces Trojan with Anti-virus

However, the recent Hack Surprises: Instead of distributing banking trojan, a portion of the Dridex botnet currently seems to be spreading legitimate copies of the free anti-virus software from Avira, as the company has announced itself.

"The content behind the malware download [link] has been replaced, it is now providing [a legitimate], up-to-date Avira web installer instead of the usual Dridex loader," 

Avira believes that the white hat hacker or hackers may have hacked into a portion of infected web servers using the same flaws the malware authors used and then replaced the malicious code with the Avira installer.

So, once infected, instead of receiving Dridex malware, the victims get a valid, signed copy of Avira antivirus software.

The Simda botnet Botnet that enslaved 770,000 PCs worldwide !

Simda, as the botnet was known, infected an additional 128,000 new computers each month over the past half year, a testament to the stealth of the underlying backdoor trojan and the organization of its creators. The backdoor morphed into a new, undetectable form every few hours, allowing it to stay one step ahead of many antivirus programs. Botnet operators used a variety of methods to infect targets, including exploiting known vulnerabilities in software such as Oracle Java, Adobe Flash, and Microsoft Silverlight. The exploits were stitched into websites by exploiting SQL injection vulnerabilities and exploit kits such as Blackhole and Styx. Other methods included sending spam and other forms of social engineering. Countries most affected by Simda included the US, with 22 percent of the infections, followed by the UK, Turkey with five percent, and Canada and Russia with four percent.

The malware modified the HOSTS file Microsoft Windows machines use to map specific domain names to specific IP addresses. As a result, infected computers that attempted to visit addresses such as connect.facebook.net or google-analytics.com were surreptitiously diverted to servers under the control of the attackers. Often the booby-trapped HOSTS file remains even after the Simda backdoor has been removed. Security researchers advised anyone who may have been infected to inspect their HOSTS file, which is typically located in the directory %SYSTEM32%\drivers\etc\hosts. People who want to discover if they have been infected by Simda can check this page provided by AV provider Kaspersky Lab.

The page is effective as long as a person's IP address hasn't changed from when the infection was detected.
The takedown involved the seizing of 14 command-and-control servers that were located n the Netherlands, US, Luxembourg, Poland, and Russia. The highly coordinated takedown occurred simultaneously all over the world last Thursday and Friday and was organized by the Interpol Global Complex for Innovation in Singapore.

It included officers from the Dutch National High Tech Crime Unit, the US FBI, the Police Grand-Ducale Section Nouvelles Technologies in Luxembourg, and the Russian Ministry of the Interior’s Cybercrime Department “K." INTERPOL also worked with Microsoft, Kaspersky Lab, Trend Micro, and Japan’s Cyber Defense Institute for technical assistance.

Last week's takedown is only the latest international operation to shut down a botnet that indiscriminately menaced huge numbers of people around the world. Last week a separate takedown targeted Beebone, a highly elusive botnet that provided a captive audience of backdoored PCs to criminals who were looking for an easy way to quickly install malware on large numbers of computers. Get Latest Setup and Botnet configuration contact me on skype nitro_9ice or Ymessenger- nitro_ice9 for more insight.