Thursday, 11 February 2010

New ZBOT/Zeus Binary Comes with a Hidden Message

Feb 10, 11:49 pm (UTC-7)   |   by Jonell Baltazar (Advanced Threats Researcher)

Trend Micro advanced threat researchers recently came across a new ZBOT/Zeus binary file detected as TROJ_ZBOT.BTM.
ZBOT/Zeus variants are well known for stealing banking information from their victims via various social-engineering tactics (e.g., spammed messages, malicious links sent to social-networking site members in the guise of messages, and compromised legitimate sites), as evidenced by the following documented noteworthy occurrences:
Apart from the usual information-stealing tactics ZBOT/Zeus Trojans are known for, however, this new variant came with a hidden message that thanks and taunts some well-known antivirus companies for the help they provide the cybercriminals behind the malware in constantly improving their craft. The message is not visible in the file on disk; it only appears after the binary (version 1.3.3.3) unpacks and copies itself into the affected system's memory.
This taunting message shows that cybercriminals have systems that monitor how well AV companies detect their craft, and that they constantly update their software to avoid detection.
Trend Micro™ Smart Protection Network™ already protects product users from this threat in two ways: its Web reputation service blocks user access to the malicious site, http://{BLOCKED}p.com/consc/cons.exe, from which the binary file could be downloaded, and its file reputation service detects the file and prevents its execution on affected systems.
Non-Trend Micro product users, on the other hand, can also stay protected by using free tools like Web Protection Add-On, which was especially designed to block user access to potentially malicious websites in real time.
