ZeuS is a well-known banking Trojan horse program, also known as crimeware. This trojan steals data from infected computers via web browsers and protected storage. Once infected, the computer sends the stolen data to a bot command and control (C&C) server, where the data is stored.
The US FBI, Secret Service, and various NY agencies have issued a joint Cyber-Security Advisory warning of the threat posed by the Zeus botnet specifically and wire fraud risks from keylogger trojans in general. Zeus combines keylogger capabilities with man-in-the-middle (or man-in-the-brower) style attacks to steal online banking credentials.
It does the following tasks on your computer:
- Steals data submitted in HTTP forms
- Steals account credentials stored in the Windows Protected Storage
- Steals client-side X.509 public key infrastructure (PKI) certificates
- Steals FTP and POP account credentials
- Steals/deletes HTTP and Flash cookies
- Modifies the HTML pages of target websites for information stealing purposes
- Redirects victims from target web pages to attacker controlled ones
- Takes screen shots and scrapes HTML from target sites
- Searches for and uploads files from the infected computer
- Modifies the local hosts file (%systemroot%\system32\drivers\etc\hosts)
- Downloads and executes arbitrary programs
- Deletes crucial registry keys, rendering the computer unable to boot into Windows
Zeus installs a rootkit component to remain hidden on infected systems. Typically, Zeus also disables antivirus and security software in a further effort to avoid detection. To bypass firewalls and to remain active on infected systems, Zeus injects itself in the address space of other running processes. The new Zbot variant appeared to spread by “patching” files to turn them into malware downloaders. TSPY_ZBOT.BYZ specifically decrypts a code in memory that targets and patches .EXE files, turning them into a downloader detected as PE_LICAT.A. which is very dangerous.
0 comments:
Post a Comment