Monday, March 30, 2009

Financial institutions targeted by the botnet Zeus. Part two

The structure of Zeus consists of PHP modules from which it controls and executes all the fraudulent and harmful activity for which it was conceived. For example, it is very common to find files such as s.php, sS.php, x.php or similar, which act as the command and control (C&C) of the bot.

Once the system is infected, Zeus downloads an encrypted .bin file (usually cfg.bin). This is the configuration file, with a set of instructions that indicate the type of information to be collected and where to send it.
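As an added example (not from the original post), the following sketch flags clients in a proxy log that fetch a .bin file and later POST to a short-named PHP script on the same server, the pattern described above. The log format, the host names, the one-or-two-letter script name heuristic and the assumption that collected data is sent by POST are all constructed for illustration.

```python
import re

# Constructed proxy-log sample: client, method, URL. Hosts are placeholders.
SAMPLE_LOG = """\
10.0.0.5 GET http://bad.example/zs/cfg.bin
10.0.0.5 POST http://bad.example/zs/s.php
10.0.0.7 GET http://cdn.example/firmware/update.bin
10.0.0.7 GET http://cdn.example/index.php
10.0.0.9 POST http://forum.example/x.php
10.0.0.5 POST http://bad.example/zs/s.php
"""

LINE = re.compile(r"^(\S+)\s+(GET|POST)\s+https?://([^/\s]+)(/\S*)$")
# Assumed heuristics based on the names in the text: a .bin download, and a
# PHP script with a one- or two-letter name (s.php, sS.php, x.php).
CONFIG_FETCH = re.compile(r"/[^/]+\.bin$", re.I)
GATE_POST = re.compile(r"/[A-Za-z]{1,2}\.php$")

def find_suspect_pairs(log_text):
    """Return sorted (client, server) pairs where the client fetched a .bin
    file and afterwards POSTed to a short-named PHP script on that server."""
    fetched = set()   # (client, server) pairs that downloaded a .bin file
    hits = set()      # pairs that also POSTed to a short-named PHP script
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # skip lines that do not match the assumed format
        client, method, server, path = m.groups()
        path = path.split("?", 1)[0]  # ignore any query string
        key = (client, server.lower())
        if method == "GET" and CONFIG_FETCH.search(path):
            fetched.add(key)
        elif method == "POST" and GATE_POST.search(path) and key in fetched:
            hits.add(key)
    return sorted(hits)

if __name__ == "__main__":
    for client, server in find_suspect_pairs(SAMPLE_LOG):
        print(f"review {client}: .bin fetch then POST to short PHP script on {server}")
```

Neither signal is conclusive alone: a .bin download or a short PHP name is common on benign sites, which is why the sketch reports only the two together, in that order, for the same client and server.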

When this file is decrypted, we can see its structure and the financial institutions that Zeus constantly monitors from the zombie.

In this way, when the user accesses certain forms, Zeus intercepts the browser interaction, capturing all the information the botmaster needs to commit fraud.

The list of entities that are in the sights of Zeus is really long.

These malicious strategies represent threats and make it clear that, while email is still a channel used to propagate malware, today it is the Internet that serves as the basis for mass attacks through various crimeware.

Related Information
Financial institutions targeted by the botnet Zeus. Part one - Spanish version
Zeus botnet. Mass propagation of trojan. Part two - Spanish version
Zeus botnet. Mass propagation of trojan. Part one - Spanish version

