Playing cops & robbers with banks & browsers

From Botnets.fr
Revision as of 11:19, 20 October 2012 by Eric.freyssinet (text replacement: "Zeus" changed to "ZeuS")


Botnet: ZeuS
Malware: Zbot, Neloweg
Date: 2012 / 27 Feb 2012
Editor/Conference: Symantec
Link: http://www.symantec.com/connect/blogs/playing-cops-robbers-banks-browsers (archive copy available)
Author: Fred Gutierrez

Abstract

We are currently tracking a banking Trojan called Trojan.Neloweg. Looking at early infection numbers, we noticed that a small number of users were compromised in the UK and the Netherlands.

Digging into the threat, we saw that the login credentials of these users (including banking credentials) may have been stolen. A partial list of affected bank pages can be seen below. In order to see where other infections were occurring, we took a more global look at the infection numbers. Apparently the threat has been localized to Europe. Trojan.Neloweg operates similarly to another banking Trojan known as ZeuS. Like ZeuS, Trojan.Neloweg can detect which site it is on and add custom JavaScript. But while ZeuS uses an included configuration file, Trojan.Neloweg stores this on a malicious webserver. Once a particular banking page has been matched, Trojan.Neloweg will cover part of the page in white, using a hidden DIV tag, and execute custom JavaScript located on the malicious server. We are currently monitoring the threat to see what changes it is making to the banking pages that a compromised user visits. [...] As can be seen from the screenshot above, the browser (Firefox in this instance) can now function like a bot and accept commands.

Bibtex

 @misc{2012BFR905,
   editor = {Symantec},
   author = {Fred Gutierrez},
   title = {Playing cops \& robbers with banks \& browsers},
   date = {27},
   month = feb,
   year = {2012},
   howpublished = {\url{http://www.symantec.com/connect/blogs/playing-cops-robbers-banks-browsers}},
 }