Kimberly wrote:Which is easy ... don't allow Windows Explorer to access the internet
unixfreaxjp wrote:Kimberly wrote:Which is easy ... don't allow Windows Explorer to access the internet
In this case, I must disagree with this WRONG fact.
Why? Even when connected to the internet, the GMO's DGA will be rapidly requested; this applies to the sample whose hashes I mentioned and announced. It has a special purpose, which I posted in detail here: http://blog.malwaremustdie.org/2014/03/ ... rooks.html
In addition, for the sake of good research in fighting malware, I'd say that instead of burping out a quick comment on someone's serious research posts, one should investigate things more deeply before stating something; otherwise it will only be pointing to wrong information. I reversed & tested all the stuff all over again (and again) to prove my own statement above. I challenge anyone who can prove me otherwise using the hash of the verdicted sample that I investigated and posted.
On April 8, our monitoring system found that the version number included in the encrypted TCP packet has been updated to 0x3B.
Apart from its original functions of banking information stealing, process injection, and so on, the new binary would also drop a rootkit driver file into the %SYSTEM32%\drivers folder. The rootkit basically hides the P2P Zeus and prevents the deletion of its binary and its autorun registry entries.
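The post above names two things a defender can look for on a suspect host: a driver file dropped into the %SYSTEM32%\drivers folder and autorun registry entries that the rootkit protects. The following PowerShell triage script is an added example, not code from this thread or from the quoted report. It assumes the driver is a .sys file under %SystemRoot%\System32\drivers and that the autorun entries live in the usual HKLM/HKCU Run and RunOnce keys; both are assumptions, since the post names no filename, service name or registry value.

```powershell
# Added triage example; not from the forum thread or the quoted report.
# Assumptions (the post names no file or key): the rootkit driver is a .sys file
# under %SystemRoot%\System32\drivers, and persistence uses the Run/RunOnce keys.

$driverDir = Join-Path $env:SystemRoot 'System32\drivers'
$since     = (Get-Date).AddDays(-7)   # adjust to the window you are investigating

# 1. Driver files written recently, with their Authenticode status.
#    Anything unsigned, or with a status other than Valid, deserves a closer look.
$recentDrivers = Get-ChildItem -Path $driverDir -Filter '*.sys' -File -ErrorAction SilentlyContinue |
    Where-Object { $_.LastWriteTime -ge $since } |
    ForEach-Object {
        $sig = Get-AuthenticodeSignature -FilePath $_.FullName
        [pscustomobject]@{
            Driver    = $_.Name
            Written   = $_.LastWriteTime
            SigStatus = $sig.Status
            Signer    = $(if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(none)' })
        }
    }
"== Drivers written since $since in $driverDir =="
$recentDrivers | Sort-Object Written -Descending | Format-Table -AutoSize

# 2. Driver services registered with the service control manager. A service whose
#    image path does not resolve to a visible file is a candidate for a hidden file,
#    and one whose image lives outside the drivers folder is unusual for a kernel driver.
$driverServices = Get-CimInstance -ClassName Win32_SystemDriver |
    Where-Object { $_.PathName } |
    ForEach-Object {
        # Normalise the NT-style paths stored in the service database.
        $p = $_.PathName -replace '^\\\?\?\\', ''
        $p = $p -replace '^\\SystemRoot', $env:SystemRoot
        $p = $p -replace '^system32\\', "$env:SystemRoot\System32\"
        [pscustomobject]@{
            Service  = $_.Name
            State    = $_.State
            Image    = $p
            OnDisk   = Test-Path -LiteralPath $p
            InDrvDir = $p -like "$driverDir\*"
        }
    }
"== Driver services whose image is not visible on disk or sits outside the drivers folder =="
$driverServices | Where-Object { -not $_.OnDisk -or -not $_.InDrvDir } | Format-Table -AutoSize

# 3. Autorun entries in the Run/RunOnce keys for the machine and the current user.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
"== Run/RunOnce entries =="
foreach ($key in $runKeys) {
    if (-not (Test-Path -LiteralPath $key)) { continue }
    (Get-ItemProperty -LiteralPath $key).PSObject.Properties |
        Where-Object { $_.Name -notmatch '^PS' } |       # drop the PSPath/PSParentPath metadata
        ForEach-Object {
            [pscustomobject]@{ Key = $key; Name = $_.Name; Command = $_.Value }
        }
} | Format-Table -AutoSize
```

Run it from an elevated prompt so the HKLM keys and the drivers folder are readable. A kernel rootkit that hooks file and registry enumeration, which is what the post describes, can hide its driver and its autorun values from a user-mode script like this one just as it hides them from Explorer and regedit, so a clean result is not conclusive. The reliable check is to compare this live listing against an offline view of the same disk (boot from clean media or mount the image on a clean system): a file or value that appears offline but not live is the hidden artefact.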
I am sorry, I made a mistake! This variant is not for the Zbot thread. I know how this works but I don't know what this is (T T)
Pls kindly help to move this to the proper threat topic