[unixfreaxjp]

Here's "a way" to stop/block/track/nailing Gameover: http://blog.malwaremustdie.org/2014/03/ ... rooks.html
Positively PoC and confirmed. Let's hammer this weak point together, and please write more posts of this threat.
let's see they are suffering the strike back from engineers, security and researchers community.

[unixfreaxjp]

Which is easy ... don't allow Windows Explorer to access internet ;)

In this case, I must disagree to this WRONG fact.
Why? Even connected into internet the GMO's DGA will be rapidly requested, this works to the sample which its hashes I mentioned and announced. It has the special purpose which I posted in details here: http://blog.malwaremustdie.org/2014/03/ ... rooks.html

In addition, for the sake of good research in fighting malware, I'd say, instead to burp a quick commenting in a someone's serious research posts, one should investigate things deeper before stated something unless that will be only pointing into a wrong information. I reversed & tested all stuff all over again (and again) to proof my own statement above. I challenge anyone that can proof me otherwise by the verdicted sample's hash investigated and posted.

@unixfreaxjp

[Kimberly]

I don't know why I have to justify myself. If I have spare time I'll make a video of what I'm saying.

"The binary starts by sending out a request to Google, probably to test the internet connectivity of the computer. Next, a series of hardcoded peers are contacted to obtain its configuration file, updates and an active list of peers. If none of the peers can be reached, GameOver falls back to a Domain Generation Algorithm (DGA) that creates around 1000 pseudorandom domains per day."

http://stopmalvertising.com/spam-scams/ ... eover.html

Block with decent firewall and you'll only get DGA.

[Xylitol]

https://zeustracker.abuse.ch/monitor.ph ... ugu.gov.tr
https://www.virustotal.com/en/file/924c ... 396346350/

Code: Select all

72 D8 42 AC B0 EA 0B 24 58 5B B1 E2 20 74 3B 0A 50 D9 AB 0E 8E CC E6 32 4E CF A8 CD 2B 26 54 67 5A DF BE AD 36 3E AA 56 B3 FA 8C 5D 1A 06 B8 FF 90 1D 28 38 4A A9 96 A3 10 BC 0C 83 D5 86 85 19 2C 7C 44 34 80 D6 66 FD 60 B7 D4 9E C2 A2 55 E3 78 DC 30 DD 6D 22 7A A0 7E 77 25 41 8B 75 C0 63 01 13 73 08 AE 5F 52 CE F0 6E 53 9A A1 16 F7 9D 4D E9 5C 43 C8 CA 7D 1B 2D 35 A5 98 2E 03 D1 27 84 12 B2 6F C7 57 C6 59 39 C1 14 C5 FE 05 23 18 37 00 C4 F6 45 09 71 11 CB 31 F1 DA C3 70 B4 76 17 4B BB 9F 15 BA 89 40 51 7B BD 5E 1E 21 E0 6A 94 95 D7 92 D3 BF 8D DB 68 E7 EB EE A6 04 49 EC 1F 46 B5 48 A4 99 0D 2A B6 4C 3A 82 9C C9 A7 81 1C F4 D0 29 3F E1 69 2F ED 9B 88 33 8F 64 3C 0F 6B F3 61 62 3D FC 07 7F 93 E5 E8 E4 D2 47 02 EF 97 B9 65 F9 79 4F 6C 91 87 AF F5 FB F2 8A F8 DE

[Kimberly]

Which is easy ... don't allow Windows Explorer to access internet ;)

In this case, I must disagree to this WRONG fact.
Why? Even connected into internet the GMO's DGA will be rapidly requested, this works to the sample which its hashes I mentioned and announced. It has the special purpose which I posted in details here: http://blog.malwaremustdie.org/2014/03/ ... rooks.html

In addition, for the sake of good research in fighting malware, I'd say, instead to burp a quick commenting in a someone's serious research posts, one should investigate things deeper before stated something unless that will be only pointing into a wrong information. I reversed & tested all stuff all over again (and again) to proof my own statement above. I challenge anyone that can proof me otherwise by the verdicted sample's hash investigated and posted.

@unixfreaxjp

ZeuS GameOver
https://www.virustotal.com/en/file/b748 ... /analysis/

Andromeda
https://www.virustotal.com/en/file/138f ... /analysis/
https://www.virustotal.com/en/file/81f3 ... /analysis/

FYI, I've added a video that shows that by not allowing Windows Explorer straight away to access internet you can FORCE GameOver to start using the DGA instead of the hardcoded peers. So tell me again that I am wrong ...
http://stopmalvertising.com/spam-scams/ ... ktail.html

[Xylitol]

CyberCrime & Doing Time: Zeus Criminals charged in Omaha, Nebraska ~ http://garwarner.blogspot.fr/2014/04/ze ... raska.html

[Xylitol]

Comodo AV Labs Identifies Dangerous Zeus Banking Trojan Variant ~ https://blogs.comodo.com/e-commerce/com ... us-trojan/

[Mad_Dud]

According to Fortinet - P2P Zeus Performs Critical Update

On April 8, our monitoring system found that the version number included in the encrypted TCP packet has been updated to 0x3B.

Apart from its original functions of banking information stealing, process injection, and so on, the new binary would also drop a rootkit driver file into the %SYSTEM32%\drivers folder. The rootkit basically hides the P2P Zeus and prevents the deletion of its binary and its autorun registry entries.

[patriq]

Pulled some fresh samples from a machine on 16 July 2014.

MBAM detected the following:

Code: Select all

C:\Users\user\AppData\Local\gemnoss.dll (Trojan.LVBP.ED) 
C:\Users\user\AppData\Local\Temp\UpdateFlashPlayer_6645eca2.exe (Spyware.Zbot.MSXGen) 
C:\Users\user\AppData\Local\Temp\UpdateFlashPlayer_78592a43.exe (Spyware.Zbot.MSXGen) 
C:\Users\user\AppData\Local\Temp\~tmf2127146759064854445.tmp (Trojan.Kelihos) 
C:\Users\user\AppData\Local\Temp\~tmf3312036165669406964.tmp (Trojan.Kelihos) 
C:\Users\user\AppData\Local\Temp\~tmf5105604272230926991.tmp (Trojan.Kelihos)
C:\Users\user\AppData\Roaming\Geevyq\akewd.exe (Spyware.Zbot.VXGen) 

Even after removing these and cleaning up autoruns, the malware would return. I assume its rootkit-ed, but I cant find the rootkit driver file..I'm not that skilled so I only used GMER, but it finds nothing.

The ZeuS samples spawned an Adobe Flash update install which was legit as far as I can see.. sooo, I guess thanks for that..?

Also, my VirtualBox Win7 install has "GuestAdditions" and no anti-VM patching. I would have thought the malware looked for that and wont run..

ZbotMSX.png (181.17 KiB) Viewed 622 times

Anyway, samples are attached.

[unixfreaxjp]

@Xylit0l @EP_X0FF
I am sorry, I made mistake! This variant is not for Zbot thread. I know how this works but I don't know what is this (T T)
Pls kindly help to move to proper threat topic

Few hours ago this campaign via spam was spotted:

The attachment (downloader part): https://www.virustotal.com/en/file/595b ... /analysis/
It downloads the set: https://www.virustotal.com/en/file/d45e ... 410358503/
Details distribution and CNC information I wrote in VT & the pictures, pls bear the hurry pace...