Author Topic: Correction to apparent Gozi (Not ZeuS) dropzone at 91.207.61.44  (Read 4305 times)


May 21, 2009, 09:38:55 pm

Winston Smith

As our most able administrator pointed out, this is Gozi, not ZeuS.

http://www.threatexpert.com/report.aspx?md5=a3092655bb7cb93848b0bfa4add91f3c

It is definitely calling home to 91.207.61.44.

May 21, 2009, 09:44:12 pm
Reply #1

SysAdMini

Do you have more details? Are you sure about ZeuS?
I guess it's Gozi, as seen in the TE report:

http://www.threatexpert.com/report.aspx?md5=a3092655bb7cb93848b0bfa4add91f3c
Ruining the bad guy's day

May 22, 2009, 02:41:43 pm
Reply #2

Winston Smith

The behavior was exactly the same as the other confirmed ZeuS infections I'd been tracking. However, there are some additional elements now that suggest it might be something else.

The machine was reaching out at 20 minute intervals to the drop site and had been doing so for 3 days.

Analysis of the logs on the machine showed the AV software recognized it as a trojan and attempted to clean it, but could not clean or delete it; it just gave up, so the trojan may be interfering with the AV.

The trojan was parked in the c:\Windows\ directory, not System32.

Infection identified as a JS/Exploit-Iframe (Trojan) parked on a legitimate website.

It also attempted to do a mass mailing of itself off port 25 but was blocked by our rules.

So to answer your question, it probably was not ZeuS. I am dealing with a lot of it right now and this one fit the pattern.
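The two network indicators in the post above (a host calling the drop IP at a fixed 20-minute cadence for days, and blocked outbound port 25) are easy to pull out of firewall logs. The following is an added example, not code from this thread or from either poster; the log format and the sample lines are constructed, and the thresholds (four hits, 10% jitter) are assumptions.

```python
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample lines: "<ISO timestamp> <src> <dst>:<port> <action>".
# 10.1.2.33 reaches the IP named in the thread roughly every 20 minutes and
# also attempts outbound SMTP, which the firewall denies; 10.1.2.77 is normal.
SAMPLE_LOG = """\
2009-05-19T08:00:12 10.1.2.33 91.207.61.44:80 ALLOW
2009-05-19T08:20:09 10.1.2.33 91.207.61.44:80 ALLOW
2009-05-19T08:40:15 10.1.2.33 91.207.61.44:80 ALLOW
2009-05-19T09:00:10 10.1.2.33 91.207.61.44:80 ALLOW
2009-05-19T09:03:44 10.1.2.33 203.0.113.9:25 DENY
2009-05-19T09:20:13 10.1.2.33 91.207.61.44:80 ALLOW
2009-05-19T08:30:00 10.1.2.77 198.51.100.5:443 ALLOW
2009-05-19T08:31:00 10.1.2.77 198.51.100.5:443 ALLOW
2009-05-19T08:45:30 10.1.2.77 198.51.100.5:443 ALLOW
2009-05-19T09:50:00 10.1.2.77 198.51.100.5:443 ALLOW
"""

def parse(log):
    """Return (timestamp, src, dst_ip, dst_port, action) tuples."""
    events = []
    for line in log.splitlines():
        ts, src, dst, action = line.split()
        ip, port = dst.rsplit(":", 1)
        events.append((datetime.fromisoformat(ts), src, ip, int(port), action))
    return events

def beacon_candidates(events, min_hits=4, max_jitter=0.1):
    """Map (src, dst) -> mean interval in minutes for pairs whose gaps between
    connections are nearly constant (std dev / mean <= max_jitter)."""
    by_pair = {}
    for ts, src, dst, _port, _action in events:
        by_pair.setdefault((src, dst), []).append(ts)
    findings = {}
    for pair, stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings[pair] = round(avg / 60, 1)
    return findings

def blocked_smtp_sources(events):
    """Internal hosts whose outbound port-25 traffic was denied; one that is
    not a mail server is worth reviewing next to the beacon list."""
    return {src for _ts, src, _dst, port, action in events
            if port == 25 and action == "DENY"}
```

Running `beacon_candidates(parse(SAMPLE_LOG))` reports only the 10.1.2.33 to 91.207.61.44 pair at 20.0 minutes; the irregular 10.1.2.77 traffic is not flagged.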