Malware Domain List

Malware Related => Malicious Domains => Topic started by: Winston Smith on May 21, 2009, 09:38:55 pm

Title: Correction to apparent Gozi (Not ZeuS) dropzone at 91.207.61.44
Post by: Winston Smith on May 21, 2009, 09:38:55 pm
As our most able administrator pointed out, this is Gozi, not ZeuS.

http://www.threatexpert.com/report.aspx?md5=a3092655bb7cb93848b0bfa4add91f3c

It is definitely calling home to 91.207.61.44.
Title: Re: apparent ZeuS dropzone at 91.207.61.44
Post by: SysAdMini on May 21, 2009, 09:44:12 pm
Do you have more details? Are you sure about Zeus?
I guess it's Gozi as seen in TE report:

http://www.threatexpert.com/report.aspx?md5=a3092655bb7cb93848b0bfa4add91f3c
Title: Correction Re: apparent ZeuS dropzone at 91.207.61.44
Post by: Winston Smith on May 22, 2009, 02:41:43 pm
The behavior was exactly the same as the other confirmed ZeuS infections I'd been tracking. However, there are some additional elements now that suggest it might be something else.

The machine was reaching out at 20 minute intervals to the drop site and had been doing so for 3 days.

Analysis of the logs on the machine showed the AV software recognized it as a trojan and attempted to clean it, but it could not clean or delete it; it just gave up, so the trojan may be interfering with the AV.

The trojan was parked in the c:\Windows\ directory, not System32.

Infection identified as a JS/Exploit-Iframe (Trojan) parked on a legitimate website.

It also attempted to do a mass mailing of itself off port 25 but was blocked by our rules.

So to answer your question, it probably was not ZeuS. I am dealing with a lot of it right now and this one fit the pattern.
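The two network-level indicators reported in this thread, a host checking in with the drop site at a fixed 20-minute interval for days and a burst of outbound connections on port 25, are both detectable from plain connection logs. The following is an added example, not code from the Malware Domain List thread or from either poster: it parses a constructed firewall-style log (the log format, the internal addresses 10.0.0.x, the mail-relay targets 198.51.100.x and the use of port 80 for the callback are all assumptions; only the address 91.207.61.44 and the ~20 minute interval come from the thread), flags flows whose inter-arrival times are too regular to be human, and flags sources that open SMTP connections to many distinct hosts within a short window.

```python
"""Beacon and outbound-SMTP-burst detection over constructed connection logs.

Added example, not code from the thread above. Every log line is constructed;
the only page-derived values are the drop-site address 91.207.61.44 and the
roughly 20 minute check-in interval the poster observed.
"""
from collections import defaultdict
from datetime import datetime
from statistics import median, pstdev

# Constructed firewall-style connection log: "<ISO time> <src> -> <dst>:<dport>"
# 10.0.0.7 is the assumed infected host; port 80 for the callback is assumed.
SAMPLE_LOG = """\
2009-05-19T08:00:02 10.0.0.7 -> 91.207.61.44:80
2009-05-19T08:20:05 10.0.0.7 -> 91.207.61.44:80
2009-05-19T08:39:58 10.0.0.7 -> 91.207.61.44:80
2009-05-19T09:00:01 10.0.0.7 -> 91.207.61.44:80
2009-05-19T09:20:03 10.0.0.7 -> 91.207.61.44:80
2009-05-19T08:05:00 10.0.0.7 -> 198.51.100.10:25
2009-05-19T08:05:01 10.0.0.7 -> 198.51.100.11:25
2009-05-19T08:05:01 10.0.0.7 -> 198.51.100.12:25
2009-05-19T08:05:02 10.0.0.7 -> 198.51.100.13:25
2009-05-19T08:05:02 10.0.0.7 -> 198.51.100.14:25
2009-05-19T08:05:03 10.0.0.7 -> 198.51.100.15:25
2009-05-19T08:11:40 10.0.0.9 -> 203.0.113.5:443
2009-05-19T08:47:12 10.0.0.9 -> 203.0.113.5:443
2009-05-19T10:02:33 10.0.0.9 -> 203.0.113.5:443
2009-05-19T10:30:00 10.0.0.9 -> 203.0.113.5:443
"""


def parse_log(text):
    """Turn the constructed log into (timestamp, src, dst, port) tuples."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        ts, src, _, dst_port = line.split()
        dst, port = dst_port.rsplit(":", 1)
        events.append((datetime.fromisoformat(ts), src, dst, int(port)))
    return events


def find_beacons(events, min_hits=4, max_jitter=0.1):
    """Return {(src, dst, port): median_gap_seconds} for flows whose gaps are
    regular: standard deviation of the gaps within max_jitter of the median.
    Human browsing of 10.0.0.9 has irregular gaps and is not flagged."""
    by_flow = defaultdict(list)
    for ts, src, dst, port in events:
        by_flow[(src, dst, port)].append(ts)
    beacons = {}
    for flow, times in by_flow.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        med = median(gaps)
        if med > 0 and pstdev(gaps) / med <= max_jitter:
            beacons[flow] = med
    return beacons


def find_smtp_bursts(events, window_seconds=60, min_distinct_dst=5):
    """Return {src: max_distinct_hosts} for sources that open tcp/25
    connections to at least min_distinct_dst different hosts inside a
    sliding window, the mass-mailing pattern the poster blocked at the edge."""
    by_src = defaultdict(list)
    for ts, src, dst, port in events:
        if port == 25:
            by_src[src].append((ts, dst))
    bursts = {}
    for src, conns in by_src.items():
        conns.sort()
        for i, (t0, _) in enumerate(conns):
            window = {d for t, d in conns[i:]
                      if (t - t0).total_seconds() <= window_seconds}
            if len(window) >= min_distinct_dst:
                bursts[src] = max(bursts.get(src, 0), len(window))
    return bursts


def analyze(text):
    """Run both detectors over one log and return their findings."""
    events = parse_log(text)
    return {"beacons": find_beacons(events),
            "smtp_bursts": find_smtp_bursts(events)}


if __name__ == "__main__":
    result = analyze(SAMPLE_LOG)
    for (src, dst, port), gap in result["beacons"].items():
        print(f"beacon: {src} -> {dst}:{port} every ~{gap / 60:.1f} min")
    for src, n in result["smtp_bursts"].items():
        print(f"smtp burst: {src} reached {n} distinct hosts on tcp/25 within 60s")
```

The jitter threshold is the knob that matters: a flow that checks in every 20 minutes with a few seconds of drift has a coefficient of variation near zero, while interactive traffic to the same destination varies by an order of magnitude between visits. On a real log the detector should be run per day with a minimum hit count high enough that a handful of coincidental visits to a busy site cannot trip it.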