Malware Domain List

Malware Related => Tools of the trade / Internet News => Topic started by: SysAdMini on October 07, 2010, 08:58:44 am

Title: Licat/Murofet/Zeus 2.1
Post by: SysAdMini on October 07, 2010, 08:58:44 am
http://blog.trendmicro.com/file-infector-uses-domain-generation-technique-like-downadconficker/
Title: Re: File Infector Uses Domain Generation Technique Like DOWNAD/Conficker
Post by: SysAdMini on October 08, 2010, 04:15:54 pm
Links Between PE_LICAT and ZeuS Confirmed
http://blog.trendmicro.com/links-between-pe_licat-and-zeus-confirmed/
Title: Re: File Infector Uses Domain Generation Technique Like DOWNAD/Conficker
Post by: SysAdMini on October 12, 2010, 03:34:48 pm
ZeuS Ups the Ante with LICAT
http://blog.trendmicro.com/links-between-pe_licat-and-zeus-confirmed/
Title: Re: File Infector Uses Domain Generation Technique Like DOWNAD/Conficker
Post by: SysAdMini on October 15, 2010, 03:59:35 am
Domain Name Generator for Murofet
http://blog.threatexpert.com/2010/10/domain-name-generator-for-murofet.html
Title: Re: File Infector Uses Domain Generation Technique Like DOWNAD/Conficker
Post by: SysAdMini on October 18, 2010, 04:56:43 pm
How Trojan.Zbot.B!inf Uses Crypto API
http://www.symantec.com/connect/blogs/how-trojanzbotbinf-uses-crypto-api
Title: Re: Licat/Murofet/Zeus 2.1
Post by: SysAdMini on October 18, 2010, 08:08:57 pm
Murofet: Domain Generation ala Conficker
http://community.websense.com/blogs/securitylabs/archive/2010/10/14/murofet-domain-generation-ala-conficker.aspx
Title: Re: Licat/Murofet/Zeus 2.1
Post by: SysAdMini on October 20, 2010, 05:11:28 pm
New capabilities of Zeus 2.1
http://www.net-security.org/malware_news.php?id=1501
Quote
New capabilities in Zeus 2.1 include:

URL matching based on a full implementation of the Perl Compatible Regular Expressions (PCRE) library. This allows much more flexibility for Zeus's configuration to define targets. For example, Zeus can now target all URLs that start with “https” and then zero in on those that contain specific digits and keywords. Earlier Zeus versions had a primitive regular expression implementation which provided very little flexibility in specifying target URLs.

The injection mechanism (Zeus’s main “work horse”) now uses sophisticated regular expressions based on PCRE as well, which helps avoid detection. It can target individual web pages with elaborate injections, while not injecting into other pages. This surgical injection method creates more convincing pages and can target more banks using a single attack.

Zeus now has a fine-grained "grabbing" mechanism, again based on PCRE, which can extract very specific areas of the page (e.g. the account balance) and report them to the C&C host. The grab mechanism provides an efficient way of collecting user data (such as account balance), as opposed to the cumbersome and wasteful way (supported by earlier Zeus variants) of having to copy the full page.

As other researchers have already pointed out, Zeus 2.1 completely changed the way it communicated with its Command & Control (C&C) servers, with a daily list of hundreds of C&C hostnames through which it cycles trying to find a live one, which is a considerable improvement over the previous scheme.

Zeus has added a 1024-bit RSA public key, which will probably be used for one-way encryption of data and authenticating the C&C server to Zeus clients.
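The quoted article describes the new C&C scheme only in outline: one deterministic list of hundreds of hostnames per day, through which the bot cycles until one resolves. The example below is added here to show the defender's side of that design and is not code from the article, the post, or any of the linked vendor write-ups. The domain generator in it is a hypothetical stand-in (SHA-256 over the date and a counter, mapped to twelve lowercase letters under a fixed TLD); it is NOT the Licat/Murofet algorithm, which the ThreatExpert post linked above documents. The DNS log format, timestamps, client addresses and hostnames are all constructed. The point it illustrates is that a date-seeded scheme cuts both ways: whoever knows the algorithm can precompute the day's list and match it against resolver logs (or sinkhole the names), and a generic entropy check on the leftmost label catches some of what an exact list misses.

```python
import hashlib
import math
import re
from collections import Counter

# Constructed stand-in for a date-seeded DGA. It is NOT the Licat/Murofet
# algorithm; it only reproduces the shape of the scheme described in the
# article: one deterministic list per day, hundreds of candidate hostnames.
TLD = ".com"
LABEL_LEN = 12
DOMAINS_PER_DAY = 300


def generate_domains(seed_day: str, count: int = DOMAINS_PER_DAY) -> list[str]:
    """Return the candidate C&C hostnames for an ISO date string such as '2010-10-20'."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(f"{seed_day}:{i}".encode()).digest()
        # Map the first LABEL_LEN digest bytes onto lowercase letters.
        label = "".join(chr(ord("a") + b % 26) for b in digest[:LABEL_LEN])
        domains.append(label + TLD)
    return domains


def shannon_entropy(text: str) -> float:
    """Bits per character; a label of all-distinct letters scores log2(len(text))."""
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


# Constructed log format: "<timestamp> <client-ip> query <qname>"
LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+query\s+(?P<qname>\S+)$")
# Tuned for LABEL_LEN-letter labels: random letters sit near 3.3-3.6 bits,
# dictionary-like labels such as "onlinebanking" sit below 3.0.
ENTROPY_THRESHOLD = 3.2


def scan_dns_log(lines, seed_day: str) -> list[tuple[str, str, str]]:
    """Return (client, qname, reason) for each query that looks like DGA traffic.

    Two signals, strongest first: an exact match against the precomputed list
    for the day, then a generic high-entropy-label heuristic for names the
    list does not cover (a different seed, an unknown variant).
    """
    known = set(generate_domains(seed_day))
    findings = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip it rather than abort the scan
        qname = m["qname"].lower().rstrip(".")
        label = qname.split(".")[0]
        if qname in known:
            findings.append((m["client"], qname, "precomputed-dga-list"))
        elif len(label) >= LABEL_LEN and shannon_entropy(label) > ENTROPY_THRESHOLD:
            findings.append((m["client"], qname, "high-entropy-label"))
    return findings


if __name__ == "__main__":
    day = "2010-10-20"  # constructed date, chosen to match the post
    todays = generate_domains(day)
    # Constructed sample log: one hit from the list, one random-looking label,
    # and two benign queries that must not be flagged.
    sample_log = [
        f"2010-10-20T09:01:02Z 10.0.0.17 query {todays[42]}.",
        "2010-10-20T09:01:03Z 10.0.0.17 query xqzvkpwjhtbd.com.",
        "2010-10-20T09:01:04Z 10.0.0.23 query www.example.com.",
        "2010-10-20T09:01:05Z 10.0.0.23 query onlinebanking.example.",
    ]
    for client, qname, reason in scan_dns_log(sample_log, day):
        print(f"{client} -> {qname} [{reason}]")
```

The exact-list match is the signal worth acting on; the entropy heuristic is noisy on real resolver data (CDN and cloud hostnames produce random-looking labels too) and is included only to show why vendors bother to reverse the generator rather than rely on statistics. A hostname from the list that also resolves is the one to treat as a live C&C candidate, since the bot itself discards the ones that do not.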
Title: Re: Licat/Murofet/Zeus 2.1
Post by: SysAdMini on November 21, 2011, 06:55:27 pm
Murofet v2.0 (ZeuS P2P)
http://securityblog.s21sec.com/2011/11/murofet-v20-zeus-p2p.html