Open Bug 517203 Opened 11 years ago Updated 5 years ago
investigate and protect firefox users from Zues/Zeus, Zbot, WSNPOEM, NTOS malware attacks
This recently released trusteer report claims Zues is the most common form of financial malware attacks on browser users. http://www.businesswire.com/portal/site/google/?ndmViewId=news_view&newsId=20090916005509&newsLang=en Zues root kits appear to be for sale for $700 a copy http://ddanchev.blogspot.com/2008/04/crimeware-in-middle-zeus.html and strangely they come with an end-user agreement http://news.digitaltrends.com/news-article/16537/zeus-malware-has-end-user-agreement Behaviors/features of the malware include -listening in on the submission of forms in the browser, -the ability to take screenshots of a victim's machine, -control the machine remotely -add additional content to web pages -steal passwords that have been stored by the browser or popular programs I took a quick look for instances of Zues, Zbot, WSNPOEM, NTOS in crash signatures but nothing has turned up yet. cww, we should also sample module lists from a collection of crash reports to see if we can find instances of these dll's or any others assoicated with this malware running on firefrox users machines.
possible user doc needed if we can learn more about if, and how, this is attacking firefox and methods to remove.
I have no hits for Zues, Zbot, WSNPOEM, NTOS, Zeus in module lists of 50K crash reports. http://ddanchev.blogspot.com/2008/04/crimeware-in-middle-zeus.html suggests it has an arbitrary file size and probably an arbitrary file name. I also don't know if it loads in the browser or at the OS level.
I'm not sure I know what the .dll names look like yet. more research needed on that. In this first round it sounds like the likely candidates such as Zues.dll, Zbot.dll, WSNPOEM.dll, NTOS.dll aren't turning up. We need some more research to figure out other possible names of .dll's that might get loaded or how the malware attacks the browser. not sure I have cycles for that right now, but I wanted to get this bug on file for follow up. if anyone wants to pitch in with more research from symantec, or the other virus info sites on how this thing works, the profile of what it looks like on your system, or what other specific behaviors might be involved.
Summary: investigate and protect firefox users from Zues, Zbot, WSNPOEM, NTOS malware attacks → investigate and protect firefox users from Zues/Zeus, Zbot, WSNPOEM, NTOS malware attacks
this page offers up some .dll/exe names http://www.spywareremove.com/removeTrojanZbot.html msrcek32.exe %SYSTEMROOT%\system32\sdra64.exe sdra64.exe twex.exe %SYSTEMROOT%\system32\hqdh60cr.exe %SYSTEMROOT%\system32\tgl676s3.exe %SYSTEMROOT%\system32\0n2gah0g.exe twex.exe %SYSTEMROOT%\system32\sdra64.exe %SYSTEMROOT%\system32\hqdh60cr.exe %SYSTEMROOT%\system32\tgl676s3.exe %SYSTEMROOT%\system32\0n2gah0g.exe 65791.exe
not seeing any of those showing up in spot checks of signatures and module data
another round of reporting on trusteer research. As far as I can tell no other AV company has confirmed this outbreak. IT PRO New Zeus trojan targets Firefox online banking users IT PRO Previous versions of the malware were unable to bypass the security used by Mozilla's browser. The Trusteer Rapport service had detected the ... See all stories on this topic http://www.itpro.co.uk/622609/new-zeus-trojan-targets-firefox-online-banking-users New Zeus version targeting Firefox users for bank fraud Secure Computing In an email sent to SCMagazineUS.com, a spokesperson at Mozilla said that Zeus is not exploiting a vulnerability within Firefox, but is installed once a ... http://www.securecomputing.net.au/News/172756,new-zeus-version-targeting-firefox-users-for-bank-fraud.aspx See all stories on this topic Bank theft Trojan aims at Firefox users Techworld.com By John E. Dunn | Techworld The world's most feared banking Trojan, Zeus, is going after Mozilla Firefox users for the first time, security company Trusteer ... http://news.techworld.com/security/3221233/bank-theft-trojan-aims-at-firefox-users/?intcmp=nws-hm-l See also http://www.securitywatch.co.uk/2010/04/12/trusteer-warns-of-pdf-malware-attacks/ one good defense for this is blocking suggested in bug 548002 I'm checking crash data and it does look like an increase in x86dll.dll crashes which has been associated with other forms of malware, but I'm not sure how this correlates to general user growth or other factors.
Depends on: 548002
we were at around 200 crashes per day at the beginning of the year, and now around 800. definite uptick in x86dll crash volume starting around the beinging of march, jump on march 15, and continued steady increase since then.
that chart in comment 8 might not be and accurate refelction of malware problems. the query also picked up signatures that looked like scxpx86.dll which is the symantec IPS Script Engine DLL or possible malware that replaces it. distribution of *x86dll.dll crashes for yesterday looks like. signature list 789 Scxpx86.dll@0x47629 17 Scxpx86.dll@0x46ff9 6 Scxpx86.dll@0x53797 6 Scxpx86.dll@0x46f49 4 70E274C8.x86.dll@0x2ae9 2 Scxpx86.dll@0x5e011 2 Scxpx86.dll@0x3ef42 1 memcpy | @0xe62366 | @0xe62775 | CE5A7A00.x86.dll@0x28a3 1 Scxpx86.dll@0x6f1fd 1 Scxpx86.dll@0x1b307 1 Scxpx86.dll@0x12450 1 Scxpx86.dll@0x11181 1 897CB85C.x86.dll@0x2f64 1 054266B9.x86.dll@0x4182
You need to log in before you can comment on or make changes to this bug.