Open Bug 517203 Opened 11 years ago Updated 5 years ago

investigate and protect firefox users from Zues/Zeus, Zbot, WSNPOEM, NTOS malware attacks

Categories: Firefox :: Security, defect; 3.5 Branch; x86; Windows XP; defect; Not set
People: Reporter: chofmann, Unassigned
References: Blocks 1 open bug
Details: Keywords: user-doc-needed
Attachments: 1 file

This recently released Trusteer report claims Zeus is the most common form of financial malware attacking browser users.

http://www.businesswire.com/portal/site/google/?ndmViewId=news_view&newsId=20090916005509&newsLang=en

Zeus rootkits appear to be for sale for $700 a copy:
http://ddanchev.blogspot.com/2008/04/crimeware-in-middle-zeus.html

and, strangely, they come with an end-user agreement:
http://news.digitaltrends.com/news-article/16537/zeus-malware-has-end-user-agreement

Behaviors/features of the malware include:

- listening in on the submission of forms in the browser
- the ability to take screenshots of a victim's machine
- controlling the machine remotely
- adding additional content to web pages
- stealing passwords that have been stored by the browser or popular programs

I took a quick look for instances of Zues, Zbot, WSNPOEM, NTOS in crash signatures but nothing has turned up yet. cww, we should also sample module lists from a collection of crash reports to see if we can find instances of these DLLs, or any others associated with this malware, running on Firefox users' machines.
Possible user doc needed if we can learn more about if, and how, this is attacking Firefox, and methods to remove it.
Keywords: user-doc-needed
I have no hits for Zues, Zbot, WSNPOEM, NTOS, Zeus in module lists of 50K crash reports. http://ddanchev.blogspot.com/2008/04/crimeware-in-middle-zeus.html suggests it has an arbitrary file size and probably an arbitrary file name. I also don't know if it loads in the browser or at the OS level.
I'm not sure I know what the .dll names look like yet. More research needed on that. In this first round it sounds like the likely candidates such as Zues.dll, Zbot.dll, WSNPOEM.dll, NTOS.dll aren't turning up. We need some more research to figure out other possible names of DLLs that might get loaded, or how the malware attacks the browser.

Not sure I have cycles for that right now, but I wanted to get this bug on file for follow-up. If anyone wants to pitch in with more research from Symantec or the other virus info sites on how this thing works, the profile of what it looks like on your system, or what other specific behaviors might be involved.
Summary: investigate and protect firefox users from Zues, Zbot, WSNPOEM, NTOS malware attacks → investigate and protect firefox users from Zues/Zeus, Zbot, WSNPOEM, NTOS malware attacks
This page offers up some .dll/.exe names:

http://www.spywareremove.com/removeTrojanZbot.html

msrcek32.exe
%SYSTEMROOT%\system32\sdra64.exe
sdra64.exe
twex.exe
%SYSTEMROOT%\system32\hqdh60cr.exe
%SYSTEMROOT%\system32\tgl676s3.exe
%SYSTEMROOT%\system32\0n2gah0g.exe

65791.exe
Not seeing any of those showing up in spot checks of signatures and module data.
Another round of reporting on Trusteer research. As far as I can tell no other AV company has confirmed this outbreak.

IT PRO: New Zeus trojan targets Firefox online banking users
Previous versions of the malware were unable to bypass the security used by Mozilla's browser. The Trusteer Rapport service had detected the ...
http://www.itpro.co.uk/622609/new-zeus-trojan-targets-firefox-online-banking-users

Secure Computing: New Zeus version targeting Firefox users for bank fraud
In an email sent to SCMagazineUS.com, a spokesperson at Mozilla said that Zeus is not exploiting a vulnerability within Firefox, but is installed once a ...
http://www.securecomputing.net.au/News/172756,new-zeus-version-targeting-firefox-users-for-bank-fraud.aspx

Techworld.com: Bank theft Trojan aims at Firefox users
By John E. Dunn | Techworld. The world's most feared banking Trojan, Zeus, is going after Mozilla Firefox users for the first time, security company Trusteer ...
http://news.techworld.com/security/3221233/bank-theft-trojan-aims-at-firefox-users/?intcmp=nws-hm-l

See also:
http://www.securitywatch.co.uk/2010/04/12/trusteer-warns-of-pdf-malware-attacks/


One good defense for this is the blocking suggested in bug 548002.

I'm checking crash data and it does look like an increase in x86dll.dll crashes, which have been associated with other forms of malware, but I'm not sure how this correlates to general user growth or other factors.
Depends on: 548002
We were at around 200 crashes per day at the beginning of the year, and now around 800.

Definite uptick in x86dll crash volume starting around the beginning of March, a jump on March 15, and a continued steady increase since then.
OS: Mac OS X → Windows XP
That chart in comment 8 might not be an accurate reflection of malware problems. The query also picked up signatures that looked like scxpx86.dll, which is the Symantec IPS Script Engine DLL, or possibly malware that replaces it.

Distribution of *x86dll.dll crashes for yesterday looks like this:

signature list
 789 Scxpx86.dll@0x47629
  17 Scxpx86.dll@0x46ff9
   6 Scxpx86.dll@0x53797
   6 Scxpx86.dll@0x46f49
   4 70E274C8.x86.dll@0x2ae9
   2 Scxpx86.dll@0x5e011
   2 Scxpx86.dll@0x3ef42
   1 memcpy | @0xe62366 | @0xe62775 | CE5A7A00.x86.dll@0x28a3
   1 Scxpx86.dll@0x6f1fd
   1 Scxpx86.dll@0x1b307
   1 Scxpx86.dll@0x12450
   1 Scxpx86.dll@0x11181
   1 897CB85C.x86.dll@0x2f64
   1 054266B9.x86.dll@0x4182
More on the Scxpx86.dll issues over in Bug 516112.
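The module-list search proposed earlier in this bug and the *x86dll.dll signature triage in the comment above could be automated along these lines. This is an added example, not code from the bug or from Mozilla's crash-reporting tooling: the watch-list names are the ones quoted in this bug, the sample inputs are constructed, and treating "eight hex digits + .x86.dll" as the suspicious shape is an assumption drawn from the entries in the signature list.

```python
import re
from collections import Counter

# Filenames quoted in this bug for Zbot (the spywareremove.com list); a watch-list only
ZBOT_NAMES = {"msrcek32.exe", "sdra64.exe", "twex.exe", "hqdh60cr.exe",
              "tgl676s3.exe", "0n2gah0g.exe", "65791.exe"}
# Symantec IPS Script Engine DLL: a legitimate module that a '*x86dll.dll' query also matches
KNOWN_LEGIT = {"scxpx86.dll"}
# Eight hex digits + '.x86.dll' (e.g. 70E274C8.x86.dll): assumed shape of the suspicious entries
HEX_X86 = re.compile(r"^[0-9a-f]{8}\.x86\.dll$", re.I)
# One line of the '<count> <signature>' list as posted on this bug
SIG_LINE = re.compile(r"^\s*(\d+)\s+(.+?)\s*$")

def classify_module(name):
    """Bucket a module name; a leading Windows path (e.g. under system32) is stripped."""
    n = name.lower().rsplit("\\", 1)[-1]
    if n in KNOWN_LEGIT:
        return "legit"
    if n in ZBOT_NAMES:
        return "zbot-watchlist"
    if HEX_X86.match(n):
        return "random-hex-x86dll"
    return "other"

def modules_in_signature(sig):
    """Module names from frames like 'memcpy | @0xe62366 | CE5A7A00.x86.dll@0x28a3'."""
    mods = []
    for frame in sig.split("|"):
        mod = frame.strip().split("@0x", 1)[0]
        if "@0x" in frame and mod:          # a bare '@0xe62366' frame has no module name
            mods.append(mod)
    return mods

def triage_signatures(text):
    """Sum crash counts per module class over a '<count> <signature>' list."""
    per_class = Counter()
    for line in text.splitlines():
        m = SIG_LINE.match(line)
        if m:
            for mod in modules_in_signature(m.group(2)):
                per_class[classify_module(mod)] += int(m.group(1))
    return per_class

def flag_modules(module_list):
    """Entries of one crash report's module list that hit the watch-list or look suspicious."""
    return [(m, classify_module(m)) for m in module_list if classify_module(m) != "other"]

# Constructed sample in the shape of the signature list posted on this bug
SAMPLE_SIGNATURES = """\
 789 Scxpx86.dll@0x47629
   4 70E274C8.x86.dll@0x2ae9
   1 memcpy | @0xe62366 | @0xe62775 | CE5A7A00.x86.dll@0x28a3
"""
# Constructed module list for one crash report (xul.dll and nspr4.dll are ordinary Firefox modules)
SAMPLE_MODULES = ["xul.dll", r"%SYSTEMROOT%\system32\sdra64.exe", "nspr4.dll", "Scxpx86.dll"]
```

Running triage_signatures over the full list in the comment above separates the Symantec crashes from the hex-named modules, which is the split the comment says the original *x86dll.dll query did not make.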
See Also: → 517203