investigate and protect firefox users from Zues/Zeus, Zbot, WSNPOEM, NTOS malware attacks

Status: NEW
Assigned to: Unassigned
Product: Firefox
Component: Security
Reported: 8 years ago
Last updated: 3 years ago

People: Reporter: chris hofmann; Assignee: Unassigned

Tracking: Blocks 1 bug; Keywords: user-doc-needed
Version: 3.5 Branch
Hardware: x86
OS: Windows XP
Firefox Tracking Flags: Not tracked

Attachments: 1 attachment

(Reporter)

Description

8 years ago
This recently released Trusteer report claims Zeus is the most common form of financial malware attack on browser users.

http://www.businesswire.com/portal/site/google/?ndmViewId=news_view&newsId=20090916005509&newsLang=en

Zeus rootkits appear to be for sale for $700 a copy:
http://ddanchev.blogspot.com/2008/04/crimeware-in-middle-zeus.html

and, strangely, they come with an end-user agreement:
http://news.digitaltrends.com/news-article/16537/zeus-malware-has-end-user-agreement

Behaviors/features of the malware include:

- listening in on the submission of forms in the browser
- the ability to take screenshots of a victim's machine
- controlling the machine remotely
- adding additional content to web pages
- stealing passwords that have been stored by the browser or popular programs

I took a quick look for instances of Zues, Zbot, WSNPOEM, NTOS in crash signatures but nothing has turned up yet. cww, we should also sample module lists from a collection of crash reports to see if we can find instances of these DLLs, or any others associated with this malware, running on Firefox users' machines.
(Reporter)

Comment 1

8 years ago
Possible user doc needed if we can learn more about whether, and how, this is attacking Firefox, and methods to remove it.
Keywords: user-doc-needed

Comment 3

8 years ago
I have no hits for Zues, Zbot, WSNPOEM, NTOS, Zeus in module lists of 50K crash reports. http://ddanchev.blogspot.com/2008/04/crimeware-in-middle-zeus.html suggests it has an arbitrary file size and probably an arbitrary file name. I also don't know if it loads in the browser or at the OS level.
(Reporter)

Comment 4

8 years ago
I'm not sure I know what the .dll names look like yet. More research needed on that. In this first round it sounds like the likely candidates such as Zues.dll, Zbot.dll, WSNPOEM.dll, NTOS.dll aren't turning up. We need some more research to figure out other possible names of .dlls that might get loaded, or how the malware attacks the browser.

Not sure I have cycles for that right now, but I wanted to get this bug on file for follow-up. If anyone wants to pitch in with more research from Symantec, or the other virus info sites, on how this thing works, the profile of what it looks like on your system, or what other specific behaviors might be involved.
Summary: investigate and protect firefox users from Zues, Zbot, WSNPOEM, NTOS malware attacks → investigate and protect firefox users from Zues/Zeus, Zbot, WSNPOEM, NTOS malware attacks
(Reporter)

Comment 5

8 years ago
This page offers up some .dll/.exe names:

http://www.spywareremove.com/removeTrojanZbot.html

msrcek32.exe
sdra64.exe
%SYSTEMROOT%\system32\sdra64.exe
twex.exe
%SYSTEMROOT%\system32\hqdh60cr.exe
%SYSTEMROOT%\system32\tgl676s3.exe
%SYSTEMROOT%\system32\0n2gah0g.exe
65791.exe
(Reporter)

Comment 6

8 years ago
Not seeing any of those showing up in spot checks of signatures and module data.
(Reporter)

Comment 7

8 years ago
Another round of reporting on Trusteer research. As far as I can tell no other AV company has confirmed this outbreak.

IT PRO: New Zeus trojan targets Firefox online banking users
"Previous versions of the malware were unable to bypass the security used by Mozilla's browser. The Trusteer Rapport service had detected the ..."
http://www.itpro.co.uk/622609/new-zeus-trojan-targets-firefox-online-banking-users

Secure Computing: New Zeus version targeting Firefox users for bank fraud
"In an email sent to SCMagazineUS.com, a spokesperson at Mozilla said that Zeus is not exploiting a vulnerability within Firefox, but is installed once a ..."
http://www.securecomputing.net.au/News/172756,new-zeus-version-targeting-firefox-users-for-bank-fraud.aspx

Techworld.com: Bank theft Trojan aims at Firefox users
"By John E. Dunn | Techworld. The world's most feared banking Trojan, Zeus, is going after Mozilla Firefox users for the first time, security company Trusteer ..."
http://news.techworld.com/security/3221233/bank-theft-trojan-aims-at-firefox-users/?intcmp=nws-hm-l

See also
http://www.securitywatch.co.uk/2010/04/12/trusteer-warns-of-pdf-malware-attacks/


One good defense for this is the blocking suggested in bug 548002.

I'm checking crash data, and it does look like an increase in x86dll.dll crashes, which have been associated with other forms of malware, but I'm not sure how this correlates with general user growth or other factors.
Depends on: 548002
(Reporter)

Comment 8

8 years ago
Created attachment 440802: year to date x86dll crash volume

We were at around 200 crashes per day at the beginning of the year, and now around 800.

Definite uptick in x86dll crash volume starting around the beginning of March, a jump on March 15, and a continued steady increase since then.
(Reporter)

Updated

8 years ago
OS: Mac OS X → Windows XP
(Reporter)

Comment 9

8 years ago
That chart in comment 8 might not be an accurate reflection of malware problems. The query also picked up signatures that looked like Scxpx86.dll, which is the Symantec IPS Script Engine DLL, or possibly malware that replaces it.

Distribution of *x86dll.dll crashes for yesterday looks like this:

signature list
 789 Scxpx86.dll@0x47629
  17 Scxpx86.dll@0x46ff9
   6 Scxpx86.dll@0x53797
   6 Scxpx86.dll@0x46f49
   4 70E274C8.x86.dll@0x2ae9
   2 Scxpx86.dll@0x5e011
   2 Scxpx86.dll@0x3ef42
   1 memcpy | @0xe62366 | @0xe62775 | CE5A7A00.x86.dll@0x28a3
   1 Scxpx86.dll@0x6f1fd
   1 Scxpx86.dll@0x1b307
   1 Scxpx86.dll@0x12450
   1 Scxpx86.dll@0x11181
   1 897CB85C.x86.dll@0x2f64
   1 054266B9.x86.dll@0x4182
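The two checks run in this thread are a known-file-name scan over crash-report module lists (comments 3 to 6) and a tally of *x86dll.dll crash signatures that turned out to be inflated by the legitimate Symantec Scxpx86.dll module (comment 9). The following Python is an added example, not Mozilla's crash-reporting (Socorro) code and not part of this bug, that performs both over a constructed handful of crash records. The indicator list is the set of file names quoted from spywareremove.com in comment 5; the record layout, the sample crashes and the allow-list of known-good modules are assumptions made for the example.

```python
"""Added example (not Mozilla crash-reporting code): scan crash-report module
lists for the Zbot file names quoted in comment 5, and tally unsymbolised
*x86.dll crash signatures while allow-listing the Symantec Scxpx86.dll module
that comment 9 found inflating the count."""
import re
from collections import Counter

# Indicator file names as quoted from spywareremove.com in comment 5.
# Comment 3 notes the malware probably uses arbitrary names, so a miss
# here is not evidence of absence.
ZBOT_INDICATORS = {
    "msrcek32.exe", "sdra64.exe", "twex.exe", "hqdh60cr.exe",
    "tgl676s3.exe", "0n2gah0g.exe", "65791.exe",
}

# Assumed allow-list: legitimate modules whose names also end in "x86.dll".
KNOWN_GOOD_MODULES = {"scxpx86.dll"}  # Symantec IPS Script Engine DLL

# Constructed sample records: (crash_id, signature, [loaded module paths]).
# Signatures follow the "module@0xoffset" and "frame | frame" forms in comment 9.
SAMPLE_CRASHES = [
    ("c1", "Scxpx86.dll@0x47629",
     [r"C:\WINDOWS\system32\kernel32.dll", r"C:\Program Files\Symantec\Scxpx86.dll"]),
    ("c2", "70E274C8.x86.dll@0x2ae9",
     [r"C:\WINDOWS\system32\70E274C8.x86.dll", r"C:\WINDOWS\system32\ntdll.dll"]),
    ("c3", "nsAppShell::Run",
     [r"C:\WINDOWS\system32\SDRA64.EXE", r"C:\Program Files\Mozilla Firefox\xul.dll"]),
    ("c4", "Scxpx86.dll@0x46ff9",
     [r"C:\Program Files\Symantec\Scxpx86.dll"]),
    ("c5", "memcpy | @0xe62366 | @0xe62775 | CE5A7A00.x86.dll@0x28a3",
     [r"C:\WINDOWS\system32\CE5A7A00.x86.dll"]),
]


def module_basename(path):
    """Lower-cased file name from a Windows (or POSIX) module path."""
    return re.split(r"[\\/]", path)[-1].lower()


def find_indicator_hits(crashes, indicators=ZBOT_INDICATORS):
    """Map crash_id -> sorted indicator file names loaded in that process.

    Matching is on the lower-cased basename, so %SYSTEMROOT% prefixes and
    case differences (SDRA64.EXE vs sdra64.exe) do not cause misses."""
    wanted = {name.lower() for name in indicators}
    hits = {}
    for crash_id, _signature, modules in crashes:
        matched = sorted({module_basename(m) for m in modules} & wanted)
        if matched:
            hits[crash_id] = matched
    return hits


# One unsymbolised frame: "<module>.dll@0x<hex offset>".
UNSYMBOLISED_FRAME_RE = re.compile(r"^(?P<module>[^@\s|]+\.dll)@0x[0-9a-f]+$",
                                   re.IGNORECASE)


def x86dll_module(signature):
    """Return the lower-cased module name if any frame of the signature is an
    unsymbolised offset into a module whose name ends in 'x86.dll', else None."""
    for frame in signature.split("|"):
        m = UNSYMBOLISED_FRAME_RE.match(frame.strip())
        if m and m.group("module").lower().endswith("x86.dll"):
            return m.group("module").lower()
    return None


def tally_x86dll_crashes(crashes, known_good=KNOWN_GOOD_MODULES):
    """Split *x86.dll signature crashes into (known_good_counts, suspect_counts).

    Comment 9's raw query counted Scxpx86.dll alongside the random-looking
    <8 hex>.x86.dll modules; separating them keeps the AV DLL out of the
    malware trend line."""
    good, suspect = Counter(), Counter()
    for _crash_id, signature, _modules in crashes:
        module = x86dll_module(signature)
        if module is None:
            continue
        (good if module in known_good else suspect)[module] += 1
    return dict(good), dict(suspect)


if __name__ == "__main__":
    print("indicator hits:", find_indicator_hits(SAMPLE_CRASHES))
    good, suspect = tally_x86dll_crashes(SAMPLE_CRASHES)
    print("known-good x86.dll crashes:", good)
    print("suspect x86.dll crashes:", suspect)
```

On the constructed sample only crash c3 loads an indicator (sdra64.exe, matched despite the upper-case path), and the signature tally puts the two Scxpx86.dll crashes in the known-good bucket while the two random-looking <8 hex>.x86.dll modules stay in the suspect bucket, which is the split comment 9 says the original *x86dll.dll query lacked.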
(Reporter)

Comment 10

8 years ago
More on the Scxpx86.dll issues over in Bug 516112.
See Also: → bug 517203