The Security Pub

Random Thoughts About Security

ZBot Removal Tool

ZBot (also known as Zeus, ZeusBot or WSNPoem, Gorhax and Kneber) is a Trojan created to steal sensitive information from compromised computers. ZBot focuses mainly on the online banking credentials that unsuspecting users enter to access a financial organization's website, but it also monitors system information to obtain additional authentication credentials. Some of the newer variants do even more: they gather visited website history and other data the user enters online, while at the same time taking screen shots.

To help with this, BitDefender has created a ZBot Removal Tool which checks users’ computers and detects and eliminates most of the ZBot variants spotted in the wild.

Conficker and Taterf will be with us for a while

USA Today’s Byron Acohido is reporting that the Conficker and Taterf worms continue to spread. Conficker is building a botnet, propagating through network shares and devices that use USB ports. Taterf, the product of a malware tool kit, is aimed at stealing log-in information from on-line games. The malicious operators sell the log-in information to others, who take over the compromised gamers’ accounts for virtual goods that can be sold to other gamers.

Standard precautions can prevent the two from infecting machines: running a good anti-malware application and keeping current with updates and patches. Turning off the “autorun” feature in Windows also can stop the propagation through USB ports.

USA Today quoted Sunbelt Chief Technology Officer Eric Sites in the story. He told them “The sad fact is worms and viruses would be wiped out if everyone used best security practices.”

Read the article

Zeus Trojan being spread through an IRS Scam

There is another Internal Revenue Service (IRS) scam spreading across the internet and landing in users’ mailboxes. This scam is different from the one that circulates during tax season. What makes this campaign particularly ugly is that the malware that accompanies the fake IRS messages is a variant of the hard-to-detect Zeus Trojan. This software breaks into bank accounts and drains them of money as part of a widespread financial fraud scheme.

Here are some tips to help identify the scam:

  • All IRS web page addresses begin with http://www.irs.gov. Phishing/Scam emails will have an address other than that, an example might be http://ww4.irs.com. You can mouse over the link and see what it leads to, but whatever you do, don’t click on it!
  • Do not follow unsolicited web links in email messages.  Clicking a link in a phishing/scam email typically takes you to a fake website.  The phishing site is designed to look just like the company’s real website.
  • If you receive a suspicious email we recommend you simply delete it or contact system support or a security administrator.
  • Look for signs of security. Real corporate websites use secure, encrypted web pages any time their customers are asked to send personal and financial information over the internet.
    • Look for https:// in the web address. The “s” stands for “secure”.
    • Also, look for a locked padlock icon in the lower part of your browser window. The locked padlock icon indicates the site is encrypted, which means your data is protected when you send it over the Internet. If you don’t see these signs, then the site could be a scam.
  • Most phishing/scam messages contain typos.
  • Look at the copyright at the bottom of the message. If it states “Internal Revenue Service U.S.A.”, this is clearly incorrect, because “U.S.A.” is not printed at the end of government correspondence for any agency.
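The link, subject and footer tips above can be checked mechanically. The following is an added example written for this post (not code from the post or from the IRS or CERT); the message it inspects is a constructed sample, and the hostname check shows why the domain must be parsed rather than searched for as text.

```python
from urllib.parse import urlparse

# The post states that genuine IRS web addresses are under www.irs.gov.
IRS_DOMAIN = "irs.gov"


def link_is_irs(url: str) -> bool:
    """True only if the link's hostname is irs.gov or a subdomain of it.

    Parsing the hostname, instead of searching for the text 'irs.gov',
    rejects look-alikes such as ww4.irs.com (the post's example),
    www.irs.gov.example.net and http://www.irs.gov@evil.example, all of
    which contain the expected text somewhere in the URL.
    """
    host = urlparse(url).hostname  # drops userinfo, port and path
    if not host:
        return False
    host = host.lower()
    return host == IRS_DOMAIN or host.endswith("." + IRS_DOMAIN)


def scam_indicators(subject: str, body: str, links: list[str]) -> list[str]:
    """Return the tips from the post that a message trips, as short tags."""
    hits = []
    if "underreported income" in subject.lower():
        hits.append("subject matches the known campaign")
    for url in links:
        if not link_is_irs(url):
            hits.append("non-IRS link: " + url)
    if "internal revenue service u.s.a." in body.lower():
        hits.append("bogus 'U.S.A.' copyright footer")
    return hits


# Constructed sample message (not a real spam), built to trip all three checks.
SAMPLE = {
    "subject": "Notice of Underreported Income",
    "links": ["http://ww4.irs.com/underreported"],
    "body": "Please review your account.\n\nInternal Revenue Service U.S.A.",
}


def check_sample() -> list[str]:
    return scam_indicators(SAMPLE["subject"], SAMPLE["body"], SAMPLE["links"])


if __name__ == "__main__":
    for tag in check_sample():
        print(tag)
```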

These spam emails contain a subject line of “Notice of Underreported Income.”

If users follow a link in the spam or open an attachment, they get infected with the Zeus Trojan.

CERT advisory here.

IRS SPAM

What ever happened to the Conficker worm?

The Conficker worm is still lurking around the internet four months after nothing happened on the 1st of April; it has infiltrated millions of Windows machines and continues to update itself. What is Conficker waiting for? The attacks on Twitter and Facebook earlier this month have raised researchers’ concerns that Conficker may be controlled by a foreign intelligence or military agency.

Read the original story in The New York Times.