ZeuS...Alive and Well

Despite reports that the ZeuS author is getting out of the scene, hackers will probably use the ZeuS kit for awhile. Without support, ZeuS won't be getting new features like Zitmo to keep up with banking defenses but ZeuS can still be crypted and packed to continue to evade anti-virus and get onto user's PCs. Eventually, we will start seeing more use of SpyEye (will it be ZeuSpy or SpyZeuS) and other banking Trojans to fill the void.

Today I researched a ZeuS infection. The PC made a connection to the C&C server. If you've ever played with this kit, you'll know where the control panel is located.

I won't bruteforce the login so this screen may be all I'll ever see of the control panel. However, there's a couple of other places we can check out that are fairly common to ZeuS kits, if you know where to look.

Because of how the webserver and kit was setup, we are lucky to see the logs that hold the victim's website logins and cookies. I counted over 300 victims that appear to have been compromised in just the past three days.

Here are two of those victim's log files. You'll see info about their computer and the login credentials of their banking sites.

The first fellow had a very weak password while the second fellow had a very strong password. In the end, the account with the strong password was just as vulnerable as the one with the weak password.

Posted on: 11/20/2010