2010
04.29

Today, Steven Adair from Shadowserver informed us about a new piece of malware that looks like a new version of the infamous Storm Worm. Storm was one of the first serious peer-to-peer botnets; it was sending out spam for more than two years until its decline in late 2008. Mark Schloesser, Tillmann Werner, Georg Wicherski, and I did some work on how to take down Storm back then, so the rumors about a new version caught our interest. Mark, Tillmann, and I started to take the sample apart, and it looks very much like Storm indeed. It even uses the same configuration file, stored under C:\WINDOWS\herjek.config (the same filename as used by the last Storm version), but as the command-and-control channel has been replaced with an HTTP based version, there is no peer list included anymore.

A Breeze of Storm | The Honeynet Project.

Good job, guys!

2010
04.27

This time, the malware upholds its notorious reputation with a new version related to previous detections TSPY_ZBOT.CRM and TSPY_ZBOT.CQJ.

ZBOT variants steal account credentials when users visit various social networking, online shopping, and bank-related websites. They have rapidly become popular tools for cybercriminals to use, thanks to exceptional information-stealing routines and rootkit capabilities, which allows them to stay stealthy and to affect users’ systems without their knowledge.

via Trend Micro.

2010
04.27

Our analysis has shown that the kill Zeus feature seems to work on a limited number of Zeus samples. In March 2010, Symantec alone counted 9,779 new unique samples of what we call Trojan.Zbot. We estimate that only a small percentage of these samples can be successfully removed by SpyEye’s Kill Zeus feature.

via Symantec Connect.

2010
04.26

A new version of the data-stealing trojan Zeus is for the first time able to successfully exploit Mozilla's Firefox browser to commit sophisticated online banking fraud, according to security firm Trusteer.

“We expect this new version of Zeus to significantly increase fraud losses, since nearly 30 percent of internet users bank online with Firefox and the infection rate for this piece of malware is growing faster than we have ever seen before,” Amit Klein, CTO of Trusteer and head of the company's research organization, said in a statement.

This variant of the malware is spreading rapidly via compromised websites and in spam messages, Boodaei said.

via SC Magazine US.

2010
04.26

Security experts in Hong Kong last week succeeded in taking down a key component of the Koobface botnet, only to witness the system popping up in China.

via The Register.

2010
04.18

InBot’10

I’m attending the InBot’10 conference to present our research on Dorothy.

My speech is planned for Wednesday 21st @ 16:00, hope to see you there!

p.s. …hoping that my flight won’t be cancelled due to the volcanic ash :S

2010
04.07

SecureWorks has noted that the latest versions of Zeus include anti-piracy technology that uses a hardware-based licensing system that can only be run on one computer. “Once you run it, you get a code from the specific computer, and then the author gives you a key just for that computer,” SecureWorks wrote. “This is the first time we have seen this level of control for malware.”

Not to be outdone, the SpyEye author now claims his malware builder also includes a hardware lock, using VMProtect, a Russian commercial software protection package.

via SpyEye vs. ZeuS Rivalry — Krebs on Security.