New Cridex Malware Copies Tactics From GameOver Zeus

samzenpus posted about a month ago | from the imitation-is-the-sincerest-form-of-flattery dept.

Security 18

Trailrunner7 writes: The GameOver Zeus malware had a nice run for itself, making untold millions of dollars for its creators. But it was a run that ended with a multi-continent operation from law enforcement and security researchers to disassemble the infrastructure. Now researchers have identified a new variant of the Cridex malware that has adopted some of the techniques that made GOZ so successful in its day.

Researchers at IBM's X-Force research team have seen a new version of Cridex, which is also known as Bugat and Feodo, using some of the same techniques that GOZ used to such good effect. Specifically, the new strain of malware has adopted GOZ's penchant for using HTML injections, and the researchers say the technique is nearly identical to the way that GOZ handled it.

"There are two possible explanations for this. First, someone from the GOZ group could have moved to the Bugat team. This would not be the first time something like this has happened, which we've witnessed in other cases involving Zeus and Citadel; however, it is not very likely in this case since Bugat and GOZ are essentially competitors, while Zeus and Citadel are closely related. The second and more likely explanation is that the Bugat team could have analyzed and perhaps reversed the GOZ malware before copying the HTML injections that made GOZ so highly profitable for its operators," Etay Maor, a senior fraud prevention strategist at IBM, wrote in an analysis of the new malware.

18 comments

Of Course IBM Found It (0)

Anonymous Coward | about a month ago | (#47690571)

Of course IBM found this, they have relocated to China where all this shite comes from. I personally wouldn't doubt that eventually they will work with the Chinese government on these sorts of things. A little you wash my back I'll wash yours, and Bob's your uncle, a nice fat contract. Take that for what it's worth from an AC.

Re:Of Course IBM Found It (2, Informative)

Anonymous Coward | about a month ago | (#47690605)

>China where all this shite comes from
Are you kidding? Botnets and other malware are Made in Russia. Go check the Chinese forums, there's nothing. On the other hand you'll find more """hacking""" forums in Russian than English.
The world-renowned "Chinese hackers" are just due to the Chinese government being as subtle as a brick to the face in their online operations.

Re:Of Course IBM Found It (0)

Anonymous Coward | about a month ago | (#47690737)

And you probably have MORE to fear from your own government, who now represents itself and a few corporations rather than the 99%.

Re:Of Course IBM Found It (0)

Anonymous Coward | about a month ago | (#47690963)

I live in yurop.
The average Anonymous member knows more about IT than the best of my government.

"There are two possible explanations for this ..." (2)

CaptainDork (3678879) | about a month ago | (#47690683)

... plus a third, in that no lessons were learned from those two.

lol (0)

Anonymous Coward | about a month ago | (#47690685)

And here I thought I knew English.

And exactly HOW dangerous is goto again? (0)

Anonymous Coward | about a month ago | (#47690777)

Looks like the djerkoff had it WAY wrong!

how to (0)

Anonymous Coward | about a month ago | (#47690823)

Please post how to make a million US dollars off this program, easy, step by step, please.

Re:how to (0)

Anonymous Coward | about a month ago | (#47694223)

1) Troll botnet/malware forums until you contact the creators of this new "Malware"
2) Invest money in said "Malware" team to use their new botnet/Malware whatever
3) ???
4) Profit

Domain Generation Algorithms = dead vs. hosts (-1)

Anonymous Coward | about a month ago | (#47690931)

Zeus variants are too with this data (& security community reports) -> https://zeustracker.abuse.ch/m... [abuse.ch] + this:

APK Hosts File Engine 9.0++ 32/64-bit:

http://start64.com/index.php?o... [start64.com]

(Details of benefits in link)

Summary:

---

A.) Hosts do more than:

1.) AdBlock ("souled-out" 2 Google/Crippled by default)
2.) Ghostery (Advertiser owned) - "Fox guards henhouse"
3.) Request Policy -> http://yro.slashdot.org/commen... [slashdot.org]

B.) Hosts add reliability vs. downed/redirected dns (& overcome redirects on sites, /. beta as an example).

C.) Hosts secure vs. malicious domains too -> http://tech.slashdot.org/comme... [slashdot.org] w/ less added "moving parts" complexity/room 4 breakdown,

D.) Hosts files yield more:

1.) Speed (adblock & hardcodes fav sites - faster than remote dns)
2.) Security (vs. malicious domains serving malcontent + block spam/phish & trackers)
3.) Reliability (vs. downed or Kaminsky redirect vulnerable dns, 99% = unpatched vs. it & worst @ isp level + weak vs Fastflux + dynamic dns botnets)
4.) Anonymity (vs. dns request logs + dnsbl's).

---

* Hosts do more w/ less (1 file) @ faster levels (ring 0) vs redundant inefficient addons (slowing slower ring 3 browsers) via filtering 4 the IP stack (coded in C, loads w/ os, & 1st net resolver queried w\ 45++ yrs.of optimization).

* Addons = more complex + slow browsers in message passing (use a few concurrently & see) & are nullified by native browser methods - It's how Clarityray is destroying Adblock.

* Addons slowup slower usermode browsers layering on more - & bloat RAM consumption too + hugely excessive cpu use (4++gb extra in FireFox https://blog.mozilla.org/nneth... [mozilla.org] )

Work w/ a native kernelmode part - hosts files (An integrated part of the ip stack)

APK

P.S.=> "The premise is quite simple: Take something designed by nature & reprogram it to make it work for the body rather than against it..." - Dr. Alice Krippen: "I am legend"

...apk

U.S. biggest producer of viruses 12.05 (1)

pigsycyberbully (3450203) | about a month ago | (#47691285)

United States 58.4% spam king. China 5.6%. The United States is the leading malware-hosting nation. U.S. hosted 44 percent of all malware. Even the U.S. government is doing it: "After failing to infect targets with malware in spam emails, the U.S. National Security Agency has reportedly turned to Facebook. According to a report by The Intercept, the NSA “disguises itself as a fake Facebook server” to perform “man-in-the-middle” and “man-on-the-side” attacks and spreads malware. The Intercept is the first in a series of publications created by Pierre Omidyar‘s First Look Media." The U.S. has overtaken India and Russia to become the biggest producer of viruses, according to Network Box. The U.S. is now responsible for 12.05 per cent of the world’s viruses, up from 4.03 per cent from August. GCHQ prefers to put child porn on people's computers according to the Guardian newspaper.

Here's the Cridex/Bugat/Feodo tracker list... apk (-1)

Anonymous Coward | about a month ago | (#47692299)

It supplies BOTH the botnet's C&C IP addresses AND host-domain names to add to firewalls rules tables + custom hosts files... enjoy-> https://feodotracker.abuse.ch/ [abuse.ch]

(Gotta love those guys over @ abuse.ch... they're the BEST!)

They're indicative (alongside computer security news sites too of course that expose their excellent research) of what I meant by "security reports" helping in my initial post (that ODDLY keeps getting modded down... oh well - I just repost it along with THIS good news of a source to block this botnet out too, specifically, as to another Zeus variant to shutdown on YOUR end, as an end user or network admin!).

APK

P.S.=> They're another great source to use alongside (yes, shameless plug) my APK Hosts File Engine 9.0++ 32/64-bit & firewalls to stop these suckers from even BEGINNING to get ahold of you as a zombie in a botnet or to rip you off personally... & even *IF* you're infected/infested already? Nice part is, this 'cuts off' the botnet client from "communicating back to HQ" @ all, effectively nullifying it... multiple bonus!

... apk
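The post above says a C&C feed supplies both IP addresses (for firewall rules) and domain names (for a hosts file). Here is an added example, not code from the thread or from abuse.ch, of the splitting step that makes that work: a constructed sample feed is parsed, IPs are routed to packet-filter rules and hostnames to hosts-file entries, and junk lines are rejected. The feed format (one indicator per line, `#` comments) and the `iptables` output are assumptions for illustration.

```python
import ipaddress
import re

# Constructed sample in the style of a C&C blocklist export; NOT real Feodo Tracker data.
SAMPLE_FEED = """\
# constructed sample: botnet C&C indicators, one per line
198.51.100.23
203.0.113.7
c2-example.invalid
updates.c2-example.invalid
# duplicate and junk entries a real export can contain
198.51.100.23
not a hostname!
"""

# RFC 1123 hostname: dotted labels of 1-63 chars, 253 chars total (assumed strict enough here).
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)([a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$"
)


def parse_feed(text):
    """Split feed text into (ips, domains, rejected); sorted and de-duplicated."""
    ips, domains, rejected = set(), set(), []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip().lower()  # drop comments and padding
        if not line:
            continue
        try:
            ips.add(str(ipaddress.ip_address(line)))  # accepts IPv4 and IPv6 literals
            continue
        except ValueError:
            pass
        if HOSTNAME_RE.match(line):
            domains.add(line)
        else:
            rejected.append(line)  # never let malformed lines reach the hosts file
    return sorted(ips), sorted(domains), rejected


def hosts_entries(domains, sink="0.0.0.0"):
    """Hosts file lines: the name resolves locally to an unroutable sink, so no DNS query is sent."""
    return [f"{sink} {d}" for d in domains]


def firewall_rules(ips, chain="OUTPUT"):
    """A hosts file cannot block a bare IP; hard-coded C&C addresses need packet-filter rules."""
    return [f"iptables -A {chain} -d {ip} -j DROP" for ip in ips]


if __name__ == "__main__":
    ips, domains, rejected = parse_feed(SAMPLE_FEED)
    print("\n".join(hosts_entries(domains)))
    print("\n".join(firewall_rules(ips)))
    print("rejected:", rejected)
```

The split matters for the objection raised later in the thread: a hosts file only intercepts name lookups, so a bot that connects to a hard-coded IP bypasses it, which is why the IP half of the feed belongs in the firewall.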

Here's the Cridex/Bugat/Feodo tracker list... apk (0)

Anonymous Coward | about a month ago | (#47694351)

It supplies BOTH the botnet's C&C IP addresses + host-domain names to add to firewalls rules tables + custom hosts files-> https://feodotracker.abuse.ch/ [abuse.ch]

(Gotta love those guys over @ abuse.ch... they're the BEST!)

They're indicative (alongside computer security news sites too of course that expose their excellent research) of what I meant by "security reports" helping in my initial post (that ODDLY keeps getting modded down... oh well - I just repost it along with THIS good news of a source to block this botnet out too, specifically, as to another Zeus variant to shutdown on YOUR end, as an end user or network admin!).

APK

P.S.=> They're another great source to use alongside (yes, shameless plug) my APK Hosts File Engine 9.0++ 32/64-bit & firewalls to stop these suckers from even BEGINNING to get ahold of you as a zombie in a botnet or to rip you off personally... & even *IF* you're infected/infested already? Nice part is, this 'cuts off' the botnet client from "communicating back to HQ" @ all, effectively nullifying it... multiple bonus!

... apk

Re:Here's the Cridex/Bugat/Feodo tracker list... a (0)

Anonymous Coward | about 1 month ago | (#47697791)

I can't block IP addresses in my hosts file, you lose.

YOU can't read (YOU lose)... apk (0)

Anonymous Coward | about 1 month ago | (#47699195)

"It supplies BOTH the botnet's C&C IP addresses + host-domain names to add to firewalls rules tables + custom hosts files-> https://feodotracker.abuse.ch/ [abuse.ch] " - by APK on Monday August 18, 2014 @09:32AM

I noted firewall rules tables here dimwit (get your "hooked on phonics" remedial reading aids out) -> http://it.slashdot.org/comment... [slashdot.org]

* Didn't I? Yes, I did... learn to read, freak. I mean, seriously: YOU have just GOT to be kidding me (or yourself)... or you are massively stupid - take your pick!

APK

P.S.=> See subject-line & "sound it out" IF you *have* to (& apparently, you do, cretin) + I see you've run dry of modpoints to downmod my posts with too (hahaha)...

... apk
