Common Indicators Used to Find Evil

Based on the last few Incident Response engagements I’ve participated in, the most common question I’ve heard is “what are the common indicators you are using to find evil?” This is not a question that has a simple answer. In this blog post, I’ll examine a Blackhole exploit kit session and discuss the various network indicators that analysts should be looking for when identifying host exploitation and associated binaries. The intent here is not to pick apart malware or de-obfuscate JavaScript, but to show how asking simple questions about your network traffic can reveal the bad stuff being missed by your other security products.

Citadel Outgrowing its Zeus Origins

As of April 30th, 2012 the Citadel Trojan was at its fourth upgrade with Version 1.3.4.0 already in the hands of its customers. Citadel’s features, bug fixes and added modules (each priced separately), have long gone beyond what Zeus ever offered as Slavik’s zeal for developing the malware died down when law enforcement got too close for the Trojan creator’s comfort.

By Hook and by Crook – Citadel Trojan Isolates Bots from AV and Security

One of the features included in the initial report and communicated by Citadel’s developers in late February related to a Trojan feature the developers have apparently implemented: DNS Redirection. Per the feature list, the developer claims that unlike other Trojans, Citadel does not modify the “Hosts” file on the infected PC (all too often used for local Pharming), but rather allows the botmaster to block or redirect any URL they wish to prevent the bot from reaching.

Ice IX – Zeus v2.0 Derivative Does Not Cut Any Ice

Since the Zeus source code was leaked, one of the predictions security researchers were convinced of was that independent code writers, wishing to enter cybercrime coder’s world, would be glad to do it by using a ready-made baseline. One such code to have surfaced in underground and hacking forums soon after the code leak was Trojan Ice IX. But is it all what it is cracked up to be?

New Trojan Ice IX Written Over Zeus’ Ruins

Since the most coveted source code of the Zeus Trojan was leaked, one of the predictions security researchers were convinced of was that the exposed code would attract the attention of independent code writers. That day was not late to come as a new commercial Trojan, Ice IX, has arrived.

RSA FraudAction News Flash: Trojan Add-On Forces Zombie PCs into Slavery to Mine Bitcoins

The RSA FraudAction Research Lab recently discovered a novel Trojan feature annexed to SpyEye Trojan variants (v1.03.45) and to Zeus Trojan variants (v2.0.8.9), made to maliciously target the Bitcoin e-currency system. The Trojans are now being used by their operators in a practice designed to leverage the extended botnet in order to mine Bitcoins. This blog elaborates on what Bitcoins are, on the technical aspect of this new Trojan module as well on some of the possible implications this may have for fraudsters, anti-fraud researchers and others in the near future.

SpyEye Botmasters Fight Back – Targeting Swiss Security Site’s SpyEye Tracker

The RSA FraudAction Research Lab recently discovered evidence of cybercriminal attempts to sabotage the Swiss white hat site, abuse.ch through new plug-ins to the latest SpyEye Trojan variants found in the wild. This move is significant in that it shows how fraudsters are eager to damage the non-profit website’s availability and credibility – a sign of the apparent effectiveness of SpyEye Tracker and that it represents more than just a thorn in the side of many Zeus- and SpyEye-toting botmasters.