{"id":309485,"date":"2010-02-11T22:38:42","date_gmt":"2010-02-12T03:38:42","guid":{"rendered":"http:\/\/www.szone.us\/f85\/malicious-web-site-malicious-code-zeus-targeted-attacks-continue-39341\/"},"modified":"2010-02-11T22:38:42","modified_gmt":"2010-02-12T03:38:42","slug":"malicious-web-site-malicious-code-zeus-targeted-attacks-continue","status":"publish","type":"post","link":"https:\/\/mereja.media\/index\/309485","title":{"rendered":"Malicious Web Site \/ Malicious Code: Zeus targeted attacks continue"},"content":{"rendered":"<div><p>02.10.10 04:00 PM<\/p>\n<p>Websense Security Labs\u2122 ThreatSeeker\u2122 Network has discovered a follow-up attack on the <a href=\"http:\/\/securitylabs.websense.com\/content\/Alerts\/3546.aspx\" >Zeus campaign targeting government departments<\/a>. Its research shows that once again the campaign is targeting workers from government and military departments globally. <\/p>\n<p> Figure 1 &#8211; Zeus Campaign: <br \/>\n<img decoding=\"async\" src=\"http:\/\/securitylabs.websense.com\/content\/Assets\/AlertMedia\/Zeus_targeted_attacks_continue_1.jpg\" border=\"0\" alt=\"\" \/><\/p>\n<p> The Websense ThreatSeeker Network has seen thousands of emails pretending to be from a reputable figure within the Central Intelligence Agency (see Figure 2). 
The email subject is: &quot;Russian spear phishing attack against .mil and .gov employees&quot;<\/p>\n<p> Figure 2 &#8211; Content of the email: <br \/>\n<img decoding=\"async\" src=\"http:\/\/securitylabs.websense.com\/content\/Assets\/AlertMedia\/Zeus_targeted_attacks_continue_2.jpg\" border=\"0\" alt=\"\" \/><\/p>\n<p> Jeffrey Carr, the spoofed sender himself, has published a comment regarding this attack: <br \/>\n<img decoding=\"async\" src=\"http:\/\/securitylabs.websense.com\/content\/Assets\/AlertMedia\/Zeus_targeted_attacks_continue_3.jpg\" border=\"0\" alt=\"\" \/><\/p>\n<p> The spoofed emails capitalize on the last Zeus attack and claim that installing the &quot;Windows update&quot; available from the links provided will protect against Zeus attacks. The binary file downloaded from these links is identified as a Zeus bot and has a <a href=\"http:\/\/www.virustotal.com\/analisis\/696196fcc2d7803a0ebc4bdca53f03c9e1e55b15669658f9218d246d49e8c476-1265856371\" >35% AV detection rate<\/a>. Once again, the URLs in the email messages lead to a malicious file hosted on a compromised host and also on a popular file hosting service. Once installed, the bot has identical functionality to the one described in the previous alert. After the Zeus rootkit component is installed, the C&amp;C server at update[removed].com is contacted to download an encrypted configuration file. Another data-stealing component is then downloaded and installed from the same C&amp;C: a Win32 Perl script compiled with <a href=\"http:\/\/www.indigostar.com\/perl2exe.php\" >Perl2Exe<\/a>. This data-stealing component has only a <a href=\"http:\/\/www.virustotal.com\/analisis\/1336bca82ba370c8cf0967ed192cb1865e4f943fbb4ea4e2f6c2c9b98eb43723-1265905508\" >5% AV detection rate<\/a>. The bot then connects to a credential-based FTP server at pack[removed].com to upload the stolen data. 
The Zeus bot is normally designed to steal banking credentials; however, it has also been seen in targeted attacks that steal other sensitive data. <\/p>\n<p> Websense\u00ae Messaging and Websense Web Security customers are protected against this attack.<\/p>\n<p><a href=\"http:\/\/securitylabs.websense.com\/content\/Alerts\/3550.aspx\" >http:\/\/securitylabs.websense.com\/con&#8230;erts\/3550.aspx<\/a><\/div>\n","protected":false},"excerpt":{"rendered":"<p>02.10.10 04:00 PM Websense Security Labs\u2122 ThreatSeeker\u2122 Network has discovered a follow-up attack on the Zeus campaign targeting government departments. Its research shows that once again the campaign is targeting workers from government and military departments globally. Figure 1 &#8211; Zeus Campaign: The Websense ThreatSeeker Network has seen thousands of emails pretending to be from [&hellip;]<\/p>\n","protected":false},"author":4744,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[7],"tags":[],"class_list":["post-309485","post","type-post","status-publish","format-standard","hentry","category-news"],"_links":{"self":[{"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/posts\/309485","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/users\/4744"}],"replies":[{"embeddable":true,"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/comments?post=309485"}],"version-history":[{"count":0,"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/posts\/309485\/revisions"}],"wp:attachment":[{"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/media?parent=309485"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/categories?post=309485"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/mereja.media\/index\/wp-json\/wp\/v2\/tags?post=309485"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}