Archive for the ‘Zeus’ Category

Microsoft battles Zeus ID theft botnet

April 3rd, 2012

Microsoft, in collaboration with the financial services industry, successfully executed a coordinated global action against the Zeus botnet. Zeus is a type of malware that can monitor your online activity and record your keystrokes to commit identity theft.

Learn more about the botnet takedown.

If you think that your computer might be infected with the Zeus botnet, we recommend you:

  • Run the Microsoft Safety Scanner
    The Microsoft Safety Scanner is a free service that helps you identify and remove both worms and viruses to improve PC performance.

For more information, see the Microsoft Virus and Security Solution Center.

MSRT October ’11: EyeStye

October 13th, 2011

This month, the Malicious Software Removal Tool (MSRT) targets two families: Win32/EyeStye and Win32/Poison.

EyeStye (aka ‘SpyEye’) is a family of trojans that steals information, targeting authentication data used for online banking such as passwords and digital certificates. The method it employs is called “form grabbing”, which involves intercepting webform data submitted to the host through the client’s browser. By intercepting this data, the malware can steal authentication information and alter the web content presented to the user to the malware author’s preference. In one recent EyeStye variant we came across (for example SHA1 e36287d81770d583679be28d9a229f8363ab4cde), we observed that the following browsers were targeted, indicating that the malware authors are leaving few stones unturned: Internet Explorer, Mozilla, Chrome and Opera.

The malware file contains obfuscated code, while the payload is injected into running processes. It also employs user-mode rootkit protection in an effort to prevent itself from being seen via Windows Explorer or the Command Prompt. This may be intended to make detection and remediation challenging for antivirus engines. As this bot is kit-based, the file names and mutexes it creates are variable, which makes identification (based on these factors) difficult.

Towards the end of 2010, the release of EyeStye kit 1.3.X included a feature to avoid detection by Trusteer’s Rapport, a feature also offered by Zeus (Zbot). This release also removed a feature to kill Zeus if it was detected running on the affected machine, leading some to suggest that the two bots were being merged. However, by that time the Zeus code was already publicly available, which led us to believe that those rumors were speculative in nature. We continue to monitor both of these bots for evidence of such a merger.

As with much of the malware we see today, EyeStye is often spammed out to users or posted on open forums to entice users to click on a link, employing one of the increasingly common social engineering techniques. An example of such a spam email can be seen below. This spam email was posted in an open BSD forum; clicking on the link leads to a download of a file named “VIEW_EVENT_DOC.PIF”, which we detect as Win32/EyeStye (SHA1 df8a8483515dd0db3494d796ede33fddb369df10).


For more information on this malware family, please refer to Win32/EyeStye.


— Jaime Wong, MMPC

The Zbot battle: Microsoft turns up the heat

February 10th, 2011

Botnets are networks of compromised computers controlled by cybercriminals. Botnets can send out spam, spread malicious software, steal passwords, and more.

Zbot (also known as the “Zeus Botnet”) has been responsible for stealing passwords and other financial information from infected computers worldwide.

Today, Microsoft published a special edition of the Security Intelligence Report that details ongoing success in the battle against Zbot.

Download the Zbot Analysis paper.

For more detailed information on battling botnets, see the Featured Intelligence section of the Security Intelligence Report.

Protect yourself against botnets

Protect your computer with Microsoft Security Essentials Software

Microsoft Security Essentials is the no-cost, high-quality service that helps protect against botnets and other malicious software.

If you think your computer is already infected by a botnet, try the following: