[+] Wayc0de's Blog[+]

15/09/11

Doing the Zbot spot; playing gotcha with a botnet

Greetings Internet!
This month (carefully hidden under the Win32/Bamital blanket), employing the old adage 'fight fire with fire', we decided to fight sneakiness with sneakiness and quietly slipped a fairly major Win32/Zbot update into MSRT.

"Zbot" I hear you say? Yes, it's still around and kicking. Despite Win32/Zbot (officially self-titled with the oh-so-ego-inflating 'Zeus' moniker, despite never fathering Hercules bot, nor employing lightning in any way during infection) being rumoured to have merged with Win32/EyeStye (aka SpyEye), we're still seeing both distinct malware families out and about in the wild. Between the two, we're finding that they're responsible for a significant amount of the e-commerce-related fraud happening at any given time.

Of course, since Zbot has been in MSRT since last October, MSRT has been continually updated monthly with all of our related signatures. We believe this tried-and-true method is effective - every month we clean between 60,000 and over 100,000 unique Windows computers:

Month Count
March 103391
April 113814
May 60385
June 83555
July 61323
August 89994

So what's changed? Well, let's just say we felt it was time to turn the screws tighter on Zbot again. Whilst we get to do some pretty in-depth analysis of infections through the telemetry we get back from Microsoft Security Essentials, it's time for us to get a really definitive snapshot of the Zbot infection ecosystem as best we can. I know! Statistics are fun! High five!

Ideally, this information will help us and our partners in law enforcement battle the threat more effectively in the future.

Naturally, once we see how things pan out in MSRT over the next couple of days, I'll update you on how it's all going!

nb : technet
