Over the Christmas period, we here at Webroot\u00a0 have noticed a large amount of Zeus infections that are spoofing the Bitdefender name.<\/p>\n
While infections spoofing AV companies aren\u2019t unusual, it\u2019s been a while since we have seen such a spike on one particular vendor in such a short time period. Most of the names are slight variations, but the numbers are impressive – Overall, we have seen 40,000 unique MD5`s in the last week alone!<\/span><\/p>\n The infection being dropped is from the Zeus family of infections, which are banking Trojans designed to steal login information when the user logs into their online banking website.<\/p>\n Infection Information:<\/strong><\/p>\n Behaviour:<\/strong><\/p>\n <\/strong>This infection can get onto a user\u2019s PC via a number of different methods, but the most common is through an exploit kit. The commonly used Blackhole exploit kits uses Java Exploits to drop and execute a file.<\/p>\n Unless the user is very alert, they typically won\u2019t even notice they are infected. Once executed, the infection will try a number of methods to make sure it is automatically ran on start-up.<\/p>\n The first is a registry key which points to the infection directly [1] After this, the infection may connect to a remote server and receive updates and it can also download other infections (Cryptolocker\/ICE and other Rogue AV`s)<\/p>\n Due to the large number of variants, I won\u2019t go through all the behaviours, but generally the infection route follows one of the patterns above. This infection can disable the Windows security center or modify the Firewall settings to allow remote access to the PC.<\/p>\n Examples:<\/span><\/p>\n <\/p>\n 222,827<\/p>\n<\/td>\n 181<\/p>\n<\/td>\n<\/tr>\n 215,105<\/p>\n<\/td>\n 105<\/p>\n<\/td>\n<\/tr>\n 216,678<\/p>\n<\/td>\n 231<\/p>\n<\/td>\n<\/tr>\n 217,222<\/p>\n<\/td>\n 174<\/p>\n<\/td>\n<\/tr>\n 218,873<\/p>\n<\/td>\n 134<\/p>\n<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n In total, we have seen over 40k files and this is increasing every hour. Most of the files have a digital vendor that is close to the real version (shown below). As you can see from the screenshot above, a number of the files are pretending to be Java updates.<\/p>\n BitKefender S.R.L.<\/i> with 869 unique MD5`s Removal:<\/strong><\/p>\n Due to the infection route of this particular infection, it is advisable to have the latest version of Java installed and preferably use a modern secure browser with the latest Windows updates installed. The latest build of Firefox disables Java plugins by default, which should help stop this particular attack vector.<\/p>\n As mentioned earlier, this infection has also been seen to be spread by email. It is advisable to use an email provider that has good SPAM filtration. Google and Microsoft mail services are efficient at blocking these emails.<\/p>\n Always be alert to any email attachments, even if they’re from friends\/relatives, and especially executable files that are inside a zip file. Over the Christmas period, we have also noticed a targeted attack from malware authors using well known store names lie Costco, Walmart, etc. in spoof emails.<\/p>\n\n
\nThe second is a fake Security Center update scheduled task [2]
\nThe third\u00a0 is to create a service that auto starts again point to the infection [3]<\/p>\n\n
\n\n
\n MD5<\/b><\/td>\n PATH<\/b><\/td>\n FILE NAME<\/b><\/td>\n FILE SIZE<\/b><\/td>\n<\/tr>\n \n <\/td>\n <\/td>\n <\/td>\n <\/td>\n<\/tr>\n \n 83890496EB018EA524E72CE18CD37209<\/td>\n %appdata%\\ukhecy<\/td>\n REHEI.EXE<\/td>\n 221,334KB<\/td>\n<\/tr>\n \n 70AACDCEC7C9D35393CD9D382C8A0454<\/td>\n %appdata%\\pawary<\/td>\n YVPULUV.EXE<\/td>\n 217,222KB<\/td>\n<\/tr>\n \n ED098AB9A5E13D1B12BE816659C4172C<\/td>\n %appdata%\\qaxuile\\<\/td>\n PAIDP.EXE<\/td>\n 217,222KB<\/td>\n<\/tr>\n \n 79776C5BE35DFC4089312D42EC70F903<\/td>\n %appdata%\\hoydatem\\<\/td>\n SAAFIFV.EXE<\/td>\n 217,222KB<\/td>\n<\/tr>\n \n 25D00FC9F06E1720A7B4E4C9293D32AE<\/td>\n %appdata%\\siuvmyw\\<\/td>\n PYRUOV.EXE<\/td>\n 218,783KB<\/td>\n<\/tr>\n \n 79776C5BE35DFC4089312D42EC70F903<\/td>\n %appdata%\\zoobir\\<\/td>\n EQDUG.EXE<\/td>\n 215,105KB<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n \n\n
\n MD5<\/b><\/td>\n PATH<\/b><\/td>\n FILE NAME<\/b><\/td>\n FILE SIZE<\/b><\/td>\n PC Count<\/b><\/td>\n<\/tr>\n \n <\/td>\n <\/td>\n <\/td>\n <\/td>\n <\/td>\n<\/tr>\n \n A748FEB8EE581E2225CE7F983E364EC0<\/td>\n %temp%<\/td>\n JAVA_UPDATE_71972350.EXE<\/td>\n \n \n \n EC9FC4EE2AA75D0CD6E0490853F27B21<\/td>\n %temp%<\/td>\n JAVA_UPDATE_7bb116be.EXE<\/td>\n \n \n \n DB97134AFFDA00379CAF3FCD00BBFFFF<\/td>\n %temp%<\/td>\n JAVA_UPDATE_93D4FD64.EXE<\/td>\n \n \n \n 4FCD4FD7D3D3A5D24EF663CE3419D7CC<\/td>\n %temp%<\/td>\n JAVA_UPDATE_0EEF9307.EXE<\/td>\n \n \n \n D4BC7886F04574E5628FD6BBFBB01C19<\/td>\n %temp%<\/td>\n JAVA_UPDATE_8C3C4799.EXE<\/td>\n \n \n
\nBitNefender S.R.L.|BitNefender Antivirus Scanner<\/i> with unique 19,305 MD5`s<\/p>\n