2 Samples of ZeuS gamever (the one discussed in http://www.abuse.ch/?p=3499). Be aware that the unpacked samples have a file size check (like normal ZeuS) and do not run directly! (that is a protection to force ZeuS buyers to use a crypter) Also rename them before executing.
- No VM checks or self protection observed
- Uses P2P, 50 hard-coded IPs
- Falls back to DGA in case p2p fails
- Gets either p2p IP list from server (via DGA) or directly the configuration
- DGA: 1000 possible domains every 7 days, TLDs ru, biz, info, org, net
- Moves itself to a sub-directory in %AppData%, stores config in sub-directory
- Sinkholing is as easy as breaking a candy
For additional info as well as the complete domain list for 2012 and the p2p IP lists PM me. I could also extract the list of banks it attacks, roughly 421 URLs in its configuration.
- No VM checks or self protection observed
- Uses P2P, 50 hard-coded IPs
- Falls back to DGA in case p2p fails
- Gets either p2p IP list from server (via DGA) or directly the configuration
- DGA: 1000 possible domains every 7 days, TLDs ru, biz, info, org, net
- Moves itself to a sub-directory in %AppData%, stores config in sub-directory
- Sinkholing is as easy as breaking a candy
For additional info as well as the complete domain list for 2012 and the p2p IP lists PM me. I could also extract the list of banks it attacks, roughly 421 URLs in its configuration.
Attachments
infected
(811.14 KiB) Downloaded 305 times
(811.14 KiB) Downloaded 305 times