Introduction: Recently security researchers has found a smallest stealer Trojan that targets certain Financial Institutions through process injection and then injecting web inject module into the browsers, specifically in Net banking pages, similar to Zeus/SpyEye. The samples I have used to describe Tinba is from Contagio (Thank you Mila). Technical Details: The size of the Tinba files are between 19 KB to 20 KB. The sample was not packed, however looking at the sample in PEID revealed, the compiler
I am blogging this post after 2 years of break. I should definitely say that my knowledge level has broadened in-terms of Security. I should thank my colleagues and Managers. In my free time at home I monitor certain websites to understand various Malware families and specifically Bots, stealers, crimewares, etc. One of such website is Malware Domain List (MDL) and I should definitely appreciate MDL for sharing such malicious domains which helps Security vendors, researchers, beginners, and others. This
INTRODUCTION: I guess the Title would say what this post will contain. This post explains how an Exploit code embedded in PDF uses a Vulnerability and installs a Zeus Trojan in a victims machine and what banks the Trojan targets to steal user credential. THE FLOW: In the above Diagram, the user is either Social Engineered or visits malicious website and happen to view a malicious PDF doc which contains the exploit code. Based on the version of Adobe Reader used by the user,
Traversing or Reversing a DLL is ever challenging (For Beginners and Intermediates). If a DLL comes with an EXE, its EXE’s job to load the DLL in the memory. But what if you get just a DLL alone to reverse. It’s cool rite ;-) Here I am going to Traverse a Financial Crimeware Trojan in the form of DLL. Step 1: Lets see the strings to guess what the DLL behaviour is. haa.. Don't see readable strings ? So it should be a packed file. Next step is to identify which packer. Step 2: To
Here I am going to ‘Traverse’ a Financial Crimeware which uses a simple Proxy technique. Intension of this analysis is to share my analysis for the beginners. But what is Financial Crimeware? The Malware or an Exploit are made to steal financial information such as Bank account number, password, credit card number, etc with an intension of making unauthorized transactions using the stolen information. This Crimeware is packed using UPX packer so I did not have much challenge in unpacking.
Introduction: Zeus is a well known Trojan which steals Bank user credentials, passwords, Transaction Authentication Number, etc intercepting a fake form by injecting the HTML code when visiting the Targeted Financial websites. The target websites are downloaded from the C&C server as encrypted config file. But how do we find the targets by decrypting this config file? Let’s see how. Traversing svchost.exe: Zeus on execution injects its code in the address space of services.exe, svchost.exe