How To Hack Bank Accounts By Using Zeus ~ HACK2WORLD

Algorithm capable of identifying P2P protocols incl. bitcoin, Zeus botnet, Skype...

submitted by GratefulTony to technology [link] [comments]

Proper Care & Feeding of your CryptoLocker Infection: A rundown on what we know.

This article is no longer being maintained, please see the new version here. Thanks.
tl;dr: I hope you have backups. It's legit, it really encrypts. It can jump across mapped network drives and encrypt anything with write access, and infection isn't dependent on being a local admin or UAC state. Most antiviruses do not catch it until the damage is done. The timer is real and your opportunity to pay them goes away when it lapses. You can pay them with a GreenDot MoneyPak or 2 Bitcoins, attempt to restore a previous version using ShadowExplorer, go to a backup, or be SOL.
Vectors: In order of likelihood, the vectors of infection have been:
  • Email attachments: A commonly reported subject is Payroll Report. The attachment, most of the time, is a zip with a PDF inside, which is actually an executable.
  • PCs that are unwitting members of the Zeus botnet have had the virus pushed to them directly.
  • There is currently one report of an infection through Java, using the .jnlp file as a dropper to load the executable.
Variants: The current variant demands $300 via GreenDot MoneyPak or 2 BTC. I will not attempt to thoroughly monitor the price of bitcoins for this thread, use Mt. Gox for the current exchange rate. Currently the MoneyPak is the cheaper option, but last week Bitcoins were. Two variants, including a $100 variant and a $300 that did not offer Bitcoin, are defunct.
Payload: The virus stores a public RSA 2048-bit key in the local registry, and goes to a C&C server for a private key which is never stored. The technical nuts and bolts have been covered by Fabian from Emsisoft here. It will use a mix of RSA 2048-bit and AES 256-bit encryption on files matching these masks:
*.odt, *.ods, *.odp, *.odm, *.odc, *.odb, *.doc, *.docx, *.docm, *.wps, *.xls, *.xlsx, *.xlsm, *.xlsb, *.xlk, *.ppt, *.pptx, *.pptm, *.mdb, *.accdb, *.pst, *.dwg, *.dxf, *.dxg, *.wpd, *.rtf, *.wb2, *.mdf, *.dbf, *.psd, *.pdd, *.eps, *.ai, *.indd, *.cdr, ????????.jpg, ????????.jpe, img_*.jpg, *.dng, *.3fr, *.arw, *.srf, *.sr2, *.bay, *.crw, *.cr2, *.dcr, *.kdc, *.erf, *.mef, *.mrw, *.nef, *.nrw, *.orf, *.raf, *.raw, *.rwl, *.rw2, *.r3d, *.ptx, *.pef, *.srw, *.x3f, *.der, *.cer, *.crt, *.pem, *.pfx, *.p12, *.p7b, *.p7c, *.pdf, *.tif
This list of file masks may be incomplete. Trust this list at your peril. When in doubt, CryptoLocker will show you what files it has encrypted by clicking the relevant link in the virus's message.
It will access mapped network drives that the current user has write access to and encrypt those. It will not attack server shares, only mapped drives. Current reports are unclear as to how much permission is needed for the virus to encrypt a mapped drive, and if you have clarification or can test in a VM please notify me via message.
By the time the notification pops up, it's already encrypted everything. It's silent until the job is done.
Many antiviruses have been reported as not catching the virus until it's too late, including MSE, Trend Micro WFBS, Eset, GFI Vipre, and Kaspersky. They can further complicate matters by reverting registry changes and removing the executables, leaving the files behind without a public or private key. Releasing the files from quarantine does work, as does releasing the registry keys added and downloading another sample of the virus.
Windows XP through 8 have all reported infections.
What's notable about this virus, and this is going to lead to a lot of tough decisions, is that paying them to decrypt the files actually does work, so long as their C&C server is up. They verify the money transfer manually and then push a notification for the infected machine to call home for the private key again, which it uses to decrypt. It takes a long time to decrypt, at the rate of roughly 5GB/hr based on forum reports. The virus uses the registry to maintain a list of files and paths, so not moving the files around is vital to decryption if you are paying them.
Also notable is that the timer it gives you to pay them does appear to be legitimate, as multiple users have reported that once the timer ran out, the program uninstalled itself. Reinfecting the machine does not bring a new timer. I was not able to verify the uninstallation of the program after the timer ran out, it appears to be dependent on internet access.
Due to the nature of the encryption, brute-forcing a decrypt is essentially impossible for now.
Removal: Removing the virus itself is trivial, but no antivirus product (or any product, for that matter), will be able to decrypt the files until the private key is found.
File Recovery: There are only a handful of options for recovering encrypted files, and they all rely on either having System Restore/VSS turned on or having a backup disconnected from the infected machine. Cloud backup solutions without versioning are no good against this as they will commit the encrypted files to the cloud.
I had a Carbonite employee message me regarding my earlier statement that Carbonite is no good against this virus. It turns out that versioning is included in all Carbonite plans and support all agent OSes except Mac OS X which is outside the scope of this thread anyway. They have the ability to do a mass reversion of files, but you must call tech support and upon mentioning CryptoLocker you will be escalated to a tier 3 tech. They do not mention this ability on the site due to the potential for damage a mass reversion could do if done inadvertently. These are my own findings, independent of what the employee told me. Crashplan and other versioning-based backup solutions such as SonicWALL CDP should also work fine provided the backups are running normally.
Using the "Previous Versions" tab of the file properties is a cheap test, and has had mixed results. Using ShadowExplorer on Vista-8 will give you a much easier graphical frontend for restoring large amounts of files at once (though this will not help with mapped drives, you'd need to run it on the server in that case). Undelete software doesn't work as it encrypts the files in place on the hard drive, there is no copying going on. The big takeaway is that cold-storage backups are good, and they will make this whole process laughably easy to resolve.
Prevention: As this post has attracted many home users, I'll put at the top that MalwareBytes Pro, Avast! Free and Avast! Pro (defs 131016-0 16.10.2013 or later) will prevent the virus from running.
For sysadmins in a domain environment, one way to prevent this and many other viruses is to set up software restriction policies (SRPs) to disallow the executing of .exe files from AppData/Roaming. Grinler explains how to set up the policy here.
Visual example. The rule covering %AppData%\*\*.exe is necessary for the current variant. The SRP will apply to domain admins after either the GP timer hits or a reboot, gpupdate /force does not enforce it immediately. There is almost no collateral damage to the SRP. Dropbox and Chrome are not effected. Spotify may be affected, not sure. I don't use it.
Making shares read-only will mitigate the risk of having sensitive data on the server encrypted.
Forecast: The reports of infections have risen from ~1,300 google results for cryptolocker to over 150,000 in a month. This virus is really ugly, really efficient, and really hard to stop until it's too late. It's also very successful in getting people to pay, which funds the creation of a new variant that plugs what few holes have been found. I don't like where this is headed.
Some edits below are now redundant, but many contain useful information.
9/17 EDIT: All 9/17 edits are now covered under Prevention.
10/10 EDIT: Google matches for CryptoLocker are up 40% in the last week, and I'm getting 5-10 new posts a day on this thread, so I thought I'd update it with some interesting finds from fellow Redditors.
  • soulscore reports that setting the BIOS clock back in time added time to his cryptolocker ransom. Confirmed that the timer extends with the machine offline, but that may be cosmetic and I don't like your chances of this actually helping if your timer runs out on the server side.
  • Spinal33 reports that AV companies are catching up with CryptoLocker and are blocking websites that are spawned in the virus's domain generation algorithm. This effectively means that some people are locked out of the ability to even pay the ransom. (Technically they could, but the virus couldn't call home.)
  • Malwarebytes is claiming that MBAM Pro will catch CryptoLocker. If someone wants to test them on it, be my guest. Confirmed
  • CANT_ARGUE_DAT_LOGIC gave some insight on the method the virus uses when choosing what to infect. It simply goes through folders alphabetically and encrypts all files that match the filemasks towards the top of this post. If you are lucky enough to catch it in the act of encrypting and pull the network connection, the CryptoLocker message will pop up immediately and the countdown will begin. Helpful in determining what will need to be taken into account for decryption.
EDIT 2: We had a customer that ignored our warning email get infected so I will have my hands on an infected PC today, hope to have some useful info to bring back.
10/10 MEGA EDIT: I now have an active CryptoLocker specimen on my bench. I want to run down some things I've found:
  • On WinXP at least, the nested SRP rule is necessary to prevent infection. The path rule needs to be %AppData%\*\*.exe
  • An alternate link to the virus sample is http://gktibioivpqbot.net/1002.exe
  • Once the program runs it spawns two more executables with random names in %userprofile%. Adding a SRP to cover %userprofile%\*.exe may be desired, though this will prevent GoToMyPC from running at a bare minimum.
  • This user was a local administrator, and CryptoLocker was able to encrypt files in other user's directories, though it did not spawn the executables anywhere but the user that triggered the infection. When logged in under a different account there is no indication that a timer is running.
  • The environment has server shares but no mapped drives and the shared data was not touched, even though a desktop shortcut would've taken the virus to a share. I suspect that will be covered in the next iteration.
  • The list of masks above does not appear to be totally complete. PDF files were encrypted and were not originally part of the set of file masks. That is the only exception I noticed, everything else follows the list. Conveniently (/s), CryptoLocker has a button you can click that shows the list of files it's encrypted.
  • The current ransom is $300 by MoneyPak or 2BTC, which at the time of writing would be $280 and change.
  • Fabian reported that registry data is stored at HKCU/Software/CryptoLocker. I cannot glean the meaning of the DWORD values on files but I do notice they are unique, likely salts for the individual files. I'm curious what purpose that would serve if the private key was revealed as the salts would be useless.
  • I have confirmed the message soulscore left that setting the BIOS timer back a few hours adds an equal amount of time. No telling whether that will work once it has a network connection and can see the C&C server, though.
  • The virus walked right through an up-to-date version of GFI Vipre. It appears AV companies either consider the risk too low to update definitions or, more likely, they're having trouble creating heuristic patterns that don't cause a lot of collateral damage.
10/11 EDIT: I ran Daphne on the infected PC to get a better idea of what might be going on. lsass.exe is running like crazy. Computer's had it's CPU pegged all day. I noticed the primary executable running from %AppData% has a switch on the end of the run command, which in my case is /w000000EC. No idea what that means.
10/15 EDIT: I just wanted to thank all the redditors that have submitted information on this. I have some interesting new developments that I'll be editing in full tomorrow.
10/18 EDIT: Hello arstechnica! Please read through comments before posting a question as there's a very good chance it's been answered.
New developments since 10/15:
  • We have confirmation that both Malwarebytes Antimalware Pro and Avast Free and Pro will stop CryptoLocker from running. My personal choice of the two is MBAM Pro but research on your own, AV Comparatives is a wonderful resource.
  • We have reports of a new vector of infection, Java. This is hardly surprising as Zeus was already being transmitted in this fashion, but Maybe_Forged reports contracting the virus with a honeypot VM in this manner.
  • zfs_balla made a hell of a first post on reddit, giving us a lot of insight to the behavior of the decryption process, and answered a frequently-asked question. I'm paraphrasing below.
A file encrypted twice and decrypted once is still garbage.
The waiting for payment confirmation screen stayed up for 16 days before a decryption began, so don't lose hope if it's been up a while.
The DWORD values in the registry have no bearing on decryption. Renaming an encrypted file to one on the list in the registry will decrypt it. However, I would presume this would only work for files that the virus encrypted on that machine as the public key is different with every infection.
Adding any new matching files to somewhere the virus has access will cause them to be encrypted, even at the "waiting for payment confirmation" screen. Be careful.
Hitting "Cancel" on a file that can't be found doesn't cancel the entire decryption, just that file.
EDIT 2: I've rewritten the bulk of this post so people don't have to slog through edits for important information.
10/21 EDIT: Two noteworthy edits. One is regarding Carbonite, which is apparently a viable backup option for this, it is covered under File Recovery. The other is regarding a piece of software called CryptoPrevent. I have not tried it, but according to the developer's website it blocks %localappdata%\*.exe and %localappdata%\*\*.exe which is not necessary for the current variant and will inflict quite a bit of collateral damage. I have no reason right now to doubt the legitimacy of the program, but be aware of the tradeoffs going in.
I'm now at the 15000 character limit. Wat do?
submitted by bluesoul to sysadmin [link] [comments]

10 Most Dangerous Viruses in Internet History.

Getting a computer virus has happened to many users in some fashion or another. To most, it is simply a mild inconvenience, requiring a cleanup and then installing that antivirus program that you’ve been meaning to install but never got around to. But in other cases, it can be a complete disaster, with your computer turning into a very expensive brick which which no amount of antivirus can protect.
In this list, we will highlight some of the worst and notorious computer viruses that have caused a lot of damage in real life. And since people usually equate general malware like worms and trojan horses as viruses, we’re including them as well. These malware have caused tremendous harm, amounting to billions of dollars and disrupting critical real life infrastructure. Here are the 10 most famous and malicious computer viruses.
Recommended Reading: 10 Signs Your PC Has Been Compromised

1. ILOVEYOU

The ILOVEYOU virus is considered one of the most virulent computer virus ever created and it’s not hard to see why. The virus managed to wreck havoc on computer systems all over the world, causing damages totaling in at an estimateof $10 billion. 10% of the world’s Internet-connected computers were believed to have been infected. It was so bad that governments and large corporations took their mailing system offline to prevent infection.
📷via BBC
The virus was created by two Filipino programers, Reonel Ramones and Onel de Guzman. What it did was use social engineering to get people to click on the attachment; in this case, a love confession. The attachment was actually a script that poses as a TXT file, due to Windows at the time hiding the actual extension of the file. Once clicked, it will send itself to everyone in the user’s mailing list and proceed to overwrite files with itself, making the computer unbootable. The two were never charged, as there were no laws about malware. This led to the enactment of the E-Commerce Law to address the problem.

2. Code Red

Code Red first surfaced on 2001 and was discovered by two eEye Digital Security employees. It was named Code Red because the the pair were drinking Code Red Mountain Dew at the time of discovery. The worm targeted computers with Microsoft IIS web server installed, exploiting a buffer overflow problem in the system. It leaves very little trace on the hard disk as it is able to run entirely on memory, with a size of 3,569 bytes. Once infected, it will proceed to make a hundred copies of itself but due to a bug in the programming, it will duplicate even more and ends up eating a lot of the systems resources.
📷via F-Secure
It will then launch a denial of service attack on several IP address, famous among them the website of the White House. It also allows backdoor access to the server, allowing for remote access to the machine. The most memorable symptom is the message it leaves behind on affected web pages, "Hacked By Chinese!", which has become a meme itself. A patch was later released and it was estimate that it caused $2 billion in lost productivity. A total of 1-2 million servers were affected, which is amazing when you consider there were 6 million IIS servers at the time.

3. Melissa

Named after an exotic dancer from Florida, it was created by David L. Smith in 1999. It started as an infected Word document that was posted up on the alt.sex usenet group, claiming to be a list of passwords for pornographic sites. This got people curious and when it was downloaded and opened, it would trigger the macro inside and unleash its payload. The virus will mail itself to the top 50 people in the user’s email address book and this caused an increase of email traffic, disrupting the email services of governments and corporations. It also sometimes corrupted documents by inserting a Simpsons reference into them.
📷via MSN Canada
Smith was eventually caught when they traced the Word document to him. The file was uploaded using a stolen AOL account and with their help, law enforcement was able to arrest him less than a week since the outbreak began.He cooperated with the FBI in capturing other virus creators, famous among them the creator of the Anna Kournikova virus. For his cooperation, he served only 20 months and paid a fine of $5000 of his 10 year sentence. The virus reportedly caused $80 million in damages.

4. Sasser

A Windows worm first discovered in 2004, it was created by computer science student Sven Jaschan, who also created the Netsky worm. While the payload itself may be seen as simply annoying (it slows down and crashes the computer, while making it hard to reset without cutting the power), the effects were incredibly disruptive, with millions of computers being infected, and important, critical infrastructure affected. The worm took advantage of a buffer overflow vulnerability in Local Security Authority Subsystem Service (LSASS), which controls the security policy of local accounts causing crashes to the computer. It will also use the system resources to propagate itself to other machines through the Internet and infect others automatically.
📷via HP
The effects of the virus were widespread as while the exploit was already patched, many computers haven’t updated. This led to more than a million infections, taking out critical infrastructures, such as airlines, news agencies, public transportation, hospitals, public transport, etc. Overall, the damage was estimated to have cost $18 billion. Jaschen was tried as a minor and received a 21 month suspended sentence.

5. Zeus

Zeus is a Trojan horse made to infect Windows computers so that it will perform various criminal tasks. The most common of these tasks are usually man-in-the-browser keylogging and form grabbing. The majority of computers were infected either through drive-by downloads or phishing scams. First identified in 2009, it managed to compromise thousands of FTP accounts and computers from large multinational corporations and banks such as Amazon, Oracle, Bank of America, Cisco, etc. Controllers of the Zeus botnet used it to steal the login credentials of social network, email and banking accounts.
📷via Abuse.ch
In the US alone, it was estimated that more than 1 million computers were infected, with 25% in the US. The entire operation was sophisticated, involving people from around the world to act as money mules to smuggle and transfer cash to the ringleaders in Eastern Europe. About $70 million were stolen and in possession of the ring. 100 people were arrested in connection of the operation. In late 2010, the creator of Zeus announced his retirement but many experts believe this to be false.

6. Conficker

Also known as Downup or Downadup, Conficker is a worm of unknown authorship for Windows that made its first appearance in 2008. The name comes form the English word, configure and a German pejorative.It infects computers using flaws in the OS to create a botnet. The malware was able to infect more than 9 millions computers all around the world, affecting governments, businesses and individuals. It was one of the largest known worm infections to ever surface causing an estimate damage of $9 billion.
📷via Wikipedia
The worm works by exploiting a network service vulnerability that was present and unpatched in Windows. Once infected, the worm will then reset account lockout policies, block access to Windows update and antivirus sites, turn off certain services and lock out user accounts among many. Then, it proceeds to install software that will turn the computer into a botnet slaveand scareware to scam money off the user. Microsoft later provided a fix and patch with many antivirus vendors providing updates to their definitions.

7. Stuxnet

Believed to have been created by the Israeli Defence Force together with the American Government, Stuxnet is an example of a virus created for the purpose of cyberwarfare, as it was intended to disrupt the nuclear efforts of the Iranians. It was estimated that Stuxnet has managed to ruin one fifth of Iran’s nuclear centrifuges and that nearly 60% of infections were concentrated in Iran.
📷via IEEE
The computer worm was designed to attack industrial Programmable Logic Controllers (PLC), which allows for automation of processes in machinery. It specifically aimed at those created by Siemens and was spread through infected USB drives. If the infected computer didn’t contain Siemens software, it would lay dormant and infect others in a limited fashion as to not give itself away. If the software is there, it will then proceed to alter the speed of the machinery, causing it to tear apart. Siemens eventually found a way to remove the malware from their software.

8. Mydoom

Surfacing in 2004, Mydoom was a worm for Windows that became one of the fastest spreading email worm since ILOVEYOU. The author is unknown and it is believed that the creator was paid to create it since it contains the text message, “andy; I’m just doing my job, nothing personal, sorry,”. It was named by McAfee employee Craig Schmugar, one of the people who had originally discovered it. ‘mydom’ was a line of text in the program’s code (my domain) and sensing this was going to be big, added ‘doom’ into it.
📷via Virus.Wikidot.com
The worm spreads itself by appearing as an email transmission error and contains an attachment of itself. Once executed, it will send itself to email addresses that are in a user’s address book and copies itself to any P2P program’s folder to propagate itself through that network. The payload itself is twofold: first it opens up a backdoor to allow remote access and second it launches a denial of service attack on the controversial SCO Group. It was believed that the worm was created to disrupt SCO due to conflict over ownership of some Linux code. It caused an estimate of $38.5 billion in damages and the worm is still active in some form today.

9. CryptoLocker

CryptoLocker is a form of Trojan horse ransomware targeted at computers running Windows. It uses several methods to spread itself, such as email, and once a computer is infected, it will proceed to encrypt certain files on the hard drive and any mounted storage connected to it with RSA public key cryptography. While it is easy enough to remove the malware from the computer, the files will still remain encrypted. The only way to unlock the files is to pay a ransom by a deadline. If the deadline is not met, the ransom will increase significantly or the decryption keys deleted. The ransom usually amount to $400 in prepaid cash or bitcoin.
📷via Bleepingcomputer.com
The ransom operation was eventually stopped when law enforcement agencies and security companies managed to take control part of the botnet operating CryptoLocker and Zeus. Evgeniy Bogachev, the ring leader, was charged and the encryption keys were released to the affected computers. From data collected from the raid, the number of infections is estimated to be 500,000, with the number of those who paid the ransom to be at 1.3%, amounting to $3 million.

10. Flashback

Though not as damaging as the rest of the malware on this list, this is one of the few Mac malware to have gain notoriety as it showed that Macs are not immune. The Trojan was first discovered in 2011 by antivirus company Intego as a fake Flash install. In its newer incarnation, a user simply needs to have Java enabled (which is likely the majority of us). It propagates itself by using compromised websites containing JavaScript code that will download the payload. Once installed, the Mac becomes part of a botnet of other infected Macs.
📷via CNET
The good news is that if it is infected, it is simply localized to that specific user’s account. The bad news is that more than 600,000 Macs were infected, including 274 Macs in the Cupertino area, the headquarters of Apple. Oracle published a fix for the exploit with Apple releasing an update to remove Flashback from people’s Mac. It is still out in the wild, with an estimate of 22,000 Macs still infected as of 2014.
submitted by bogdan9409 to u/bogdan9409 [link] [comments]

What is ZeuS Virus? bitcoin - YouTube Set up a Zeus Botnet Como configurar zeus botnet 2016 Zeus 2.1.0.1 Botnet Tutorial Made Easy For Beginers 2013

Zeus and ZeroAccess are two of the most interesting malicious code used with this specific purpose. ZeroAccess is the world’s fastest-growing botnet detected in 2012. It infected millions of computers with the primary intent to commit large-scale click fraud and Bitcoin mining. The Zeus botnet is a banking Trojan. Why ZeroAccess botnet stopped bitcoin mining There have been several reports this week detailing how security firm Symantec took down a large portion of a bitcoin mining botnet called ZeroAccess. Zeus Botnet 2.1.0.1. Zeus botnet is very good botnet for ever from long time scan ftp user pass how to scan ssh root how to send bulk sms how to send sms from computer how to setup any rat how to setup bitcoin miner how to setup botnet how to setup DarkSky DDoS Loader Bot Cracked how to setup Diamond Fox botnet how to setup EdgeLog The Justice Department today announced a multi-national effort to disrupt the Gameover Zeus Botnet – a global network of infected victim computers used by cyber criminals to steal millions of dollars from businesses and consumers – and unsealed criminal charges in Pittsburgh, Pennsylvania, and Omaha, Nebraska, against an administrator of the botnet. Zeus is a Trojan horse that steals banking information by Man-in-the-browser keystroke logging and Form Grabbing. Zeus is spread mainly through drive-by downloads and phishing schemes. First identified in July 2007 when it was used to steal information from the United States Department of Transportation, it became more widespread in March 2009.

[index] [9909] [17613] [30967] [27161] [17419] [16472] [17316] [25382] [19054] [18894]

What is ZeuS Virus?

Zeus Botnet 2017 Windows 10 Google Chrome , Firefox and MS Edge World's BEST Botnet - Duration: 8:30. Lord Newton 20,323 views. 8:30. Bizarre Looking RCA Radio! Learn to setup your zeus botnet with ease. In just a click your bot is ready for spread but ensure you use this educationally. Add me on skype: fabsneaty231 or YM: fabulousike2004 for more details ... bitcoin Петр Головин ... Zeus Botnet 2016 Latest - Grabs from CHROME, MOZILLA and IE by White Hat. 9:07. Athena HTTP Botnet setup by Haris Mian. 8:38. Смотрите в HD. Miner botnet bitcoin/litecoin. Подобного рода майнеры на разных площадках стоят от 300$. ... Zeus Botnet New 2015 Latest - Grabs ... https://zeus-net.pro/ discord on the site : https://zeus-net.pro/ LAYER 4 : 120-300 GBPS / LAYER 7 : 100-800 K/RS L4 & L7 WITH METHODS BYPASS TAGS: free ip stresser free ip booter wycinanie po ...

Flag Counter