
Re: [tor-talk] "zeus" virus



From: "scar" <scar@xxxxxxxxxx>


hi all, i operate the "cave" router from my home DSL connection, and
from time to time it will get suspended because CenturyLink will
notice malicious traffic from viruses routed thru the Tor network.
most of the time i can block these because they will tell me the
destination IP addresses.  but lately my service has been getting
suspended because of this "zeus" virus and the reports my ISP sends
don't have any destination IP addresses.  below is a sample report of
what they send me; you can see with the 'conficker' one there is a
dst address that i can block, but with zeus there is practically no
data.  (the IP Address column is what my IP address was at the time)
i have asked CenturyLink for more info, specifically destination IP
addresses, but this is all they give me.  so does anyone know of a way
to block this zeus thru Tor?  thanks

Date/Time Seen (GMT)   IP Address        Infection Data (*)
--------------------   ---------------   ------------------------------
2012-08-20 00:56:32    67.1.15.107       infection => 'zeus',
addl_data => '/config.bin'
2012-07-30 15:06:13    97.115.197.107    infection => 'zeus',
addl_data => '/zs/config.bin'
2012-07-26 23:17:48    97.115.196.146    infection => 'conficker',
subtype => 'downadup', src_port => '49510', dst_port => '80',
http_host => '149.20.56.33', url => 'GET /search?q=0 HTTP/1.1',
http_agent => 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1;
InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR
3.5.30729)', dst_ip => '149.20.56.33', sourceSummary => 'Sinkhole HTTP
Drone Report'
2012-07-04 18:46:35    97.115.192.31     infection => 'zeus',
addl_data => '/update32.php'
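As an added illustration (not from the original post), the triage an exit operator can do on a report in the format quoted above: entries that carry a dst_ip become Tor ExitPolicy reject lines, while entries without one (the zeus rows) are listed as unblockable at the exit. The sample report below is constructed to mirror the quoted one; the field names (infection, dst_ip, addl_data) are taken from the post.

```python
import re

# Constructed sample, modeled on the ISP report quoted in the post above.
SAMPLE_REPORT = """\
Date/Time Seen (GMT)   IP Address        Infection Data (*)
--------------------   ---------------   ------------------------------
2012-08-20 00:56:32    67.1.15.107       infection => 'zeus',
addl_data => '/config.bin'
2012-07-26 23:17:48    97.115.196.146    infection => 'conficker',
subtype => 'downadup', src_port => '49510', dst_port => '80',
http_host => '149.20.56.33', url => 'GET /search?q=0 HTTP/1.1',
dst_ip => '149.20.56.33', sourceSummary => 'Sinkhole HTTP
Drone Report'
2012-07-04 18:46:35    97.115.192.31     infection => 'zeus',
addl_data => '/update32.php'
"""

# A new entry starts on a line with a timestamp and the reported IP.
ENTRY_START = re.compile(
    r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)\s+(\d+\.\d+\.\d+\.\d+)\s+(.*)$")
# Fields are written as key => 'value'; values may contain spaces.
KV = re.compile(r"(\w+)\s*=>\s*'([^']*)'")


def parse_report(text):
    """Split the report into entries, joining wrapped continuation lines
    onto the entry they belong to, then parse the key => 'value' pairs."""
    entries = []
    for line in text.splitlines():
        m = ENTRY_START.match(line)
        if m:
            entries.append({"seen": m.group(1), "ip": m.group(2),
                            "_raw": m.group(3)})
        elif entries:  # header lines before the first entry are skipped
            entries[-1]["_raw"] += " " + line
    for e in entries:
        e.update(KV.findall(e.pop("_raw")))
    return entries


def exit_policy_rejects(entries):
    """Return (reject lines for torrc, entries with no destination to block)."""
    rejects, unblockable = [], []
    for e in entries:
        if e.get("dst_ip"):
            rejects.append(f"ExitPolicy reject {e['dst_ip']}:*")
        else:
            unblockable.append((e["seen"], e["infection"]))
    return sorted(set(rejects)), unblockable
```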


Zeus Bot (aka; ZBot) is not a virus. It is a data stealing trojan with other aspects and it, and variants, have a large distribution on the 'net.

Usually config.bin is an encrypted file that has instructions for the Bot component.

Conficker (aka; Downup) is an I-worm and Bot.

Whatever the case, malicious bot activity is being detected and thus you should stop using Tor and you should make sure your computer(s) are clean.

I suggest reading this...
http://forums.malwarebytes.org/index.php?showtopic=9573

Create an account and post your problem here...
http://forums.malwarebytes.org/index.php?s=547b20f67444c3ee30a883a34bf60fb0&showforum=7



References:
http://searchsecurity.techtarget.com/definition/Zeus-Trojan-Zbot
http://en.wikipedia.org/wiki/Zeus_%28Trojan_horse%29
http://en.wikipedia.org/wiki/Conficker




--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp

_______________________________________________
tor-talk mailing list
tor-talk@xxxxxxxxxxxxxxxxxxxx
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk