Tag Archives: botnets

New Mirai variant attacks Apache Struts vulnerability

New variants of the Mirai and Gafgyt botnets are targeting unpatched enterprise devices, according to new research.

Palo Alto Networks’ Unit 42 found the variants affect vulnerabilities in Apache Struts and in SonicWall’s Global Management System (GSM). The Mirai variant exploits the same vulnerability in Apache Struts that was behind the 2018 Equifax data breach, while the Gafgyt variant exploits a newly uncovered vulnerability in unsupported, older versions of SonicWall’s GSM.

The Unit 42 research team noted the Mirai variant involves taking advantage of 16 different vulnerabilities. And while that’s not unusual, it is the first known instance of Mirai or any of its variants targeting an Apache Struts vulnerability.

The research also found the domain that hosts the Mirai samples had resolved to a different IP address in August, which also hosted Gafgyt samples at that time. Those samples exploited the SonicWall GSM vulnerability, which is tracked as CVE-2018-9866. Unit 42’s research did not say whether the two botnets were the work of a single threat group or actor, but it did say the activity could spell trouble for enterprises.

“The incorporation of exploits targeting Apache Struts and SonicWall by these IoT/Linux botnets could indicate a larger movement from consumer device targets to enterprise targets,” the Palo Alto researchers wrote.

The Apache Struts vulnerability exploited by the new Mirai variant was patched last year before it was used in the Equifax breach. But systems that have not been updated are still susceptible to these types of exploits.

The Mirai botnet first emerged in the fall of 2016, and it has since affected hundreds of thousands of IoT and connected devices. The botnet’s malware had primarily targeted consumer devices, and it was responsible for massive distributed denial-of-service attacks on the German teleco Deutsche Telekom and on the domain name server provider Dyn, which took down websites such as Airbnb, Twitter, PayPal, GitHub, Reddit, Netflix and others.

The Unit 42 researchers discovered the Gafgyt and Mirai variant on Aug. 5, and they alerted SonicWall about its GMS vulnerability. The public disclosure was posted by Palo Alto on Sept. 9.

A series of new IoT botnets plague connected devices

Internet of things botnets continue to plague connected devices with two new botnets appearing this week.

The first of the IoT botnets causing trouble was discovered by security researchers at Bitdefender and is called Hide ‘N Seek, or HNS. HNS was first noticed on January 10, “faded away” for a few days and then reemerged on January 20 in a slightly different form, according to Bitdefender senior e-threat analyst Bogdan Botezatu. Since then, HNS — which started with only 12 compromised devices — had amassed over 32,000 bots worldwide as of January 26. Most of the affected devices are Korean-manufactured IP cameras.

“The HNS botnet communicates in a complex and decentralized manner and uses multiple anti-tampering techniques to prevent a third party from hijacking/poisoning it,” Botezatu explained in his analysis of HNS, also noting that the bot can perform device exploits similar to those done by the Reaper botnet. “The bot embeds a plurality of commands such as data exfiltration, code execution and interference with a device’s operation.”

Botezatu also explained that HNS works sort of like a worm in that it uses a randomly generated list of IP addresses to get potential targets. The list of targets can be updated in real time as the botnet grows or bots are lost or gained. Luckily, like other IoT botnets, the HNS “cannot achieve persistence” and a device reboot will remove it from the botnet.

“While IoT botnets have been around for years, mainly used for DDoS attacks, the discoveries made during the investigation of the Hide and Seek bot reveal greater levels of complexity and novel capabilities such as information theft — potentially suitable for espionage or extortion,” Botezatu said.

Unlike other recent IoT botnets, HNS is different from the infamous Mirai malware, and is instead similar to the Hajime botnet. Like Hajime, HNS has a “decentralized peer-to-peer architecture.”

The Masuta botnets

Two other new botnets on the scene do show similarities to Mirai, however.

The Masuta and PureMasuta variant were discovered by researchers at the company NewSky Security and appear to be the work of the Satori botnet creators. The Satori botnet targeted Huawei routers earlier this month, and the Masuta botnets now also target home routers.

According to the research from NewSky Security, Masuta shares a similar attack method with Mirai and uses weak, known or default credentials to access the targeted devices. PureMasuta is a bit more sophisticated and exploits a network administration bug uncovered in 2015 in D-Link’s Home Network Administration Protocol, which relies on the Simple Object Access Protocol to manage device configuration.

“Protocol exploits are more desirable for threat actors as they usually have a wider scope,” Ankit Anubhav, principal researcher at NewSky Security, wrote in the analysis of the botnets. “A protocol can be implemented by various vendors/models and a bug in the protocol itself can get carried on to a wider range of devices.”

PureMasuta has been infecting devices since September 2017.

In other news

  • Kaspersky Lab filed a preliminary injunction as part of its appeal against the U.S. Department of Homeland Security’s ban on the use of the company’s products in government agencies. The ban was originally issued in September 2017 in response to concerns that the Moscow-based security company helped the Russian government gather data on the U.S. through its antivirus software and other products. The ban, Binding Operational Directive (BOD) 17-01, was reinforced in December 2017 in the National Defense Authorization Act, despite offers from Kaspersky to have the U.S. government investigate its products and operations. In response to the National Defense Authorization Act, Kaspersky Lab filed a lawsuit against the U.S. government saying that the ban was unconstitutional. As part of the lawsuit, the injunction would, for now, stop the government ban on BOD 17-01.
  • The PCI Security Standards Council (PCI SSC) published new security requirements for mobile point-of-sale systems. The requirements focus on software-based PIN entry on commercial off-the-shelf (COTS) mobile devices. Requirements already exist for hardware-based devices that accept PINs, so these standards expand on them. The so-called PCI Software-Based PIN Entry on COTS (SPoC) Standard introduces a “requirement for a back-end monitoring system for additional external security controls such as attestation (to ensure the security mechanisms are intact and operational), detection (to notify when anomalies are present) and response (controls to alert and take action) to address anomalies,” according to PCI SSC CTO Troy Leach. The standard consists of two documents: the Security Requirements for solution providers, including designers of applications that accept PINS; and the Test Requirements, which “create validation mechanisms for payment security laboratories to evaluate the security” of the PIN processing apps. The SPoC security requirements focus on five core principles, according to Leach:
    • isolation of the PIN from other account data;
    • ensuring the software security and integrity of the PIN entry application on the COTS device;
    • active monitoring of the service, to mitigate against potential threats to the payment environment within the phone or tablet;
    • Required Secure Card Reader for PIN (SCRP) to encrypt and maintain confidentiality of account data; and
    • transactions restricted to EMV contact and contactless.
  • Alphabet, best known for being Google’s parent company, launched a new cybersecurity company — Chronicle. Chronicle is an offshoot of the group X and will be a stand-alone company under Alphabet. Former Symantec COO Stephen Gillett will be the company’s CEO. Chronicle offers two services to enterprises: a security intelligence and analytics platform and VirusTotal, an online malware and virus scanner Google acquired in 2012. “We want to 10x the speed and impact of security teams’ work by making it much easier, faster and more cost-effective for them to capture and analyze security signals that have previously been too difficult and expensive to find,” Gillett said in a blog post announcing the company launch. “We are building our intelligence and analytics platform to solve this problem.” The announcement did not provide many specifics, but the launch could pose a significant threat to cybersecurity vendors that do not have access to the same resources as a company with the same parent as Google.

Microsoft takes on global cybercrime epidemic in tenth malware disruption

The following post is from Richard Domingues Boscovich, Assistant General Counsel, Microsoft Digital Crimes Unit.


Playing offense against cybercriminals is what drives me and everyone here at the Microsoft Digital Crimes Unit. Today, Microsoft has upped the ante against global cybercrime, taking legal action to clean up malware and help ensure customers stay safer online. In a civil case filed on June 19, Microsoft named two foreign nationals, Mohamed Benabdellah and Naser Al Mutairi, and a U.S. company, Vitalwerks Internet Solutions, LLC (doing business as No-IP.com), for their roles in creating, controlling, and assisting in infecting millions of computers with malicious software—harming Microsoft, its customers and the public at large.

We’re taking No-IP to task as the owner of infrastructure frequently exploited by cybercriminals to infect innocent victims with the Bladabindi (NJrat) and Jenxcus (NJw0rm) family of malware. In the past, we’ve predominately seen botnets originating in Eastern Europe; however, the authors, owners and distributors of this malware are Kuwaiti and Algerian nationals. The social media-savvy cybercriminals have promoted their wares across the Internet, offering step-by-step instructions to completely control millions of unsuspecting victims’ computers to conduct illicit crimes—demonstrating that cybercrime is indeed a global epidemic.

Free Dynamic DNS is an easy target for cybercriminals

Dynamic Domain Name Service (DNS) is essentially a method of automatically updating a listing in the Internet’s address book, and is a vital part of the Internet. However, if not properly managed, a free Dynamic DNS service like No-IP can hold top-rank among abused domains. Of the 10 global malware disruptions in which we’ve been involved, this action has the potential to be the largest in terms of infection cleanup. Our research revealed that out of all Dynamic DNS providers, No-IP domains are used 93 percent of the time for Bladabindi-Jenxcus infections, which are the most prevalent among the 245 different types of malware currently exploiting No-IP domains. Microsoft has seen more than 7.4 million Bladabindi-Jenxcus detections over the past 12 months, which doesn’t account for detections by other anti-virus providers. Despite numerous reports by the security community on No-IP domain abuse, the company has not taken sufficient steps to correct, remedy, prevent or control the abuse or help keep its domains safe from malicious activity.

For a look at how cybercriminals leverage services like No-IP, and advice for customers to help ensure a safer online experience, please see the graphic below.

Microsoft legal and technical actions

On June 19, Microsoft filed for an ex parte temporary restraining order (TRO) from the U.S. District Court for Nevada against No-IP. On June 26, the court granted our request and made Microsoft the DNS authority for the company’s 23 free No-IP domains, allowing us to identify and route all known bad traffic to the Microsoft sinkhole and classify the identified threats. The new threat information will be added to Microsoft’s Cyber Threat Intelligence Program (CTIP) and provided to Internet Service Providers (ISPs) and global Computer Emergency Response Teams (CERTs) to help repair the damage caused by Bladabindi-Jenxcus and other types of malware. The Microsoft Digital Crimes Unit worked closely with Microsoft’s Malware Protection Center to identify, reverse engineer and develop a remedy for the threat to clean infected computers. We also worked with A10 Networks, leveraging Microsoft Azure, to configure a sophisticated system to manage the high volume of computer connections generated by botnets such as Bladabindi-Jenxcus.

As malware authors continue to pollute the Internet, domain owners must act responsibly by monitoring for and defending against cybercrime on their infrastructure. If free Dynamic DNS providers like No-IP exercise care and follow industry best practices, it will be more difficult for cybercriminals to operate anonymously and harder to victimize people online. Meanwhile, we will continue to take proactive measures to help protect our customers and hold malicious actors accountable for their actions.

This is the third malware disruption by Microsoft since the November unveiling of the Microsoft Cybercrime Center—a center of excellence for advancing the global fight against cybercrime. This case and operation are ongoing, and we will continue to provide updates as they become available. To stay up to date on the latest developments on the fight against cybercrime, follow the Microsoft Digital Crimes Unit on Facebook and Twitter. Microsoft provides free tools and information to help customers clean and regain control of their computers at www.microsoft.com/security.

Microsoft takes on global cybercrime epidemic in tenth malware disruption

Editor’s Note: This blog post was updated with the following new information at 8 a.m. on July 9:

On Monday, June 30, Microsoft filed a civil suit in a Nevada federal court to disrupt Bladabindi-Jenxcus, a pervasive family of malware that put millions of customers at risk.

Today both Microsoft Corporation and Vitalwerks Internet Solutions, LLC announce they have reached a settlement in the matter of Microsoft Corporation v. Mutairi, et al.

Microsoft has reviewed the evidence provided by Vitalwerks and enters into the settlement confident that Vitalwerks was not knowingly involved with the subdomains used to support malware. Those spreading the malware abused Vitalwerks’ services.

Microsoft identified malware that had escaped Vitalwerks’ detection. Upon notification and review of the evidence, Vitalwerks took immediate corrective action allowing Microsoft to identify victims of this malware. The parties have agreed to permanently disable Vitalwerks subdomains used to control the malware.

In the process of redirecting traffic to its servers for malware detection, Microsoft acknowledges that a number of Vitalwerks customers were impacted by service outages as a result of a technical error. Microsoft regrets any inconvenience these customers may have experienced.

The following post from Richard Domingues Boscovich, Assistant General Counsel, Microsoft Digital Crimes Unit, was originally published on June 30:


Playing offense against cybercriminals is what drives me and everyone here at the Microsoft Digital Crimes Unit. Today, Microsoft has upped the ante against global cybercrime, taking legal action to clean up malware and help ensure customers stay safer online. In a civil case filed on June 19, Microsoft named two foreign nationals, Mohamed Benabdellah and Naser Al Mutairi, and a U.S. company, Vitalwerks Internet Solutions, LLC (doing business as No-IP.com), for their roles in creating, controlling, and assisting in infecting millions of computers with malicious software—harming Microsoft, its customers and the public at large.

We’re taking No-IP to task as the owner of infrastructure frequently exploited by cybercriminals to infect innocent victims with the Bladabindi (NJrat) and Jenxcus (NJw0rm) family of malware. In the past, we’ve predominately seen botnets originating in Eastern Europe; however, the authors, owners and distributors of this malware are Kuwaiti and Algerian nationals. The social media-savvy cybercriminals have promoted their wares across the Internet, offering step-by-step instructions to completely control millions of unsuspecting victims’ computers to conduct illicit crimes—demonstrating that cybercrime is indeed a global epidemic.

Free Dynamic DNS is an easy target for cybercriminals

Dynamic Domain Name Service (DNS) is essentially a method of automatically updating a listing in the Internet’s address book, and is a vital part of the Internet. However, if not properly managed, a free Dynamic DNS service like No-IP can hold top-rank among abused domains. Of the 10 global malware disruptions in which we’ve been involved, this action has the potential to be the largest in terms of infection cleanup. Our research revealed that out of all Dynamic DNS providers, No-IP domains are used 93 percent of the time for Bladabindi-Jenxcus infections, which are the most prevalent among the 245 different types of malware currently exploiting No-IP domains. Microsoft has seen more than 7.4 million Bladabindi-Jenxcus detections over the past 12 months, which doesn’t account for detections by other anti-virus providers. Despite numerous reports by the security community on No-IP domain abuse, the company has not taken sufficient steps to correct, remedy, prevent or control the abuse or help keep its domains safe from malicious activity.

For a look at how cybercriminals leverage services like No-IP, and advice for customers to help ensure a safer online experience, please see the graphic below.

Microsoft legal and technical actions

On June 19, Microsoft filed for an ex parte temporary restraining order (TRO) from the U.S. District Court for Nevada against No-IP. On June 26, the court granted our request and made Microsoft the DNS authority for the company’s 23 free No-IP domains, allowing us to identify and route all known bad traffic to the Microsoft sinkhole and classify the identified threats. The new threat information will be added to Microsoft’s Cyber Threat Intelligence Program (CTIP) and provided to Internet Service Providers (ISPs) and global Computer Emergency Response Teams (CERTs) to help repair the damage caused by Bladabindi-Jenxcus and other types of malware. The Microsoft Digital Crimes Unit worked closely with Microsoft’s Malware Protection Center to identify, reverse engineer and develop a remedy for the threat to clean infected computers. We also worked with A10 Networks, leveraging Microsoft Azure, to configure a sophisticated system to manage the high volume of computer connections generated by botnets such as Bladabindi-Jenxcus.

As malware authors continue to pollute the Internet, domain owners must act responsibly by monitoring for and defending against cybercrime on their infrastructure. If free Dynamic DNS providers like No-IP exercise care and follow industry best practices, it will be more difficult for cybercriminals to operate anonymously and harder to victimize people online. Meanwhile, we will continue to take proactive measures to help protect our customers and hold malicious actors accountable for their actions.

This is the third malware disruption by Microsoft since the November unveiling of the Microsoft Cybercrime Center—a center of excellence for advancing the global fight against cybercrime. This case and operation are ongoing, and we will continue to provide updates as they become available. To stay up to date on the latest developments on the fight against cybercrime, follow the Microsoft Digital Crimes Unit on Facebook and Twitter. Microsoft provides free tools and information to help customers clean and regain control of their computers at www.microsoft.com/security.

Microsoft takes on global cybercrime epidemic in tenth malware disruption

Editor’s Note: This blog post was updated with the following new information at 8 a.m. on July 9:

On Monday, June 30, Microsoft filed a civil suit in a Nevada federal court to disrupt Bladabindi-Jenxcus, a pervasive family of malware that put millions of customers at risk.

Today both Microsoft Corporation and Vitalwerks Internet Solutions, LLC announce they have reached a settlement in the matter of Microsoft Corporation v. Mutairi, et al.

Microsoft has reviewed the evidence provided by Vitalwerks and enters into the settlement confident that Vitalwerks was not knowingly involved with the subdomains used to support malware. Those spreading the malware abused Vitalwerks’ services.

Microsoft identified malware that had escaped Vitalwerks’ detection. Upon notification and review of the evidence, Vitalwerks took immediate corrective action allowing Microsoft to identify victims of this malware. The parties have agreed to permanently disable Vitalwerks subdomains used to control the malware.

In the process of redirecting traffic to its servers for malware detection, Microsoft acknowledges that a number of Vitalwerks customers were impacted by service outages as a result of a technical error. Microsoft regrets any inconvenience these customers may have experienced.

The following post from Richard Domingues Boscovich, Assistant General Counsel, Microsoft Digital Crimes Unit, was originally published on June 30:


Playing offense against cybercriminals is what drives me and everyone here at the Microsoft Digital Crimes Unit. Today, Microsoft has upped the ante against global cybercrime, taking legal action to clean up malware and help ensure customers stay safer online. In a civil case filed on June 19, Microsoft named two foreign nationals, Mohamed Benabdellah and Naser Al Mutairi, and a U.S. company, Vitalwerks Internet Solutions, LLC (doing business as No-IP.com), for their roles in creating, controlling, and assisting in infecting millions of computers with malicious software—harming Microsoft, its customers and the public at large.

We’re taking No-IP to task as the owner of infrastructure frequently exploited by cybercriminals to infect innocent victims with the Bladabindi (NJrat) and Jenxcus (NJw0rm) family of malware. In the past, we’ve predominately seen botnets originating in Eastern Europe; however, the authors, owners and distributors of this malware are Kuwaiti and Algerian nationals. The social media-savvy cybercriminals have promoted their wares across the Internet, offering step-by-step instructions to completely control millions of unsuspecting victims’ computers to conduct illicit crimes—demonstrating that cybercrime is indeed a global epidemic.

Free Dynamic DNS is an easy target for cybercriminals

Dynamic Domain Name Service (DNS) is essentially a method of automatically updating a listing in the Internet’s address book, and is a vital part of the Internet. However, if not properly managed, a free Dynamic DNS service like No-IP can hold top-rank among abused domains. Of the 10 global malware disruptions in which we’ve been involved, this action has the potential to be the largest in terms of infection cleanup. Our research revealed that out of all Dynamic DNS providers, No-IP domains are used 93 percent of the time for Bladabindi-Jenxcus infections, which are the most prevalent among the 245 different types of malware currently exploiting No-IP domains. Microsoft has seen more than 7.4 million Bladabindi-Jenxcus detections over the past 12 months, which doesn’t account for detections by other anti-virus providers. Despite numerous reports by the security community on No-IP domain abuse, the company has not taken sufficient steps to correct, remedy, prevent or control the abuse or help keep its domains safe from malicious activity.

For a look at how cybercriminals leverage services like No-IP, and advice for customers to help ensure a safer online experience, please see the graphic below.

Microsoft legal and technical actions

On June 19, Microsoft filed for an ex parte temporary restraining order (TRO) from the U.S. District Court for Nevada against No-IP. On June 26, the court granted our request and made Microsoft the DNS authority for the company’s 23 free No-IP domains, allowing us to identify and route all known bad traffic to the Microsoft sinkhole and classify the identified threats. The new threat information will be added to Microsoft’s Cyber Threat Intelligence Program (CTIP) and provided to Internet Service Providers (ISPs) and global Computer Emergency Response Teams (CERTs) to help repair the damage caused by Bladabindi-Jenxcus and other types of malware. The Microsoft Digital Crimes Unit worked closely with Microsoft’s Malware Protection Center to identify, reverse engineer and develop a remedy for the threat to clean infected computers. We also worked with A10 Networks, leveraging Microsoft Azure, to configure a sophisticated system to manage the high volume of computer connections generated by botnets such as Bladabindi-Jenxcus.

As malware authors continue to pollute the Internet, domain owners must act responsibly by monitoring for and defending against cybercrime on their infrastructure. If free Dynamic DNS providers like No-IP exercise care and follow industry best practices, it will be more difficult for cybercriminals to operate anonymously and harder to victimize people online. Meanwhile, we will continue to take proactive measures to help protect our customers and hold malicious actors accountable for their actions.

This is the third malware disruption by Microsoft since the November unveiling of the Microsoft Cybercrime Center—a center of excellence for advancing the global fight against cybercrime. This case and operation are ongoing, and we will continue to provide updates as they become available. To stay up to date on the latest developments on the fight against cybercrime, follow the Microsoft Digital Crimes Unit on Facebook and Twitter. Microsoft provides free tools and information to help customers clean and regain control of their computers at www.microsoft.com/security.

Microsoft helps FBI in GameOver Zeus botnet cleanup

The following post is from Richard Domingues Boscovich, Assistant General Counsel, Microsoft Digital Crimes Unit.


Following Monday’s multi-national action against the GameOver Zeus botnet, we’re pleased to announce that Microsoft, working closely with the FBI and industry partners, has taken action to remove malware, so that infected computers can no longer be used for harm.

GameOver Zeus, a variant of the Zeus (or Zbot) family of malware, is a highly prevalent password-stealing trojan, according to research by the Microsoft Security Intelligence Report. Dell SecureWorks Counter Threat Unit reports that it was the most active banking trojan of 2013. However, the impact of GameOver Zeus is not limited to the financial industry – nearly all major business and public sector organizations are impacted. Security researchers estimate that between 500,000 and 1 million computers worldwide are infected, and the FBI estimates that Gameover Zeus is responsible for more than $100 million in losses.

The FBI-led legal action and private-sector-led technical action against GameOver Zeus has taken down a portion of the command-and-control (C&C) infrastructure linked to domains generated by the malware and registered by the cyber-criminals. In this operation, codenamed b157, the FBI seized the registered domains. Microsoft did not file a civil action in this matter, unlike some of its previous actions. Unlike most botnet centralized C&C servers, GameOver Zeus uses peer-to-peer (P2P) technology, making its C&C decentralized, more elusive and more resilient than its predecessors.

Microsoft’s role in this technical action was to conduct analysis on the P2P network and develop a cleaning solution. Also, through an additional feed from Shadow Server, we are able to augment our visibility into the number of impacted IP addresses that feed into Microsoft’s Cyber-Threat Intelligence Program (C-TIP), and work closely with global Community Emergency Response Teams (CERTs) and Internet service providers (ISPs) to help owners of compromised computers regain control of their systems. Based upon these actions, it is anticipated that the cybercriminals’ business model will be disrupted, and they will be forced to rebuild their criminal infrastructure. More importantly, victims of GameOver Zeus have been, and will continue to be, notified and their infected computers cleaned to prevent future harm.

This is the second botnet operation by Microsoft since the Nov. 14 unveiling of the new Microsoft Cybercrime Center – a center of excellence for advancing the global fight against cybercrime – and marks Microsoft’s ninth involvement in a botnet operation. Similar to Microsoft’s December 2013 ZeroAccess botnet case, GameOver Zeus is part of a cooperative effort with industry partners and law enforcement to take out cybercriminal networks to ensure that people worldwide can use their computing devices and services with confidence.

sampleemailGOZ

About GameOver Zeus

GameOver Zeus is spread through drive-by downloads, where the cybercriminals create a website that downloads malware onto any unprotected computer that visits that site. It is also distributed through the Cutwail spam botnet via phishing, where cybercriminals send counterfeit emails that appear to be legitimate communications from well-known businesses and organizations. These deceptive emails contain realistic language that could entice the recipient to click on a link or attachment, which ultimately deploys the GameOver Zeus malware onto the victim’s computer. The botnet automatically begins key logging when a user of an infected computer types into the Web browser, unwittingly giving cybercriminals access to passwords and private account information. The infected computer sends stolen data to the botnet’s C&C server, and stores it there for later use by the criminal.

GameOver Zeus has many similar properties to Zeus, such as logging keystrokes to steal banking credentials, but it also comes packaged with malicious functions that allow it to launch distributed denial-of-service (DDoS) attacks against financial institutions. Variants have allowed GameOver Zeus to circumvent perimeter security including firewalls, webfilters and network intrusion detection systems, by disguising itself as an encrypted .EXE file. GameOver Zeus also deploys a process known as “web injects,” which provide the ability to modify the HTML of a target website, and inject additional form fields to dupe a victim into entering sensitive information beyond standard banking credentials. In addition to targeting financial institutions, GameOver Zeus has deployed web injects targeting department stores, social networking sites and webmail services. Most recently, a variant is targeting job seekers and recruiters by attempting to steal log-in credentials for popular job search sites. Unlike some of the earlier versions of Zeus, such as ICE IX, Spy Eye and Citadel, GameOver Zeus has not been marketed and offered for sale in the public domain.

This case and operation are ongoing, and we will continue to provide updates as they become available. To stay up to date on the latest developments on the fight against cybercrime, follow the Microsoft Digital Crimes Unit on Facebook and Twitter.

Visit http://support.microsoft.com/gp/cu_sc_virsec_master for detailed instructions on how to remove the GameOver Zeus trojan using malware removal or anti-virus software as quickly as possible.