Honeypots
Any tips on how to selectively get infected with Zeus?
You can find the latest Zeus variants here http://www.malwaredomainlist.com/mdl.php
Tyler
-----Original Message-----
From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On Behalf Of Michele Zoerb
Sent: Wednesday, May 19, 2010 11:39 AM
To: Mayank.2.Bhatnagar; honeypot honeypot
Subject: RE: info reg Zeus bot detection and analysis
Interesting thoughts as I am just starting the same type of project. I want to get infected by Zeus and perform some analysis. I have a closed environment, but didn't think that detecting a virtual environment would be an issue for the bot. I will put my VMconverter onto a separate machine and clone from there.
Any tips on how to selectively get infected with Zeus?
Thanks,
Chele
-----Original Message-----
From: listbounce (at) securityfocus (dot) com [email concealed] [mailto:listbounce (at) securityfocus (dot) com [email concealed]] On Behalf Of Mayank.2.Bhatnagar
Sent: Wednesday, May 19, 2010 4:12 AM
To: honeypot honeypot
Subject: info reg Zeus bot detection and analysis
Hi everyone,
We are able to collect several samples of Zeus bot and there are many variants of the same.
However when we try to analyse it in our sandbox and closed environment, we are not able to get any activity.
There are several reports available for the same md5sum sample, but still, after much analysis and triggering attempts, either the malicious sample doesn't trigger or, if it does, it doesn't show any network activity.
What could be the reason? Where is the catch? We have referred to Zeus tracker sites (https://zeustracker.abuse.ch/blocklist.php) and threatExpert reports, but precisely what kind of analysis should be done and what environment should be created to analyse these setups?
We found that VMware/virtual setups may have been getting detected, but what about a live sandbox environment? Why is the malicious exe not triggering there? Where are we missing?
Anyone having pointers, suggestions...please suggest.
Thanks a lot,
Regards,
Mayank,
India
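As an added example (not code from any poster in this thread), the following Python script shows the first-pass triage that Mayank's question is really about: record the sample's md5 (what the tracker reports are keyed on) alongside a sha256, replay the sandbox run's network log, and classify the run as "no network activity", "activity but no match", or "blocklist hit" against a zeustracker-style blocklist. The blocklist and log formats, the indicator values (RFC 5737 addresses and `.invalid` names) and the sample bytes are all constructed assumptions for the demonstration; a real sandbox or a tshark-processed pcap will need its own log parser.

```python
"""Triage of one sandbox run: did the sample talk on the network at all, and does
any destination match a Zeus-style blocklist?  Added example for the thread;
every input below is constructed and the file formats are assumptions."""
import hashlib
import re
from typing import Dict, List, Set, Tuple

# Constructed blocklist in the one-indicator-per-line, '#'-comment style
# (the format is an assumption, modelled on the zeustracker blocklist page).
BLOCKLIST_TEXT = """\
# ZeuS tracker style blocklist (constructed sample, not real data)
192.0.2.44
c2-panel.example.invalid
"""

# Constructed sandbox network logs.  The "timestamp kind destination" layout is an
# assumption; a real sandbox will need its own parser for this step.
NETLOG_ACTIVE = """\
2010-05-19T11:12:03 DNS c2-panel.example.invalid
2010-05-19T11:12:04 TCP 192.0.2.44:80
2010-05-19T11:12:04 HTTP POST http://c2-panel.example.invalid/gate.php
"""
NETLOG_SILENT = ""  # the situation in the original post: the sample ran but sent nothing

# Constructed "known sample" table keyed by md5.  The hash is of the constructed
# bytes below, not of any real binary.
SAMPLE_BYTES = b"MZ" + b"\x00" * 62 + b"constructed, not a real PE"
KNOWN_SAMPLES: Dict[str, str] = {
    hashlib.md5(SAMPLE_BYTES).hexdigest(): "zeus-variant-A (constructed label)",
}

LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kind>DNS|TCP|UDP|HTTP)\s+(?P<rest>.+)$")


def parse_blocklist(text: str) -> Set[str]:
    """One indicator per line; '#' starts a comment; blank lines are ignored."""
    out: Set[str] = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip().lower()
        if entry:
            out.add(entry)
    return out


def parse_netlog(text: str) -> List[Tuple[str, str, str]]:
    """Return (timestamp, kind, destination) tuples.  Ports and URL paths are
    stripped so the destination can be matched against host/IP indicators."""
    events: List[Tuple[str, str, str]] = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        rest = m.group("rest")
        if m.group("kind") == "HTTP":
            # "POST http://host/path" -> host
            url = rest.split(None, 1)[1]
            host = re.sub(r"^[a-z]+://", "", url).split("/", 1)[0]
        else:
            host = rest
        if re.search(r":\d+$", host):
            host = host.rsplit(":", 1)[0]
        events.append((m.group("ts"), m.group("kind"), host.lower()))
    return events


def identify_sample(data: bytes) -> Dict[str, str]:
    """md5 for matching tracker reports, sha256 so the record is not md5-only."""
    md5 = hashlib.md5(data).hexdigest()
    return {
        "md5": md5,
        "sha256": hashlib.sha256(data).hexdigest(),
        "label": KNOWN_SAMPLES.get(md5, "unknown"),
    }


def triage(netlog_text: str, blocklist_text: str) -> Dict[str, object]:
    """Classify a run: silent, traffic without a match, or a blocklist hit."""
    events = parse_netlog(netlog_text)
    blocklist = parse_blocklist(blocklist_text)
    hits = [e for e in events if e[2] in blocklist]
    if not events:
        # Sample ran but stayed silent: suspect environment checks, a missing
        # trigger (time, locale, user activity) or a C2 that is simply dead.
        verdict = "no-network-activity"
    elif hits:
        verdict = "blocklist-hit"
    else:
        # Traffic seen but nothing on the list: unknown C2, or benign noise.
        verdict = "activity-unmatched"
    return {"verdict": verdict, "events": len(events), "hits": hits}


if __name__ == "__main__":
    print(identify_sample(SAMPLE_BYTES))
    print(triage(NETLOG_ACTIVE, BLOCKLIST_TEXT))
    print(triage(NETLOG_SILENT, BLOCKLIST_TEXT))
```

The "no-network-activity" verdict is the useful one for the problem in the thread: it separates "the sample never ran" from "the sample ran and did not beacon", which points the analyst at the environment (VM artifacts, clock, missing user interaction) rather than at the blocklist. Keeping a sha256 next to the md5 matters because tracker reports for "the same md5sum sample" can hide repacked variants that only a second hash distinguishes.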