SophosLabs: Dissecting Zeus at SOURCE Dublin

We have discussed the infamous Zeus family of malware and its numerous variants many times on Naked Security, including identifying the introduction of the Necurs rootkit into the Gameover variant, putting the Citadel variant under the microscope, and a technical paper analyzing the original Zeus.

These versions of Zeus and many more continue to plague netizens across the globe, stealing vast quantities of data and costing individuals and institutions huge amounts of money.

I will be giving a presentation at SOURCE Dublin this week that demonstrates the process of extracting useful information from a variety of key Zeus variants including Citadel, Gameover and IceIX.

With so much Zeus activity around, it is important to understand as much as possible about a sample and the impact of an infection.

This means obtaining and decrypting configuration files, decrypting network traffic to read exfiltrated data, and extracting and tracking the various encryption keys and network addresses being used.

Fortunately, all these versions of Zeus stem from a common codebase which lightens the workload when working out how to extract that kind of data from newer variants.

If you’re in the Dublin area, why not drop by to see my talk, and all the other excellent presentations at this year’s conference.

SOURCE Dublin combines cutting-edge business, technology, and application security presentations, providing security experts and industry professionals the opportunity to share insights and develop future business prospects.

James Wyke is a Senior Threat Researcher at SophosLabs UK.

Keep up with SophosLabs

At SophosLabs we’re dedicated to sharing our research with the security community. From time to time we present our technical papers at industry conferences, such as the upcoming Virus Bulletin 2014 conference, 24 – 26 September 2014.

