We have discussed the infamous Zeus family of malware and its numerous variants many times on Naked Security, including identifying the introduction of the Necurs rootkit into the Gameover variant, putting the Citadel variant under the microscope, and a technical paper analyzing the original Zeus.
These versions of Zeus and many more continue to plague netizens across the globe, stealing vast quantities of data and costing individuals and institutions huge amounts of money.
I will be giving a presentation at SOURCE Dublin this week that demonstrates the process of extracting useful information from a variety of key Zeus variants including Citadel, Gameover and IceIX.
With so much Zeus activity around, it is important to understand as much as possible about a sample and the impact of an infection.
This means obtaining and decrypting configuration files, decrypting network traffic to read exfiltrated data, and extracting and tracking the various encryption keys and network addresses being used.
Fortunately, all these versions of Zeus stem from a common codebase, which lightens the workload when working out how to extract that kind of data from newer variants: the bulk of the decryption and parsing logic carries over, and only the pieces a variant changed need reworking.
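As an added illustration of the configuration-decryption step mentioned above (example code written for this page, not part of the original post or of SophosLabs' tooling), the snippet below implements the Zeus 2.x-style protection of the configuration file: RC4 using a 256-byte key state that the bot carries in its embedded base configuration, followed by the byte-chaining step the leaked Zeus source calls "visual" encryption. Because RC4 is symmetric, the same state that encrypts also decrypts, so once the state is carved out of an unpacked sample the blob can be recovered offline. The key, S-box, and sample blob here are constructed from a made-up key rather than carved from a real sample, and all function names are the example's own; variants such as IceIX and Citadel altered this cipher, which is exactly the variant-specific part an extractor has to swap out.

```python
"""
Added example: decrypt a Zeus 2.x-style configuration blob.

Assumptions (not from the page): the bot stores a ready-made 256-byte RC4
state (S-box) in its embedded base configuration, and the config is
protected by RC4 followed by a byte-chaining ("visual") pass, as in the
leaked Zeus 2.x source. Decryption runs RC4 first, then undoes the chaining.
The key and blob below are constructed for the example.
"""


def rc4_ksa(key: bytes) -> list[int]:
    """Standard RC4 key scheduling; returns the 256-byte state."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_crypt(sbox: list[int], data: bytes) -> bytes:
    """RC4 PRGA over a copy of the state (symmetric: encrypts and decrypts)."""
    s = sbox[:]  # work on a copy so the carved state can be reused
    i = j = 0
    out = bytearray()
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def visual_encrypt(data: bytes) -> bytes:
    """Forward chaining: each byte is XORed with the previous (already chained) byte."""
    buf = bytearray(data)
    for i in range(1, len(buf)):
        buf[i] ^= buf[i - 1]
    return bytes(buf)


def visual_decrypt(data: bytes) -> bytes:
    """Inverse of visual_encrypt: walk backwards so buf[i-1] is still the chained value."""
    buf = bytearray(data)
    for i in range(len(buf) - 1, 0, -1):
        buf[i] ^= buf[i - 1]
    return bytes(buf)


def zeus_config_decrypt(sbox: list[int], blob: bytes) -> bytes:
    """Recover a config from its protected form: RC4 first, then undo the chaining."""
    if len(sbox) != 256 or sorted(sbox) != list(range(256)):
        raise ValueError("S-box must be a 256-byte permutation of 0..255")
    return visual_decrypt(rc4_crypt(sbox, blob))


def zeus_config_encrypt(sbox: list[int], plaintext: bytes) -> bytes:
    """Builder-side counterpart, used here only to construct a test blob."""
    return rc4_crypt(sbox, visual_encrypt(plaintext))


# Constructed sample: in real analysis the S-box is carved from the unpacked
# bot rather than derived from a password like this.
SAMPLE_KEY = b"constructed-example-key"
SAMPLE_SBOX = rc4_ksa(SAMPLE_KEY)
SAMPLE_PLAINTEXT = (
    b"url_config=http://example.invalid/cfg.bin\n"
    b"url_server=http://example.invalid/gate.php\n"
)
SAMPLE_BLOB = zeus_config_encrypt(SAMPLE_SBOX, SAMPLE_PLAINTEXT)


if __name__ == "__main__":
    recovered = zeus_config_decrypt(SAMPLE_SBOX, SAMPLE_BLOB)
    print(recovered.decode())
```

Running the module decrypts the constructed blob and prints the two sample URLs. On a real sample, the only inputs that change are the S-box carved from the bot and the downloaded config file; a wrong or partial S-box fails the permutation check before producing garbage that might be mistaken for a broken variant.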
If you’re in the Dublin area, why not drop by to see my talk and all the other excellent presentations at this year’s conference.
SOURCE Dublin combines cutting-edge business, technology, and application security presentations, providing security experts and industry professionals the opportunity to share insights and develop future business prospects.
James Wyke is a Senior Threat Researcher at SophosLabs UK.
Keep up with SophosLabs
At SophosLabs we’re dedicated to sharing our research with the security community. From time to time we present our technical papers at industry conferences, such as the upcoming Virus Bulletin 2014 conference, 24 – 26 September 2014.
Sign up for Sophos Blog newsletter by filling in your email address at the top right of the blog’s webpage. Follow us on your favorite social media networks, chat with us in our forums, download our informative podcasts, or sign up for our RSS feeds.