Differences

This shows you the differences between two versions of the page.

en:information_technology:the_zeus_malware_incident [2019-10-24 21:04] Heikki
en:information_technology:the_zeus_malware_incident [2023-02-20 23:37] – external edit 127.0.0.1
Line 1: Line 1:
 ====== The ZeuS malware incident ====== ====== The ZeuS malware incident ======
  
-<wrap info>This report was written in 2014, latest update 2017-10-22. [[:fi:tietotekniikka:zeus_haittahohjelma_koneella|Summary in Finnish]].</wrap>+<WRAP info>This report was written in 2014, latest update 2017-10-22. [[:fi:tietotekniikka:zeus_haittahohjelma_koneella|Summary in Finnish]].</WRAP>
  
 My Windows 7 desktop computer was hit by [[http://www.securelist.com/en/blog/208214171/The_inevitable_move_64_bit_ZeuS_has_come_enhanced_with_Tor|ZeuS malware]] or some variant of it. It wasn't detected by virus scanners and so it lived on the computer at least over a month, maybe much longer. Here is the full story. My Windows 7 desktop computer was hit by [[http://www.securelist.com/en/blog/208214171/The_inevitable_move_64_bit_ZeuS_has_come_enhanced_with_Tor|ZeuS malware]] or some variant of it. It wasn't detected by virus scanners and so it lived on the computer at least over a month, maybe much longer. Here is the full story.
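Review bot: the `<wrap info>` to `<WRAP info>` change on the `-`/`+` pair is case-only and the closing tag is changed in step (`</wrap>` to `</WRAP>`), so the opening and closing tags stay matched; the text and the Finnish summary link inside the wrap are untouched, so nothing else in this hunk needs attention.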
Line 13: Line 13:
 I started to have occasional issues with my internet connection. It appeared that the connection sometimes dropped for a while and then started to work again. Resetting the 4G modem or cable modem didn't help and rebooting the computer seemed to help only for a while. I then used tools like ping and it appeared that the network wasn't really down since ping packets traveled fine without issues. I then download [[http://technet.microsoft.com/fi-fi/sysinternals/bb897437.aspx|TCPView]] to monitor network connections and noticed that [[en:information_technology:opera_tor_malware|Opera browser was behaving badly]]. Opera was listening on TCP port 9050 that is [[https://www.torproject.org|the Tor port]], there were some active network Tor connections and Opera was causing a massive flooding of TCP connections. So assumably TCP sockets ran out and that caused the network issues. I started to have occasional issues with my internet connection. It appeared that the connection sometimes dropped for a while and then started to work again. Resetting the 4G modem or cable modem didn't help and rebooting the computer seemed to help only for a while. I then used tools like ping and it appeared that the network wasn't really down since ping packets traveled fine without issues. I then download [[http://technet.microsoft.com/fi-fi/sysinternals/bb897437.aspx|TCPView]] to monitor network connections and noticed that [[en:information_technology:opera_tor_malware|Opera browser was behaving badly]]. Opera was listening on TCP port 9050 that is [[https://www.torproject.org|the Tor port]], there were some active network Tor connections and Opera was causing a massive flooding of TCP connections. So assumably TCP sockets ran out and that caused the network issues.
  
-As explained [[en:it:opera_tor_malware|in my earlier text]] running the virus scanners revealed nothing. I was also unable to find anything written about Opera browser attacks using Tor network. I uninstalled Opera and the issue went away. Reinstalling Opera caused the issue to come back. So I didn't know what it was but I decided not to install and use Opera browser anymore.+As explained [[en:information_technology:opera_tor_malware|in my earlier text]] running the virus scanners revealed nothing. I was also unable to find anything written about Opera browser attacks using Tor network. I uninstalled Opera and the issue went away. Reinstalling Opera caused the issue to come back. So I didn't know what it was but I decided not to install and use Opera browser anymore.
  
 ===== The second wave ===== ===== The second wave =====
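Review bot: the old link target `en:it:opera_tor_malware` on the `-` line sits in a different namespace from the page itself (`en:information_technology:...` in the revision header) and from the TCPView paragraph above, which already links to `en:information_technology:opera_tor_malware`; the `+` line brings this second reference in line with those, so both links point at the same earlier text rather than one of them resolving to a nonexistent page.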
Line 41: Line 41:
   * Why ZeuS caused TCP socket flooding that finally made you detect it? I assume that this happened because of some sort of malfunction on ZeuS or because of the fact that I had an active firewall that blocked the sockets causing ZeuS to open more and more sockets. But all this is purely speculation. I was lucky to have that TCP socket flooding happening. Without it I might have been running ZeuS like forever. It is also possible that this ZeuS variant was just acting annoying on purpose. But I think this is unlikely: nowdays malware is mostly to do something beneficial without getting noticed by the user, not to act annoying and dropping network connections.   * Why ZeuS caused TCP socket flooding that finally made you detect it? I assume that this happened because of some sort of malfunction on ZeuS or because of the fact that I had an active firewall that blocked the sockets causing ZeuS to open more and more sockets. But all this is purely speculation. I was lucky to have that TCP socket flooding happening. Without it I might have been running ZeuS like forever. It is also possible that this ZeuS variant was just acting annoying on purpose. But I think this is unlikely: nowdays malware is mostly to do something beneficial without getting noticed by the user, not to act annoying and dropping network connections.
  
-{{tag>IT 2013 2014 2017 Tor malware virus ZeuS Opera svchost Windows}}+{{tag>it 2013 2014 2017 tor malware virus zeus opera svchost windows}}
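Review bot: the tag list on the `+` line differs from the `-` line only in case (`IT` to `it`, `ZeuS` to `zeus`, `Opera` to `opera`, and so on); the set of tags is otherwise the same, so no tag is dropped or added and the only effect is consistent lowercase naming across the tags.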