Differences

en:information_technology:the_zeus_malware_incident [2019-10-24 21:04] Heikki
en:information_technology:the_zeus_malware_incident [2020-06-22 12:53] Heikki
Line 1: Line 1:
 ====== The ZeuS malware incident ====== ====== The ZeuS malware incident ======
  
-<wrap info>This report was written in 2014, latest update 2017-10-22. [[:fi:tietotekniikka:zeus_haittahohjelma_koneella|Summary in Finnish]].</wrap>+<WRAP info>This report was written in 2014, latest update 2017-10-22. [[:fi:tietotekniikka:zeus_haittahohjelma_koneella|Summary in Finnish]].</wrap>
  
 My Windows 7 desktop computer was hit by [[http://www.securelist.com/en/blog/208214171/The_inevitable_move_64_bit_ZeuS_has_come_enhanced_with_Tor|ZeuS malware]] or some variant of it. It wasn't detected by virus scanners and so it lived on the computer at least over a month, maybe much longer. Here is the full story. My Windows 7 desktop computer was hit by [[http://www.securelist.com/en/blog/208214171/The_inevitable_move_64_bit_ZeuS_has_come_enhanced_with_Tor|ZeuS malware]] or some variant of it. It wasn't detected by virus scanners and so it lived on the computer at least over a month, maybe much longer. Here is the full story.
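Review bot: the info box in this hunk now opens with `<WRAP info>` but still closes with `</wrap>`; the wrap plugin treats upper-case `<WRAP>` as a block-level element and lower-case `<wrap>` as an inline one, so the opening and closing tags should use the same case, i.e. `<WRAP info>...</WRAP>`.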
Line 11: Line 11:
 ===== Symptoms ===== ===== Symptoms =====
  
-I started to have occasional issues with my internet connection. It appeared that the connection sometimes dropped for a while and then started to work again. Resetting the 4G modem or cable modem didn't help and rebooting the computer seemed to help only for a while. I then used tools like ping and it appeared that the network wasn't really down since ping packets traveled fine without issues. I then download [[http://technet.microsoft.com/fi-fi/sysinternals/bb897437.aspx|TCPView]] to monitor network connections and noticed that [[:en:information_technology:opera_tor_malware|Opera browser was behaving badly]]. Opera was listening on TCP port 9050 that is [[https://www.torproject.org|the Tor port]], there were some active network Tor connections and Opera was causing a massive flooding of TCP connections. So assumably TCP sockets ran out and that caused the network issues.+I started to have occasional issues with my internet connection. It appeared that the connection sometimes dropped for a while and then started to work again. Resetting the 4G modem or cable modem didn't help and rebooting the computer seemed to help only for a while. I then used tools like ping and it appeared that the network wasn't really down since ping packets traveled fine without issues. I then download [[http://technet.microsoft.com/fi-fi/sysinternals/bb897437.aspx|TCPView]] to monitor network connections and noticed that [[en:information_technology:opera_tor_malware|Opera browser was behaving badly]]. Opera was listening on TCP port 9050 that is [[https://www.torproject.org|the Tor port]], there were some active network Tor connections and Opera was causing a massive flooding of TCP connections. So assumably TCP sockets ran out and that caused the network issues.
  
-As explained [[en:it:opera_tor_malware|in my earlier text]] running the virus scanners revealed nothing. I was also unable to find anything written about Opera browser attacks using Tor network. I uninstalled Opera and the issue went away. Reinstalling Opera caused the issue to come back. So I didn't know what it was but I decided not to install and use Opera browser anymore.+As explained [[en:information_technology:opera_tor_malware|in my earlier text]] running the virus scanners revealed nothing. I was also unable to find anything written about Opera browser attacks using Tor network. I uninstalled Opera and the issue went away. Reinstalling Opera caused the issue to come back. So I didn't know what it was but I decided not to install and use Opera browser anymore.
  
 ===== The second wave ===== ===== The second wave =====
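Review bot: the link style in this hunk is now inconsistent with the rest of the page: the first paragraph drops the leading colon (`[[:en:information_technology:opera_tor_malware|...]]` becomes `[[en:information_technology:opera_tor_malware|...]]`), while the Finnish summary link in the first hunk keeps it (`[[:fi:tietotekniikka:zeus_haittahohjelma_koneella|...]]`); pick one form for absolute links. The substantive fix here is the second paragraph, where the wrong namespace `en:it:opera_tor_malware` is corrected to `en:information_technology:opera_tor_malware`.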