Command and Control Server for Dorifel? Dutch friends watch your clicks!

At the moment there is a gigantic outbreak of the Dorifel virus in the Netherlands. Dorifel is related to Zbot/Citadel…
It comes through mail and it encrypts Word and Excel documents and replaces them with .scr files,
causing networks to no longer function…
Tools to restore these encrypted files are in the hands of our forum's qualified removal experts;
I have sent the links to them…
Why this country, the Netherlands? Well, the bot server hides phishing websites for 4 major Dutch banks.
See the anti-scam info on the apparent Russian owner of that botnet:
http://www.anti-scam-forum.net/showFullThread_1288628426.htm
This apparently is the C&C server: http://urlquery.net/report.php?id=123021
At the moment it is not giving commands, but experts fear this could change any moment (see the Dorifel analysis by Brenno de Winter, an extensive analysis of Dorifel for webwereld.nl: http://webwereld.nl/analyse/111452/de-code-van-dorifel-nader-bekeken/2.html)
FILEMAGIC: Macromedia Flash data (compressed),
but on that same AS we find this: http://urlquery.net/report.php?id=122830
and that is not very reassuring, many IDS alerts there. I think this IP should be blocked…
and also these IPs: 184.82.162.163 and 184.22.103.202, together with this domain “bank-auth dot org”,

polonus
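An added triage script for the file damage described in the post above (it is not code from the thread, from avast, or from any of the linked analyses): it walks a document tree, flags .scr files and Office files whose magic bytes do not match their extension, and records the SHA-256 of each hit so it can be looked up on VirusTotal the way the report below does. The magic-byte signatures are the well-known ones (PE, OLE2, ZIP/OOXML, Flash); the sample files it builds are constructed placeholders, not Dorifel samples, and the two rules are my assumptions about what a cleanup pass would look for.

```python
import hashlib
import tempfile
from pathlib import Path
from typing import Optional

# Well-known file signatures (first bytes), not taken from any malware sample.
SIGNATURES = [
    (b"MZ", "PE executable"),
    (b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1", "OLE2 document (legacy .doc/.xls)"),
    (b"PK\x03\x04", "ZIP container (.docx/.xlsx)"),
    (b"CWS", "Macromedia Flash data (compressed)"),
    (b"FWS", "Macromedia Flash data (uncompressed)"),
]

# What a healthy Office file with this extension should start with.
EXPECTED_TYPE = {
    ".doc": "OLE2 document (legacy .doc/.xls)",
    ".xls": "OLE2 document (legacy .doc/.xls)",
    ".docx": "ZIP container (.docx/.xlsx)",
    ".xlsx": "ZIP container (.docx/.xlsx)",
}


def identify(head: bytes) -> str:
    """Classify a file by its leading bytes; 'unknown' if no signature matches."""
    for magic, name in SIGNATURES:
        if head.startswith(magic):
            return name
    return "unknown"


def sha256_of(path: Path) -> str:
    """Streamed SHA-256, the hash VirusTotal reports are keyed on."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def triage_file(path: Path) -> Optional[str]:
    """Return a reason string when a file looks like Dorifel-style damage, else None.

    Rule 1 (assumption): a .scr in a document tree is suspect whatever it contains.
    Rule 2 (assumption): an Office extension whose content is not an Office
    container (e.g. an encrypted blob) is suspect.
    """
    ext = path.suffix.lower()
    with path.open("rb") as f:
        head = f.read(16)
    kind = identify(head)
    if ext == ".scr":
        return f"screensaver file in a document tree ({kind})"
    expected = EXPECTED_TYPE.get(ext)
    if expected and kind != expected:
        return f"extension {ext} but content is {kind}"
    return None


def triage_tree(root: Path) -> list:
    """Walk the tree and collect findings with the hash to look up."""
    findings = []
    for path in sorted(root.rglob("*")):
        if not path.is_file():
            continue
        reason = triage_file(path)
        if reason:
            findings.append({
                "path": path.relative_to(root).as_posix(),
                "reason": reason,
                "sha256": sha256_of(path),
            })
    return findings


def build_sample_tree(root: Path) -> None:
    """Constructed sample files (placeholders, not real documents or malware)."""
    (root / "reports").mkdir()
    # clean legacy .doc and clean .xlsx: correct magic for their extension
    (root / "reports" / "q2.doc").write_bytes(b"\xD0\xCF\x11\xE0\xA1\xB1\x1A\xE1" + b"\x00" * 64)
    (root / "reports" / "budget.xlsx").write_bytes(b"PK\x03\x04" + b"\x00" * 64)
    # a .scr dropped beside the documents, with an executable header
    (root / "reports" / "memo.doc.scr").write_bytes(b"MZ" + b"\x90" * 64)
    # a .doc whose content is no longer an OLE2 container
    (root / "reports" / "notes.doc").write_bytes(b"ENCRYPTED-PLACEHOLDER" + b"\x00" * 32)


def run_demo() -> list:
    """Build the sample tree in a temp dir and triage it; returns the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_tree(root)
        return triage_tree(root)


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['path']}: {f['reason']}  sha256={f['sha256']}")
```

Run it against a real share by calling `triage_tree(Path(r"\\server\docs"))` instead of `run_demo()`; the two clean files are not reported, the .scr and the overwritten .doc are, each with a hash ready to paste into VirusTotal.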

virustotal
https://www.virustotal.com/file/effc4da8e236109e24079e76f394a0817c0e65e9bdfa69e26f963eb9221f9d10/analysis/1344806380/

First seen by VirusTotal
2012-08-12 21:19:40 UTC ( 2 minutes ago )

Well, the alarming and worrisome news behind all this is that part of the Dorifel-infected computers in Holland had a previous Citadel infection that went on unnoticed for quite some time.
So there is a big underlying problem that has not been solved yet: the presence of the next-generation banking malware bot, which hides the C&C server address.
Citadel has added anti-emulator protection (a new algorithm) to protect the botnet against reversing and against ending up in trackers; see the description here:
http://letsbytecode.com/security/citadel-trojan-hides-the-real-address-of-the-c-c-server/ (article author = syntax).

The Citadel Trojan, also a banking malware, includes “improvements” over Zeus such as:

more stealth in evading detection from tracking sites;
better communications with the command and control server (that gives it orders and thus controls it);
the ability to block access to security sites; and
the ability to record videos of victim activities.

(Quote taken from Paul Lubic's Security Blog, author Paul Lubic.)
On the planning stage of such a malicious campaign, see this posting on the DSL Reports forum by MGD (kudos to MGD for getting to this info):
http://www.dslreports.com/forum/remark,21966638?hilite=selling+domain
I assume protection against injected trackers is an important issue…
Also, VM environments should learn to run in “stealth” mode so Citadel cannot detect that a sandbox is running and play dead, waiting for a postponed infection,

polonus

The malcreants responsible for the Dorifel/Citadel/Zeus infrastructure are also testing Hermes as a banking trojan. They are using open source projects, like
http://hermes-bot.net/forum/, to run test runs,

polonus

And here the avast forum spam filter stopped me in my tracks: I tried to comment on the malcreants’ test runs with the H E R M E S open source IRC bot in a resource-engineered version. Cybercriminals make use of different botnets; in the USA Citadel is used to install Reveton malware. Dorifel was used for the postponed launching of a banking trojan like H E R M E S,

polonus

P.S. Could it be that bot herders are very religious people? See: http://bible.cc/acts/14-12.htm (Z E U S & H E R M E S - Barnabas & Paul)

D