Zeus Config Decryptor

The banking trojan Zbot (aka WSNPOEM/Zeus/PRG) is still circulating “in-the-wild” in various modifications.

If you are tracking Zbot submissions on the ThreatExpert web site, you may find the following tool useful. It decrypts the contents of the configuration files downloaded by this trojan: DecodeZeusConfig.zip.

The decrypted config file will normally contain the URLs of additional components the trojan downloads, along with the URLs of the online banking services it attacks and the bogus HTML fields it attempts to inject into online banking login forms.

For example, analysis of Zeus config file contents over the last week reveals targeted URLs belonging to the following online financial services:

  • Alfa Bank (Russia)
  • Ameriprise Financial Services (US)
  • Banca March (Spain)
  • Bancaja (Spain)
  • Banco Pastor (Spain)
  • Banco Popular (Spain)
  • Banco Santander, S.A. (Spain)
  • BANESNET S.A. (Spain)
  • Banesto (Spain)
  • Bank of America (US)
  • Barclays Bank (UK)
  • Barclays Bank, S.A. (Spain)
  • Cahoot/Abbey National (UK)
  • Caixa Tarragona (Spain)
  • Caixanova (Spain)
  • Caja Espana (Spain)
  • Caja Extremadura (Spain)
  • Caja Madrid (Spain)
  • Caja Madrid Empresas (Spain)
  • Caja Rural (Spain)
  • Caja Segovia (Spain)
  • Cajamurcia (Spain)
  • Cajasol (Spain)
  • CajaSur (Spain)
  • Citibank (US)
  • Citibank Deutschland Gruppe (Germany)
  • Citizens Bank (US)
  • Clydesdale Bank (UK)
  • comdirect bank AG (Germany)
  • Dresdner Bank (Germany)
  • e-gold (US)
  • ePassporte (Netherlands)
  • E-port.Ru (Russia)
  • Fibanc-Mediolanum (Spain)
  • FIDUCIA IT AG (Germany)
  • Fifth Third Bank (US)
  • Halifax/Bank of Scotland (UK)
  • HSBC Bank (UK)
  • JPMorgan Chase & Co. (US)
  • KeyCorp (US)
  • Kutxa, Caja Gipuzkoa San Sebastian (Spain)
  • La Caja de Canarias (Spain)
  • Lloyds TSB (UK)
  • MDM Bank (Russia)
  • MoneyMail.Ru (Russia)
  • National City Bank (US)
  • norisbank GmbH (Germany)
  • PayPal, Inc. (US)
  • RBK Money (Russia)
  • SunTrust Bank (US)
  • TD Group Financial Services (Canada)
  • U.S. Bank (US)
  • Unicaja (Spain)
  • Volksbank Rhein-Wupper eG (Germany)
  • VR-NetWorld eBanking (Germany)
  • Wachovia Securities (US)
  • Washington Mutual, Inc. (US)
  • Wells Fargo Bank (US)
  • Westpac Banking Corporation (Australia)
  • Yorkshire Bank (UK)