SANS Digital Forensics and Incident Response Blog: Tag - zeus

Digital Forensics Case Leads: ZeusTracker; Legal Hold Software; Port Control as a Forensic Tool

The Zeus banking Trojan continues to siphon cash from businesses' bank accounts. Attackers compromise networks and computers then lie in wait until accounts are accessed, at which point authentication may be hijacked allowing attackers to submit transactions. The credentials match, even two-factor systems are being defeated. At last count, attackers made over $120 million in unauthorized transactions in Q3 2009 (source: FDIC).

Multi-factor and out-of-band authentication will not cure the ill if the customers' machines are owned by the attackers. Per transaction authentication is needed (probably digitally signed and with MAC). If you are working as an incident responder, it may be helpful to know some of the currently active command and control systems connected to Zeus. Here is a handy list, provided by ZeusTracker (note: SSL certificate errors may pop-up,


Client-side Web Application Attacks

Over the past few years, attacks against web applications have become more prevalent and sophisticated. There are several methods of attacking web applications, SQL injection being one of the more well-known. In this article, we are going to discuss a different class of attacks and a few examples of how an incident responder or computer forensic investigator might spot them.

All web forms contain fields that are used to grab input from a user and post it to the server for processing. Form fields are commonly used to collect information, from transaction details on e commerce sites to authentication credentials for restricted content. While form fields are used to collect data legitimately from users, they can also be used maliciously.

An example of this is a client side attack commonly known as form field injection. In this type of attack, malware interacting in a web browser adds additional form fields to