[tor-talk] "zeus" virus
David H. Lipman
DLipman at Verizon.Net
Thu Aug 23 20:40:26 UTC 2012
From: "scar" <scar at drigon.com>
>
> hi all, i operate the "cave" router from my home DSL connection, and
> from time to time it will get suspended because CenturyLink will
> notice malicious traffic from viruses routed thru the Tor network.
> most of the time i can block these because they will tell me the
> destination IP addresses. but lately my service has been getting
> suspended because of this "zeus" virus and the reports my ISP sends
> don't have any destination ip addresses. below is a sample report of
> what they send me. you can see with the 'conficker' one there is a
> dst address that i can block, but with zeus there is practically no
> data. (the IP Address column is what my IP address was at the time)
> i have asked CenturyLink for more info, specifically destination ip
> addresses, but this is all they give me. so does anyone know of a way
> to block this zeus thru Tor? thanks
>
> Date/Time Seen (GMT)   IP Address       Infection Data (*)
> --------------------   ---------------  ------------------------------
> 2012-08-20 00:56:32    67.1.15.107      infection => 'zeus',
>     addl_data => '/config.bin'
> 2012-07-30 15:06:13    97.115.197.107   infection => 'zeus',
>     addl_data => '/zs/config.bin'
> 2012-07-26 23:17:48    97.115.196.146   infection => 'conficker',
>     subtype => 'downadup', src_port => '49510', dst_port => '80',
>     http_host => '149.20.56.33', url => 'GET /search?q=0 HTTP/1.1',
>     http_agent => 'Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1;
>     InfoPath.2; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR
>     3.5.30729)', dst_ip => '149.20.56.33', sourceSummary => 'Sinkhole HTTP
>     Drone Report'
> 2012-07-04 18:46:35    97.115.192.31    infection => 'zeus',
>     addl_data => '/update32.php'
>
Zeus Bot (aka ZBot) is not a virus. It is a data stealing trojan with
other aspects, and it and its variants have a large distribution on the 'net.
Usually config.bin is an encrypted file that has instructions for the Bot
component.

Conficker (aka Downup) is an I-worm and Bot.

Whatever the case, malicious bot activity is being detected and thus you
should stop using Tor and you should make sure your computer(s) are clean.

I suggest reading this...
http://forums.malwarebytes.org/index.php?showtopic=9573

Create an account and post your problem here...
http://forums.malwarebytes.org/index.php?s=547b20f67444c3ee30a883a34bf60fb0&showforum=7
References:
http://searchsecurity.techtarget.com/definition/Zeus-Trojan-Zbot
http://en.wikipedia.org/wiki/Zeus_%28Trojan_horse%29
http://en.wikipedia.org/wiki/Conficker
--
Dave
Multi-AV Scanning Tool - http://multi-av.thespykiller.co.uk
http://www.pctipp.ch/downloads/dl/35905.asp
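As an added illustration (not code from either poster), here is a small Python parser for the `key => 'value'` report format quoted above, which separates the records that carry a `dst_ip` an exit operator can filter on from those, like the zeus entries, that name only the infection family and a config path. The sample report below is constructed from the quoted records; the regexes assume values never contain a single quote.

```python
import re

# Constructed sample modelled on the ISP report quoted in the thread.
# Records wrap onto continuation lines; only the conficker record has dst_ip.
SAMPLE_REPORT = """\
2012-08-20 00:56:32 67.1.15.107 infection => 'zeus',
addl_data => '/config.bin'
2012-07-26 23:17:48 97.115.196.146 infection => 'conficker',
subtype => 'downadup', src_port => '49510', dst_port => '80',
http_host => '149.20.56.33', dst_ip => '149.20.56.33', sourceSummary => 'Sinkhole HTTP
Drone Report'
2012-07-04 18:46:35 97.115.192.31 infection => 'zeus',
addl_data => '/update32.php'
"""

# A record starts with a timestamp and the reporting IP; anything else is a continuation.
RECORD_START = re.compile(
    r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\d{1,3}(?:\.\d{1,3}){3}) (.*)$"
)
FIELD = re.compile(r"(\w+) => '([^']*)'")


def parse_report(text):
    """Group wrapped lines into records and split each into a dict of fields."""
    records = []
    for line in text.splitlines():
        m = RECORD_START.match(line)
        if m:
            records.append({"seen": m.group(1), "ip": m.group(2), "_raw": m.group(3)})
        elif records:
            # Continuation of the previous record (a wrapped line).
            records[-1]["_raw"] += " " + line
    for rec in records:
        rec.update(dict(FIELD.findall(rec.pop("_raw"))))
    return records


def triage(records):
    """Split records into destinations an operator can block and
    opaque ones that only identify the family and a config path."""
    actionable, opaque = [], []
    for rec in records:
        if "dst_ip" in rec:
            actionable.append((rec["dst_ip"], rec.get("dst_port")))
        else:
            opaque.append((rec.get("infection"), rec.get("addl_data")))
    return actionable, opaque
```

Running `triage(parse_report(SAMPLE_REPORT))` yields one blockable destination (the conficker sinkhole) and two zeus records with no destination at all, which is exactly the gap the original poster describes.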