This site brings to you a consolidation of malware articles and alerts, as well as the antimalware solutions to fix and block it all. Please read our About page for more information.

ZeroAccess (Sirefef, Vobfus, 0access), is a rather prolific piece of malware.

On Sophos' research blog, James Wyke summarizes the ongoing tracking of the ZeroAccess rootkit and its botnet:

http://nakedsecurity.sophos.com/2012/09/19/zeroaccess-botnet-uncovered/

Over 9 million computers compromised with this rootkit! I suggest reading through this and following all the links to previous zeroaccess articles. One of the more imporant ones is the Sophos ZeroAccess Botnet technical paper you can download at http://www.sophos.com/en-us/why-sophos/our-people/technical-papers/zeroaccess-botnet.aspx.

If somehow reading "9 million computers compromised" wasn't enough, Sean at F-Secure's blog posted a visual representation using Google Earth:

http://www.f-secure.com/weblog/archives/00002430.html

So what does ZeroAccess actually do? It mines bitcoins and runs click fraud. If you aren't that familiar with bitcoin currency, you may want to read up on it quick: http://en.wikipedia.org/wiki/Bitcoin#Mining_and_node_operation
  
Read the full article at ZeroAccess Rootkit and Botnet

A few weeks ago, RSA wrote about a new attack against U.S. banks using a custom trojan (Gozi Prinimalka) and ~100 botmasters.

http://blogs.rsa.com/rsafarl/cyber-gang-seeks-botmasters-to-wage-massive-wave-of-trojan-attacks-against-u-s-banks/

Krebs shared his thoughts on this attack labeled "Project Blitzkrieg":

https://krebsonsecurity.com/tag/gozi-prinimalka/

The last couple of weeks technical details on this trojan and botnet were scarce. Arbor Networks finally revealed what many of us were waiting for:

http://ddos.arbornetworks.com/2012/10/trojan-prinimalka-bits-and-pieces/

A quick summary to improve your detection capabilities:

- Dropped files use the pattern %UserProfile%govXXXX.exe (X's are 4 lowercase letters)
- C&C IP addresses include 93.115.241.114 and 213.155.28.104
- C&C uri request includes /system/prinimalka.py/
- Opens up SOCKS proxy to relay traffic

Now that this gozi variant has been reverse engineered well in advance of the attack, I suspect new variants will show up with altered configurations.
  
Read the full article at Project Blitzkrieg: The Gozi Prinimalka trojan

I'll keep this brief because there are much better sources of information about what Flame (Skywiper) is and how it works.

So to summarize -

What Flame is:

http://www.kaspersky.com/about/news/virus/2012/Kaspersky_Lab_and_ITU_Research_Reveals_New_Advanced_Cyber_Threat

This is a trojan used in cyber espionage, originally targeting Iran. It appears to have been around since 2010 (and maybe as early as 2008) and is touted as one of the most complex trojans and C&C infrastructures created to date.

How Flame works:

http://www.crysys.hu/skywiper/skywiper.pdf
http://blog.soleranetworks.com/2012/05/30/what-we-know-so-far-about-the-flame-trojan-3/

Those are both great analysis that reverse engineers the application.

  
Read the full article at Flame and its C&C Domains