Can you explain how to decode the Zeus config.bin file?
By submitting your email address, you agree to receive emails regarding relevant topic offers from TechTarget and its partners. You can withdraw your consent at any time. Contact TechTarget at 275 Grove Street, Newton, MA.
The Zeus config.bin file is used to store the Zeus Trojan configuration. The file is encrypted with RC4, so it must be unecrypted, or decoded, before it can be analyzed. ThreatExpert has a blog post on how to decode the Zeus config file along with a utility for doing so. You can also use the free OllyDebug tool for Zeus Trojan analysis and decoding the config file. The file contains the details of which URLs are targeted by the customized Zeus bot. By identifying the URLs targeted, you can further observe what account credentials were attacked. The config file also has URLs used for downloading updates, which you can use to try to identify other infected computers on your network.
Ask the expert
Have questions about enterprise information security threats? Send them to expert Nick Lewis, and you may see the answers appear on SearchSecurity.com! All questions are anonymous.
Once you have identified the targeted URLs, notify the affected websites they are being targeted so they can monitor their systems for attacks. You can also block access to these targeted websites, or only allow access from systems that require access and are clean from malware. For any account credentials compromised, you should immediately contact the financial institution to change the credentials and put a hold on any financial transactions that may have been initiated. You could also block access to the URLs used for updates to prevent updates.
Dig Deeper on Malware, Viruses, Trojans and Spyware
Related Q&A from Nick Lewis
Latentbot malware has layers of obfuscation that makes it hard to detect. Expert Nick Lewis explains how its process works, beginning with a phishing...continue reading
A hard to detect type of Linux malware, Rekoobe, can download files to user systems. Expert Nick Lewis explains the malware's key functionality and ...continue reading
Pro POS, a new type of POS malware, has simple operations and is easy to obtain. How was it so successful against businesses? Expert Nick Lewis ...continue reading
Have a question for an expert?
Please add a title for your question
Get answers from a TechTarget expert on whatever's puzzling you.