[nsp-sec] Zbot encryption key?
Lawrence Baldwin
baldwinl at mynetwatchman.com
Tue Jun 9 18:35:46 EDT 2009
This is the key we see being used frequently...suspect it's the one that
comes default with the 1.2 kit:
# encrypt key: gsdfvaa336
--
Lawrence Baldwin
Chief Forensics Officer/
Cybercrime Investigator
myNetWatchman.com
Alpharetta, GA
+1.678.624.0924
Nicholas Ianelli wrote:
> ----------- nsp-security Confidential --------
>
>
>> Has anyone successfully found a way to extract the encryption key found
>> within Zbot binaries? We would very much like to know what data if any
>> Zbot is swiping from our infected hosts (for NYS reporting purposes).
>
> If I recall correctly, both the config and the data are RC4 encrypted,
> with the initial key data available in the unpacked binary.
>
> Do you have a copy of the malicious binary and sample data?
>
> Cheers,
> Nick
>
_______________________________________________
nsp-security mailing list
nsp-security at puck.nether.net
https://puck.nether.net/mailman/listinfo/nsp-security
Please do not Forward, CC, or BCC this E-mail outside of the nsp-security
community. Confidentiality is essential for effective Internet security
counter-measures.
_______________________________________________