Comments on: Win32/Gataka: a banking Trojan ready to take off? http://www.welivesecurity.com/2012/06/28/win32gataka-a-banking-trojan-ready-to-take-off/
News, Views, and Insight from the ESET Security Community
Mon, 03 Feb 2014 08:49:00 +0000

By: David Harley http://www.welivesecurity.com/2012/06/28/win32gataka-a-banking-trojan-ready-to-take-off/#comment-976 Sat, 07 Jul 2012 08:03:56 +0000 http://blog.eset.com/?p=13896#comment-976
I didn’t say it was quick. :) VT shares an awful lot of samples, not to mention those received from other sources. While modern labs have a lot of automated processes, sheer glut still poses prioritization issues. :(

By: Steve Frost http://www.welivesecurity.com/2012/06/28/win32gataka-a-banking-trojan-ready-to-take-off/#comment-975 Fri, 06 Jul 2012 21:03:03 +0000 http://blog.eset.com/?p=13896#comment-975
All samples have been submitted to VTotal but it seems like it isn't happening too quickly. I have sent zipped files to Mssr Boutin directly with all of the information that I was able to glean so far in my personal investigations including dropper, injector, pcap, startup information, etc.
Glad to be able to help.
p.s. you have any analyst openings? :D

By: David Harley http://www.welivesecurity.com/2012/06/28/win32gataka-a-banking-trojan-ready-to-take-off/#comment-974 Fri, 06 Jul 2012 14:14:12 +0000 http://blog.eset.com/?p=13896#comment-974
You can submit files to ESET via samples@eset.com (see http://kb.eset.com/esetkb/index?page=content&id=SOLN141&actp=search&viewlocale=en_US&searchid=1341583246732). We do share samples, of course, but if you submit your samples to VirusTotal (https://www.virustotal.com/) they’ll also share with participating vendors.

By: Steve Frost http://www.welivesecurity.com/2012/06/28/win32gataka-a-banking-trojan-ready-to-take-off/#comment-973 Fri, 06 Jul 2012 13:54:52 +0000 http://blog.eset.com/?p=13896#comment-973
I am a malware analyst for my company and have come across a large number of Gataka exe files that I need to get submitted to ESET as well as to as many AV firms as possible. My company currently uses an AV company that doesn't appear to share information through the community.
Can you provide me with a link to submit at least 2 zipped, password-protected files containing 2 droppers and multiple examples of this variant?

By: Jean-Ian Boutin http://www.welivesecurity.com/2012/06/28/win32gataka-a-banking-trojan-ready-to-take-off/#comment-972 Tue, 03 Jul 2012 01:12:19 +0000 http://blog.eset.com/?p=13896#comment-972
Hi Philip,

Yes, I think it does. While it is impossible to know the malware author's intent for sure, using the Internet Explorer process to perform C&C communications is a good way to evade firewalls, as users usually allow this process for outbound traffic.

By: Philip Kats. http://www.welivesecurity.com/2012/06/28/win32gataka-a-banking-trojan-ready-to-take-off/#comment-971 Tue, 03 Jul 2012 00:13:35 +0000 http://blog.eset.com/?p=13896#comment-971
Does it actually inject its code into iexplore to also bypass the firewall and do its communication actions? It's still an old method but effective, also used by DarkComet.
Regards,
Philip

By: Leo http://www.welivesecurity.com/2012/06/28/win32gataka-a-banking-trojan-ready-to-take-off/#comment-970 Thu, 28 Jun 2012 20:01:20 +0000 http://blog.eset.com/?p=13896#comment-970
Nice analysis. As a fellow researcher it is always good to see malware being broken apart :-)
Thanks for sharing.
BTW, thank you, David and Robert.
