# ISFB: Still Live and Kicking **journal.cecyf.fr/ojs/index.php/cybin/article/view/15** Maciej Kotowicz CERT PL DOI: [https://doi.org/10.18464/cybin.v2i1.15](https://doi.org/10.18464/cybin.v2i1.15) ## Abstract ISFB is also known as Gozi2/Ursnif, sometimes Rovnix. ISFB reappeared in early 2013 attracting some attention from the research community and a lot of confusion in the naming convention and to what was being analyzed. Then suddenly, it went dark again. However, dark does not mean dead. With attention of the world focused on Dridex and Dyre, ISFB silently evolved, hiding from the spotlight to become one of the most complex and fully featured banking trojans out there In this paper, we break the silence surrounding ISFB, giving a full description of this malware capabilities which are beyond those of the average banking trojan: 4 ways of communicating with the CC, half a dozen tricks to steal your money, the ability to create movies of your activity and naturally numerous ways of manipulating your web traffic. ## References [1] D. Jackson, “The unrelenting evolution of vawtrak.”, https://info.phishlabs.com/blog/theunrelenting-evolution-of-vawtrak, 2014. [2] N. Kuzmin, “Gozi v1 leak,” 2010. [3] Horgh, “Ursnif still in active development.” http://blog.howpublishedsonmalware.se/post/2014/10/09/Ursnif-still-in-active-development, 2014. [4] unknown, “Isfb leak.”, https://github.com/gbrindisi/malware/tree/master/windows/gozi-isfb, 2015. [5] GovCERT.ch, “Gozi isfb - when a bug really is a feature.”, https://www.govcert.admin.ch/blog/18/gozi-isfb-when-a-bug-really-is-a-feature, 2016. [6] Proofpoint, “Nightmare on tor street: Ursnif variant dreambot adds tor functionality.”, https://www.proofpoint.com/us/threat-insight/post/ursnif-variant-dreambot-adds-torfunctionality, 2016. [7] L. Kessem and L. Keshet, “Meet goznym: The banking malware offspring of gozi isfb and nymaim.”, https://securityintelligence.com/meet-goznym-the-banking-malware-offspring-ofgozi-isfb-and-nymaim/, 2016. [8] J. Jedynak and M. Kotowicz, “Nymaim: the untold story,”, https://lokalhost.pl/talks/vb2016/, 2016 [9] Kafeine, “A fileless ursnif doing some pos focused reco.”, http://malware dontneedcoffee com/2015/07/a-fileless-ursnif-doing-some-pos html 2015 ----- [10] J. Grunzweig and B. Levene, Powersniff malware used in macro-based attacks., http://researchcenter.paloaltonetworks.com/2016/03/powersniff-malware-used-in-macrobased-attacks/, 2015. [11] D. Kizhakkinan, Y. Wang, D. Caselden, and E. Eng, “Threat actor leverages windows zero-day exploit in payment card data attacks.”, https://www.fireeye.com/blog/threatresearch/2016/05/windows-zero-day-payment-cards.html, 2016. Copyright (c) 2016 Maciej Kotowicz [Creative Commons License](http://creativecommons.org/licenses/by/4.0/) [This work is licensed under a Creative Commons Attribution 4.0 International License.](http://creativecommons.org/licenses/by/4.0/) Authors who publish with this journal agree to the following terms: Authors retain copyright and grant the journal right of first publication with the work [simultaneously licensed under a Creative Commons Attribution License that allows](http://creativecommons.org/licenses/by/4.0/) others to share the work with an acknowledgement of the work's authorship and initial publication in this journal. Authors are able to enter into separate, additional contractual arrangements for the non-exclusive distribution of the journal's published version of the work (e.g., post it to an institutional repository or publish it in a book), with an acknowledgement of its initial publication in this journal. -----