Is your PC part of the “Pobelka” botnet?

According to their press release, researchers at the Netherlands-based security companies FOX-IT and SurfRight tracked down an average-sized botnet a couple of weeks ago. Pobelka (the Russian word for: Money Laundering) was focused on German and Dutch banking customers. This financial fraud botnet was built to gather very sensitive private data such as online banking accounts and credit card details.

Pobelka (spread by the Zeus variant Citadel) acts the same way as Carberp, SpyEye, Hermes, Gozi and Bugat: it manipulates online transactions via a Man-in-the-Browser attack. Once installed without the user noticing, it stays quiet until the user starts online banking. Right before SSL encryption takes effect and the payment request is transferred to the bank's servers, the cybercriminals change the money transfer details by overwriting the input the user intended. Depending on the authentication mechanism, the victim is unable to detect the scam without checking the printed copies of their bank statement.
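
Why the authentication mechanism matters here, as an added example that is not part of the original advisory or any bank's real scheme: a simplified model in which a confirmation code that only proves the user's presence still passes after the transfer details were changed in the browser, while a code derived from the payee and amount on a separate device does not. The key, account strings, amounts and all function names are constructed for illustration.

```python
import hashlib
import hmac

# Constructed demo values: the key, account numbers and amounts are made up.
DEVICE_KEY = b"constructed-demo-key"
INTENDED = ("DE00-CONSTRUCTED-PAYEE", 15000)    # what the user typed (cents)
ALTERED = ("NL00-CONSTRUCTED-OTHER", 950000)    # what left the browser instead


def _code(key: bytes, message: str) -> str:
    """Short confirmation code derived from a shared key and a message."""
    return hmac.new(key, message.encode(), hashlib.sha256).hexdigest()[:12]


def session_code(key: bytes, counter: int) -> str:
    """Proves the user is present, but says nothing about the transfer."""
    return _code(key, f"counter={counter}")


def transfer_code(key: bytes, account: str, cents: int) -> str:
    """Bound to the payee and amount the user entered on a separate device."""
    return _code(key, f"account={account};cents={cents}")


def bank_checks_session(key, counter, code) -> bool:
    return hmac.compare_digest(session_code(key, counter), code)


def bank_checks_transfer(key, received, code) -> bool:
    # The bank recomputes the code over the details it actually received.
    return hmac.compare_digest(transfer_code(key, *received), code)


def simulate() -> dict:
    user_session = session_code(DEVICE_KEY, 7)
    user_transfer = transfer_code(DEVICE_KEY, *INTENDED)
    return {
        # Altered request still passes: the code never covered the details.
        "session_code_altered": bank_checks_session(DEVICE_KEY, 7, user_session),
        # Altered request fails: received details no longer match the code.
        "bound_code_altered": bank_checks_transfer(DEVICE_KEY, ALTERED, user_transfer),
        # Untouched request passes as normal.
        "bound_code_unaltered": bank_checks_transfer(DEVICE_KEY, INTENDED, user_transfer),
    }


if __name__ == "__main__":
    print(simulate())
```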


I’d like to know if I am infected. What do I need to do?

  1. Stay calm!
  2. Please check your computer (and all other Windows devices within your home network) with the Edition of HitmanPro. This “2nd Opinion Scanner” is able to detect and delete it. Usage is free of charge!
  3. Also check whether your operating system is up to date: Secunia’s Online-Check can assist you here!
  4. In case of an infection: it is likely that the trojan has already stolen login data. Please change the access credentials of your banking and email accounts, as well as all other important ones (e.g. eBay, Amazon, PayPal, etc.). As Pobelka, like all other banking trojans, compromises your system very aggressively, we suggest considering a re-installation of your system from scratch. In case you need any assistance here, we are happy to help at our support forum.

Some tips from the security experts of the German Anti-Botnet Advisory Center:

Pobelka and much other malware is spread via infected websites that have been compromised without the knowledge of the domain owner (example: Blackhole Exploit Kit). Once that has happened, simply visiting the website is enough (we call this a drive-by exploit) to compromise the visitor's device and install malware fully automated and unattended.

Besides up-to-date browser software, a frequently patched operating system and a professional antivirus solution, we suggest using “script blockers”: these only allow script code to be processed after the user permits it. For Firefox, NoScript and FlashBlock are two great examples.