The Register – One of the world’s nastiest password-stealing trojans evades detection by the majority PCs running anti-virus programs, according to a study that examined 10,000 machines.
Zeus, a stealthy piece of malware that sits on a PC and waits for users to log in to bank websites, is detected just 23 per cent of time by AV programs, according to the study (PDF) released by security firm Trusteer. Even AV programs with up-to-date malware signatures were unable to identify the infection a majority of the time, the authors said.
Zeus, which also goes by the name Zbot and PRG, escapes detection using sophisticated techniques such as root-kit technology, the Trusteer report said. The company is able to detect it by examining the fingerprint Zeus leaves when it penetrates an infected PC’s browser process.
A recent report estimated that Zeus is the No. 1 trojan, with 3.6 million infections in the US alone, or about 1 per cent of the installed base of PCs. Trusteer’s study, which found Zeus accounted for 44 per cent of the banking malware infections, was consistent with that finding. After sneaking onto a PC, it sits quietly in the background until a user logs on to a financial website. It then sends the login credentials to a remote server in real time, sometimes by use of instant messaging programs.
Of Zeus-infected machines, about 31 per cent don’t run AV at all and 14 percent run AV that’s out of date. The remaining 55 per cent had AV programs that were up to date.
Source
More about Zeus from an earlier article from The Washington Post:
The Washington Post – September 9, 2009
Cyber Thieves Steal $447,000 From Wrecking Firm
Organized cyber thieves are increasingly looting businesses in heists that can net hundreds of thousands of dollars. Security vendors and pundits may be quick to suggest a new layer of technology to thwart such crimes, but in a great many cases, the virtual robbers are foiled because an alert observer spotted something amiss early on and raised a red flag.
In mid-July, computer crooks stole $447,000 from Ferma Corp., a Santa Maria, Calif.-based demolition company, by initiating a large batch of transfers from Ferma’s online bank account to 39 “money mules,” willing or unwitting accomplices who typically are ensnared via job search Web sites into bogus work-at-home schemes…
Some types of malware, particularly a type of data-stealing Trojan horse programs known as “Zeus,” allow the attackers to change the display of a bank’s login page as a victim is entering their credentials. For example, when a victim submits his one-time password along with his credentials, the malware may force the browser to return a counterfeit page (still showing the bank’s domain name in the URL bar) stating that the bank’s site is down for maintenance, please try back again in 15 minutes. Meanwhile, those credentials are not submitted to the bank but instead sent to the attackers.
This tactic is remarkably effective: When an unwitting customer waits as instructed, the thieves use those intercepted credentials to log in as the victim and initiate unauthorized transfers from that account.
Parodi recalled that an employee who handles the company’s online account had trouble logging in just hours before the fraudulent transfers were discovered.
“The employee eventually had to reset his password, but by the time we figured out what was happening, the hacker had already withdrawn the money,” Perodi said.
Source
Even more information about Zues:
The Zeus Trojan, otherwise known as ZBot, is widely available for purchase in the cyber-underground. Zeus was linked to a campaign that stole thousands of FTP credentials in an effort to compromise a number of high-profile Websites — including sites belonging to Symantec, Bank of America and Amazon.com.
Now, the Trojan’s purveyors are adopting a new tactic to help their data-stealing efforts. Over at RSA’s FraudAction Research Lab, researchers say cyber-crooks are now using the Jabber IM open protocol as a way to quickly transmit stolen user credentials.
“The Jabber IM modules that have been built into these particular Trojans were configured to extract stolen user credentials from the Zeus Trojan’s ‘drop’ server database — and then immediately send those credentials to the online criminal, wherever he may be,” the RSA researcher wrote in the RSA Online Fraud Report released Aug. 27.
Stolen data is not necessarily available to the cyber-crook in real time — the attacker may reside in another part of the world or may not be connected to the server 24 hours a day, the report continued. For that reason, criminals are using the Jabber IM module to automatically forward and receive stolen credentials as soon as they are harvested…
Still, the move is new for Zeus, which according to security company Fortinet experienced a surge of activity on July 24. That particular day, the Zeus Trojan posted record detection levels for a single-day run, surpassing those of not only the Sober worm in January 2006, but also the infamous Storm worm in January 2007.
“The variant flooded on this day … was HTML/Agent.E: in fact a ZBot variant attached in a MIME [Multipurpose Internet Mail Extension] sample (e-mail),” the report said. “This e-mail seeding campaign once again — as we reported in June this year — used a simple e-card social engineering hook.”
The campaign helped catapult Zeus to No. 2 on Fortinet’s list of Top 10 malware during July 21 to Aug. 20 — a slightly less distinguished Mount Olympus, but one nonetheless.
Source
Zeus is a nasty piece of work and it’s important to understand that there are dangers out there despite the comfort level we come to accept when we have solutions such as firewall, antivirus, malware protection. This is not to mean that any of us panic but simply be vigilant, use safe practices, install and maintain useful protective solutions such as the aforementioned firewall, antivirus, malware software.
WASHINGTON — The government must take a more active role in securing the Internet, industry experts told Congress Tuesday, arguing that as businesses and governments rely more on cyberspace the prospect of a serious attack grows.
Google on Wednesday introduced a plan to offer ultra-high-speed Internet access to consumers in a test intended to showcase the potential new uses of broadband networks once such speeds become commonplace.
It’s no secret that criminals are stealing credit card and bank account data and selling it underground. But most people would find it shocking to learn just how little their sensitive personal information costs.
SAN FRANCISCO (Reuters) – Google Inc is shipping its Chrome browser with Sony Corp PCs, sealing the Internet company’s first such deal since it introduced the Web browser last year to compete with Microsoft.
