beforeyoukillyourcomputer.com

Saving computers one at a time from their frustrated owners

Archive

Tag: malware

IObit Security 360 is an advanced malware & spyware removal utility that detects and removes the deepest infections, and protects your PC from a variety of potential spyware, adware, trojans, keyloggers, bots, worms, and hijackers. With the unique “Dual-Core” engine and heuristic malware detection, IObit Security 360 detects the most complex and deepest spyware and malware in a very fast and efficient way. IObit Security 360 has real-time malware protection and frequent updating for prevention of zero-day security threats. Designed for Windows® 7, Vista™, XP and 2000 (32bit and 64bit), IObit Security 360 can work with your Antivirus for superior PC security.

What’s new:
Used a whole new database; Improved scan engine and database; Removed IObit Toolbar; Fixed general bugs

Download IObit Security 360 1.30

“This hacker tool could easily be installed, for example, on a computer on display in a retail store, which could then scan all iPhones that pass within the reach of its network,” Intego said. “Or, a hacker could sit in an Internet café and let his computer scan all iPhones that come within the range of the Wi-Fi network in search of data.”

However, the tool can only attack jailbroken iPhones, or ones that have been modified to run unapproved software, that are running SSH (Secure Shell), a Unix utility with the default password enabled.

It’s estimated that between 6 percent and 8 percent of iPhone users have jailbroken their phones. The latest malware would only affect those who haven’t changed the default password for SSH, which is “alpine.”

Full Story ~ PCWorld

The Register – One of the world’s nastiest password-stealing trojans evades detection by the majority of PCs running anti-virus programs, according to a study that examined 10,000 machines.

Zeus, a stealthy piece of malware that sits on a PC and waits for users to log in to bank websites, is detected just 23 per cent of the time by AV programs, according to the study (PDF) released by security firm Trusteer. Even AV programs with up-to-date malware signatures were unable to identify the infection a majority of the time, the authors said.

Zeus, which also goes by the name Zbot and PRG, escapes detection using sophisticated techniques such as root-kit technology, the Trusteer report said. The company is able to detect it by examining the fingerprint Zeus leaves when it penetrates an infected PC’s browser process.

A recent report estimated that Zeus is the No. 1 trojan, with 3.6 million infections in the US alone, or about 1 per cent of the installed base of PCs. Trusteer’s study, which found Zeus accounted for 44 per cent of the banking malware infections, was consistent with that finding. After sneaking onto a PC, it sits quietly in the background until a user logs on to a financial website. It then sends the login credentials to a remote server in real time, sometimes by use of instant messaging programs.

Of Zeus-infected machines, about 31 per cent don’t run AV at all and 14 percent run AV that’s out of date. The remaining 55 per cent had AV programs that were up to date.

Source

More about Zeus from an earlier article from The Washington Post:

The Washington Post – September 9, 2009
Cyber Thieves Steal $447,000 From Wrecking Firm
Organized cyber thieves are increasingly looting businesses in heists that can net hundreds of thousands of dollars. Security vendors and pundits may be quick to suggest a new layer of technology to thwart such crimes, but in a great many cases, the virtual robbers are foiled because an alert observer spotted something amiss early on and raised a red flag.

In mid-July, computer crooks stole $447,000 from Ferma Corp., a Santa Maria, Calif.-based demolition company, by initiating a large batch of transfers from Ferma’s online bank account to 39 “money mules,” willing or unwitting accomplices who typically are ensnared via job search Web sites into bogus work-at-home schemes…

Some types of malware, particularly a type of data-stealing Trojan horse program known as “Zeus,” allow the attackers to change the display of a bank’s login page as a victim is entering their credentials. For example, when a victim submits his one-time password along with his credentials, the malware may force the browser to return a counterfeit page (still showing the bank’s domain name in the URL bar) stating that the bank’s site is down for maintenance, please try back again in 15 minutes. Meanwhile, those credentials are not submitted to the bank but instead sent to the attackers.

This tactic is remarkably effective: When an unwitting customer waits as instructed, the thieves use those intercepted credentials to log in as the victim and initiate unauthorized transfers from that account.

Parodi recalled that an employee who handles the company’s online account had trouble logging in just hours before the fraudulent transfers were discovered.

“The employee eventually had to reset his password, but by the time we figured out what was happening, the hacker had already withdrawn the money,” Parodi said.

Source

Even more information about Zeus:

The Zeus Trojan, otherwise known as ZBot, is widely available for purchase in the cyber-underground. Zeus was linked to a campaign that stole thousands of FTP credentials in an effort to compromise a number of high-profile Websites — including sites belonging to Symantec, Bank of America and Amazon.com.

Now, the Trojan’s purveyors are adopting a new tactic to help their data-stealing efforts. Over at RSA’s FraudAction Research Lab, researchers say cyber-crooks are now using the Jabber IM open protocol as a way to quickly transmit stolen user credentials.

“The Jabber IM modules that have been built into these particular Trojans were configured to extract stolen user credentials from the Zeus Trojan’s ‘drop’ server database — and then immediately send those credentials to the online criminal, wherever he may be,” the RSA researcher wrote in the RSA Online Fraud Report released Aug. 27.

Stolen data is not necessarily available to the cyber-crook in real time — the attacker may reside in another part of the world or may not be connected to the server 24 hours a day, the report continued. For that reason, criminals are using the Jabber IM module to automatically forward and receive stolen credentials as soon as they are harvested…

Still, the move is new for Zeus, which according to security company Fortinet experienced a surge of activity on July 24. That particular day, the Zeus Trojan posted record detection levels for a single-day run, surpassing those of not only the Sober worm in January 2006, but also the infamous Storm worm in January 2007.

“The variant flooded on this day … was HTML/Agent.E: in fact a ZBot variant attached in a MIME [Multipurpose Internet Mail Extension] sample (e-mail),” the report said. “This e-mail seeding campaign once again — as we reported in June this year — used a simple e-card social engineering hook.”

The campaign helped catapult Zeus to No. 2 on Fortinet’s list of Top 10 malware during July 21 to Aug. 20 — a slightly less distinguished Mount Olympus, but one nonetheless.

Source

Zeus is a nasty piece of work, and it’s important to understand that there are dangers out there despite the comfort we feel once we have solutions such as a firewall, antivirus and anti-malware protection in place. This does not mean any of us should panic; simply be vigilant, use safe practices, and install and maintain useful protective solutions such as the aforementioned firewall, antivirus and anti-malware software.

Malwarebytes’ Anti-Malware is considered to be the next step in the detection and removal of malware. In our product we have compiled a number of new technologies that are designed to quickly detect, destroy, and prevent malware. Malwarebytes’ Anti-Malware can detect and remove malware that even the most well known anti-virus and anti-malware applications fail to detect. Malwarebytes’ Anti-Malware monitors every process and stops malicious processes before they even start. The Realtime Protection Module uses our advanced heuristic scanning technology which monitors your system to keep it safe and secure. In addition, we have implemented a threats center which will allow you to keep up to date with the latest malware threats.

Activating the full version unlocks realtime protection, scheduled scanning, and scheduled updating. For consumers and personal use, it is a one time fee of $24.95.

Recent Changes

  • (FIXED) Drastically improved product load speed on slower machines.
  • (FIXED) Issue with IP Protection blocking certain IPs it should not.
  • (FIXED) Improved memory usage in scanner and protection module.
  • (FIXED) Improved malware removal capabilities.
  • (FIXED) Scan detecting items that did not exist (junction issue).
  • (ADDED) Support for Hebrew language.

Download Malwarebytes Anti-Malware 1.41

Malwarebytes’ Anti-Malware is considered to be the next step in the detection and removal of malware. In our product we have compiled a number of new technologies that are designed to quickly detect, destroy, and prevent malware. Malwarebytes’ Anti-Malware can detect and remove malware that even the most well known anti-virus and anti-malware applications fail to detect. Malwarebytes’ Anti-Malware monitors every process and stops malicious processes before they even start. The Realtime Protection Module uses our advanced heuristic scanning technology which monitors your system to keep it safe and secure. In addition, we have implemented a threats center which will allow you to keep up to date with the latest malware threats.

Activating the full version unlocks realtime protection, scheduled scanning, and scheduled updating. For consumers and personal use, it is a one time fee of $24.95.

Recent Changes

* (FIXED) Runtime error on program start.
* (FIXED) Improved memory usage during scan.
* (FIXED) Minor updating issue.
* (ADDED) Support for Bosnian and Korean languages.
* (ADDED) IP blocking protection – never connect to a malicious website again!
* (ADDED) Scan log now includes whether computer is in safe mode or not.
* (ADDED) New command line parameter: /debugsave (see help file).

Download Malwarebytes Anti-Malware 1.40

Get rid of Malware with this free tool – but please note that it does not include real-time protection.

  • Scan your PC for infections of Trojans, Viruses, Spyware, Adware, Worms, Bots, Keyloggers and Dialers.
  • 2 Cleaning Scanners in 1: Anti-Virus + Anti-Spyware
  • 4 million users world wide rely on a-squared to clean their PC from Malware.

* Not just any scanners, but a combination of two world class products – the a-squared Anti-Spyware, and the Ikarus Anti-Virus engine. Latest tests approve that both are cutting edge in Malware detection.
* No doubling of the scan duration as it would be the case with two separate scanning programs. Considerable performance improvement is possible thanks to the integration of the two engines on the lowest level.

Download a-squared Free 4.0.0.46.

  • Scan your PC for infections of Trojans, Viruses, Spyware, Adware, Worms, Bots, Keyloggers and Dialers.
  • 2 Cleaning Scanners in 1: Anti-Virus + Anti-Spyware
  • 4 million users world wide rely on a-squared to clean their PC from Malware.

2 scanners are better than one: Anti-Spyware + Anti-Virus! [NEW!]

* Not just any scanners, but a combination of two world class products – the a-squared Anti-Spyware, and the Ikarus Anti-Virus engine. Latest tests approve that both are cutting edge in Malware detection.
* No doubling of the scan duration as it would be the case with two separate scanning programs. Considerable performance improvement is possible thanks to the integration of the two engines on the lowest level.

Download a-squared Free 4.0.0.38.

From the EMSI Software Forums:

What’s new in a-squared Free 4.0?

  • We have added a second scan engine for the Scanner. The second engine comes from our partner, the famous Austrian antivirus company Ikarus, and is a pure antivirus engine. We expect much better detection rates with the dual engine mode. Compared with two standalone programs, the performance and memory usage of our bundled version is much better because we were able to combine them on a very low level and remove not necessary double signatures to save resources.
  • We have improved the a-squared scan engine: It loads 57% faster, uses 30% less RAM and scans 4% faster than v3.x.
  • The graphical user interface (GUI) has been refreshed completely. A new menu item for Quarantine and Update Logging has been added too.
  • Beyond that, we’ve added tons of minor tweaks and improvements to create a better usability.

To get the new 4.0 version, you can run an online update from an older version installation or download the latest setup file from Emsi Software.

Ad-Aware provides protection from known Spyware including: Data-mining, aggressive advertising, Parasites, Scumware, selected traditional Trojans, Dialers, Malware, Browser hijackers, and tracking components.

What’s New in 2008:
* Improved Threat Detection
  o Spyware, Adware, Trojans & Hijackers
  o Fraud Tools & Rogue Applications
  o Password Stealers & Keyloggers
* Enhanced Rootkit removal system
* Faster Updates & Faster Scans
* Less Resource Usage for optimal computer performance
* Easy to Download, Install and Use
* Lavasoft ThreatWork submission tool
* Compatible with Windows Vista (32- and 64-bit)

More feature details:
* NEW! Extensive Detection Database – Bigger and better detection to guard your privacy against malware attacks.
* Advanced Code Sequence Identification (CSI) Technology – Precise detection of embedded malware including Trojans, worms, spyware, bots, and other forms of deceptive malware.
* NEW! Enhanced Rootkit Removal System – Rootkit detection technology to find and remove hidden threats.
* TrackSweep – Control your privacy by erasing tracks left behind while surfing the Web on multiple browsers, including Internet Explorer, Firefox, and Opera, with one easy click.
* Easy to Download, Install & Use – Effortlessly maneuver the complexities of malware detection and removal with our new user-friendly interface.
* NEW! Lavasoft ThreatWork – Directly submit suspicious files for analysis via ThreatWork, an alliance of global anti-spyware security volunteers actively fighting online threats.
* NEW! Faster Updates – Save precious time and maximize resource efficiency with faster download times.
* System Restore Point – Easily revert to your clean system to recover from a spyware attack.
* Free Updates – Protect against the latest forms of spyware and malware with free software feature updates and definitions file (threat) updates throughout the license duration.
* Free Support – Unlimited support from an extensive international network of Lavasoft security analysts and volunteers at the Lavasoft Support Forums.

Download Ad-Aware 2008 7.1.0.7 Final