beforeyoukillyourcomputer.com

Saving computers one at a time from their frustrated owners

Tag: virus

Cyber Security

The Register – One of the world’s nastiest password-stealing trojans evades detection by the majority of PCs running anti-virus programs, according to a study that examined 10,000 machines.

Zeus, a stealthy piece of malware that sits on a PC and waits for users to log in to bank websites, is detected just 23 per cent of the time by AV programs, according to the study (PDF) released by security firm Trusteer. Even AV programs with up-to-date malware signatures were unable to identify the infection a majority of the time, the authors said.

Zeus, which also goes by the name Zbot and PRG, escapes detection using sophisticated techniques such as root-kit technology, the Trusteer report said. The company is able to detect it by examining the fingerprint Zeus leaves when it penetrates an infected PC’s browser process.

A recent report estimated that Zeus is the No. 1 trojan, with 3.6 million infections in the US alone, or about 1 per cent of the installed base of PCs. Trusteer’s study, which found Zeus accounted for 44 per cent of the banking malware infections, was consistent with that finding. After sneaking onto a PC, it sits quietly in the background until a user logs on to a financial website. It then sends the login credentials to a remote server in real time, sometimes by use of instant messaging programs.

Of Zeus-infected machines, about 31 per cent don’t run AV at all and 14 per cent run AV that’s out of date. The remaining 55 per cent had AV programs that were up to date.

Source

More about Zeus from an earlier article from The Washington Post:

The Washington Post – September 9, 2009
Cyber Thieves Steal $447,000 From Wrecking Firm
Organized cyber thieves are increasingly looting businesses in heists that can net hundreds of thousands of dollars. Security vendors and pundits may be quick to suggest a new layer of technology to thwart such crimes, but in a great many cases, the virtual robbers are foiled because an alert observer spotted something amiss early on and raised a red flag.

In mid-July, computer crooks stole $447,000 from Ferma Corp., a Santa Maria, Calif.-based demolition company, by initiating a large batch of transfers from Ferma’s online bank account to 39 “money mules,” willing or unwitting accomplices who typically are ensnared via job search Web sites into bogus work-at-home schemes…

Some types of malware, particularly a type of data-stealing Trojan horse programs known as “Zeus,” allow the attackers to change the display of a bank’s login page as a victim is entering their credentials. For example, when a victim submits his one-time password along with his credentials, the malware may force the browser to return a counterfeit page (still showing the bank’s domain name in the URL bar) stating that the bank’s site is down for maintenance, please try back again in 15 minutes. Meanwhile, those credentials are not submitted to the bank but instead sent to the attackers.

This tactic is remarkably effective: When an unwitting customer waits as instructed, the thieves use those intercepted credentials to log in as the victim and initiate unauthorized transfers from that account.

Parodi recalled that an employee who handles the company’s online account had trouble logging in just hours before the fraudulent transfers were discovered.

“The employee eventually had to reset his password, but by the time we figured out what was happening, the hacker had already withdrawn the money,” Perodi said.

Source

Even more information about Zeus:

The Zeus Trojan, otherwise known as ZBot, is widely available for purchase in the cyber-underground. Zeus was linked to a campaign that stole thousands of FTP credentials in an effort to compromise a number of high-profile Websites — including sites belonging to Symantec, Bank of America and Amazon.com.

Now, the Trojan’s purveyors are adopting a new tactic to help their data-stealing efforts. Over at RSA’s FraudAction Research Lab, researchers say cyber-crooks are now using the Jabber IM open protocol as a way to quickly transmit stolen user credentials.

“The Jabber IM modules that have been built into these particular Trojans were configured to extract stolen user credentials from the Zeus Trojan’s ‘drop’ server database — and then immediately send those credentials to the online criminal, wherever he may be,” the RSA researcher wrote in the RSA Online Fraud Report released Aug. 27.

Stolen data is not necessarily available to the cyber-crook in real time — the attacker may reside in another part of the world or may not be connected to the server 24 hours a day, the report continued. For that reason, criminals are using the Jabber IM module to automatically forward and receive stolen credentials as soon as they are harvested…

Still, the move is new for Zeus, which according to security company Fortinet experienced a surge of activity on July 24. That particular day, the Zeus Trojan posted record detection levels for a single-day run, surpassing those of not only the Sober worm in January 2006, but also the infamous Storm worm in January 2007.

“The variant flooded on this day … was HTML/Agent.E: in fact a ZBot variant attached in a MIME [Multipurpose Internet Mail Extension] sample (e-mail),” the report said. “This e-mail seeding campaign once again — as we reported in June this year — used a simple e-card social engineering hook.”

The campaign helped catapult Zeus to No. 2 on Fortinet’s list of Top 10 malware during July 21 to Aug. 20 — a slightly less distinguished Mount Olympus, but one nonetheless.

Source

Zeus is a nasty piece of work, and it’s important to understand that there are dangers out there despite the comfort level we come to accept once we have solutions such as a firewall, antivirus and malware protection in place. This doesn’t mean any of us should panic; it means being vigilant, using safe practices, and installing and maintaining useful protective software such as the aforementioned firewall, antivirus and anti-malware tools.

DON’T CLICK IT!

Cyber Security

I can’t tell you how many times I have had a user call or email me stating that he/she saw a pop-up saying they needed antivirus, so they clicked the ad. As someone who has been around the block as far as computers and viruses go, I know how the story is going to go: “Hey, I saw an ad for *** and clicked it… Now my computer is *** and I can’t ***. What happened and what should I do?” Ouch. Those times are not fun for the user, and many feel helpless and at the mercy of the technician helping them.

Some nasty ads have hit the Web browsers of visitors to NYTimes.com and some other sites in recent days. The ads, which are not authorized or endorsed by The Times, can hijack a person’s browser and make it appear as if a scan for viruses is running. The ads then promote “antivirus” software that is itself virus-like. The Times believes it has eliminated these ads, but if they popped up on your screen, here’s what you need to know about your computer’s security.

According to Rik Ferguson of the security-software maker Trend Micro, a malicious ad sparked a pop-up window with a bogus claim that the PC was infected with malware. It urged the user to run a system scan with its “Personal Antivirus” program — a convincing-looking ruse, but a complete fake — to clean out the infection.

If you closed this box, you should be O.K., though it’s a good idea to empty your browser cache — which stores temporary copies of many of the files used by your browser to render Web sites and, thus, can store malicious content.

This story reminds me that I need to recreate an antivirus section, as the BYKYC website once had one before evolving to a WordPress setup. I will see what I can come up with in the next few weeks.

Full Story

Symantec

Symantec claims its 2009 Internet Security products will have “zero impact” on PC performance…

“Fundamentally, consumers don’t want to be bothered at all. We’ve set as our goal zero-impact security,” she said…

Symantec claims one of the ways the product will make less demand on system resources is by scaling back on the amount of scanning. “Our new technology allows us to scan less,” claimed Chaffin. “We know which files are good files and we can scan those less.”

“If software runs on millions of systems, it’s going to be good software,” Chaffin added. “If software only runs on a small number of machines, chances are it’s bad.”

Is there not a chance malware writers will quickly cotton on to which applications Norton is scanning less frequently and target those? “If they modify a file in any way, we can scan,” claimed Mallon.

Norton will also use the past history of the user to gauge how much scanning is necessary. “If someone’s not been infected before, the chances of them being infected are low.”

Norton Internet Security 2009 and Antivirus 2009 will be out this autumn.

Source
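The scan-reduction idea in the article above has three parts: skip the full scan for files whose exact content is known to be installed on a huge number of machines, rescan a file the moment its bytes change (the answer given to the "what if malware writers target the whitelisted apps" question), and be stricter on hosts that have been infected before. The small policy engine below illustrates those three rules together. It is an added example for this post, not Symantec’s or Norton’s code; the class and function names, the prevalence threshold, the install counts and the sample file contents are all constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

# Hypothetical cutoff for "runs on millions of systems" (an assumption, not a vendor figure).
PREVALENCE_THRESHOLD = 1_000_000


@dataclass(frozen=True)
class ScanDecision:
    path: str
    scan: bool      # True = hand the file to the full signature/heuristic scanner
    reason: str


def sha256_hex(content: bytes) -> str:
    """Content hash used as the file's identity in the prevalence table."""
    return hashlib.sha256(content).hexdigest()


class ReputationScanPolicy:
    """Decides whether a file needs a full scan from three signals:
    community prevalence of its exact content hash, whether the content
    changed since the last clean verdict, and the host's infection history."""

    def __init__(self, prevalence: dict, prior_infections: int = 0,
                 threshold: int = PREVALENCE_THRESHOLD):
        self.prevalence = prevalence                     # content hash -> install count
        # A host with a history of infection needs a higher bar before a scan is skipped.
        self.threshold = threshold * (1 + prior_infections)
        self.last_clean_hash = {}                        # path -> hash at last clean verdict

    def decide(self, path: str, content: bytes) -> ScanDecision:
        digest = sha256_hex(content)
        previous = self.last_clean_hash.get(path)
        if previous is not None and previous != digest:
            # Any byte change invalidates the earlier verdict, regardless of prevalence.
            return ScanDecision(path, True, "modified since last clean scan")
        count = self.prevalence.get(digest, 0)
        if count >= self.threshold:
            return ScanDecision(path, False, f"known-good, prevalence {count}")
        return ScanDecision(path, True, f"low prevalence ({count} installs)")

    def record_clean(self, path: str, content: bytes) -> None:
        """Remember the content hash that was last judged clean for this path."""
        self.last_clean_hash[path] = sha256_hex(content)


def run_demo() -> list:
    """Walk the policy through four constructed cases and return the decisions."""
    # Constructed sample "files" standing in for on-disk binaries.
    popular_app = b"MZ popular widely installed application"
    rare_tool = b"MZ one-off utility seen on a handful of machines"
    tampered_app = popular_app + b" <- injected bytes"

    prevalence = {
        sha256_hex(popular_app): 5_000_000,   # constructed: seen on millions of hosts
        sha256_hex(rare_tool): 12,            # constructed: almost unknown
    }

    decisions = []
    clean_host = ReputationScanPolicy(prevalence)

    # 1. Widely installed, unmodified file on a never-infected host: skip the full scan.
    d = clean_host.decide(r"C:\Apps\popular.exe", popular_app)
    clean_host.record_clean(r"C:\Apps\popular.exe", popular_app)
    decisions.append(d)

    # 2. Rarely seen file: scan it.
    decisions.append(clean_host.decide(r"C:\Apps\rare.exe", rare_tool))

    # 3. The popular file's bytes changed since the clean verdict: scan, whatever its reputation.
    decisions.append(clean_host.decide(r"C:\Apps\popular.exe", tampered_app))

    # 4. Same popular file on a host infected five times before: the bar is 6,000,000, so scan.
    dirty_host = ReputationScanPolicy(prevalence, prior_infections=5)
    decisions.append(dirty_host.decide(r"C:\Apps\popular.exe", popular_app))
    return decisions


if __name__ == "__main__":
    for decision in run_demo():
        print(decision)
```

Case 3 is the one that matters for the objection raised in the article: once a whitelisted file is altered, the earlier "known-good" verdict is thrown away and the file is scanned again, so a hash-keyed whitelist does not protect a tampered copy of a popular program.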

Congratulations Podloso. You are the first virus for the iPod. Well, technically.

Kaspersky

Kaspersky Lab, a leading developer of secure content management solutions, has discovered the first virus designed to infect iPod portable media players. The virus, which has been named Podloso, is a proof of concept program which does not pose a real threat.

The virus is a file which can be launched and run on an iPod. It should be stressed that in order for the virus to function, Linux has to be installed on the iPod. If the virus is installed on the iPod by the user, the virus then installs itself to the folder which contains program demo versions. Podloso cannot be launched automatically without user involvement.

Once launched, the virus scans the device’s hard disk and infects all executable .elf format files. Any attempt to launch these files will cause the virus to display a message on the screen which says “You are infected with Oslo the first iPodLinux Virus”.

Podloso is a typical proof of concept virus, which is created in order to demonstrate that it is possible to infect a specific platform. It does not have a malicious payload and is unable to spread on its own: a user has to save the virus to the iPod for the device to become infected.