Feeds

back to article World's nastiest trojan fools AV software

One of the world's nastiest password-stealing trojans evades detection by the majority PCs running anti-virus programs, according to a study that examined 10,000 machines. Zeus, a stealthy piece of malware that sits on a PC and waits for users to log in to bank websites, is detected just 23 per cent of time by AV programs, …

COMMENTS

This topic is closed for new posts.

Page:

Anonymous Coward

Cleanup cleanup, everybody cleanup....

So what AV's passed and which ones failed, so we can use the right tools to clean this up as fast as we can (for those under our control)?

0
0
Unhappy

So tell me about this Ubuntu again...

This is scary stuff... From http://ddanchev.blogspot.com/2008/04/crimeware-in-middle-zeus.html

>Written in VC + + 8.0... this is achieved at the expense of small size (10-25 Kb), it can work around most firewalls, works in limited accounts, steal browser passwords, takes snapshots of users machine and can be bought for about $700<

You wrote >is detected just 23 per cent of time by AV programs<

And after googling about it, found lots of what it can do, but nothing on how to detect and destroy it. Even the PDF report leaves out the 23% that do detect it and offers no advice as to how they so easily find it on their customers machine.

Something this capable, which is only going to get better, needs decisive action taken, and not by profit driven anti malware suites, but by governments and police globally working together and smacking these fraudsters with real jail time (what is it, 5 or 6 years for bank robbery?).

So, does MS Office 2003 run in Wine? can't live without my Outlook.

0
0
Unhappy

Scaremongering Perhaps???

Surprising Trusteer who comissioned the study, sell a product that helps combat this. Isn't that a coincidence.

0
0

You can-not be serious.....

Tony Paulazzo writed "can't live without my Outlook"

What ? The inconvenience of switching a mail/calendaring app is worse than having your bank account(s) emptied by criminals ? Really ?

Gobsmackedness

0
0
Go

Re: Tony

Yes, Outlook works in wine, it is a little pain to set up - or was when I tried last time, about year ago. You can always run VM, as I'm quite sure you already have license for Windows.

0
0
Bronze badge

One-time passwords?

I've written this before, but to me the only secure way for sensitive sites like banks, etc. is to have a one-time password card - strike out the last number, use the next on the next login. My only slight gripe is that they are only 4 digits - one hit out of a thousand, but...(having said that, 5 misses and you're out. It'll remind you if you've missed the sequence by 1 or two in the sequence, but that's your lot.). If the perps or me try to open a second window, instant logout.

Oh, and I only use Linux for accessing my bank. Just in case. NEVER the pub XP computer, on which this message is being created.

0
0
Pirate

This is a comment.

Why won't someone trace down the remote servers it connects to and smash them and their owners to kingdom come.

0
0
Linux

@Tony Paulazzo

"can't live without my Outlook" ... as one guy that recently won an election said: yes, you can. More so if you're contemplating the idea of stop keeping up with the never ending Windows malware stream or the possibility of yet another 6 hour Windows reinstall, or the possible inconveniences to your privacy of the malware of the day.

I've been using Linux at home for the last 8 years, partly to work and part as family use. On the long run, the time I've lost due to some missing software or feature in Windows has been more than recovered by the total lack of any kind of stability or security problems. Not to mention the numerous times that I've discovered that the Linux alternative is far more powerful than the Windows one. Those savings net out the loss of Outlook, at least for me.

0
0
Bronze badge
Linux

@Tony Paulazzo

Ubuntu 9.04 comes with Evolution installed

http://www.novell.com/products/evolution

I'm running the 64bit version on this laptop with 4GB memory, sweet :)

0
0
FAIL

Surprised?

There is an annoying tendency for the AV vendors to provide "internet suites" instead of core AV products now - which they think are more valuable. £40-50 per year for a subscription _renewal_ of the NIS which bundles on Dells? F-off.

All the bloaty extra crap, dialog boxes that won't go away, constant internet traffic, constant background scans, personal firewalls, slow Wifi negotiation (yes Norton, you!), phising filters and unwanted IE/firefox tool bars must detract development time from the CORE business of detecting threats! There will be teams of apps programmers across the globe adding yet more pointless bloat to AV suites - sack them and hire some research & detection engine engineers!

To all AV vendors. Remove the crap. Detect the threats.

For ~£50 per year you should reasonably expect software that successfully detects existing known trojans. If that is "too hard" get out the business and stop ripping off customers with your fake AV protection.

0
0
Happy

Real issue

Yeah, but is it pronounced "zay-us" or "Zoos", or simply "Oh, ^&%^%! Where's all my money gone?"

0
0
Unhappy

And the solution is?

Nice panic piece.

How do we stop it / detect it?

(and who said depth in journalism was dead)

0
0
WTF?

WTF

Tony you get 25 years for bank robbery, but you only get 10 for murder, good old brit justice.anything to do with money and you have had it. I would like to know what software managed to pick this up as well, seems a half written report to me without the answer

0
0
Grenade

Zeus Zbot and PRG, Swine Flu, Credit Crunch ...heart attack

Just face it people we are all gonna die. and if we don't die we are all going to go broke and if we don't all go broke we are going to borrow too much money and create another credit crunch!!

No immunisation, no working anti-virus and no hope!

We are all Doomed I tell you Doomed.

A list of the 'working' anti-virus's would have been helpful. It would at least of given us the impression that we could do something to protect ourselves.

icon: Suck on this evil wrong do'ers

0
0

Scary stuff

A trojan like this, which has been around for over a year, will have many versions. Commercial malware may also come with several capabilities as an option (or custom feature for a specific use/client), changing it's behaviour and patterns.

It's unlikely that "Antivirus Software A can remove Zeus, abut antivirus software B can't".

0
0
Alert

thunderbird with lightning & google provider plugins

Can't remember if office will run in wine but I use thunderbird with lightning & google provider plugins and it does the job for me.

The whole IT community has to work together to come to a better security model, instead of constantly bitching about which OS is "best" - infected PCs and nasties on the web have knock-ons for all of us, as was on el reg a while ago we need a seat-beat moment.

I for one am sick of having to dedicate so much time to making systems "secure" to then have to lather rinse and repeat when the next vulnerability raises its head. We have to stop vendors releasing incomplete, insecure and buggy code as we are the ones that suffer at the sharp end.

0
0
Linux

MS Office 2003

Yep - it runs in Wine.

0
0

@Tony Paulazzo

1) Who says its MS only?

2) Your abou to get flamed for saying you need Outlook...

0
0
Alert

More info

Can anyone shed some more light on this as this would appear sufficiently serious as to warrant attention? The article doesn't state whether certain browsers nor OS's offer any impunity. Is linux safe as usual? From a quick search there doesn not seem to be any detection tools available either for windows.

0
0

Virustotal Results

It looks like there are several versions of the trojan around. This blog (http://garwarner.blogspot.com/2009/09/irs-version-of-zeus-bot-continues.html) provides some analysis of one of the versions (based on IRS spam) and provides link to a Virustotal report which identifies the antivirus software that classifies it as malware.

BitDefender and GData call it "Trojan.Spy.Zbot.BFK"

Kaspersky calls it: "Trojan-Spy.Win32.Zbot.gen"

McAfee+Artemis calls it: "Suspect-29"

NOD32 calls it: "a variant of Win32/Kryptik.AET"

Sunbelt calls it: "Trojan-Downloader.Tibs.gen"

0
0

Tony Paulazzo

Codeweavers runs Office 2007 perfectly including Outlook 2007 :)

0
0
FAIL

And they call that "study"?

What an amazing piece of bollocks this so-called "study" is.

They claim that by installing (any kind of?) anti-malware, you can reduce the risk of becoming infected by this piece by 23%. Which brand?

The figure of 55% of infected machines running up-to-date AV is not worth the three characters to print it. WHICH BRAND of AV detects it, and which does not? What they suggest is that whatever brand of AV you're running, it will detect Zeus only if you're lucky. And that, ladies and gentlemen, is utter $&%/#.

But OTOH, it's a "study", and it comes in PDF form, so it must be true...

0
0
WTF?

So what is this 'fingerprint'

This paper is just far too vague. There's no indication given of which AV engines can detect this trojan, and no hint at what the fingerprint left behind is.

If my AV software can't tell me I've got zeus then I want to be able to find out manually!

0
0
Thumb Up

ahhh...

C++ ... still got it

0
0
Grenade

don't do banking on the internet

duh.

0
0
Anonymous Coward

Jailtime?

Screw that. The writers of these things should get the death sentence. That'll stop the little turds.

0
0
Grenade

Lies, damned lies, and...

Their software (provided by a handful of banks) reports if AV software is installed and up to date (according to the Windows Security Center), and if it detects the virus. This isn't the same as testing if AV software detects the virus, and they did no such analysis. Also, the machines their software is on (mostly home computers, I expect) may not be representative of the installed base of PCs overall (including office computers).

More importantly, they screwed up the math. p(Zeus|AVUTD) = p(Zeus) * 0.77; i.e., the probability of infection given that you have up-to-date AV software is the overall probability of infection times 0.77 . I think they (hopefully accidentally) used this for the final figure. p(Zeus|AVUTD)/p(Zeus|NoAV) = 0.57; you're 43% less likely to get infected if you have up-to-date AV than if unprotected. Still not great, but not nearly as alarming.

I also noticed that they didn't do any calculations regarding not-up-to-date AV software. Coincidentally, by their numbers, you're 43% less likely to be infected by having *no* AV software than by having it but not updating it. This doesn't make sense, and the only logical conclusion to draw is that their sample size is too small to be statistically accurate. If it's on 1% of all PCs, and they looked at 10,000, they only found about 100 infections, which gives a 9.8% margin of error (95% confidence interval). In other words, the study is all but useless and may or may not be intentional fearmongering.

0
0
Black Helicopters

Paranoid?

Its the NSA/GCHQ/Lizard people trying to refloat the economy by stealing money from your bank account.

0
0
Black Helicopters

Trusteer

Trusteer wouldn't just so happen to be selling a tool that *does* detect and remove this trojan would it?

Oooooohhhhh loooook, they make Rapport, which the Royal Bank of Scotland (and possibly others) are very actively promoting every time you log into the RBS digital banking service.

And now, well stone me, they've found a trojan that only Rapport detects.

Cracking coincidence Grommit!

0
0

There's an analysis of an infection of (a variant of?) this

at http://novirusthanks.org/blog/2008/11/trojan-spywin32zbot-analysis-of-malware/

From that, it looks like a lot more than 23% are detecting it - though that may well be an older version of the scumware

0
0
Anonymous Coward

Windows exclusive?

I guess this is another windows trojan. Anyone know what versions of windows it effects? and which AV software does detect it? Are the smug Mac & Linux communities effected?

0
0

Oh dear...

...looks like some very good coders have crossed to the dark side.

As requested in the first 2 posts - what detects/gets rid of it ???

0
0

Great

But what are we supposed to do about it?

0
0
Anonymous Coward

Good Lord!

This leaves us with only one option : accessing our banking websites from live CDs/DVDs/USBs and Microsoft should better give us one for its bloody damn OS we're faithfully using.

To all non-Microsoft fan boys: stop laughing right now! It's not funny at all.

0
0
Grenade

Which browser?

They also mention browsers, does it affect all browsers, or only certain ones? How does it circumvent most firewalls? Which Antivirus software detects it.. This is important info guys, particularly for the sysadmins out there...

@ Tony how come you can't live without Outlook? Looked at Kontact or Evolution recently?

A grenade - because this is going to explode soon!

0
0
Bronze badge
FAIL

Typical scare tactics.

The paper will not - say again NOT - stand up to academic assessment OR critique. There is no reference work listing appended, no experimental details that can be replicated, no listing of which AV products were or were not tested, or even of any control machines that were deliberately infected to show infection processes that should be countered by any future AV products.

In short, it's hot air.

I'll be more impressed if a properly researched and published paper on the topic comes out.

Wonder who is funding this bunch? Knowing that may make sense of the scare tactics.

0
0
Paris Hilton

Fingerprints

"The company is able to detect it by examining the fingerprint Zeus leaves when it penetrates an infected PC's browser process."

So given the scale of this threat, I do hope that we can expect a handy standalone detection app to be appearing imminently then? That would, after all, be the responsible thing to do...

Paris because she's known for being good with standalones.

0
0
Stop

Simple solution

Don't bank online.

1
0

I know this may get flamed.

I use Windows (as well as lLinux) a lot at work and don't mind it, but made a decesion to use Linux only at home at home. This was one of the reasons.

Seriously, use Evolution. It's just as good as Outlook when you get used it.

0
0
Silver badge
Pirate

death too good for them?

"Jailtime?

By Anonymous Coward

Screw that. The writers of these things should get the death sentence. That'll stop the little turds."

Odd that so many read about the huge bonuses paid out of thier pockets to a few yet don't clamour for the ultimate penalty. I wonder how much has been 'stolen' by those who 'deserve' the loot compared to the amounts nicked by the other crooks.

Must be O.K. if you know who is screwing you. "It's fine dear, we're not being robbed by Russkies, we're being fucked over by our own people"

0
0

Zeus/Zbot is a family not a unique thing

Scary. I just did a bit of research. The problem here is that all these "How do we detect it" questions are flawed because there is no "it". Zeus is a toolkit that a criminal buys and customises so there are hundreds, probably thousands, of variants out there. To put this into context, Kaspersky has discovered 6 new variants ...... since I last looked 30 minutes ago! Yes, that's 6 new versions of the Zeus/Zbot trojan in the last 30 minutes. They've discovered 13 new variants today (at time of writing this comment).

If anyone wants a link to Kaspersky info on this it's here: http://www.kaspersky.com/viruswatchlite?search_virus=zbot&hour_offset=-3

Looks to me like we need to know which anti virus software's behavioural algorithms will catch it because signature-based detection is having a hard time keeping up.

0
0
Paris Hilton

Prevention is better than a cure

Not been funny, I Could be very wrong but everyone seems preoccupied with how they can protect themselves from this great big evil virus. Well in short, don't go to dubious websites etc and that way you reduce the risk of getting infected in the first place. Or you can run a linux/unix OS which will reduce your infection risk even further :)

*Paris - Because she isn't bothered about penetrating infections and doesn't use Trojans*

0
0
Linux

Cheers for the responses

>Oh, and I only use Linux for accessing my bank. Just in case.<

Well I installed a dual boot of Ubuntu a few months ago, got it all working and everything, but then never used it after I sussed out how it all worked. But this is making me rethink, and thanks for the pointer to Evolution - it looks good.

As for, 'why Outlook?' Shrug, devil you know and all that, but, the windows vulnerabilities (assuming this doesn't affect Linux and Macs), is getting ridiculous. I pay Bitdefender £25 a year to slow my system down, lockup when the PC goes to sleep sometimes (just guesswork here), and slow my surfing to a crawl.

Time for a change. (First time I've used the penguin I think).

0
0
Stop

But...

Ok, so the evil guys get into my online banking account. But to transfer money out of the account they need a PINsentry card reader (easy to obtain - I have about 10 from different banks!) and my Chip and PIN card to generate the authorisation code - not so easy to obtain. Or am I missing something here?

0
0

@Anonymous Coward Posted Friday 18th September 2009 07:34 GMT

Your a moron.

This isn't some sort of Windows security hole. It's software that's been installed / ran by a user (and if it uses a root-kit they'll need admin rights) that does what the developer intended.

Your telling me Linux prevents that?! If so I'm glad I don't develop for it.

Number of major flaws on OSS recently only backs up the theory that malware is targeted for the biggest audience rather than the weakest platform - which would be any platform with the largest number of users who happily install any old crap that comes on a email.

P.S. Now installing Windows 7 on a VM. 15 minutes total install time.

Better than Linux? Not really. 6 Hours? Get a watch.

0
0
Bronze badge
Joke

@AC - Windows Exclusive

"Are the smug Mac & Linux communities effected?"

They most certainly are, but as to the real question of whether they are affected I presume not.

0
0
Big Brother

By Zeus's beard!

Sounds like AV company propaganda. Think about it... The average consumer mindset believes in the strongest brands to provide the best service. Thus, in the face of extreme fear such as having your bank details sniffed who they gonna call? It sure aint gonna be ghostbusters. Probably Norton or Mcafee.

0
0
FAIL

List of AV's and results

...or it didn't happen.

0
0
Megaphone

Oh noes

We're all gonna die!

0
0
FAIL

W00t?

What a pointlessly inadequate study; it makes no mention of specific AV engines and how they fared.

0
0

Page:

This topic is closed for new posts.