Cleanup cleanup, everybody cleanup....
So what AV's passed and which ones failed, so we can use the right tools to clean this up as fast as we can (for those under our control)?
One of the world's nastiest password-stealing trojans evades detection by the majority PCs running anti-virus programs, according to a study that examined 10,000 machines. Zeus, a stealthy piece of malware that sits on a PC and waits for users to log in to bank websites, is detected just 23 per cent of time by AV programs, …
This is scary stuff... From http://ddanchev.blogspot.com/2008/04/crimeware-in-middle-zeus.html
>Written in VC + + 8.0... this is achieved at the expense of small size (10-25 Kb), it can work around most firewalls, works in limited accounts, steal browser passwords, takes snapshots of users machine and can be bought for about $700<
You wrote >is detected just 23 per cent of time by AV programs<
And after googling about it, found lots of what it can do, but nothing on how to detect and destroy it. Even the PDF report leaves out the 23% that do detect it and offers no advice as to how they so easily find it on their customers machine.
Something this capable, which is only going to get better, needs decisive action taken, and not by profit driven anti malware suites, but by governments and police globally working together and smacking these fraudsters with real jail time (what is it, 5 or 6 years for bank robbery?).
So, does MS Office 2003 run in Wine? can't live without my Outlook.
I've written this before, but to me the only secure way for sensitive sites like banks, etc. is to have a one-time password card - strike out the last number, use the next on the next login. My only slight gripe is that they are only 4 digits - one hit out of a thousand, but...(having said that, 5 misses and you're out. It'll remind you if you've missed the sequence by 1 or two in the sequence, but that's your lot.). If the perps or me try to open a second window, instant logout.
Oh, and I only use Linux for accessing my bank. Just in case. NEVER the pub XP computer, on which this message is being created.
"can't live without my Outlook" ... as one guy that recently won an election said: yes, you can. More so if you're contemplating the idea of stop keeping up with the never ending Windows malware stream or the possibility of yet another 6 hour Windows reinstall, or the possible inconveniences to your privacy of the malware of the day.
I've been using Linux at home for the last 8 years, partly to work and part as family use. On the long run, the time I've lost due to some missing software or feature in Windows has been more than recovered by the total lack of any kind of stability or security problems. Not to mention the numerous times that I've discovered that the Linux alternative is far more powerful than the Windows one. Those savings net out the loss of Outlook, at least for me.
There is an annoying tendency for the AV vendors to provide "internet suites" instead of core AV products now - which they think are more valuable. £40-50 per year for a subscription _renewal_ of the NIS which bundles on Dells? F-off.
All the bloaty extra crap, dialog boxes that won't go away, constant internet traffic, constant background scans, personal firewalls, slow Wifi negotiation (yes Norton, you!), phising filters and unwanted IE/firefox tool bars must detract development time from the CORE business of detecting threats! There will be teams of apps programmers across the globe adding yet more pointless bloat to AV suites - sack them and hire some research & detection engine engineers!
To all AV vendors. Remove the crap. Detect the threats.
For ~£50 per year you should reasonably expect software that successfully detects existing known trojans. If that is "too hard" get out the business and stop ripping off customers with your fake AV protection.
Just face it people we are all gonna die. and if we don't die we are all going to go broke and if we don't all go broke we are going to borrow too much money and create another credit crunch!!
No immunisation, no working anti-virus and no hope!
We are all Doomed I tell you Doomed.
A list of the 'working' anti-virus's would have been helpful. It would at least of given us the impression that we could do something to protect ourselves.
icon: Suck on this evil wrong do'ers
A trojan like this, which has been around for over a year, will have many versions. Commercial malware may also come with several capabilities as an option (or custom feature for a specific use/client), changing it's behaviour and patterns.
It's unlikely that "Antivirus Software A can remove Zeus, abut antivirus software B can't".
Can't remember if office will run in wine but I use thunderbird with lightning & google provider plugins and it does the job for me.
The whole IT community has to work together to come to a better security model, instead of constantly bitching about which OS is "best" - infected PCs and nasties on the web have knock-ons for all of us, as was on el reg a while ago we need a seat-beat moment.
I for one am sick of having to dedicate so much time to making systems "secure" to then have to lather rinse and repeat when the next vulnerability raises its head. We have to stop vendors releasing incomplete, insecure and buggy code as we are the ones that suffer at the sharp end.
Can anyone shed some more light on this as this would appear sufficiently serious as to warrant attention? The article doesn't state whether certain browsers nor OS's offer any impunity. Is linux safe as usual? From a quick search there doesn not seem to be any detection tools available either for windows.
It looks like there are several versions of the trojan around. This blog (http://garwarner.blogspot.com/2009/09/irs-version-of-zeus-bot-continues.html) provides some analysis of one of the versions (based on IRS spam) and provides link to a Virustotal report which identifies the antivirus software that classifies it as malware.
BitDefender and GData call it "Trojan.Spy.Zbot.BFK"
Kaspersky calls it: "Trojan-Spy.Win32.Zbot.gen"
McAfee+Artemis calls it: "Suspect-29"
NOD32 calls it: "a variant of Win32/Kryptik.AET"
Sunbelt calls it: "Trojan-Downloader.Tibs.gen"
What an amazing piece of bollocks this so-called "study" is.
They claim that by installing (any kind of?) anti-malware, you can reduce the risk of becoming infected by this piece by 23%. Which brand?
The figure of 55% of infected machines running up-to-date AV is not worth the three characters to print it. WHICH BRAND of AV detects it, and which does not? What they suggest is that whatever brand of AV you're running, it will detect Zeus only if you're lucky. And that, ladies and gentlemen, is utter $&%/#.
But OTOH, it's a "study", and it comes in PDF form, so it must be true...
Their software (provided by a handful of banks) reports if AV software is installed and up to date (according to the Windows Security Center), and if it detects the virus. This isn't the same as testing if AV software detects the virus, and they did no such analysis. Also, the machines their software is on (mostly home computers, I expect) may not be representative of the installed base of PCs overall (including office computers).
More importantly, they screwed up the math. p(Zeus|AVUTD) = p(Zeus) * 0.77; i.e., the probability of infection given that you have up-to-date AV software is the overall probability of infection times 0.77 . I think they (hopefully accidentally) used this for the final figure. p(Zeus|AVUTD)/p(Zeus|NoAV) = 0.57; you're 43% less likely to get infected if you have up-to-date AV than if unprotected. Still not great, but not nearly as alarming.
I also noticed that they didn't do any calculations regarding not-up-to-date AV software. Coincidentally, by their numbers, you're 43% less likely to be infected by having *no* AV software than by having it but not updating it. This doesn't make sense, and the only logical conclusion to draw is that their sample size is too small to be statistically accurate. If it's on 1% of all PCs, and they looked at 10,000, they only found about 100 infections, which gives a 9.8% margin of error (95% confidence interval). In other words, the study is all but useless and may or may not be intentional fearmongering.
Trusteer wouldn't just so happen to be selling a tool that *does* detect and remove this trojan would it?
Oooooohhhhh loooook, they make Rapport, which the Royal Bank of Scotland (and possibly others) are very actively promoting every time you log into the RBS digital banking service.
And now, well stone me, they've found a trojan that only Rapport detects.
Cracking coincidence Grommit!
They also mention browsers, does it affect all browsers, or only certain ones? How does it circumvent most firewalls? Which Antivirus software detects it.. This is important info guys, particularly for the sysadmins out there...
@ Tony how come you can't live without Outlook? Looked at Kontact or Evolution recently?
A grenade - because this is going to explode soon!
The paper will not - say again NOT - stand up to academic assessment OR critique. There is no reference work listing appended, no experimental details that can be replicated, no listing of which AV products were or were not tested, or even of any control machines that were deliberately infected to show infection processes that should be countered by any future AV products.
In short, it's hot air.
I'll be more impressed if a properly researched and published paper on the topic comes out.
Wonder who is funding this bunch? Knowing that may make sense of the scare tactics.
"The company is able to detect it by examining the fingerprint Zeus leaves when it penetrates an infected PC's browser process."
So given the scale of this threat, I do hope that we can expect a handy standalone detection app to be appearing imminently then? That would, after all, be the responsible thing to do...
Paris because she's known for being good with standalones.
By Anonymous Coward
Screw that. The writers of these things should get the death sentence. That'll stop the little turds."
Odd that so many read about the huge bonuses paid out of thier pockets to a few yet don't clamour for the ultimate penalty. I wonder how much has been 'stolen' by those who 'deserve' the loot compared to the amounts nicked by the other crooks.
Must be O.K. if you know who is screwing you. "It's fine dear, we're not being robbed by Russkies, we're being fucked over by our own people"
Scary. I just did a bit of research. The problem here is that all these "How do we detect it" questions are flawed because there is no "it". Zeus is a toolkit that a criminal buys and customises so there are hundreds, probably thousands, of variants out there. To put this into context, Kaspersky has discovered 6 new variants ...... since I last looked 30 minutes ago! Yes, that's 6 new versions of the Zeus/Zbot trojan in the last 30 minutes. They've discovered 13 new variants today (at time of writing this comment).
If anyone wants a link to Kaspersky info on this it's here: http://www.kaspersky.com/viruswatchlite?search_virus=zbot&hour_offset=-3
Looks to me like we need to know which anti virus software's behavioural algorithms will catch it because signature-based detection is having a hard time keeping up.
Not been funny, I Could be very wrong but everyone seems preoccupied with how they can protect themselves from this great big evil virus. Well in short, don't go to dubious websites etc and that way you reduce the risk of getting infected in the first place. Or you can run a linux/unix OS which will reduce your infection risk even further :)
*Paris - Because she isn't bothered about penetrating infections and doesn't use Trojans*
>Oh, and I only use Linux for accessing my bank. Just in case.<
Well I installed a dual boot of Ubuntu a few months ago, got it all working and everything, but then never used it after I sussed out how it all worked. But this is making me rethink, and thanks for the pointer to Evolution - it looks good.
As for, 'why Outlook?' Shrug, devil you know and all that, but, the windows vulnerabilities (assuming this doesn't affect Linux and Macs), is getting ridiculous. I pay Bitdefender £25 a year to slow my system down, lockup when the PC goes to sleep sometimes (just guesswork here), and slow my surfing to a crawl.
Time for a change. (First time I've used the penguin I think).
Ok, so the evil guys get into my online banking account. But to transfer money out of the account they need a PINsentry card reader (easy to obtain - I have about 10 from different banks!) and my Chip and PIN card to generate the authorisation code - not so easy to obtain. Or am I missing something here?
Your a moron.
This isn't some sort of Windows security hole. It's software that's been installed / ran by a user (and if it uses a root-kit they'll need admin rights) that does what the developer intended.
Your telling me Linux prevents that?! If so I'm glad I don't develop for it.
Number of major flaws on OSS recently only backs up the theory that malware is targeted for the biggest audience rather than the weakest platform - which would be any platform with the largest number of users who happily install any old crap that comes on a email.
P.S. Now installing Windows 7 on a VM. 15 minutes total install time.
Better than Linux? Not really. 6 Hours? Get a watch.
Sounds like AV company propaganda. Think about it... The average consumer mindset believes in the strongest brands to provide the best service. Thus, in the face of extreme fear such as having your bank details sniffed who they gonna call? It sure aint gonna be ghostbusters. Probably Norton or Mcafee.
Providing a link to tools the specifically target and clean this infection might have been nice, as well as a list of which AV programs have good success rates would also have been nice (cross referenced to their overall success rates with other viri, which might be lower).
Sounding the alarm doesn;'t do a whole lot of good if you can't actually assist us.
Some clues as to how it infects the machine, and how to prevent that might also be nice...
"Your a moron."
Thanks, that sets the tone for the rest of the response.
"This isn't some sort of Windows security hole. It's software that's been installed / ran by a user (and if it uses a root-kit they'll need admin rights) that does what the developer intended."
On a platform that defaults to allow such kind of software to run with admin rights because users default to admin rights, perhaps?
"Your telling me Linux prevents that?! If so I'm glad I don't develop for it."
It does not completely prevent it, just makes it more difficult. Nothing can ensure peace of mind, but there are ways to minimize it. Windows has to deal with a lot of badly written software that simply does not know how to run without admin rights, even if it is perfectly possible. What I cannot understand is the second sentence: are you glad developing for a platform that allows users do stupid things?
"Number of major flaws on OSS recently only backs up the theory that malware is targeted for the biggest audience rather than the weakest platform - which would be any platform with the largest number of users who happily install any old crap that comes on a email."
Whatever the reason, you seem to have reliable data on the number of OSS flaws versus other platforms, care to share that evidence? I'll share my evidence. Number of security outbreaks, infections, or any other kind of attacks in 2 Linux home boxes in 8 years:zero. Without running any kind of antivirus or similar security tools. Just the home router firewall, thanks. 8 years without devoting a second of my time, a cycle of my CPU or a byte on my hard disk to protecting me from something that should not be so easy to happen in the first place.
Whatever the reason, fact is, Linux is more secure. I don't care if it is because not popular or because is more secure or probably because both things at the same time. The plain fact is that Linux is more secure.
I'm ready to admit that if you configure Windows properly you can achieve similar levels of security. But that will be at the cost of some software not working properly, some of your machine resources devoted to that, plus the time you need to spend doing it. And yet after all that you'll not be free from things like SMB exploits happening.
"P.S. Now installing Windows 7 on a VM. 15 minutes total install time."
Mmmmm.... interesting, you really should post a YouTube Video of your VM W7 install, I'm sure the world will be shocked to know that you can install on that short time. Again, care to provide proof?
"Better than Linux? Not really. 6 Hours? Get a watch."
No, not really, I was making that number up. Make it 30 mins for the base OS, another 30 mins for Office and 2 and half hours of applying service packs, patches and rebooting. Only 3 and half hours, tops.
Ubuntu comes alive in 45 minutes, patches incuded, with office productivity, mail client, etc, already installed.
Oh, perhaps in your world where everybody who does not think like you is a moron time runs differently. But thanks to you and people with your midnset, Windows will always keep a big market share and the rest of the world will be safe. Please keep using Windows, Linux does not need users like you.
> Not been funny, I Could be very wrong but everyone seems preoccupied with how they can protect themselves from this great big evil virus. Well in short, don't go to dubious websites etc and that way you reduce the risk of getting infected in the first place.<
Good thinking... only one of the Zeus variants infecting systems was coming from the Paul McCartney site (just re released all the Beatles library in cleaned up Mono and new Stereo - not him, but you can bet his website has surged with visits).
Unless you consider him dubious, which is fair enough.
...but a 23% (average) detection rate, regardless of AV product. Some did better, some almost certainly failed utterly, but none was able to detect/block with 100% surety, because the proliferation of variants (and ability to obfuscate any signatures) leaves the AV vendors trailing a long way behind.
Seems like this might be a better interpretation of some rather loose language.
A new varriant every 5 minutes makes it very easy to get bitten when your AV software auto-updates only once a day.
The 'report' seems to be a poor product, with little info., terrible analysis and liitle evidence etc.. Unfortunately it has been echoed around the globe by many on-line publications. I note SANS has not joined the hysteria.
As for the OS - let each choose their own - I choose Linux (since ~1993), if anyone feels safer with anything else then so be it. Unfortunately we all have to live with this situation and hysteria, bitching, misinformation and plain ignorance does not help. This menace needs to be tackled with a united front. For banking one-time passwords seem a very sensible way forward, combined with a broad array of measures including : suspicion, care, good AV, safest web-browser, updated software, bank security measures.
I choose Linux, Firefox (with NoScript ), Thunderbird and a healthy dose of scepticism, anyone else is naturally free to differ.
By the way free software (esp. Linux) is not just free as in free beer but free as in FREEDOM.
Installing Linux on most hardware ( I have 6 systems I care for ) takes 30 -60 mins ( I mostly use OpenSuse ) and does NOT require the use of the command-line - but what a blessing it can be.
I'm not anti-MS but I only run one laptop with XP, mainly for a small number of programs that are better than the Linux alternatives - I use Linux for the greater number that are better or as good for my purposes.I certainly don't consider it healthy for the entire world to be dependant on 1 OS apart from any other considerations. It's like ALL of us having the same MHC (http://en.wikipedia.org/wiki/Major_histocompatibility_complex) and therefore being equally susceptible to a (biological) infection wiping the whole planet out.
Have a good weekend.
( I think the guy who suggested spending everything down at the pub as a security measure was more useful than most of the other comments !)
@Anonymous Coward 14:48
"...W7 install, I'm sure the world will be shocked to know that you can install on that short time. Again, care to provide proof?"
Installation time of Kubuntu and Windows 7 RC on my Atom-based Internet PC are virtually identical.
Kubuntu is longer to configure overall though since many of its default base apps are junk and have to be replaced with others from the packager.
Oh, and FYI, Windows 7 performs better on this system than K/Ubuntu because it is using a threaded UI -- K/Ubuntu lags like terrible on the UI when torrenting etc.
If any politician would suggest implementing a law that would create the death penalty for people who write trojans or viruses, I'd vote for them in a minute. Add in life without parole for anyone creating bots that add messages in forums and I'd nominate them for sainthood.
I use a Mac and I'm smart enough not to fall for social engineering crap, so it doesn't directly affect me. But it makes my life a lot more difficult. The small online forum I host gets about 5 real messages per week - but about 30 spambot messages per week, even though all the security is turned on (phbb). I spend a lot more time getting rid of the spam crap than dealing with the forum.
it's about time that someone does something about this. There are reasonable technical solutions in addition to tracking the people down and leveling criminal penalties.
If the OS-whiners could pause their usual knee-jerk kindergarten argument about who is fit to run Linux and "smug" users, they might actually notice what the biggest reported problem is with keeping computers free of infection:
"Of Zeus-infected machines, about 31 per cent don't run AV at all and 14 percent run AV that's out of date."
Or, close to half of all Windows users seem to believe they are invulnerable to attack. This is a MUCH bigger deal than Mac or Linux users touting OS's that, let's face it, ARE vulnerable to fewer viruses. This is a much bigger deal than arguing about how secure Windows is or isn't.
Maybe we could someday stop all the time-wasting and figure out how to get computer users to put antivirus software on their machines? Maybe the manufacturers could start including some kind of educational material, or AV software that doesn't bog down the entire system and expire after 60 days? Maybe the tech support staff who like to sneer and make jokes about idiot users could make politely imparting information and explaining the need for basic security part of their job?
Because I can tell you, out here in the support trenches, the AV numbers are even wors.. People will look straight at you and say they still don't understand why they need to worry about AV software, because they don't bank online, or have any confidential information on their computer, etc., etc. It takes time to explain about things like botnets and denial of service attacks and being a good net citizen, not to mention all the nasty problems viruses can cause them as well. Making AV software available for free hasn't even helped.
Maybe we could all band together and petitions ISPs to kick infected machines offline until they clean up their act? Require subscribers to prove they know how to keep their AV software up to date before they can get an account in the first place?
The problem is not smug Mac/Linux/Unix/BeOS/OS2/VMS/DOS/CPM/abacus/sliderule-insert-your-favorite-non-Windows-alternative users who AREN'T getting and spreading viruses like Zeus. The problem is the huge percentage of Windows users who ARE.
Not knowing how the different AV engines performed doesn't make this report "inadequate," as one person put it. 45% of users had no protection or out-of-date protection. If there's anyone reading this who doesn't already know how the "nothing" AV engine fares in tests, raise your hand.
A 100% failure rate over 45% of users is a fairly scary, and certainly adequate, statistic. It makes the virus itself seem quite harmless in comparison to the toll taken by the apparent failure of an entire industry - one that has dropped the ball where educating users and increasing security is concerned.
snark snark snark grrrrrrr
Nail on head. Many of us routinely remove any preinstalled AV software from friends'/relatives' PCs because it's bloated, intrusive, buggy, overpriced nagware that causes more problems than it solves.. We need better products, ASAP.
AV vendors, please wake up and smell the coffee. Reclaim your image and your market.
Go onto any "hacking" forum these days and you'll see kiddies who can obtain software for a few $$ to create a "fully-UD" (undetectable) virus. A 23% detection rate would be seen as poor. These kids buy freely available keyloggers such as turkojan or ardamax and just crypt them to make them UD. These crypted loggers can be sent freely throughout the internet and give thousands of bank details to kids as young as 13. anyone with a Windows PC can do it.
When i saw the detection rate i was actually suprised at how _high it was.
I attended a meeting with Mr Klein, the CTO of Trusteer, a while back. He asked how effective AV software was these days. He replied that it picked up only 40% of the viruses and malware out there. So I guess if Trusteer can show how good they are at detecting the bad stuff that AV products can't then that's priceless PR for his cause. After all he's in the market of selling his products to the banks!
Paris, because I'd rather she protect my assets.
i've been running Ubuntu for four years now and I would like to say one thing - it's a great OS but the Apps are crap. They should be called "crApps."
Open Office sucks. Simple. It is nowhere near as good as Office 2007. NEVER do your CV in OOo, unless you're on welfare/jobsearch/dhss/dole (whatever you call it in your home country) and you're only applying to be able to tick a box and collect your cheque.
Evolution: tried it, pure rubbish.
... and try finding a game that runs natively in Linux. Good luck with that. Ditto with trying to get a Nokia phone, USB camera or iPod to work without an emulator (wine, got it. not really a long-term answer though, is it?)
Tell you what Ubuntu does do VERY well - gives you a free OS to use as a media server. If that's what you need, go Ubuntu. You can even run it on the PC you owned ten years ago. No, really.
It's not that I don't appreciate Ubuntu - it has run my Squeezecentre for years - but, unless the primary result of you leaving home is that, somewhere, there's a village deprived of its idiot, there's no real difference between linux and windows - good security thinking and practices will prevent infection.
If you're borderline, buy a Mac - at least the software is written by professionals.
... oh, and on the online banking thing - if your bank's website is that bad that you enter a cleartext password, then you need to either change banks or don't use their website. If they have that little respect for your security, they won't support you if it's breached.
There are very few AV products that protect users against trojans or keyloggers. But then what do expect from an industry that can't protect against anything it doesn't already know about. The thing that surprises me is why Symantec et all haven't been sued yet for false advertising. None of them do as they claim, often as not they are beaten by the incredible advanced malware technique of renaming the virus or trojan to something not on a list of names of viruses and trojans. Given the wild and unrealistic claims on the boxes of these products, if there was ever something that deserved to be forcibly taken off the market for false advertising, antivirus software would be it.
I've only found one application that actively guards against malware.. ie. prevents an attack as it happens and doesn't require a hard disk scan to do it. It also finds and removes trojans that most antivirus products won't detect or can't clean from your system. While far from perfect at least it tries to protect the user from themselves in real time, which is more than any other product does, but then PC Tools were always a step above most other software houses.
How does it infect a computer? Must the user install it, or does it install itself?
Also, what is the target OS? Windows? Linux? OS/2?
- If the user/ne'er-do-well have to install it by hand, then we can rest better. On the other hand, if it can install itself when you browse the Wibbly Wobbly Web, then simply blocking executables and downloads at firewall level and you should be safe.
- If it can download and install itself, what are the infection vectors it take to install itself? Otherwise this study is meaningless, and just scaremongering.
- Target OS is too vague. We all have to assume Windows since the majority of viruses is written to target windows. But it will be nice to know for sure.
FAIL because it's scaremongering.
Biting the hand that feeds IT © 1998–2020