Nasty Trojan Zeus Evades Antivirus Software

Keep on Guard!


This is one nasty piece of malware, seems like it’s working on a low level as per rootkits, there aren’t many technical details but it may well be operating on a Ring 0 level.

The level of detection by AV software is quite scary, especially since the malware is specifically targeting bank login details and it has the ability to intercept the browser process.

Definitely one to watch out for in your organization.

One of the world’s nastiest password-stealing trojans evades detection by the majority PCs running anti-virus programs, according to a study that examined 10,000 machines.

Zeus, a stealthy piece of malware that sits on a PC and waits for users to log in to bank websites, is detected just 23 per cent of time by AV programs, according to the study [PDF] released by security firm Trusteer. Even AV programs with up-to-date malware signatures were unable to identify the infection a majority of the time, the authors said.

Zeus, which also goes by the name Zbot and PRG, escapes detection using sophisticated techniques such as root-kit technology, the Trusteer report said. The company is able to detect it by examining the fingerprint Zeus leaves when it penetrates an infected PC’s browser process.

It seems to be operating on a level that the AV engines can’t even detect as when installed with the latest signatures they still can’t alert a user they are infected.

It’s time AV engines get a little more advanced and hook into important processes like the browser and ensure they aren’t being tampered with or monitored.

Some kind of active memory protection must be possible.


A recent report estimated that Zeus is the No. 1 trojan, with 3.6 million infections in the US alone, or about 1 per cent of the installed base of PCs. Trusteer’s study, which found Zeus accounted for 44 per cent of the banking malware infections, was consistent with that finding. After sneaking onto a PC, it sits quietly in the background until a user logs on to a financial website. It then sends the login credentials to a remote server in real time, sometimes by use of instant messaging programs.

Of Zeus-infected machines, about 31 per cent don’t run AV at all and 14 percent run AV that’s out of date. The remaining 55 per cent had AV programs that were up to date.

Sitting at number 1 trojan this is a serious issue, especially with the stealthy mode in which it operates it looks like it’s going to be hard to stop the infections.

I someone comes up with a tool or method to prevent and detect these infections.

Source: The Register

Posted in: Malware, Privacy

, , , , , , ,


Latest Posts:


DAST vs SAST - Dynamic Application Security Testing vs Static DAST vs SAST – Dynamic Application Security Testing vs Static
In security testing, much like most things technical there are two very contrary methods, Dynamic Application Security Testing or DAST and Static or SAST.
Cr3dOv3r - Credential Reuse Attack Tool Cr3dOv3r – Credential Reuse Attack Tool
Cr3dOv3r is a fairly simple Python-based set of functions that carry out the prelimary work as a credential reuse attack tool.
Mr.SIP - SIP Attack And Audit Tool Mr.SIP – SIP Attack And Audit Tool
Mr.SIP was developed in Python as a SIP Attack and audit tool which can emulate SIP-based attacks. Originally it was developed to be used in academic work.
Uber Paid Hacker To Hide 57 Million User Data Breach Uber Paid Hackers To Hide 57 Million User Data Breach
Uber is not known for it's high level of ethics, but it turns out Uber paid hackers to not go public with the fact they'd breached 57 Million accounts.
RDPY - RDP Security Tool For Hacking Remote Desktop Protocol RDPY – RDP Security Tool For Hacking Remote Desktop Protocol
RDPY is an RDP Security Tool in Twisted Python with RDP Man in the Middle proxy support which can record sessions and Honeypot functionality.
Terabytes Of US Military Social Media Spying S3 Data Exposed Terabytes Of US Military Social Media Spying S3 Data Exposed
Once again the old, default Amazon AWS S3 settings are catching people out, the US Military has left terabytes of social media spying S3 data exposed.


5 Responses to Nasty Trojan Zeus Evades Antivirus Software

  1. JibbaJabber September 18, 2009 at 8:44 pm #

    “I someone comes up with a tool or method to prevent and detect these infections.”

    I -hope- so too, only problem is most people who don’t know jack and don’t use antivirus anyways because of the ‘hassle’ involved in it and the complexity of the task just won’t get it, still.

    However, many of the whole security software suites that include Firewall, anti-virus, anti-phishing, anti-spyware, etc. protection do include system hooks and such for protecting themselves, and you know what happens? The protection becomes so bloated that it’s as bad as the malware you’re attempting to protect yourself from. Have you tried any of it? It’s really hopeless from the end user perspective. The bad guys will always find a way to subvert the system for their illicit gains until everything is useless. Enjoy.

  2. senn September 20, 2009 at 1:47 am #

    I’ve seen lot of computers infected with this zbot. Some antivirus able to detect this virus behavior however failed to remove it. And some anti virus not able to detect it at all.

  3. Little Mac September 20, 2009 at 12:51 pm #

    Memory monitoring, kernel/whole-system protection is provided by some security products. If the malware can’t access the CPU, it can’t infect the system no matter what it does. Typically this comes from a powerful HIPS; then it doesn’t matter about the AV (definitions are. Always behind the curve anyway).

    My personal choice, Comodo CIS, is free (not Open-Source) and lightweight on the system. There are many other good ones, some also free (Online Armour has paid and free versions). The only downside to these apps is that they do require some user interaction.

  4. monstr-fan-boy September 22, 2009 at 4:33 pm #

    There already is an removal tool out there. it

  5. nunya October 6, 2009 at 3:28 pm #

    The 6.0 version of Evidence Eliminator by Robinhood software on its website contains the Zbot trojan and is not detected until after install. Steer clear of it.