Nasty Trojan Zeus Evades Antivirus Software

Outsmart Malicious Hackers


This is one nasty piece of malware, seems like it’s working on a low level as per rootkits, there aren’t many technical details but it may well be operating on a Ring 0 level.

The level of detection by AV software is quite scary, especially since the malware is specifically targeting bank login details and it has the ability to intercept the browser process.

Definitely one to watch out for in your organization.

One of the world’s nastiest password-stealing trojans evades detection by the majority PCs running anti-virus programs, according to a study that examined 10,000 machines.

Zeus, a stealthy piece of malware that sits on a PC and waits for users to log in to bank websites, is detected just 23 per cent of time by AV programs, according to the study [PDF] released by security firm Trusteer. Even AV programs with up-to-date malware signatures were unable to identify the infection a majority of the time, the authors said.

Zeus, which also goes by the name Zbot and PRG, escapes detection using sophisticated techniques such as root-kit technology, the Trusteer report said. The company is able to detect it by examining the fingerprint Zeus leaves when it penetrates an infected PC’s browser process.

It seems to be operating on a level that the AV engines can’t even detect as when installed with the latest signatures they still can’t alert a user they are infected.

It’s time AV engines get a little more advanced and hook into important processes like the browser and ensure they aren’t being tampered with or monitored.

Some kind of active memory protection must be possible.


A recent report estimated that Zeus is the No. 1 trojan, with 3.6 million infections in the US alone, or about 1 per cent of the installed base of PCs. Trusteer’s study, which found Zeus accounted for 44 per cent of the banking malware infections, was consistent with that finding. After sneaking onto a PC, it sits quietly in the background until a user logs on to a financial website. It then sends the login credentials to a remote server in real time, sometimes by use of instant messaging programs.

Of Zeus-infected machines, about 31 per cent don’t run AV at all and 14 percent run AV that’s out of date. The remaining 55 per cent had AV programs that were up to date.

Sitting at number 1 trojan this is a serious issue, especially with the stealthy mode in which it operates it looks like it’s going to be hard to stop the infections.

I someone comes up with a tool or method to prevent and detect these infections.

Source: The Register

Posted in: Malware, Privacy

, , , , , , ,


Latest Posts:


What You Need To Know About KRACK WPA2 Wi-Fi Attack What You Need To Know About KRACK WPA2 Wi-Fi Attack
The Internet has been blowing up in the past week about the KRACK WPA2 attack that is extremely widespread and is a flaw in the Wi-Fi standard itself.
Spaghetti Download - Web Application Security Scanner Spaghetti Download – Web Application Security Scanner
Spaghetti is an Open-source Web Application Security Scanner, it is designed to find various default and insecure files, configurations etc.
Taringa Hack - 27 Million User Records Leaked Taringa Hack – 27 Million User Records Leaked
The Taringa hack is actually one of the biggest leaks of the year with 27 million weakly hashed passwords breached, but it's not often covered in the West.
A2SV - Auto Scanning SSL Vulnerability Tool For Poodle & Heartbleed A2SV – Auto Scanning SSL Vulnerability Tool For Poodle & Heartbleed
A2SV is a Python-based SSL Vulnerability focused tool that allows for auto-scanning and detection of the common and well-known SSL Vulnerabilities.
VHostScan - Virtual Host Scanner With Alias & Catch-All Detection VHostScan – Virtual Host Scanner With Alias & Catch-All Detection
VHostScan is a Python-based virtual host scanner that can be used with pivot tools, detect catch-all scenarios, aliases and dynamic default pages.
Equifax Hack Blamed On Single Employee Equifax Hack Blamed On Single Employee
We wrote about the Equifax Hack, Data Breach and Leak last month, which happened due to a flaw in Apache Struts that for some reason hadn't been patched.


5 Responses to Nasty Trojan Zeus Evades Antivirus Software

  1. JibbaJabber September 18, 2009 at 8:44 pm #

    “I someone comes up with a tool or method to prevent and detect these infections.”

    I -hope- so too, only problem is most people who don’t know jack and don’t use antivirus anyways because of the ‘hassle’ involved in it and the complexity of the task just won’t get it, still.

    However, many of the whole security software suites that include Firewall, anti-virus, anti-phishing, anti-spyware, etc. protection do include system hooks and such for protecting themselves, and you know what happens? The protection becomes so bloated that it’s as bad as the malware you’re attempting to protect yourself from. Have you tried any of it? It’s really hopeless from the end user perspective. The bad guys will always find a way to subvert the system for their illicit gains until everything is useless. Enjoy.

  2. senn September 20, 2009 at 1:47 am #

    I’ve seen lot of computers infected with this zbot. Some antivirus able to detect this virus behavior however failed to remove it. And some anti virus not able to detect it at all.

  3. Little Mac September 20, 2009 at 12:51 pm #

    Memory monitoring, kernel/whole-system protection is provided by some security products. If the malware can’t access the CPU, it can’t infect the system no matter what it does. Typically this comes from a powerful HIPS; then it doesn’t matter about the AV (definitions are. Always behind the curve anyway).

    My personal choice, Comodo CIS, is free (not Open-Source) and lightweight on the system. There are many other good ones, some also free (Online Armour has paid and free versions). The only downside to these apps is that they do require some user interaction.

  4. monstr-fan-boy September 22, 2009 at 4:33 pm #

    There already is an removal tool out there. it

  5. nunya October 6, 2009 at 3:28 pm #

    The 6.0 version of Evidence Eliminator by Robinhood software on its website contains the Zbot trojan and is not detected until after install. Steer clear of it.