Nasty Trojan Zeus Evades Antivirus Software

Use Netsparker


This is one nasty piece of malware, seems like it’s working on a low level as per rootkits, there aren’t many technical details but it may well be operating on a Ring 0 level.

The level of detection by AV software is quite scary, especially since the malware is specifically targeting bank login details and it has the ability to intercept the browser process.

Definitely one to watch out for in your organization.

One of the world’s nastiest password-stealing trojans evades detection by the majority PCs running anti-virus programs, according to a study that examined 10,000 machines.

Zeus, a stealthy piece of malware that sits on a PC and waits for users to log in to bank websites, is detected just 23 per cent of time by AV programs, according to the study [PDF] released by security firm Trusteer. Even AV programs with up-to-date malware signatures were unable to identify the infection a majority of the time, the authors said.

Zeus, which also goes by the name Zbot and PRG, escapes detection using sophisticated techniques such as root-kit technology, the Trusteer report said. The company is able to detect it by examining the fingerprint Zeus leaves when it penetrates an infected PC’s browser process.

It seems to be operating on a level that the AV engines can’t even detect as when installed with the latest signatures they still can’t alert a user they are infected.

It’s time AV engines get a little more advanced and hook into important processes like the browser and ensure they aren’t being tampered with or monitored.

Some kind of active memory protection must be possible.


A recent report estimated that Zeus is the No. 1 trojan, with 3.6 million infections in the US alone, or about 1 per cent of the installed base of PCs. Trusteer’s study, which found Zeus accounted for 44 per cent of the banking malware infections, was consistent with that finding. After sneaking onto a PC, it sits quietly in the background until a user logs on to a financial website. It then sends the login credentials to a remote server in real time, sometimes by use of instant messaging programs.

Of Zeus-infected machines, about 31 per cent don’t run AV at all and 14 percent run AV that’s out of date. The remaining 55 per cent had AV programs that were up to date.

Sitting at number 1 trojan this is a serious issue, especially with the stealthy mode in which it operates it looks like it’s going to be hard to stop the infections.

I someone comes up with a tool or method to prevent and detect these infections.

Source: The Register

Posted in: Malware, Privacy

, , , , , , ,


Latest Posts:


StaCoAn - Mobile App Static Analysis Tool StaCoAn – Mobile App Static Analysis Tool
StaCoAn is a cross-platform tool which aids developers, bug bounty hunters and ethical hackers performing mobile app static analysis on the code of the application for both native Android and iOS applications.
snallygaster - Scan For Secret Files On HTTP Servers snallygaster – Scan For Secret Files On HTTP Servers
snallygaster is a Python-based tool that can help you to scan for secret files on HTTP servers, files that are accessible that shouldn't be public and can pose a s
Portspoof - Spoof All Ports Open & Emulate Valid Services Portspoof – Spoof All Ports Open & Emulate Valid Services
The primary goal of the Portspoof program is to enhance your system security through a set of new camouflage techniques which spoof all ports open and also emulate valid services on every port.
Cambridge Analytica Facebook Data Scandal Cambridge Analytica Facebook Data Scandal
One of the biggest stories of the year so far has been the scandal surrounding Cambridge Analytica that came out after a Channel 4 expose that demonstrated the depths they are willing to go to profile voters, manipulate elections and much more.
GetAltName - Discover Sub-Domains From SSL Certificates GetAltName – Discover Sub-Domains From SSL Certificates
GetAltName it's a little script to discover sub-domains that can extract Subject Alt Names for SSL Certificates directly from HTTPS websites which can provide you with DNS names or virtual servers.
Memcrashed - Memcached DDoS Exploit Tool Memcrashed – Memcached DDoS Exploit Tool
Memcrashed is a Memcached DDoS exploit tool written in Python that allows you to send forged UDP packets to a list of Memcached servers obtained from Shodan.


5 Responses to Nasty Trojan Zeus Evades Antivirus Software

  1. JibbaJabber September 18, 2009 at 8:44 pm #

    “I someone comes up with a tool or method to prevent and detect these infections.”

    I -hope- so too, only problem is most people who don’t know jack and don’t use antivirus anyways because of the ‘hassle’ involved in it and the complexity of the task just won’t get it, still.

    However, many of the whole security software suites that include Firewall, anti-virus, anti-phishing, anti-spyware, etc. protection do include system hooks and such for protecting themselves, and you know what happens? The protection becomes so bloated that it’s as bad as the malware you’re attempting to protect yourself from. Have you tried any of it? It’s really hopeless from the end user perspective. The bad guys will always find a way to subvert the system for their illicit gains until everything is useless. Enjoy.

  2. senn September 20, 2009 at 1:47 am #

    I’ve seen lot of computers infected with this zbot. Some antivirus able to detect this virus behavior however failed to remove it. And some anti virus not able to detect it at all.

  3. Little Mac September 20, 2009 at 12:51 pm #

    Memory monitoring, kernel/whole-system protection is provided by some security products. If the malware can’t access the CPU, it can’t infect the system no matter what it does. Typically this comes from a powerful HIPS; then it doesn’t matter about the AV (definitions are. Always behind the curve anyway).

    My personal choice, Comodo CIS, is free (not Open-Source) and lightweight on the system. There are many other good ones, some also free (Online Armour has paid and free versions). The only downside to these apps is that they do require some user interaction.

  4. monstr-fan-boy September 22, 2009 at 4:33 pm #

    There already is an removal tool out there. it

  5. nunya October 6, 2009 at 3:28 pm #

    The 6.0 version of Evidence Eliminator by Robinhood software on its website contains the Zbot trojan and is not detected until after install. Steer clear of it.