This is one nasty piece of malware, seems like it’s working on a low level as per rootkits, there aren’t many technical details but it may well be operating on a Ring 0 level.
The level of detection by AV software is quite scary, especially since the malware is specifically targeting bank login details and it has the ability to intercept the browser process.
Definitely one to watch out for in your organization.
One of the world’s nastiest password-stealing trojans evades detection by the majority PCs running anti-virus programs, according to a study that examined 10,000 machines.
Zeus, a stealthy piece of malware that sits on a PC and waits for users to log in to bank websites, is detected just 23 per cent of time by AV programs, according to the study [PDF] released by security firm Trusteer. Even AV programs with up-to-date malware signatures were unable to identify the infection a majority of the time, the authors said.
Zeus, which also goes by the name Zbot and PRG, escapes detection using sophisticated techniques such as root-kit technology, the Trusteer report said. The company is able to detect it by examining the fingerprint Zeus leaves when it penetrates an infected PC’s browser process.
It seems to be operating on a level that the AV engines can’t even detect as when installed with the latest signatures they still can’t alert a user they are infected.
It’s time AV engines get a little more advanced and hook into important processes like the browser and ensure they aren’t being tampered with or monitored.
Some kind of active memory protection must be possible.
A recent report estimated that Zeus is the No. 1 trojan, with 3.6 million infections in the US alone, or about 1 per cent of the installed base of PCs. Trusteer’s study, which found Zeus accounted for 44 per cent of the banking malware infections, was consistent with that finding. After sneaking onto a PC, it sits quietly in the background until a user logs on to a financial website. It then sends the login credentials to a remote server in real time, sometimes by use of instant messaging programs.
Of Zeus-infected machines, about 31 per cent don’t run AV at all and 14 percent run AV that’s out of date. The remaining 55 per cent had AV programs that were up to date.
Sitting at number 1 trojan this is a serious issue, especially with the stealthy mode in which it operates it looks like it’s going to be hard to stop the infections.
I someone comes up with a tool or method to prevent and detect these infections.
Source: The Register
JibbaJabber says
“I someone comes up with a tool or method to prevent and detect these infections.”
I -hope- so too, only problem is most people who don’t know jack and don’t use antivirus anyways because of the ‘hassle’ involved in it and the complexity of the task just won’t get it, still.
However, many of the whole security software suites that include Firewall, anti-virus, anti-phishing, anti-spyware, etc. protection do include system hooks and such for protecting themselves, and you know what happens? The protection becomes so bloated that it’s as bad as the malware you’re attempting to protect yourself from. Have you tried any of it? It’s really hopeless from the end user perspective. The bad guys will always find a way to subvert the system for their illicit gains until everything is useless. Enjoy.
senn says
I’ve seen lot of computers infected with this zbot. Some antivirus able to detect this virus behavior however failed to remove it. And some anti virus not able to detect it at all.
Little Mac says
Memory monitoring, kernel/whole-system protection is provided by some security products. If the malware can’t access the CPU, it can’t infect the system no matter what it does. Typically this comes from a powerful HIPS; then it doesn’t matter about the AV (definitions are. Always behind the curve anyway).
My personal choice, Comodo CIS, is free (not Open-Source) and lightweight on the system. There are many other good ones, some also free (Online Armour has paid and free versions). The only downside to these apps is that they do require some user interaction.
monstr-fan-boy says
There already is an removal tool out there. it
nunya says
The 6.0 version of Evidence Eliminator by Robinhood software on its website contains the Zbot trojan and is not detected until after install. Steer clear of it.