Zeus trojan horse
Zeus (also known as Gorhax, Zbot, Wsnpoem, PRG and Kneber) is a Trojan horse that steals banking information by keystroke logging. It is spread mostly through drive-by downloads and phishing schemes. Zeus was first identified in July 2007. The Zeus botnet targets Windows machines, and computers running Windows XP Professional Service Pack 2 make up the bulk of the botnet. Kneber is found primarily on machines in corporate and government infrastructures.
The Zeus botnet targets login credentials for online financial services, e-mail accounts and online social networks. According to a NetWitness report, the top sites with stolen login credentials are Sonico, Metroflog, Hi5, Netlog, Facebook and Yahoo. While the focus was on social networks and e-mail, Kneber now targets banking sites. Zeus controls computers in 196 countries. The five countries with the most infected computers are Turkey, the USA, Egypt, Saudi Arabia and Mexico. Some 3.6 million computers are known to be infected in the United States alone, and 2,411 companies are known to have been compromised by the criminal operation running the botnet.
The current version of the Zeus botnet uses classic copy-protection mechanisms to prevent the use of unlicensed pirate copies. Security company SecureWorks found that the Zeus server only works with a system-specific key: like the Windows OS, the malware computes a kind of fingerprint of the hardware configuration when it is first started. Zeus is easy to buy in underground forums, for as little as 700 USD and up to 3,000-4,000 USD for the latest version. The package includes a builder that generates the bot executable and the web server files (SQL templates, PHP, images) used for the command-and-control server. While Zbot is a generic back door that allows full control by an unauthorized remote user, its basic purpose is financial profit: stealing online credentials such as online banking, FTP, e-mail and other passwords. The most recent publicly available version is 18.104.22.168.
Zeus is very difficult to detect even with up-to-date antivirus software, which is the main reason its malware family has become the biggest botnet on the Internet. Security experts advise that businesses continue to train users not to click suspicious or hostile links on the web or in e-mails, while also keeping antivirus software updated.
Symantec says that its Symantec Browser Protection can prevent “some infection attempts”. It remains unclear whether modern antivirus software is effective at stopping all of its variants from taking root. According to recent research, the most widespread banking Trojan frequently evades detection by antivirus software: researchers at Trusteer found that up-to-date antivirus applications detect Zeus only 23% of the time. Trusteer sampled 10,000 computers infected by Zbot, and 55% of those Zeus-infected machines were running up-to-date AV software. The massive Zbot botnet, made up of 3.6 million computers in the United States or 1% of all computers in the country according to Damballa data, spreads Zeus, which is now the No. 1 financial Trojan, representing 44% of all financial malware infections according to Trusteer. The malware steals users’ online financial credentials and sends them to a remote server; it can also inject HTML into pages rendered by the victim’s browser to show its own content mimicking, for example, a bank’s web page.
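The HTML injection described above has a server-side symptom a bank can watch for: an injected form adds input fields (card number, PIN, secret answers) that the legitimate page never had, so the browser posts parameters the server does not expect. The following is an added example, not code from the original article or from any vendor named in it; the endpoint paths, field names, the list of sensitive keywords and the sample submissions are all constructed for illustration.

```python
"""Server-side check for man-in-the-browser form injection (added example).

A server that knows which fields each of its forms legitimately carries can
flag any submission that arrives with unexpected parameters. Extra fields
whose names hint at card or PIN data are treated as a likely web inject.
Everything below (paths, field names, keyword list, sample posts) is
constructed for the example.
"""
from urllib.parse import parse_qs

# Legitimate field set per form endpoint (constructed).
EXPECTED_FIELDS = {
    "/login": {"username", "password", "csrf_token"},
    "/transfer": {"to_account", "amount", "memo", "csrf_token"},
}

# Substrings that commonly appear in the names of injected fields
# (constructed list; an assumption for this example, not a vendor signature).
SENSITIVE_HINTS = {"pin", "card", "cvv", "ssn", "mother", "secret", "atm"}


def unexpected_fields(path, body):
    """Return the posted field names that the legitimate form does not define."""
    expected = EXPECTED_FIELDS.get(path)
    if expected is None:
        return set()  # unknown endpoint: nothing to compare against
    posted = set(parse_qs(body, keep_blank_values=True))  # dict keys = field names
    return posted - expected


def classify(path, body):
    """Return (verdict, extra_fields) where verdict is 'ok', 'suspicious' or 'likely_inject'."""
    extra = unexpected_fields(path, body)
    if not extra:
        return "ok", extra
    lowered = {f.lower() for f in extra}
    if any(hint in f for f in lowered for hint in SENSITIVE_HINTS):
        return "likely_inject", extra
    return "suspicious", extra


# Constructed sample submissions: (path, url-encoded request body).
SAMPLE_POSTS = [
    ("/login", "username=alice&password=hunter2&csrf_token=abc"),
    ("/login", "username=bob&password=pw&csrf_token=def&atm_pin=1234&card_number=4111"),
    ("/transfer", "to_account=123&amount=50&memo=rent&csrf_token=ghi&newsletter=1"),
]


def scan(posts=SAMPLE_POSTS):
    """Classify every sample submission; returns a list of (path, verdict, extra_fields)."""
    return [(path, *classify(path, body)) for path, body in posts]


if __name__ == "__main__":
    for path, verdict, extra in scan():
        print(f"{path:10} {verdict:14} {sorted(extra)}")
```

The check is cheap because the expected field sets are static per form, and it complements rather than replaces client-side antivirus: the server sees the injected fields regardless of how well the Trojan hides on the endpoint. In production the verdict would feed a fraud-scoring pipeline rather than block the login outright, since a legitimately changed form would otherwise lock customers out.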
“Zeus’ infection rate is higher than that of any other financial Trojan. We can see actual fraud linked to Zeus accounts being compromised, money transferred from accounts of customers infected with Zeus,” says Mickey Boodaei, founder and CEO of Trusteer, which sells online banking security tools. “When we investigate some of our banking customers, we find evidence of abuse on the computer, so we know this crime ring is very active and dangerous.” It is not clear why Zeus is so elusive, but Boodaei says there are several variants of the malware, which could make it more complicated to pinpoint.
“One thing we didn’t do is check the same thing for other Trojans. It could be that the infection rates are like this for all Trojans,” says Boodaei. “But we also know that Zeus is very effective at hiding in the operating system, and it’s very difficult to remove it.”
Of the Zeus-infected bots, 31% were not running any anti-virus program, while 14% were running anti-virus that was not up to date; the rest were running up-to-date anti-virus. Trusteer estimates that among all Windows users, 71% run up-to-date anti-virus, 6% run anti-virus that is out of date, and nearly 23% do not run any anti-virus program at all.
ISP Virgin Media is now using companies such as The Shadowserver Foundation to work out which of its customers might be part of botnets spreading Zeus.
If a third party identifies a suspect connection, the company then writes to the affected customer outlining how they can remove Zeus using the company’s paid-for Digital Home Support service or online tools. This hands the work of removing Zeus and other malware to the Virgin Media Security software package that comes with Virgin’s ISP package, which now uses the BitDefender antivirus engine, one of the few reliably able to detect the newest version of the malware. It is unusual for an ISP to agree to use third-party companies to find botnets, but Zeus is serious enough at the moment to break convention. In just its latest attack, UK-US company M86 Security revealed that Zeus v3 had successfully hacked the online bank accounts of 3,000 UK customers of a large high-street bank, stealing nearly $1 million. Virgin Media does not make any widespread use of internal botnet detection technology, or if it does it will not say so for fear of making users wary of covert monitoring.
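The notification workflow described above has one non-obvious step: a third-party sighting is just a source address and a timestamp, and on consumer broadband the same address moves between customers as leases expire, so the ISP must match each sighting against who held that address at that moment. The script below is an added example written for this page, not code from Virgin Media, Shadowserver or the article; the feed format, the assignment records and all addresses are constructed, and the matching logic is an assumption about how such a process would be built.

```python
"""Attribute third-party botnet sightings to ISP customers (added example).

Input 1: a constructed sinkhole feed of (UTC timestamp, source IP, family).
Input 2: constructed address-assignment records (customer, prefix, lease
start, lease end). A sighting is attributed to a customer only if the IP
falls inside the prefix AND the timestamp falls inside the lease window;
otherwise it is left unattributed rather than guessed.
"""
import ipaddress
from datetime import datetime, timezone

# Constructed sinkhole feed: timestamp (UTC), source IP, malware family.
SIGHTINGS = """\
# ts,src_ip,family
2010-08-01T10:15:00Z,203.0.113.17,zeus
2010-08-01T10:20:00Z,203.0.113.200,zeus
2010-08-01T23:00:00Z,203.0.113.17,zeus
2010-08-02T01:30:00Z,198.51.100.9,conficker
2010-08-02T02:00:00Z,192.0.2.77,zeus
"""

# Constructed assignment records: customer id, prefix, lease start, lease end (UTC).
# The first two share a prefix with consecutive lease windows, which is the
# case the timestamp check exists for.
ASSIGNMENTS = [
    ("cust-0001", "203.0.113.0/25", "2010-08-01T00:00:00Z", "2010-08-01T12:00:00Z"),
    ("cust-0002", "203.0.113.0/25", "2010-08-01T12:00:00Z", "2010-08-02T00:00:00Z"),
    ("cust-0003", "203.0.113.128/25", "2010-07-31T00:00:00Z", "2010-08-03T00:00:00Z"),
    ("cust-0004", "198.51.100.0/24", "2010-08-01T00:00:00Z", "2010-08-03T00:00:00Z"),
]


def parse_ts(text):
    """Parse an ISO-8601 UTC timestamp with a trailing Z into an aware datetime."""
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse_feed(text):
    """Parse the CSV feed, skipping comments and blank lines."""
    rows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, ip, family = line.split(",")
        rows.append((parse_ts(ts), ipaddress.ip_address(ip), family))
    return rows


def build_assignments(records):
    """Convert assignment tuples into (customer, network, start, end) with typed fields."""
    return [(cid, ipaddress.ip_network(net), parse_ts(a), parse_ts(b))
            for cid, net, a, b in records]


def attribute(sightings, assignments, family="zeus"):
    """Map each sighting of `family` to the customer holding the address at that time.

    Returns {customer_id: [iso timestamps]}; sightings that match no lease
    window are collected under the key None for manual review.
    """
    result = {}
    for ts, ip, fam in sightings:
        if fam != family:
            continue
        owner = None
        for cid, net, start, end in assignments:
            if ip in net and start <= ts < end:
                owner = cid
                break
        result.setdefault(owner, []).append(ts.isoformat())
    return result


def customers_to_notify(feed_text=SIGHTINGS, records=ASSIGNMENTS, family="zeus"):
    """Return the sorted list of customer ids that should receive a letter."""
    hits = attribute(parse_feed(feed_text), build_assignments(records), family)
    return sorted(cid for cid in hits if cid is not None)


if __name__ == "__main__":
    hits = attribute(parse_feed(SIGHTINGS), build_assignments(ASSIGNMENTS))
    for cid, stamps in hits.items():
        print(cid or "UNATTRIBUTED", stamps)
```

Two sightings of the same address on the same day end up with two different customers because the lease changed hands at noon; without the time window the second customer would never be contacted and the first would be accused of an infection that is not theirs. Unattributed sightings are kept rather than dropped so that gaps in the assignment records are visible.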
“We don’t identify the spread of botnets ourselves because that could be an invasion of privacy,” says a source at Virgin Media. “We are writing to customers we have been told may be infected by malware, encouraging them to check their machines have an up-to-date security package, and offering advice on simple and free ways to disinfect their machines,” says Jon James, executive director of broadband at Virgin Media. “For those who need more help we also have our fee-based Digital Home Support service that fixes problems using the newest cutting-edge remote control technology,” Jon James says.
BitDefender has made a speciality of Zeus detection. Other security companies are not thought to be doing such a good job, which raises the question of how customers can block Zeus in the first place. Zeus also targets a number of common vulnerabilities in widely used programs that many users either have not patched or simply do not realise need patching.
In October 2010, the FBI announced that hackers in Eastern Europe had used Zeus to infect computers around the world. The malware was spread by e-mail; when targeted individuals at municipalities and businesses opened the message, the Trojan installed itself on the victim’s PC, secretly capturing passwords, account numbers and other data used to log into online banking accounts. It is still active today. The hackers used this information to take over the victims’ bank accounts and make unauthorized transfers, often routing the funds to other accounts controlled by a network of “money mules.” Many of the US money mules were recruited from overseas. They opened bank accounts using fake documents and names. Once the money was in their accounts, the mules could either wire it back to their bosses in Eastern Europe or turn it into cash and smuggle it out of the country. They were paid a commission for this work.
Law enforcement agencies say that over 60 people have been charged with trying to siphon millions of dollars out of banks using Zeus. About 11 of the arrests were in New York City, according to the Federal Bureau of Investigation and the New York City police department. These arrests also appear to be related to a crackdown in London in which 19 people were accused of being part of a cybercrime ring that stole nearly 6 million from UK banks.
On July 14, 2010, security company Trusteer filed a report saying that the credit cards of more than 15 unnamed US banks had been compromised. On 1 October 2010, the FBI announced that it had detected a major international cybercrime network that had used Zeus to hack into US PCs and steal nearly $70m. More than 100 people were arrested on charges of conspiracy to commit bank fraud and money laundering. Of those, over 90 were in the United States, and some arrests were made in the United Kingdom and Ukraine.