Zero Day

Ryan Naraine, Emil Protalinski and Dancho Danchev

Despite crackdown, Zeus bank-robbery malware still 'alive and kicking'

By | September 23, 2011, 11:07am PDT

Summary: Microsoft’s malicious software removal tool is disinfecting the Zeus malware (also called Zbot) from between 60,000 and over 100,000 unique Windows computers every month.

Despite a widespread industry effort to disrupt and shut down the Zeus malware gang, Microsoft’s malicious software removal tool is still finding tens of thousands of machines infected with the notorious banker trojan every month.

According to Microsoft, the tool is disinfecting the Zeus malware (also called Zbot) from between 60,000 and over 100,000 unique Windows computers every month.  The disinfection utility is updated and released once a month on Patch Tuesday to clean Windows machines from the most prevalent malware threats.

Here’s the breakdown of MSRT Zeus disinfections for the last few months:

Month Count
March 103391
April 113814
May 60385
June 83555
July 61323
August 89994

“Yes, it’s still around and kicking,” says Microsoft’s Matt McCormack.

“We’re still seeing both distinct malware families out and about in the wild. Between the two, we’re finding that they’re responsible for a significant amount of the e-commerce-related fraud happening at any given time,” McCormack added.

In August, Microsoft quietly added a new detection signature for Zeus to the cleaning utility, which then found and cleaned about 90,000 Windows machines infected with Zeus.

According to abuse.ch's Zeus tracker, there are about 220 command and control servers online at any given time. The site monitors about 700 servers in total that host the botnet's infrastructure.

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues.

Disclosure

Ryan Naraine

The most important disclosure is of my employment with Kaspersky Lab as a member of the global research and analysis team. Kaspersky Lab is a global company specializing in anti-malware and secure content management technologies. I do not own stocks or other investments in any technology company.

Biography

Ryan Naraine

Ryan Naraine is a journalist and social media enthusiast specializing in Internet and computer security issues. He is currently security evangelist at Kaspersky Lab, an anti-malware company with operations around the globe. He is taking a leadership role in developing the company's online community initiative around secure content management technologies.

Prior to joining Kaspersky Lab, Ryan was Editor-at-Large/Security at eWEEK, leading the magazine's and Web site's coverage of Internet and computer security issues and managing the popular SecurityWatch blog, covering the daily threats, vulnerabilities and IT security technologies. He also covered IT security, hacker attacks and secure content management topics for Jupiter Media's internetnetnews.com.

Ryan can be reached at naraine SHIFT 2 gmail.com. For daily updates on Ryan's activities, follow him on Twitter.

RE: Despite crackdown, Zeus bank-robbery malware still 'alive and kicking'
Mister Spock 25th Sep
@William Farrell
+1

Hence the reason for secure boot.
@Return_of_the_jedi wrote:
"Hence the reason for secure boot."

Wrong again, Billy. This article concerns Zbot, here:

http://www.symantec.com/security_response/writeup.jsp?docid=2010-011016-3514-99&tabid=2

Zbot doesn't modify the MBR. You're thinking of the Alureon malware family, here:

http://www.symantec.com/security_response/writeup.jsp?docid=2008-091809-0911-99&tabid=2
@Rabid Howler Monkey

I think you got the point.

PS. In your links, all I saw were Windows screenshots.
Did i miss something?
@Rabid Howler Monkey

In that case, hence the reason for including AV in the OS package.
@Michael Kelly Zeus variants are well-known for bypassing AV scanners, even if the signatures are kept up-to-date. And the Symantec link posted above indicates that Zeus targets limited and standard user accounts as well as Admin accounts. Thus, least privilege alone won't cut the mustard.

I personally hope Microsoft is considering adding AppLocker capabilities to all editions of Windows 8, because application whitelisting provides superior defense against Zeus compared with AV scanners. Windows XP Pro and Vista Business/Ultimate users can configure Software Restriction Policy whitelisting via gpedit.msc. Windows Vista/7 Home users can implement application whitelisting using built-in Parental Controls. Significantly, Parental Controls does not provide dll protection, and trusted executables (e.g., rundll32.exe and svchost.exe) can run malicious payloads packaged in dll files. Windows XP Home users must download, install and configure 3rd party application whitelisting software (of which there is a lot).

The combination of least privilege and application whitelisting provides solid defense against most Windows malware. Write where you cannot execute (C:\Users\username) and execute where you cannot write (C:\Windows and C:\Program Files).
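The comment above describes a defensive posture in two halves: a standard user account (least privilege) and a default-deny application whitelist (SRP via gpedit.msc or AppLocker) so that the user can write only where nothing executes and execute only where nothing can be written. The script below is an added example, not code from the article or from any commenter, that audits a Windows Vista/7 machine against exactly that split. It assumes the SRP policy lives under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers with a DefaultLevel DWORD (0 = Disallowed, 0x20000 = Basic User, 0x40000 = Unrestricted), that the AppLocker module's Get-AppLockerPolicy cmdlet is present on editions that ship AppLocker, and that it is run from the standard user's own non-elevated PowerShell session; an elevated session would report C:\Windows as writable and defeat the check.

```powershell
# Added example (not from the article or its comments): audit the
# "write where you cannot execute / execute where you cannot write" split.
# Run as the standard, non-elevated user whose posture is being checked.
# Registry path, DefaultLevel meanings and cmdlet names are assumptions
# drawn from SRP/AppLocker documentation, not taken from the page.

# Directories the comment says should be execute-only for the user...
$ExecOnlyDirs  = @($env:SystemRoot, $env:ProgramFiles)
# ...and the one that should be writable but never a launch location.
$WriteOnlyDirs = @($env:USERPROFILE)

function Test-UserCanWrite {
    param([string]$Path)
    # Probe by creating and deleting an empty file instead of parsing ACLs,
    # so inherited and deny entries are evaluated exactly as Windows does.
    $probe = Join-Path $Path ([System.IO.Path]::GetRandomFileName())
    try {
        [System.IO.File]::WriteAllText($probe, '')
        Remove-Item -LiteralPath $probe -Force
        return $true
    } catch {
        return $false
    }
}

function Get-WhitelistPolicyState {
    # Software Restriction Policy default level as set via gpedit.msc (assumed values).
    $levels = @{ 0 = 'Disallowed'; 131072 = 'BasicUser'; 262144 = 'Unrestricted' }
    $state  = @{ SrpDefaultLevel = 'NotConfigured'; AppLockerEnforced = $false }

    $srpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'
    if (Test-Path $srpKey) {
        $lvl = (Get-ItemProperty -Path $srpKey -Name DefaultLevel -ErrorAction SilentlyContinue).DefaultLevel
        if ($null -ne $lvl) { $state.SrpDefaultLevel = $levels[[int]$lvl] }
    }

    # AppLocker (Windows 7 Enterprise/Ultimate): any rule collection in enforce mode counts.
    if (Get-Command Get-AppLockerPolicy -ErrorAction SilentlyContinue) {
        [xml]$policy = Get-AppLockerPolicy -Effective -Xml
        $enforced = @($policy.AppLockerPolicy.RuleCollection |
                      Where-Object { $_.EnforcementMode -eq 'Enabled' })
        $state.AppLockerEnforced = ($enforced.Count -gt 0)
    }
    return $state
}

# --- Report -------------------------------------------------------------
foreach ($dir in $ExecOnlyDirs) {
    $verdict = if (Test-UserCanWrite -Path $dir) { 'WRITABLE (should be execute-only)' } else { 'OK: not writable' }
    Write-Output ("{0,-30} {1}" -f $dir, $verdict)
}
foreach ($dir in $WriteOnlyDirs) {
    $verdict = if (Test-UserCanWrite -Path $dir) { 'writable (expected); needs a deny rule below' } else { 'not writable?' }
    Write-Output ("{0,-30} {1}" -f $dir, $verdict)
}

$state = Get-WhitelistPolicyState
Write-Output ("SRP default level : {0}" -f $state.SrpDefaultLevel)
Write-Output ("AppLocker enforced: {0}" -f $state.AppLockerEnforced)
if ($state.SrpDefaultLevel -ne 'Disallowed' -and -not $state.AppLockerEnforced) {
    Write-Output 'No default-deny whitelist is in force: a file dropped under the user profile will run.'
}
```

The probe writes an empty file and removes it rather than reading the ACL, because a standard user's effective rights depend on group membership, inherited entries and explicit deny entries that are easy to misread by hand. The policy half only reports what is configured; it does not tell you whether the user-profile paths are actually covered by a deny rule, which is the part of the comment's advice that still has to be verified by reading the SRP or AppLocker rule set.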
I have a few things to say about this
toddybottom Updated - 23rd Sep
http://www.zdnet.com/tb/1-103479-2044727?tag=talkback-river;1_103479_2044727
"the user is launching an application, entering their administrative login and password, then installing the backdoor software.

The operating system could be the most secure in the world, but it can't protect against gullible or naive users."

http://www.zdnet.com/tb/1-103479-2044718?tag=talkback-river;1_103479_2044718
"The file would be flagged as executable upon first launch (of course this, like UAC, relies on the user taking notice). But it'll run - it's just a program. This is a problem for ANY system where the user clicks on icons to open files/applications. The problem is the icon can look deceptive, and that (with extension shenanigans) can trick the user.

This isn't really very OS specific, the problem is endemic with ALL "WIMP" style GUIs."

I think that about covers it.
@toddybottom wrote:
"This isn't really very OS specific"

This is true because the default user account in Windows Vista/7, Mac OS X and most popular desktop Linux distros provides a prompt allowing the user to enter their credentials and/or escalate privileges. (The default account in XP has Admin privileges.) Microsoft needs to, upon first boot by the user, have him/her create a standard user account where the UAC prompt for entering credentials and escalating privileges is disabled (note that this doesn't mean that UAC itself is disabled) and drop the user into this account. If a power Windows user wishes to receive a UAC prompt for credentials while in a standard user account, this should be easy for the user to enable.

The default user account in Windows should be used to Administer the system, power users excepted. All other activities (e.g., opening documents, browsing the web, email, IM, media streaming) should be done in a standard user account where there is no possibility for the user to escalate privileges. This is how most Windows sysadmins configure systems for their end users in the enterprise.

Of course, nothing will prevent a determined end user (read consumer) from logging in to the default account to install tainted software.
I wonder what the ratio of infections are when comparing Windows Vista/7 to Windows XP.
@Cylon Centurion
Given that it was concealed, it has most probably infected more W7/Vista than XP.
Of course it's still kicking
William Farrell 23rd Sep
You can clean people's machines all you want, but you can't stop them from doing the same thing that got them in trouble in the first place.
@William Farrell LOL, exactly what I had in mind grin