Despite crackdown, Zeus bank-robbery malware still 'alive and kicking'

Summary: Microsoft's malicious software removal tool is disinfecting the Zeus malware (also called Zbot) from between 60,000 and over 100,000 unique Windows computers every month.

Despite a widespread industry effort to disrupt and shut down the Zeus malware gang, Microsoft's malicious software removal tool is still finding tens of thousands of machines infected with the notorious banker trojan every month.

According to Microsoft, the tool is disinfecting the Zeus malware (also called Zbot) from between 60,000 and over 100,000 unique Windows computers every month. The disinfection utility is updated and released once a month on Patch Tuesday to clean the most prevalent malware threats from Windows machines.

Here's the breakdown of MSRT Zeus disinfections for the last few months:

Month    Count
March    103391
April    113814
May       60385
June      83555
July      61323
August    89994

"Yes, it's still around and kicking," says Microsoft's Matt McCormack.

"We're still seeing both distinct malware families out and about in the wild. Between the two, we're finding that they're responsible for a significant amount of the e-commerce-related fraud happening at any given time," McCormack added.

In August, Microsoft quietly added a new Zeus definition signature to the cleaning utility, which then found and cleaned about 90,000 Windows machines infected with Zeus.

According to abuse.ch's Zeus tracker, about 220 command and control servers are online at any given time. The site monitors about 700 servers hosting the botnet in total.

Talkback

13 comments
  • RE: Despite crackdown, Zeus bank-robbery malware still 'alive and kicking'

    Hence the reason for secure boot.
    Return_of_the_jedi
    • RE: Despite crackdown, Zeus bank-robbery malware still 'alive and kicking'

      @Return_of_the_jedi wrote:
      "Hence the reason for secure boot."

      Wrong again, Billy. This article concerns Zbot, here:

      http://www.symantec.com/security_response/writeup.jsp?docid=2010-011016-3514-99&tabid=2

      Zbot doesn't modify the MBR. You're thinking of the Alureon malware family, here:

      http://www.symantec.com/security_response/writeup.jsp?docid=2008-091809-0911-99&tabid=2
      Rabid Howler Monkey
      • RE: Despite crackdown, Zeus bank-robbery malware still 'alive and kicking'

        @Rabid Howler Monkey

        I think you got the point.

        PS. In your links, all I saw were Windows screenshots.
        Did I miss something?
        Return_of_the_jedi
      • RE: Despite crackdown, Zeus bank-robbery malware still 'alive and kicking'

        @Rabid Howler Monkey

        In that case, hence the reason for including AV in the OS package.
        Michael Kelly
      • RE: Despite crackdown, Zeus bank-robbery malware still 'alive and kicking'

        @Michael Kelly Zeus variants are well-known for bypassing AV scanners, even if the signatures are kept up-to-date. And the Symantec link posted above indicates that Zeus targets limited and standard user accounts as well as Admin accounts. Thus, least privilege alone won't cut the mustard.

        I personally hope Microsoft is considering adding AppLocker capabilities to all editions of Windows 8, because application whitelisting provides a superior defense against Zeus compared to AV scanners. Windows XP Pro and Vista Business/Ultimate users can configure Software Restriction Policy whitelisting via gpedit.msc. Windows Vista/7 Home users can implement application whitelisting using the built-in Parental Controls. Significantly, Parental Controls does not provide dll protection, and trusted executables (e.g., rundll32.exe and svchost.exe) can run malicious payloads packaged in dll files. Windows XP Home users must download, install and configure 3rd party application whitelisting software (of which there is a lot).

        The combination of least privilege and application whitelisting provides a solid defense against most Windows malware. Write where you cannot execute (C:\Users\username) and execute where you cannot write (C:\Windows and C:\Program Files).
        Rabid Howler Monkey
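The whitelisting principle in the comment above (execute only from directories standard users cannot write to, default-deny everywhere else, with the dll gap the commenter notes for Parental Controls) can be modelled as a small SRP-style path-rule evaluator. This is an added example, not code from the article or from any commenter; the policy entries, file paths and the `enforce_dlls` switch are constructed for illustration.

```python
from dataclasses import dataclass
from pathlib import PureWindowsPath

DISALLOWED, UNRESTRICTED = "Disallowed", "Unrestricted"


@dataclass(frozen=True)
class PathRule:
    path: str   # directory the rule covers (and everything beneath it)
    level: str  # DISALLOWED or UNRESTRICTED


# Constructed policy following the comment's principle: default-deny,
# and allow execution only from locations standard users cannot write to.
POLICY = [
    PathRule(r"C:\Windows", UNRESTRICTED),
    PathRule(r"C:\Program Files", UNRESTRICTED),
    # user-writable subtree of a trusted location, so deny it again
    PathRule(r"C:\Windows\Temp", DISALLOWED),
]
DEFAULT_LEVEL = DISALLOWED


def _norm(p):
    # Windows paths are case-insensitive; compare everything in one case
    return str(PureWindowsPath(p)).lower()


def _under(child, parent):
    c, p = _norm(child), _norm(parent).rstrip("\\")
    return c == p or c.startswith(p + "\\")


def decide(file_path, policy=POLICY, default=DEFAULT_LEVEL):
    """SRP semantics: the most specific (longest) matching path rule wins."""
    matches = [r for r in policy if _under(file_path, r.path)]
    if not matches:
        return default
    return max(matches, key=lambda r: len(_norm(r.path))).level


def allowed_to_run(host_exe, loaded_dll=None, enforce_dlls=False, **kw):
    """True if the launch is permitted. A dll loaded by a trusted host such
    as rundll32.exe is only checked when dll enforcement is on, which is the
    gap the comment describes for Parental Controls."""
    if decide(host_exe, **kw) == DISALLOWED:
        return False
    if loaded_dll is not None and enforce_dlls:
        return decide(loaded_dll, **kw) != DISALLOWED
    return True
```

With dll enforcement off, a payload dropped under the user profile still runs through a whitelisted host; turning it on closes that path, which is why SRP's dll checking (or AppLocker's DLL rules) matters more than the executable rules alone.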
  • I have a few things to say about this

    http://www.zdnet.com/tb/1-103479-2044727?tag=talkback-river;1_103479_2044727
    "the user is launching an application, entering their administrative login and password, then installing the backdoor software.

    The operating system could be the most secure in the world, but it can't protect against gullible or naive users."

    http://www.zdnet.com/tb/1-103479-2044718?tag=talkback-river;1_103479_2044718
    "The file would be flagged as executable upon first launch (of course this, like UAC, relies on the user taking notice). But it'll run - it's just a program. This is a problem for ANY system where the user clicks on icons to open files/applications. The problem is the icon can look deceptive, and that (with extension shenanigans) can trick the user.

    This isn't really very OS specific, the problem is endemic with ALL "WIMP" style GUIs."

    I think that about covers it.
    toddybottom
    • RE: Despite crackdown, Zeus bank-robbery malware still 'alive and kicking'

      @toddybottom wrote:
      "This isn't really very OS specific"

      This is true because the default user account in Windows Vista/7, Mac OS X and most popular desktop Linux distros provides a prompt allowing the user to enter their credentials and/or escalate privileges. (The default account in XP has Admin privileges.) Microsoft needs to, upon first boot by the user, have him/her create a standard user account where the UAC prompt for entering credentials and escalating privileges is disabled (note that this doesn't mean that UAC itself is disabled) and drop the user into this account. If a power Windows user wishes to receive a UAC prompt for credentials while in a standard user account, this should be easy for the user to enable.

      The default user account in Windows should be used to Administer the system, power users excepted. All other activities (e.g., opening documents, browsing the web, email, IM, media streaming) should be done in a standard user account where there is no possibility for the user to escalate privileges. This is how most Windows sysadmins configure systems for their end users in the enterprise.

      Of course, nothing will prevent a determined end user (read consumer) from logging in to the default account to install tainted software.
      Rabid Howler Monkey
  • RE: Despite crackdown, Zeus bank-robbery malware still 'alive and kicking'

    I wonder what the ratio of infections is when comparing Windows Vista/7 to Windows XP.
    The one and only, Cylon Centurion
    • RE: Despite crackdown, Zeus bank-robbery malware still 'alive and kicking'

      @Cylon Centurion
      Given that it was concealed, it has most probably infected more W7/Vista than XP.
      Martmarty
  • Of course it's still kicking

    You can clean people's machines all you want, but you can't stop them from doing the same thing that got them in trouble in the first place.
    William Farrell
    • RE: Despite crackdown, Zeus bank-robbery malware still 'alive and kicking'

      @William Farrell LOL, exactly what I had in mind :D
      MrElectrifyer
    • RE: Despite crackdown, Zeus bank-robbery malware still 'alive and kicking'

      @William Farrell
      +1

      :|
      Tim Cook