Zeus = Zbot virus

[Telegraph_Sam]

This topic was last referred to in a forum on 19th Sept but (from what I can see) not since.  From that report it looked "serious".  This evening it was highlighted on UK BBC Radio 4 national news**, which implies that it is even more "serious".  The fact that Avast doesn't seem to have issued any comments on it, as far as I can tell, does this mean that we are unprotected?  Is there a reputable dedicated "fix" that is not malware itself?  Apparently it can get through normal anti-virus software.

If there was a worried smiley I would use it!

** The two suspected perpetrators have been arrested in Manchester - but not the virus itself ..

[polonus]

Hi malware fighters,

"Zeus originates from Russia", according to Roel Schouwenberg, Senior AV researcher with the Russian av vendor Kaspersky Lab, re: http://www.kaspersky.nl/  
Well quite some time ago the original malcreants that developed the bot  made it public they would discontinue the malware, this made for Zeus to go "opensource". It is rather unlikely that the arrest of the Zeus trojan susspects in the U.K. will make a serious difference for the number of Zbot variants we are about to see."

The best protection is to update your OS and third party software (use Secunia PSI), use normal user rights for your normal online activities, and a webbrowser like Firefox with the NoScript and RequestPolicy add-ons installed. Of course have a resident av solution and a two way firewall installed.

There has been activity in the past to seek to close down the Zeus Command and Control servers:
 http://www.abuse.ch/?p=1192

The overall zombie total for various botnets worldwide could be well over 400 million machines.
There is even a zeus tracker: hXtps://zeustracker.abuse.ch/

As security company Trusteer found, a stealthy piece of malware waiting for PC users to log in to bank websites, Zeus, can be detected in only 23% of cases by AV programs. So, even AV programs with up-to-date malware signatures are mainly unable to detect the infection.

Moreover, Zeus avoids identification using sophisticated techniques such as root-kit technology, going with Zbot and PRG names. Trusteer is able to detect it by examining the fingerprint Zeus leaves when it penetrates an infected PC's browser process. Use ThreatExpert Memory Scanner for traces Zeus cannot hide.

Thus, a recent report estimated Zeus to be No. 1 trojan, with 3.6 million infections in the US alone, or about 1% cent of the installed base of PCs. Trusteer also found Zeus is guilty in 44% of the banking malware infections. After sneaking onto a PC, Zeus sits quietly in the background until a user logs on to a financial website.

About 31% of Zeus-infected machines don't run AV at all and 14% run AV that's out of date, while the rest of 55% had up to date AV programs.

polonus

[Telegraph_Sam]

Thanks for your informed comments which I am sure will be appreciated by forum visitors generally.

I couldn't find ThreatExpert Memory Scanner on the Trusteer web site [trusteer.com] but I have downloaded (but not yet installed) the Trusteer Rapport program.  The video demos on the website will not function on my PC which is disappointing.  Hopefully this will be the most effective step I can take in current circumstances.  If I use MS IE 8 not Firefox are there any particular measures to take (apart from just upping the security settings)?

I have a router for additional protection and the Filseclab firewall which my local PC shop recommended plus Avast 4 which usually updates automatically.  Up to now I have relied on Malwarebites to remove any particularly difficult viruses.

[polonus]

Hi you Telegraph_Sam,

The download link: http://www.threatexpert.com/memoryscanner.aspx
Agree to the EULA and download...

pol

[Yanto.Chiang]

Hi Polonus,

It quite interesting me to know deeply about this attacks method :
1. How to define that client has been infected by Zbot?
2. How is Zbot infected the victims? Is it like social engineering attacks through email or IM which warning the victims to do something like others legitimate products did?

[Yanto.Chiang]

Hi Polonus,

Then if we found malicious at our memory like me :

Full Scan Summary:

    * Scan details:
          o Scan started: Thursday, November 19, 2009 11:45:29
          o Scan time: 14 minutes, 28 seconds
          o Number of memory objects scanned: 14038
                + processes: 76
                + modules: 4348
                + heap pages: 9614
          o Number of suspicious memory objects detected: 0
          o Number of malicious memory objects detected: 2
          o Overall Risk Level: High

    * Summary of the detected threat characteristics:

Severity Level   What's been found
   

A network-aware worm that uses known exploit(s) in order to replicate across vulnerable networks.
       View detected locations

    * Process "svchost.exe", heap page: [0x04240000 - 0x04280000]
    * Process "svchost.exe", heap page: [0x042c0000 - 0x04300000]

   

MS04-011: LSASS Overflow exploit - replication across TCP 445 (common for Sasser, Bobax, Kibuv, Korgo, Gaobot, Spybot, Randex, other IRC Bots).
       View detected locations

    * Process "svchost.exe", heap page: [0x04240000 - 0x04280000]
    * Process "svchost.exe", heap page: [0x042c0000 - 0x04300000]

    * Summary of the detected memory objects:

Severity Level   Memory Object
   

Process "svchost.exe", heap page: [0x04240000 - 0x04280000]
       View detected characteristics

    * A network-aware worm that uses known exploit(s) in order to replicate across vulnerable networks.
    * MS04-011: LSASS Overflow exploit - replication across TCP 445 (common for Sasser, Bobax, Kibuv, Korgo, Gaobot, Spybot, Randex, other IRC Bots).

   

Process "svchost.exe", heap page: [0x042c0000 - 0x04300000]
       View detected characteristics

    * A network-aware worm that uses known exploit(s) in order to replicate across vulnerable networks.
    * MS04-011: LSASS Overflow exploit - replication across TCP 445 (common for Sasser, Bobax, Kibuv, Korgo, Gaobot, Spybot, Randex, other IRC Bots).

Is there any tool you could suggested to me to clean this out?

[Telegraph_Sam]

Hi you Telegraph_Sam,

The download link: http://www.threatexpert.com/memoryscanner.aspx
Agree to the EULA and download...

pol

Hi Polonus
If you look at www.trusteer.com you see that they claim that their services are used by a number of well known financial institutions, including Coventry Building Society.  I spoke to CBS this morning - they don't know of Trusteer.  Makes you wonder ..

[Telegraph_Sam]

Hi you Telegraph_Sam,

The download link: http://www.threatexpert.com/memoryscanner.aspx
Agree to the EULA and download...

pol

Hi Polonus
I was discussing Trusteer on one of the other forms - it appears to be a highly controversial program!  The contrary view is that Prevx.com is a better solution but I have not (yet) downloaded it.  [The other view is that if you have good security on your PC then there is no need for anything else ...]

I quote: "trusteer can be easily disabled by malware so i simply dont recommend this as a valid security product:

http://broadcast.oreilly.com/2008/12/snake-oil-legitimate-vendors-s.html"

When you have read this blog you - or rather I - don't know what to believe!

[YoKenny]

@Telegraph_Sam

Prevx is good at detecting malware but you have to purchase it for US $34.95 for 1 year subscription to have it remove anything.

The combination of Malwarebytes' Anti-Malware (MBAM) and WinPatrol is very good.

[Charles_Nelson]

Hi you Telegraph_Sam,

The download link: http://www.threatexpert.com/memoryscanner.aspx
Agree to the EULA and download...

pol

Hi Polonus
I was discussing Trusteer on one of the other forms - it appears to be a highly controversial program!  The contrary view is that Prevx.com is a better solution but I have not (yet) downloaded it.  [The other view is that if you have good security on your PC then there is no need for anything else ...]

I quote: "trusteer can be easily disabled by malware so i simply dont recommend this as a valid security product:

http://broadcast.oreilly.com/2008/12/snake-oil-legitimate-vendors-s.html"

When you have read this blog you - or rather I - don't know what to believe!

Hi,

Telegraph_Sam - I have to say that you are very negative about Trusteer / Rapport. You seem to have gone to great lengths to paint them in a bad light including recommending and quoting from a very strange "broadcast.oreilly.com" blog post which actually seems to be written by a competing company??? This leads me to think that you also work for another company... maybe the Prevx that you mentioned/recommended before... I don't know Trusteer or Prevx but a quick check on their websites and you can see that Trusteer has many big name banks as clients and I couldn't find any at all on the Prevx site. Secondly, a quick google or twitter search of Prevx brings up some really interesting results.. apprently they have some serious egg on their face recently and very publicly thought that malware is a microsoft bug and had to get microsoft to tell them (also very publically) that this is acutually malware!!! - Not a company I would trust with my pc security with. Besides you also have to pay quite a bit it seems ("you have to purchase it for US $34.95 for 1 year subscription to have it remove anything") to get it to work properly.
If you do work for one of these companies (i.e. Prevx) then I think its a bit underhand and not very professional making these kind of comments in an environment where people are actually trying to get solid, reliable information, and not a ranting vendetta...

Charles Nelson.

[polonus]

Hi Yanto.Chiang,

Here we also brief on what to look for in a PC that may reveal a Zeus infection:
The ZEUS trojan will commonly use names like NTOS.EXE, LD08.EXE, LD12.EXE, PP06.EXE, PP08.EXE, LDnn.EXE and PPnn.EXE etc, so search your PCs for files with names like this. The ZEUS Trojan will typically be between 40KBytes and 150Kbytes in size.
Also look for a folder with the name WSNPOEM, this is also a common sign of infection for the ZEUS Trojan.
Finally, check the Registry lloking for RUN keys referencing any of these names.
https://zeustracker.abuse.ch/  (This link will trigger a security certificate warning due to the fact that the google maps API currently does not support SSL (https). Allow / accept the security certificate exception to visit) reveals the known locations of various versions of Zeus on a Windows system as follows:
Variant 1
C:\WINDOWS\system32\ntos.exe
C:\WINDOWS\system32\wsnpoem\audio.dll
C:\WINDOWS\system32\wsnpoem\video.dll
Variant 2
C:\WINDOWS\system32\oembios.exe
C:\WINDOWS\system32\sysproc64\sysproc86.sys
C:\WINDOWS\system32\sysproc64\sysproc32.sys
Variant 3
C:\WINDOWS\system32\twext.exe
C:\WINDOWS\system32\twain_32\local.ds
C:\WINDOWS\system32\twain_32\user.ds
Variant 4
C:\WINDOWS\system32\sdra64.exe
C:\WINDOWS\system32\lowsec\local.ds
C:\WINDOWS\system32\lowsec\user.ds

Also consider manual removal instructions from Spybot S&D forums:
http://forums.spybot.info/showthread.php?t=47049

With just 23% detection rate for an up to date av solutions against this trojan in the wild,
will the common user ever feel confident enough to make secure online transactions?

polonus

[Telegraph_Sam]

 properly.
If you do work for one of these companies (i.e. Prevx) then I think its a bit underhand and not very professional making these kind of comments in an environment where people are actually trying to get solid, reliable information, and not a ranting vendetta...

Charles Nelson.
[/quote]

Hi Charles Nelson

If you (re-) read the correspondence you should see that I raised the topic from a position of ignorance - I had never heard of Prevx beforehand and their name only arose in the course of correspondence on this and another forum.  My intention was (and is) to air and swap experiences from those who had used these or indeed any other form of defence against Zeus, and if both negative and positive reports are the result, so much the better.  You and I can make our decisions.

I have no allegiance to either.  My suspicions were aroused when (as you can read above) I cross checked with one of the references quoted on the Trusteer web site - Coventry Building Society - and CBS was unable to confirm any knowledge of the program.  How do we know if Trusteer (or Prevx) is not malware masquerading as a fix - other than by quoting other people's experience?

I have downloaded both programs (including the Prevx freebie) but have still not installed either.  In the interim I got an email from Avast saying that their latest update covered Zeus.

You can call this a randing vendetta if you wish though I think more moderate language would be appropriate.  The words quoted are not mine anyway.  I invite you to make some positive contribution if you can quote "solid, reliable information" from your own experience.

[Charles_Nelson]

Hi Telegraph Sam

I looked at the Coventry Building Society website and the rapport software is on the homepage (bottom right) - http://www.coventrybuildingsociety.co.uk/

Telegraph_Sam "How do we know if Trusteer (or Prevx) is not malware masquerading as a fix"...

I am guessing that if a high street institution like the Coventry Building Society have it on their home page then it must be reputable and credible.... I would also think that if other high street banks use it (I can see Royal Bank of Scotland and ING Direct from a quick glance at their website) then for me that gives it good credentials. These are major high street banks that trust it and provide it to protect their customers banking sessions.

This whole post has got me interested  so I have downloaded the software and will give it a whirl... I will report back here at some point about it..

Charles

[drbob01]

I apparently still have the Zeus virus on my computer, in spite of updated Avast program.  I also have malwarebytes and Secunia psi.  Do I need to search for these *exe files and then delete them when I find them?  Is this a manual removal process? Thanks

[CharleyO]

***

What makes you think you have Zeus on your computer?

What indications does your computer have?


***