Zeus Trojan moving past anti-Virus protections
by Steve Ragan - Sep 17 2009, 21:15
Trusteer issued a report this week that highlights the infection rate of the Zeus family of Malware, which targets banking related information. Interestingly enough, when Trusteer sampled 10,000 users of their Rapport browser security service infected by Zeus, the Malware bypassed up-to-date anti-Virus protections the majority of the time.
“When we set out to measure the efficiency of antivirus products in the wild against Zeus, we had no idea what kind of results we would get,” said Amit Klein, CTO of Trusteer and head of the company’s research organization.
The Zeus family of Malware is the number one botnet online, with 3.6 million PCs infected in the U.S. alone, Trusteer said. The Malware will infect a system and wait until the user accesses one of the predefined banking URLs listed in the Malware code. Once the site is accessed, the login information is sent to the criminals for later processing.
Zeus can also modify, in a user’s browser, the genuine web pages from a bank’s web servers to ask for personal information, such as payment card number and PIN, one time passwords, etc.
The raw data collected from the 10,000 users came from just one single day in September, and showed that 32-percent were not using anti-Virus protection, 6-percent were using it but it was out of date, and 71-percent were using anti-Virus with current updates applied.
When it came to Zeus infected systems, 31-percent were lacking anti-Virus protections entirely, 14-percent had some anti-Virus protection, but it was out of date, and the majority, 55-percent, were not only using anti-Virus software, but it was current.
“The findings, that up-to-date anti-virus programs were only effective at blocking Zeus infections 23 percent of the time, are disturbing. This is bad news for consumers and banks, since the vast majority of Zeus infections are going unnoticed,” Klein added.
With all the focus as of late on pro-active anti-Virus protections and constantly updated signatures, the idea that Zeus was able to get past anti-Virus protection measures is concerning. How is it that with all the recent hype over community-based, cloud-leveraging, instant-signature-offering security technology pushed by the top five security vendors, almost 69-percent failed to detect Zeus?
We don’t know the vendors who were used for anti-Virus protection, nor what the version of the software was. Trusteer didn’t offer this in their report, likely because they couldn’t collect this data.
Pro-active protections are where things are heading. Faster and smaller updates, global threat detection networks linked to the client software – either on their own or thanks to an opt-in community – are designed for just this reason.
Signatures alone will not help detect Trojans like Zeus where there are countless variants. However, the data from Trusteer shows that the developing pro-active technology, while eventually becoming an important layer of defense, has an uphill battle ahead of it, and that it has quite some way to go before it is seriously effective.
The entire Trusteer report is online here.
