Protect your customers from Zeus Trojan

Simon Woodhead

14th August 2012

If you’re not aware, the Zeus Trojan is very bad news. Unlike many trojans which seek indirect financial gain or mischief, this one is a bit more direct about it and can cost an unlimited amount of money.

Zeus is sold on the black-market for around $3,000 but has a whole eco-system of modules (think AppStore for crooks) for specific targets, e.g. UK banks, French banks etc. A module to remote control PCs is a further $10,000 for example.

Once infected, the computer is ‘owned’. Zeus may lie dormant for a while; the computer may become part of a botnet, or be remotely controlled or monitored by VNC. But the scariest part is that Zeus can add fields to web pages and otherwise manipulate the browser contents. Typically, a user may be asked ‘additional security questions’ when using on-line banking, with the details captured by the perpetrator, or they may find (often too late) that the payee’s account details have changed.

Imagine doing your weekly payroll run or a batch of supplier payments only to find that the payments didn’t go where intended. Instead they’d have gone to somebody else in your country – most likely a mule who had responded to an advert to make thousands from home. The mule will be quickly caught, but they’re dispensable. By the time they are caught, funds will already have been passed on to the perpetrator. As a business customer who has modified account details through your own login and authorised the payments to them, your options for recourse are limited. Paying the wages twice is not a prospect many businesses would relish in the current climate.

We’ve talked about ‘the’ Zeus Trojan here but the reality is there isn’t one. It would be more correct to talk about ‘a’ Trojan built using the Zeus Toolkit. This is partly what makes it so hard to detect, and in fact it has been successfully evading virus scanners and malware sweepers for over 5 years.

So why are we mentioning it now? In five years the cybercrime processes exploiting Zeus have evolved, and being ‘owned’ by it is far more serious than just an inconvenience. It is also evolving technically: in addition to targeting Windows PCs, new variants exploit BlackBerry and Android devices, again specifically targeting on-line banking. But there is a solution.

We have mentioned ThreatSTOP repeatedly for blocking outside threats coming into your network. Actually, the standard use-case is to neutralise Zeus and other malware in an office environment. We have seen it successfully neutralise Zeus, protecting the host business from significant loss.

So how does it work? Whilst Zeus is clever and uses peer-to-peer technology, nobody has yet developed malware which is 100% peer-to-peer. It all needs to make a call-home to somewhere to report infection, take instructions, or simply make itself available for remote control. The hosts that are contacted don’t change much, and each Trojan will have a play-list of different ways to call home: maybe an HTTP request, maybe HTTPS if that is blocked, possibly IRC if that doesn’t work either. Malware labs identify these by repeatedly infecting thousands of lab machines and observing how and where each sample tries to call home. The result is a list of the IP addresses involved, which is continually changing as the threat evolves, albeit relatively slowly.

ThreatSTOP is a block list loaded on your firewall which gets updated every two hours. It takes data from multiple sources including Government agencies, security specialists and community sources. In the VoIP space Simwood is a source of data with our Honeypot and Darknet, both of which have demonstrably saved users from compromise. Of note here though, it also includes feeds from malware laboratories who are continually analysing Zeus and friends. Data is cross-referenced and analysed, and white-lists are applied to remove false-positives. The result is a sanitised list of addresses that are safe to block on your firewall, although you can further select whether to apply each list or not and even apply additional lists such as geographic areas.
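The two paragraphs above describe the mechanism in prose: malware must call home, the destinations are collected into a block list, and a white-list is applied on top to remove false positives. The script below is an added illustration of that matching logic and is not ThreatSTOP’s code or Simwood’s; it checks a few constructed outbound firewall records against a constructed block list (in the RFC 5737 documentation ranges, not real indicators) and reports what a firewall loaded with that list would have dropped, broadly the kind of answer the PCAP review offered later in this post gives. The log format, entry values and function names are all assumptions made for the example.

```python
"""Audit outbound connection records against a block list with a white-list.

Constructed example: block list, white-list and log records are made up
(documentation address ranges) and are not real indicators of compromise.
"""
import ipaddress
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Constructed block-list entries: single hosts and one CIDR range, as a
# firewall block list would carry them. A real feed is refreshed on a
# schedule; here it is a static list for illustration.
BLOCK_LIST = ["198.51.100.7", "203.0.113.0/24", "192.0.2.44"]
# Constructed white-list: a known-good host that sits inside a blocked range
# and would otherwise be a false positive.
WHITE_LIST = ["203.0.113.10"]

# Constructed firewall records (hypothetical key=value format):
# timestamp, source, destination, destination port, protocol.
SAMPLE_LOG = """
2012-08-14T10:02:11 src=10.0.0.5 dst=198.51.100.7 dport=80 proto=tcp
2012-08-14T10:02:14 src=10.0.0.5 dst=203.0.113.10 dport=443 proto=tcp
2012-08-14T10:02:30 src=10.0.0.5 dst=203.0.113.99 dport=6667 proto=tcp
2012-08-14T10:03:01 src=10.0.0.9 dst=192.0.2.1 dport=443 proto=tcp
2012-08-14T10:03:40 src=10.0.0.9 dst=192.0.2.44 dport=443 proto=tcp
"""


@dataclass
class Verdict:
    dst: str
    dport: int
    blocked: bool
    reason: str


def compile_entries(entries: Iterable[str]) -> List[ipaddress.IPv4Network]:
    """Turn host and CIDR strings into network objects; bare hosts become /32."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def most_specific_match(ip, nets) -> Optional[ipaddress.IPv4Network]:
    """Return the longest-prefix network containing ip, or None if no match."""
    hits = [n for n in nets if ip in n]
    return max(hits, key=lambda n: n.prefixlen) if hits else None


def parse_line(line: str) -> Dict[str, str]:
    """Parse one 'timestamp key=value ...' record into a dict of its fields."""
    return dict(tok.split("=", 1) for tok in line.split()[1:])


def audit(lines: Iterable[str], block_entries, white_entries) -> List[Verdict]:
    """Classify each record: white-list wins, then block list, else allowed."""
    block = compile_entries(block_entries)
    white = compile_entries(white_entries)
    verdicts: List[Verdict] = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = parse_line(line)
        ip = ipaddress.ip_address(fields["dst"])
        port = int(fields["dport"])
        w = most_specific_match(ip, white)
        b = most_specific_match(ip, block)
        if w is not None:
            verdicts.append(Verdict(fields["dst"], port, False, f"whitelisted by {w}"))
        elif b is not None:
            verdicts.append(Verdict(fields["dst"], port, True, f"matches block entry {b}"))
        else:
            verdicts.append(Verdict(fields["dst"], port, False, "no match"))
    return verdicts


def blocked_by_port(verdicts: Iterable[Verdict]) -> Dict[int, int]:
    """Count blocked connections per destination port, which exposes the
    call-home 'play-list' (HTTP, HTTPS, IRC fallbacks) the post describes."""
    counts: Dict[int, int] = {}
    for v in verdicts:
        if v.blocked:
            counts[v.dport] = counts.get(v.dport, 0) + 1
    return counts


if __name__ == "__main__":
    results = audit(SAMPLE_LOG.splitlines(), BLOCK_LIST, WHITE_LIST)
    for v in results:
        print(f"{'BLOCK' if v.blocked else 'allow'} {v.dst}:{v.dport}  ({v.reason})")
    print("blocked per port:", blocked_by_port(results))
```

The white-list is consulted before the block list, so the single known-good host inside the blocked /24 is allowed while the rest of the range is still dropped; that ordering is what turns a raw feed into the “sanitised list” the post refers to. Feeding it real firewall logs would need only a different `parse_line`.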

Put simply, if you block malware making its call home, you neutralise it. If you block known sources of infection, you might not have got it in the first place! Naturally, there is no substitute for common sense and on-line hygiene and no solution can offer 100% protection but ThreatSTOP is presently about the most potent solution available and would be of substantial value to your customers.

If you or your customers would like to try ThreatSTOP free for 30 days, please let us know. Alternatively, you may wish to send us a PCAP of traffic for an hour or so and we can advise what would have been blocked had ThreatSTOP been installed. We’re so confident you’ll be alarmed at what is on your network that if nothing is detected, you can have the service free for a year!!
