Members
  • Total Members: 14176
  • Latest: toxxxa
Stats
  • Total Posts: 42872
  • Total Topics: 16081
  • Online Today: 3976
  • Online Ever: 51419
  • (01. January 2010., 10:27:49)









Author Topic: 100,000 UK Computers Infected With Zeus Malware  (Read 9287 times)

0 Members and 1 Guest are viewing this topic.

Samker

  • SCF Administrator
  • *****
  • Posts: 7528
  • KARMA: 322
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • SCforum.info - Samker's Computer Forum
100,000 UK Computers Infected With Zeus Malware
« on: 04. August 2010., 17:30:12 »


At least 100,000 computers in the U.K. are infected with the Zeus malware, an advanced piece of spying software that is regularly defeating most antivirus software suites, according security vendor Trusteer.

Researchers at Trusteer managed to analyze a server used to collect details from the hacked PCs, which likely became infected by visiting Web sites engineered to attack computers and install Zeus, said Mickey Boodaei, Trusteer's CEO.

What they found was startling. Zeus is designed to monitor computers and collect information, but the operators of this group of infected computers have taken data collection to a higher level.

For these hacked computers, Zeus was recording all traffic sent through a browser, including that transmitted using SSL (Secure Sockets Layer), a method used to encrypt sensitive data between two points. Boodaei said Zeus grabs the information before it has been encrypted or just after it has been decrypted.

"Anything the user sees from the browser or anything they type in the browser is being captured by the malware," Boodaei said.

All of the data captured by Zeus is sent to a remote a database, which the Trusteer researchers were able to access. They found that the command-and-control software for Zeus is capable of doing keyword searches in that database, Boodaei said.

Since Zeus can see any data in the browser, it means that the cybercriminals know exactly when a person last accessed their bank account and the account balance without even needing to log into the account.

The Zeus database also holds a lot of other information, such as company e-mail, log-ins for social networking sites and financial credentials, Boodaei said.

Boodaei said the Metropolitan police have been alerted about Trusteer's findings. Trusteer will share gigabytes of data it has collected with the police in addition with the banks whose customers have been compromised, he said.

Zeus has been so successful due to the high number of variants that have been modified to evade security software. At any one point, Boodaei said that most antivirus software suites only detect Zeus about 10 percent of the time.

"The reason is that Zeus is so sophisticated it keeps changing its behavior," Boodaei said.

That's also a problem for Trusteer, which makes a widely used product called Rapport: http://www.trusteer.com/product/trusteer-rapport , which many U.K. banks have distributed to their customers for free. Rapport is designed to harden browsers against malware and lock out malware trying to interfere with data exchanged between, for example, a bank and a customer.

Malware will often try to disable security software. Trusteer's Rapport will alert a bank if it is uninstalled. At that point, the bank could forbid the customer in question from performing transactions or tell them their computer is apparently infected. Trusteer is soon adding a component that will allow it to detect and remove certain types of malware from an infected computer.

(PCW)

Samker's Computer Forum - SCforum.info

100,000 UK Computers Infected With Zeus Malware
« on: 04. August 2010., 17:30:12 »

Fintech

  • SCF VIP Member
  • *****
  • Posts: 367
  • KARMA: 49
  • Gender: Male
Re: 100,000 UK Computers Infected With Zeus Malware
« Reply #1 on: 05. August 2010., 00:25:46 »
What is best way fight off this malware? ??? Any idea! :(

testuser

  • SCF Member
  • **
  • Posts: 32
  • KARMA: 4
Re: 100,000 UK Computers Infected With Zeus Malware
« Reply #2 on: 05. August 2010., 06:42:21 »
Best way to protect yourself from this type of attack is to browse the web using a VM session. I run VMware on my pc and only browse the web using a locked down M$ build in the VM. If I suspect that it is compromised I just recopy the original VM image files. I also ensure that I have a clean VM instance that I use only for Internet banking.

Unfortunately AV software won't detect 0 day malware etc..... Another alternative is to lock your PC down (e.g. use McAfee 8.7i and enable some of the maximum protection features). However it means that you need to disable "Access Protection" when you want to install new software etc which can be a real pain....but that is the price for protection.

Another handy tip...don't browse the web with IE. Use a different browser.....it does help.

Samker

  • SCF Administrator
  • *****
  • Posts: 7528
  • KARMA: 322
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • SCforum.info - Samker's Computer Forum
Zeus Malware (trojan, worm, virus, help, remove, clean, fix, delete)
« Reply #3 on: 05. August 2010., 07:47:09 »
What is best way fight off this malware? ??? Any idea! :(



My first recommendation is Good and Updated AntiVirus.


Additional tools for removing:

1. Microsoft Removal Tool: http://scforum.info/index.php/topic,4510.0.html

2. SUPERAntiSpyware: http://scforum.info/index.php/topic,116.0.html

3. Malwarebytes' Anti-Malware: http://scforum.info/index.php/topic,2201.0.html




Fintech

  • SCF VIP Member
  • *****
  • Posts: 367
  • KARMA: 49
  • Gender: Male
Re: 100,000 UK Computers Infected With Zeus Malware
« Reply #4 on: 05. August 2010., 09:37:44 »
Thanx guys,

I have Panda Internet Security 2010 and It's up to date all the time!
I've SuperAntiSpyware too and it works great together with Panda!
Yet one thing, I use Firefox.. never IE Browser that's all!
I think that I am rather very protected!  ;D

Samker's Computer Forum - SCforum.info

Re: 100,000 UK Computers Infected With Zeus Malware
« Reply #4 on: 05. August 2010., 09:37:44 »

testuser

  • SCF Member
  • **
  • Posts: 32
  • KARMA: 4
Re: 100,000 UK Computers Infected With Zeus Malware
« Reply #5 on: 05. August 2010., 23:50:39 »
Having updated AV won't save you from 0 day attacks or exploits.....especially ones that morph. Updated AV will help once the code or signature has been identified....but if it morphs again, then it can go undetected.

Having a patched / updated browser other than IE can help as most exploits are for IE vulnerabilities. Just remember that if you browse the web...even with AV and AntiSpyware (which is updated).....you are vulnerable unless you have a locked down system.

testuser

  • SCF Member
  • **
  • Posts: 32
  • KARMA: 4
Re: 100,000 UK Computers Infected With Zeus Malware
« Reply #6 on: 05. August 2010., 23:56:40 »
http://vil.nai.com/vil/content/v_143802.htm  Details from McAfee

A new variant of this threat is being used to steal login/password information from infected machines. This new variant shows the following behavior:


The malicious program has the ability to steal login/password information from several services and program, including:

    * FTP communication
    * HTTP authentication
    * HTTP cookies
    * user digital certificates
    * FTP clients configuration (FlashFXP, SmartFTP, WinSCP, Far Manager, WS_FTP, etc)
    * can capture screenshots


It drops a copy of itself in %WINDIR%\system32\sdra64.exe


It add or modify the following registry keys:

    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\UID = "MACHINE_NAME"
    * HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "%WINDIR%\system32\userinit.exe,%WINDIR%\system32\sdra64.exe,"


The program inject malicious code into the winlogon.exe and svchost.exe processes


The Windows firewall is disabled.


The following files are created, which contain encrypted version of data stolen from the user:

    * %WINDIR%\system32\lowsec\local.ds
    * %WINDIR%\system32\lowsec\user.ds
    * %WINDIR%\system32\lowsec\user.ds.lll


It creates a MUTEX named _AVIRA_2108 inside svchost.exe and _AVIRA_2109 inside winlogon.exe


It tries to download the following page:

    * hxxp://hiho[removed].com/httpd/loc.so


The malware also listen for connections on a high TCP port. The following ports have been observed in this variant:

    * TCP/21957
    * TCP/16629

testuser

  • SCF Member
  • **
  • Posts: 32
  • KARMA: 4
Re: 100,000 UK Computers Infected With Zeus Malware
« Reply #7 on: 06. August 2010., 00:00:49 »
An interesting article on password stealing: Inside the Password-Stealing Business: the Who and How of Identity Theft

http://www.mcafee.com/us/local_content/reports/6622rpt_password_stealers_0709_en.pdf

Samker

  • SCF Administrator
  • *****
  • Posts: 7528
  • KARMA: 322
  • Gender: Male
  • Whatever doesn't kill us makes us stronger.
    • SCforum.info - Samker's Computer Forum
Re: 100,000 UK Computers Infected With Zeus Malware
« Reply #8 on: 06. August 2010., 06:01:30 »
Having updated AV won't save you from 0 day attacks or exploits.....especially ones that morph. Updated AV will help once the code or signature has been identified....but if it morphs again, then it can go undetected.

Having a patched / updated browser other than IE can help as most exploits are for IE vulnerabilities. Just remember that if you browse the web...even with AV and AntiSpyware (which is updated).....you are vulnerable unless you have a locked down system.

Correct! :thumbsup: I was "forget" to notice this part.

We all need to be very carefully when browsing, open new files, click on links... for some exploit it's even enough to visit certain site...

Fireberg

  • SCF Advanced Member
  • ***
  • Posts: 176
  • KARMA: 22
Re: 100,000 UK Computers Infected With Zeus Malware
« Reply #9 on: 08. August 2010., 13:27:36 »
place your bets!!

1.000.000 is my bet!!

Tkanx for posting

Samker's Computer Forum - SCforum.info

Re: 100,000 UK Computers Infected With Zeus Malware
« Reply #9 on: 08. August 2010., 13:27:36 »

 

With Quick-Reply you can write a post when viewing a topic without loading a new page. You can still use bulletin board code and smileys as you would in a normal post.

Name: Email:
Verification:
Type the letters shown in the picture
Listen to the letters / Request another image
Type the letters shown in the picture:
Second Anti-Bot trap, type or simply copy-paste below (only the red letters):www.scforum.info:

Enter your email address to receive daily email with 'SCforum.info - Samker's Computer Forum' newest content:

Terms of Use | Privacy Policy | Advertising