
The PPS "Techno-Blog"


What the ZeuS!?! Information security update


Authored by Marc Silverman, Sr. Security Consultant at Pivot Point Security.

ZeuS (aka Zbot, PRG, Wsnpoem and Gorhax) is a Trojan kit designed to generate a binary that installs a suite of data theft tools on a victim's system. ZeuS is most often spread via drive-by downloads or phishing attacks. Once infected with ZeuS, the victim system:

• Performs keystroke logging for HTTPS, HTTP, FTP, and POP3 traffic.
• Takes screen shots at relevant times to capture supplemental login data.
• Modifies web page content on-the-fly to hide its illicit activity.
• Transmits collected data via Jabber IM to the attacker's servers, providing real-time credential data that circumvents one-time password access controls.
• Generates SPAM.
• Monitors a pool of Command and Control (C&C) servers on the Internet for new instructions, including software updates.

If you're concerned about ZeuS, I recommend the following:

1) Browse smart. Check what you're clicking on, make sure any links or attachments you're provided are from trusted sources, and when they arrive without warning, check with the sender that they are kosher. Keep your browser, e-mail, and anti-virus patched and up-to-date.

2) Check for signs of infection. ZeuS is normally detected post-infection, either through its communication with its C&C servers or by anti-spyware software.

• In a home or small business environment - Examine the host for signs of compromise by running anti-spyware software. I recommend scanning with both Malwarebytes Anti-Malware (http://www.malwarebytes.org/mbam.ph) and SUPERAntiSpyware (http://www.superantispyware.com/superantispyware.html?rid=3596). If both scan as clean, odds are that you're clean. If you're still concerned, you can also run GMER (http://www.gmer.net/), a rootkit detection tool, and HijackThis (http://free.antivirus.com/hijackthis/), a Windows configuration and integrity checker.

• In a corporate environment - Since checking every host may not be feasible, examine any available network logs for unexplained network connectivity. If suspect traffic is discovered, you can compare the suspect IP against the list of known infections at https://zeustracker.abuse.ch/monitor.php. If that's inconclusive, you can scan the suspect host with the above anti-spyware software.

3) Eliminate the infection. Perform the remediation recommended by Malwarebytes Anti-Malware and SUPERAntiSpyware, followed by a full-system AV scan. Once all infections have been addressed, repeat the anti-malware and AV scans until clean.
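The corporate-environment advice in step 2 (examine network logs for unexplained connectivity, then compare suspect destination IPs against a list of known ZeuS C&C addresses) can be turned into a small triage script. The following is an added example, not code from the original post or from Pivot Point Security; the log lines, internal hosts and blocklist entries are all constructed (the blocklist uses RFC 5737 documentation addresses precisely because they are not real indicators), and the feed format, `load_blocklist` and `find_suspect_hosts` are assumptions about how an organization would structure this check. In practice the blocklist would come from a feed such as the ZeuS Tracker the post refers to, and the log lines from your firewall or proxy.

```python
"""
Added example (not from the original post): triage of outbound connection logs
against a ZeuS C&C blocklist, following the corporate-environment advice in
step 2. All log lines, IPs and blocklist entries are constructed for
illustration; the feed format and function names are assumptions.
"""
import ipaddress
import re
from collections import defaultdict

# Constructed blocklist in a common feed style: one IP or CIDR per line,
# '#' comments and blank lines ignored. Addresses are RFC 5737 documentation
# ranges, chosen because they are not real C&C hosts.
BLOCKLIST_TEXT = """
# constructed example feed - not real indicators
198.51.100.23
203.0.113.0/28
"""

# Constructed firewall-style log lines: timestamp, source host, destination IP, port.
LOG_LINES = [
    "2010-03-02 09:14:05 src=10.1.2.15 dst=93.184.216.34 dport=443",
    "2010-03-02 09:14:07 src=10.1.2.15 dst=198.51.100.23 dport=80",
    "2010-03-02 09:15:11 src=10.1.2.40 dst=203.0.113.9 dport=8080",
    "2010-03-02 09:16:00 src=10.1.2.15 dst=198.51.100.23 dport=80",
    "malformed line that should be skipped, not crash the triage",
]

LOG_RE = re.compile(r"src=(?P<src>\S+)\s+dst=(?P<dst>\S+)\s+dport=(?P<port>\d+)")


def load_blocklist(text):
    """Parse a feed into IP networks, skipping comments, blanks and bad entries."""
    nets = []
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            nets.append(ipaddress.ip_network(entry, strict=False))
        except ValueError:
            # A bad feed line should not stop the whole scan; skip it.
            continue
    return nets


def parse_log_line(line):
    """Return (src, dst, port) from one log line, or None if it does not match."""
    m = LOG_RE.search(line)
    if not m:
        return None
    try:
        dst = ipaddress.ip_address(m.group("dst"))
    except ValueError:
        return None
    return m.group("src"), dst, int(m.group("port"))


def find_suspect_hosts(log_lines, blocklist_nets):
    """Map each internal host to the blocklisted destinations it contacted."""
    hits = defaultdict(set)
    for line in log_lines:
        parsed = parse_log_line(line)
        if parsed is None:
            continue
        src, dst, port = parsed
        if any(dst in net for net in blocklist_nets):
            hits[src].add((str(dst), port))
    # Sorted, plain structures so the result is easy to diff and report on.
    return {src: sorted(dests) for src, dests in sorted(hits.items())}


if __name__ == "__main__":
    nets = load_blocklist(BLOCKLIST_TEXT)
    for host, dests in find_suspect_hosts(LOG_LINES, nets).items():
        print(f"{host}: contacted blocklisted {dests}; scan host with anti-spyware tools")
```

A match here is a lead, not a verdict: the post's own guidance is to follow up an inconclusive result by scanning the suspect host with the anti-spyware tools listed above, and the same applies to a hit from an out-of-date feed.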



Banking with Live CDs (Protection from Zeus)


Authored by Mike Gargiullo, Sr. Security Consultant at Pivot Point Security.

With all the information out there on the Zeus bot and malware like it, we made a decision at home not to use Windows to access any of our online banking sites. Now to be honest, we probably had a head start in that arena, as we only run Windows on our work laptops. The home laptops and desktop all run Linux of one flavor or another. One evening not too long ago we were at my parents' house and the discussion of these bots and their method of operation came up. I'll skip the part of the conversation where we discussed how they "protect" themselves now by changing their complex passwords often, etc. The conversation wound up with the question of what to do. Do you discontinue the use of online banking and roll back the convenience clock, or do you find a safer way to do these things?

I showed my parents the Ubuntu Live USB key I have in my bag and grabbed my father's laptop. A live CD (or USB key in this case) allows you to run another operating system without altering the Windows operating system. If you like it, there are menu options that will auto-install Ubuntu on either the whole hard drive or in the free space. That, however, is for another blog article. A few seconds after turning on the laptop with my Live USB key in, we were looking at the Gnome desktop.

My mother was the first to recognize the Firefox icon on the top menu bar and within seconds she was surfing the web with Ubuntu. They decided that this was an easy way to stay safer while using their bank's web portal. You can download your own live CD from http://www.ubuntulinux.org/getubuntu/download .

One last note before I go. While you are less likely to get "infected" while using Linux, it is not impossible. It's all a numbers game: once Linux gains more popularity, the bad guys will start writing malware for Linux... Until then, happy computing.


Find further help at our blog posting on Creating an Ubuntu USB Live Drive



