ZeuS (aka Zbot, PRG, Wsnpoem and Gorhax) is a Trojan kit designed to generate a binary that installs a suite of data theft tools on a victim’s system. ZeuS is most often spread via drive-by downloads or phishing attacks. Once infected with ZeuS, the victim system:
• Performs keystroke logging for HTTPS, HTTP, FTP, and POP3 traffic.
• Takes screen shots at relevant times to capture supplemental login data.
• Modifies web page content on-the-fly to hide its illicit activity.
• Transmits collected data via Jabber IM to the attacker’s servers, providing real-time credential data, circumventing one-time password access controls.
• Generates SPAM.
• Monitors a pool of Command and Control (C&C) servers on the Internet for new instructions, including software updates.
If you’re concerned about ZeuS, I recommend the following:
1) Browse smart. Check what you’re clicking on, make sure any links or attachments you’re provided are from trusted sources, and when they arrive without warning, check with the sender that they are kosher. Keep your browser, e-mail, and anti-virus patched and up-to-date.
2) Check for signs of infection. ZeuS is normally detected post infection either by communication with its C&C servers or by anti-spyware software.
• In a home or small business environment – Examine the host for signs of compromise by running anti-spyware software. I recommend scanning with both Malwarebytes Anti-Malware (http://www.malwarebytes.org/mbam.ph) and SUPERAntiSpyware (http://www.superantispyware.com/superantispyware.html?rid=3596). If both scan as clean, odds are that you’re clean. If you’re still concerned, you can also run GMER (http://www.gmer.net/), a rootkit detection tool, and HijackThis (http://free.antivirus.com/hijackthis/), a windows configuration and integrity checker.
• In a corporate environment – Since checking every host may not be feasible, examine any available network logs for any unexplained network connectivity. If suspect traffic is discovered, you can compare the suspect IP against the list of known infections at https://zeustracker.abuse.ch/monitor.php. If that’s inconclusive, you can scan the suspect host with the above anti-spyware software.
3) Eliminate the infection. Perform the remediation recommended by Malwarebytes Anti-Malware and SUPERAntiSpyware, followed up by a full-system AV scan. Once all infections have been addressed, repeat the antimalware and AV scans until clean.
JUN
A Best-Practices Guide to Information Security Attestation
Risky Business Blog
Techno Blog
In The News
RSS Feed
About the Author:
Marc Silverman, CISSP - Senior Security Consultant