World’s nastiest trojan fools AV software

September 20, 2009 at 11:55 pm Brett A. Scudder No comments

World’s nastiest trojan fools AV software

Pounces on banking passwords

By Dan Goodin in San Francisco | http://www.theregister.co.uk/2009/09/18/zeus_evades_detection/

Posted in Anti-Virus, 18th September 2009 00:37 GMT

Watch the Application Security Regcast, right here

One of the world’s nastiest password-stealing trojans evades detection by the majority PCs running anti-virus programs, according to a study that examined 10,000 machines.

Zeus, a stealthy piece of malware that sits on a PC and waits for users to log in to bank websites, is detected just 23 per cent of time by AV programs, according to the study (PDF) (http://www.trusteer.com/files/Zeus_and_Antivirus.pdf) released by security firm Trusteer. Even AV programs with up-to-date malware signatures were unable to identify the infection a majority of the time, the authors said.

Zeus, which also goes by the name Zbot and PRG, escapes detection using sophisticated techniques such as root-kit technology, the Trusteer report said. The company is able to detect it by examining the fingerprint Zeus leaves when it penetrates an infected PC’s browser process.

A recent report estimated that Zeus is the No. 1 trojan, with 3.6 million infections in the US alone, or about 1 per cent of the installed base of PCs. Trusteer’s study, which found Zeus accounted for 44 per cent of the banking malware infections, was consistent with that finding. After sneaking onto a PC, it sits quietly in the background until a user logs on to a financial website. It then sends the login credentials to a remote server in real time, sometimes by use of instant messaging (http://www.theregister.co.uk/2009/08/27/zeus_adopts_instant_messaging/) programs.

Of Zeus-infected machines, about 31 per cent don’t run AV at all and 14 percent run AV that’s out of date. The remaining 55 per cent had AV programs that were up to date. ®

Related stories

Malvertisers slapped by Microsoft lawsuits (18 September 2009)

http://www.theregister.co.uk/2009/09/18/microsoft_legalaction_malvertising/

Malware lingers months on infected PCs (15 September 2009)

http://www.theregister.co.uk/2009/09/15/malware_persistence/

Trojan zaps banking credentials via IM (27 August 2009)

http://www.theregister.co.uk/2009/08/27/zeus_adopts_instant_messaging/

Hackers pwn Macca site with banking malware (8 April 2009)

http://www.theregister.co.uk/2009/04/08/macca_malware_attack/

Crimeware giants form botnet tag team (5 September 2008)

http://www.theregister.co.uk/2008/09/05/rock_phish_and_asprox_team_up/

Crimeware grifters scamming naive phishers (7 August 2008)