One in Five Infected Computers Had a ZeuS Variant

MSRT cleans ZeuS from 274,873 PCs
One week after ZBot detection was added to Microsoft's Malicious Software Removal Tool (MSRT), the company reports that the threat was found on one in five infected computers.

ZeuS is a crimeware kit sold on the underground market. Its modular architecture makes it very flexible and many third-party plug-ins extending its capabilities can be bought separately.

The kit is used to generate customized versions of an information stealing trojan called ZBot (ZeuS Bot) and the associated command and control (C&C) Web application.

There are multiple variants of ZBot in the wild at any given time, generated with different versions of the toolkit, with or without additional plug-ins and possible customized packing.

This wide variety of samples makes it very hard for antivirus vendors to keep up with the threat. According to the ZeuS Tracker project, the average signature-based detection rate for ZBot binaries is somewhere around 40 percent.

Of course, full-fledged antivirus programs are multi-layered and if the threat escapes signature-based detection it can be caught by behavioral sensors, for example.

However, since MSRT is a signature-only tool, Microsoft had to make significant changes to it in order to detect and remove ZeuS reliably.

"This is a complex threat with techniques employed to make removal by AV challenging and which necessitated advances in the technology we use," said Jeff Williams, director of Microsoft's Malware Protection Center (MMPC).

During the past week, the new MSRT version removed 281,491 ZBot infections from 274,873 unique computers, suggesting that a relatively low number of systems were affected by multiple variants.

During the same period, Microsoft's tool cleaned malware from a total number of 1,344,669 computers, which means that one in five compromised machines was infected with ZBot.

ZeuS is commonly used by fraudsters to steal sensitive financial information from victims, such as online banking credentials or credit card details.

Last month, authorities dismantled an international network of criminals who used the trojan to steal over $70 million from US companies and organizations. However, this was just one of the many ZeuS gangs out there.

By    19 Oct 2010, 08:35 GMT