It seems that recently the Zeus Trojan has been getting plenty of press coverage and has been causing more than its usual share of trouble.
Zeus is a banking Trojan spread mainly via drive-by downloads and phishing campaigns. Its most recent activity has reportedly involved stealing around £700,000 from UK bank accounts and infecting more than 100,000 computers via a botnet that was detected and named 'Zeus version 2'.
Trend Micro advanced threats researcher Robert McArdle has also written about a Zeus variant that targets US military personnel. The target receives an email informing them of an 'update required for your Bank of America military bank account'. Clicking the link takes the recipient to a page, hosted in Russia, that is almost identical to the bank's real login page.
They are then taken to a page hosting an 'Update Tool' which, the page claims, 'must be installed onto his/her system to ensure that his/her account is not locked'. Downloading that tool delivers the Zeus variant.
It really is as simple as that, and as McArdle said: “Unfortunately, most people who fall for this scam will not even be given the opportunity to manually download the executable file, as this attack first runs a whole suite of browser exploits on the target systems first. This leaves manually downloading the file as a last-resort attack vector.”
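The chain McArdle describes (a lookalike link, a login page hosted somewhere the bank is not, an 'Update Tool' executable) leaves indicators in the email itself before any exploit runs. What follows is an added example, not code from this article or from Trend Micro: a small Python checker that extracts the anchors from a constructed phishing email and flags a link whose visible text names one domain while its href points at another, a brand name buried in a subdomain of an unrelated registrable domain, a direct executable download, and a plain-http link. The email body, the hostnames under the reserved `.example` TLD and the one-entry allowlist are all assumptions constructed for the example; hosting country is deliberately not checked, since that needs an external geolocation source.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Domains the bank actually uses. Assumption for this example; a real
# deployment would load the institution's published list.
LEGITIMATE_DOMAINS = {"bankofamerica.com"}
EXECUTABLE_SUFFIXES = (".exe", ".scr", ".msi", ".pif")


def registrable(host):
    """Crude 'last two labels' domain extraction. Good enough for the demo;
    a real checker would use the public suffix list (think .co.uk)."""
    parts = host.lower().rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else host.lower()


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def looks_like_url(text):
    return bool(text) and " " not in text and "." in text


def assess_link(href, text):
    """Return the list of indicator names that apply to one anchor."""
    reasons = []
    url = urlparse(href)
    host = url.hostname or ""
    if registrable(host) not in LEGITIMATE_DOMAINS:
        reasons.append("host-not-bank")
    # Brand name used as a subdomain of somebody else's registrable domain,
    # e.g. bankofamerica.com.account-verify.example. Plain substring match,
    # so a host such as notbankofamerica.com would also trigger it.
    if any(d in host and registrable(host) != d for d in LEGITIMATE_DOMAINS):
        reasons.append("brand-in-subdomain")
    # Visible text that looks like a URL but names a different domain than the href.
    if looks_like_url(text):
        shown = urlparse(text if "://" in text else "https://" + text)
        if shown.hostname and registrable(shown.hostname) != registrable(host):
            reasons.append("text-href-mismatch")
    if url.path.lower().endswith(EXECUTABLE_SUFFIXES):
        reasons.append("executable-download")
    if url.scheme == "http":
        reasons.append("no-tls")
    return reasons


def assess_email(html):
    """Map every href in the email to its list of indicators (empty list = clean)."""
    return {href: assess_link(href, text) for href, text in extract_links(html)}


# Constructed sample email modelled on the lure described above; not a real message.
SAMPLE_EMAIL = """
<p>An update is required for your Bank of America military bank account.</p>
<p>Please sign in at
<a href="http://bankofamerica.com.account-verify.example/login">https://www.bankofamerica.com/military</a></p>
<p>Then run the
<a href="http://bankofamerica.com.account-verify.example/UpdateTool.exe">Update Tool</a>
so your account is not locked.</p>
<p>Questions? Visit <a href="https://www.bankofamerica.com/help">our help centre</a>.</p>
"""

if __name__ == "__main__":
    for href, reasons in assess_email(SAMPLE_EMAIL).items():
        print(href, "->", reasons or "clean")
```

The two lure links each collect four indicators while the genuine help link collects none; in practice a mail gateway would weight these (an executable download from a non-bank host is far stronger than a missing TLS scheme) rather than treating them as a flat list.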
Every day SC Magazine talks about malware variants and what sort of technology is best placed to protect against them. However, Zeus has now reportedly been a threat for more than three years and seems to be making more of an impact than ever.
I caught up with Iain Chidgey, managing director of EMEA at ArcSight, who claimed that the theft of almost £700,000 happened because some banks have not been able to spot fraudulent account activity quickly enough.
Asked if banking fraud is likely to continue to grow at this pace, Chidgey said: “I read a report recently that said fraud is going down and 14 per cent of people are victims of online banking fraud, but it is all malware in the environment.
“The real issue for me is the ‘wait until factor'. We know that malware hits websites, but none of the banks are linked to it and I do not know of a bank that has been hit. Banks do not believe that it is happening and will wait to change it when they are hit by a virus. We need to get something like the notification law in the US, which highlighted the TJX breach.
“There are two aspects to it, we need more education but the reality is that we need to have a responsibility to customers to know what viruses there are and what malware is. You've got two aspects – to make sure that you are looking for it and that they know about it, and then the aspect of protecting the consumer side. We can identify the Zeus virus but if a bank is looking at notifying, they can notify them with information so that they can put two and two together.”
I asked whether, in his view, banks are doing enough to drive awareness and protect users. He said: “I think that they are doing enough, a bank will look at it as a risk assessment. The £675,000 was across several bank accounts and they want the cost of it to protect their systems.
“I don't know if they should do more, if there was a directive to notify it may highlight the issue of whether they are doing everything they can to protect against it happening. It is an interesting proposition for banks to give them a market lead.”
Looking specifically at the discovery made by M86 Security, Laura Mather, founder and VP of product marketing at Silver Tail Systems, claimed that the attack shows banks need to look at both authentication information and the behaviour of user sessions to detect these types of attacks.
She said: “These types of attacks are occurring more and more frequently now. It is critical for banks and other online organisations to understand the behaviour of their web sessions to detect these sophisticated types of threats.”
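Mather's distinction between authentication information and session behaviour is the crux: a Zeus-style man-in-the-browser operates inside the victim's own authenticated session, from the victim's own IP address, so credentials and network data look perfectly valid and only the pace and shape of the session give it away. The block below is an added example, not code from this article or from Silver Tail Systems; it runs a few behavioural rules over a constructed access log (three sessions for one user: a normal one, a normal one from a different network, and an automated one from the same IP as the first) and flags the session whose transfer is completed faster than a human could navigate. The log format, the URL paths and the thresholds are assumptions for the example; production systems would derive thresholds from each user's own history rather than fixed constants.

```python
from collections import defaultdict
from datetime import datetime
from statistics import median

# Fixed thresholds for the demo; a real system would build per-user baselines.
MIN_LOGIN_TO_TRANSFER_S = 60      # humans read a page or two before moving money
MIN_NEW_PAYEE_TO_TRANSFER_S = 30  # adding a payee then paying them within seconds is a cash-out pattern
MIN_MEDIAN_GAP_S = 2.0            # sub-2s median time between page loads is scripted navigation

# Constructed sample access records (not real bank logs).
# Fields: timestamp, session id, user id, client IP, request path.
SAMPLE_LOG = """\
2010-08-10T09:00:01 s1 alice 203.0.113.5 /login
2010-08-10T09:00:04 s1 alice 203.0.113.5 /accounts/overview
2010-08-10T09:00:31 s1 alice 203.0.113.5 /accounts/1234/statement
2010-08-10T09:02:10 s1 alice 203.0.113.5 /payees
2010-08-10T09:03:45 s1 alice 203.0.113.5 /payees/add
2010-08-10T09:05:02 s1 alice 203.0.113.5 /transfer
2010-08-10T09:06:30 s1 alice 203.0.113.5 /transfer/confirm
2010-08-10T13:17:00 s2 alice 198.51.100.77 /login
2010-08-10T13:17:05 s2 alice 198.51.100.77 /accounts/overview
2010-08-10T13:18:20 s2 alice 198.51.100.77 /accounts/1234/statement
2010-08-10T13:20:40 s2 alice 198.51.100.77 /transfer
2010-08-10T13:21:55 s2 alice 198.51.100.77 /transfer/confirm
2010-08-10T18:40:00 s3 alice 203.0.113.5 /login
2010-08-10T18:40:01 s3 alice 203.0.113.5 /payees/add
2010-08-10T18:40:02 s3 alice 203.0.113.5 /transfer
2010-08-10T18:40:03 s3 alice 203.0.113.5 /transfer/confirm
"""


def parse_log(text):
    """Group records by session id, preserving request order."""
    sessions = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, sid, user, ip, path = line.split()
        sessions[sid].append((datetime.fromisoformat(ts), user, ip, path))
    return sessions


def session_indicators(events):
    """Return the behavioural indicators raised by one session's request sequence."""
    reasons = []
    times = [e[0] for e in events]
    paths = [e[3] for e in events]
    if "/transfer/confirm" in paths:
        confirm = paths.index("/transfer/confirm")
        # Elapsed time from the login request to the confirmed transfer.
        if (times[confirm] - times[0]).total_seconds() < MIN_LOGIN_TO_TRANSFER_S:
            reasons.append("transfer-too-fast")
        # A person lands on the overview page; injected automation goes straight to the form.
        if "/accounts/overview" not in paths[:confirm]:
            reasons.append("skipped-overview")
        # New payee (typically a mule account) followed almost immediately by a transfer.
        if "/payees/add" in paths[:confirm]:
            added = paths.index("/payees/add")
            if (times[confirm] - times[added]).total_seconds() < MIN_NEW_PAYEE_TO_TRANSFER_S:
                reasons.append("new-payee-immediate-transfer")
    # Typical gap between consecutive requests; needs a few requests to be meaningful.
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) >= 3 and median(gaps) < MIN_MEDIAN_GAP_S:
        reasons.append("machine-pace")
    return reasons


def flag_sessions(text):
    """Map each suspicious session id to its indicators; clean sessions are omitted."""
    flagged = {}
    for sid, events in parse_log(text).items():
        reasons = session_indicators(events)
        if reasons:
            flagged[sid] = reasons
    return flagged


if __name__ == "__main__":
    for sid, reasons in flag_sessions(SAMPLE_LOG).items():
        print(sid, "->", reasons)
```

Note what is and is not flagged: session s2 comes from a different IP than the user's earlier session but navigates at human pace and is left alone, while s3 shares s1's IP and valid credentials yet is flagged on every rule, which is exactly the case that checking authentication data alone would miss.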
So how should people be educated about the threat posed, and, more importantly, are users even aware of how the malware gets onto a desktop and what it does once there?
Eric Olson, vice president of solutions assurance at Cyveillance, said: “You can spot Zeus as an example as evidence that people do not know about Zeus, the industry has spent two years trying to work out what it is, they can explain it but nothing works.
“In my personal experience it is hitting people and what is most interesting is not the inner workings of a banking Trojan, it is how it gets on a machine. There is some social engineering of users, it is manipulating users and giving someone permission to do something on your computer. You can put 16 locks on your door but it is no good if someone cons you out of the 16 keys.”
I asked Chidgey what the best option is for users to prevent infection and protect themselves. He said: “When I get my bank statement I generally look at the bottom line and if that is about right I leave it, if you see a transaction you don't recognise then it could be a payment processor for a legitimate purchase.
“You cannot force people and they only get a statement once a month so there is a window of opportunity for an account to be hit without the person knowing about it, where do you draw the line?”
The debate here is whether we treat Zeus as a threat distinct from the others out there, or generalise our malware warnings in order to best protect users and ensure that they protect themselves. Again, the simple measures of deploying anti-virus and keeping patches applied are appropriate, but if those are being done correctly, why does this threat persist?