Thursday, April 29, 2010

Banking virus Zeus strikes back

A new survey conducted by Web security experts has revealed that Zeus, a virus that steals online banking details from infected computers, is back and more powerful than ever.

The Zeus family of malware is the number one botnet online, with an estimated 3.6 million PCs infected in the U.S. alone. The malware infects a system and waits until the user accesses one of the predefined banking URLs. Additionally, Zeus can inject HTML into the pages rendered by the browser, so that its own content is displayed together with (or instead of) the genuine pages from the bank’s Web server.

Once the virus is installed on an affected computer, it can record users’ bank details and passwords, credit card numbers, and other personal details such as passwords for email accounts and social networking sites. This sensitive information is then relayed in real time to a remote server to be used and later sold by cyber criminals.

Earlier this year, many parts of the systems used for the Zeus botnet were destroyed when the Kazakhstani ISP that was being used to administer it was cut off. However, it has not taken long for the malware controllers to spring up elsewhere, and the battle between anti-virus software vendors and botnet developers persists.

Zeus 1.6 has the ability to infect computers using both Firefox and Internet Explorer Web browsers. Experts say the new version of Zeus is expected to significantly increase fraud losses, especially with the growing number of users who regularly bank online. What makes this virus especially dangerous is its ability to bypass even up-to-date anti-virus protections.

A recent study conducted by Trusteer, a web security company, which sampled 10,000 users on a single day, showed that 32% were not using anti-virus protection, 6% were using an outdated version, and 71% were using anti-virus with current updates applied. What was particularly striking is that among Zeus-infected systems, 31% had no anti-virus protection and 14% were running outdated anti-virus software, but the majority, 55%, were using current anti-virus software. Essentially, this means that the majority of infections are going undetected, which is bad news for consumers, banks, and anti-virus providers, who were only effective at preventing the virus 23% of the time.

So, what can computer users and financial institutions do to reduce the risks of becoming a victim of cyber crime, whilst continuing to utilize the benefits of online banking?

The development of pro-active technology is fast becoming an important defense mechanism and may include faster and smaller updates and global threat detection networks. More technically savvy users can check the registry key on their computer that lists the software started when a user logs in. Typically, Zeus will add itself to the list as ‘ntos’, but this name may change at any time.
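One way to run the registry check described above, as an added PowerShell example that is not part of the original article: it lists login-time autostart entries and flags any that contain ‘ntos’ or that differ from the default Userinit value. The registry locations are the standard Windows autostart points and are an assumption, since the article does not name the key; `$WatchNames` and `Test-Watched` are hypothetical names introduced here.

```powershell
# Added example: list login-time autostart entries and flag ones worth a look.
# Assumption: these are the standard Windows autostart locations; the article
# does not say which registry key it means.
$WatchNames = @('ntos')   # name given in the article; it may change at any time

$RunKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
)
$Winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

# Hypothetical helper: case-insensitive substring match against the watch list.
function Test-Watched([string]$Text) {
    foreach ($n in $WatchNames) {
        if ($Text -match [regex]::Escape($n)) { return $true }
    }
    return $false
}

$findings = @()

# Run keys: every value is a program started at login.
foreach ($key in $RunKeys) {
    if (-not (Test-Path $key)) { continue }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $cmd  = [string]$item.GetValue($name)
        $flag = $(if (Test-Watched "$name $cmd") { 'WATCHED NAME' } else { '' })
        $findings += [pscustomobject]@{ Key = $key; Name = $name; Command = $cmd; Flag = $flag }
    }
}

# Winlogon\Userinit: comma-separated list; the default is userinit.exe only.
$expected = Join-Path $env:SystemRoot 'system32\userinit.exe'
$userinit = [string](Get-ItemProperty -Path $Winlogon).Userinit
foreach ($entry in $userinit.Split(',')) {
    $entry = $entry.Trim()
    if (-not $entry) { continue }
    $flag = ''
    if ($entry -ne $expected) { $flag = 'NOT DEFAULT' }   # -ne ignores case
    if (Test-Watched $entry)  { $flag = 'WATCHED NAME' }
    $findings += [pscustomobject]@{ Key = $Winlogon; Name = 'Userinit'; Command = $entry; Flag = $flag }
}

# Flagged entries first; an empty Flag only means no rule matched.
$findings | Sort-Object Flag -Descending | Format-Table -AutoSize -Wrap
```

Because the name can change, every listed entry is worth reviewing against the software known to be installed, not only the flagged ones.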

All computer users can reduce risks by installing up-to-date anti-spyware software, updating programs and being secure on the Web by disconnecting from the Internet when not in use. The virus has the capability to inject additional pages into online banking login screens. So if you are suddenly asked for a secret question, security number or other unusual items during the login process, abort the login, and call your bank or try the login from another computer. Users should also be careful when opening attachments or following links in emails and on websites, investigate new or unknown software before downloading it, and ensure that passwords are kept robust and secret.

(The full report can be downloaded from