ZeuS Delivers New Security Bolt

Wayne Rash

Most of the talk among security professionals lately has been about the Stuxnet worm. This was a well-crafted, probably government sponsored, attack designed to seriously inconvenience Iran's government.

Unfortunately, it spread beyond Iran, but its scope was limited and it appears that it was built to attack Siemens industrial controllers. However brilliant the design, and it was brilliant, it didn't pose a huge threat. On the other hand, its method of delivery and its ability to find ways to transmit itself even within very secure networks was remarkable. Fortunately, Microsoft has released a series of patches and security updates that are designed to fight Stuxnet.

Meanwhile, ZeuS has been getting relatively little attention. This is a worm designed to infect a computer and make it part of a botnet, and in addition run a keylogger and trying to spread itself as best it can. ZeuS hasn't made the kind of impact that it might have, first because it wasn't that successful in transmitting itself, and second because everyone was focused on other things. But it's still out there and it has started showing up in a new way.

Perhaps you've seen e-mails, most likely in your spam filter, that tell you that your tax payment has been rejected. It's pretty obvious that this is a phishing scam. What's not obvious is that this phishing scam also contains a ZeuS botnet payload. If you open it, even if it's just to see what's up or perhaps to fill it out with bogus information, you're immediatelyl infected.

According to the folks at Solera Networks, a company that runs a real-time network forensics service, the new approach is snagging some big targets. Solera Networks is able to track these infections back to their source and determine just how these malware efforts are making their way into your enterprise. In this case, Solera uses what it calls its 'Security Camera on the Network' to record events as they happen, and replay the entire infection scenario. This is how they figured out what was happening.

This is, of course, a very clever sort of social engineering. Phishing e-mails are nothing new, but few people regard them as a serious threat. Often they're opened, perhaps sent to the abuse address of the organization they claim to represent, and then erased. Some people fill in bogus data and send it back. In this case, both efforts can result in your computer being infected, and as a result your network being hijacked by this botnet.

Obviously, you need to make sure that your copies of Windows are up to date, and you need to do the same with your security software. Hopefully you've tuned your spam filter to get these e-mails before they even get to your users at work, but you still have to worry about their laptops when they leave the office, so you'll have to stay vigilant.

But you also have to let people know this is happening. Social engineering doesn't work as well if your employees know that e-mails about tax problems are certain to be malware (the IRS doesn't send tax communications by e-mail), and should be erased without opening. If they're caught by a spam filter, people shouldn't go opening them to see what's inside. The ZeuS attack works precisely because people worry about tax problems, and the creators count on a certain number of people being dumb enough to look. Hopefully they won't be on your network.

Add Comment      Leave a comment on this blog post
Oct 17, 2010 10:10 PM Gerald Anthro Gerald Anthro  says:
I don't think your right about getting infected by just, opening an email, to my knowledge thats not possible. Please educate me, how is that possible? I await your reply. Gerald Anthropologist Tactical Internet Systems analyst. Reply

Post a comment





(Maximum characters: 1200). You have 1200 characters left.




Subscribe to our Newsletters

Sign up now and get the best business technology insights direct to your inbox.