I suppose with the Olympics dominating the sports pages this week, it is a logical parallel that the Zeus Trojan is headlining security news. The Wall Street Journal reported on the Zeus Trojan, aka the Kneber botnet, infecting thousands of companies and computers. And a story not gathering quite so many headlines is the recent Zeus attack on .gov and .mil addresses.
The Zeus Trojan isn't new. As Mary Landesman wrote in her ScanSafe Stat Blog:
The Zeus botnet has been active on the Web for over a year. In our 1Q08 Global Threat Report, ScanSafe reported on the surge of Zeus-related activity via the Web and specifically its joining forces with the LuckySploit framework.
Zeus malware is known for browser traffic sniffing, intercepting POST data and keystrokes associated with the active browser session, as well as clipboard data passed to the browser. Zeus malware also typically disables firewalls and other security software on infected systems, as well as blocking access to security vendor websites and services. For example, Zeus can prevent antivirus signatures from being updated. Zeus trojans also employ rootkits to remain hidden on infected systems.
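The quoted passage above notes that Zeus blocks access to security vendor websites and update services. One common place such blocking shows up on an infected host is the local hosts file, where vendor hostnames get pinned to a loopback or attacker-chosen address. The following audit script is an added example, not code from this blog or from ScanSafe; the watch-listed domains, the sample hosts file and the "constructed-demo" entries are placeholders I constructed for illustration. It parses hosts-file syntax (comments, multiple names per line) and reports any watch-listed hostname that has been pinned to an address, which a clean workstation should never have.

```python
import sys
from pathlib import Path

# Constructed watch list: hostnames the organisation depends on for
# signature updates and vendor support. Placeholder domains, not real vendors.
WATCHLIST = {
    "update.antivirus-vendor.example",
    "signatures.antivirus-vendor.example",
    "www.security-vendor.example",
}


def parse_hosts(text):
    """Yield (line_number, ip, hostname) for every mapping in a hosts file.

    Handles '#' comments, blank lines and several hostnames on one line.
    """
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        parts = line.split()
        ip, names = parts[0], parts[1:]
        for name in names:
            yield n, ip, name.lower()


def audit_hosts(text, watchlist=WATCHLIST):
    """Return (line_number, ip, hostname) for every watch-listed name found.

    A legitimate hosts file almost never mentions a vendor's update servers,
    so any pinning of these names (to 127.0.0.1, 0.0.0.0 or anything else)
    is worth investigating: it silently breaks updates or diverts them.
    """
    findings = []
    for n, ip, name in parse_hosts(text):
        if name in watchlist or any(name.endswith("." + w) for w in watchlist):
            findings.append((n, ip, name))
    return findings


# Constructed sample hosts file containing two hijacking entries.
SAMPLE_HOSTS = """\
# Standard entries
127.0.0.1       localhost
::1             localhost ip6-localhost
192.168.10.5    intranet.corp.example   # internal wiki

# Entries nobody at the company added
127.0.0.1 update.antivirus-vendor.example signatures.antivirus-vendor.example
0.0.0.0   www.security-vendor.example
"""


def system_hosts_path():
    """Location of the live hosts file on Windows and Unix-like systems."""
    if sys.platform.startswith("win"):
        return Path(r"C:\Windows\System32\drivers\etc\hosts")
    return Path("/etc/hosts")


if __name__ == "__main__":
    for n, ip, name in audit_hosts(SAMPLE_HOSTS):
        print(f"sample line {n}: {name} -> {ip}")
    live = system_hosts_path()
    if live.exists():
        hits = audit_hosts(live.read_text(errors="replace"))
        print(f"{live}: {len(hits)} watch-listed entries")
```

Run it as-is to see the three findings from the constructed sample; on a real machine it also scans the live hosts file, which is read-only for this check. The watch list should be tailored to the update and console hostnames your own tooling actually uses, and an unexpected hit should be treated as a reason to pull the host for investigation rather than simply deleting the line.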
Atif Mushtaq explained that the Zeus Trojan is part of a new breed of attacks, a Man in the Browser. In his blog at FireEye Malware Intelligence Lab, he wrote:
Man in the Browser a.k.a. MITB is a new breed of attacks whose primary objective is to spy on browser sessions (mostly banking) and in that process intercept and modify the web page contents transparently in the background. In a classic MITB attack, it's very likely that what the user is seeing on his/her browser window is not something the actual server sent. Similarly, what the server sees on the other end might not be what the user was intending to send.
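The quoted description makes the key point for defenders: the server only ever sees what the browser sent, and the browser is the thing that has been compromised, so no client-side check can be trusted. One mitigation banks use is to confirm each transfer over an independent channel, repeating the details the server actually received together with a code bound to those details. The simulation below is an added example, not code from FireEye or from this post, and the out-of-band confirmation scheme is my own illustration rather than something the page describes; the bank name, key, beneficiary values and the list standing in for an SMS or token channel are all constructed.

```python
import hashlib
import hmac
import secrets


def confirmation_code(key: bytes, tx_id: str, beneficiary: str, amount: str) -> str:
    """Six-digit code derived from exactly these transaction details.

    Because the code is an HMAC over the beneficiary and amount the server
    holds, a code issued for one set of details cannot confirm another.
    """
    msg = "|".join((tx_id, beneficiary, amount)).encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return f"{int.from_bytes(digest[:4], 'big') % 1_000_000:06d}"


class TransferService:
    """Server side of a payment. Everything arriving here is whatever the
    (possibly hooked) browser sent, not necessarily what the customer typed."""

    def __init__(self, key: bytes):
        self.key = key
        self.pending = {}
        # Constructed stand-in for an independent channel (SMS, hardware token).
        self.out_of_band = []

    def request_transfer(self, beneficiary: str, amount: str, tx_id: str = None) -> str:
        tx_id = tx_id or secrets.token_hex(8)
        self.pending[tx_id] = (beneficiary, amount)
        code = confirmation_code(self.key, tx_id, beneficiary, amount)
        # The message repeats the details the server received, so a customer
        # whose POST was rewritten in the browser sees the mismatch here.
        self.out_of_band.append(
            f"Confirm transfer of {amount} to {beneficiary} with code {code}")
        return tx_id

    def confirm(self, tx_id: str, submitted_code: str) -> bool:
        """Accept only a code bound to the details this server holds."""
        beneficiary, amount = self.pending[tx_id]
        expected = confirmation_code(self.key, tx_id, beneficiary, amount)
        return hmac.compare_digest(expected, submitted_code)


def customer_sees_intended_details(tamper: bool) -> bool:
    """Simulate one transfer. With tamper=True an in-browser hook rewrites
    the POST in flight (constructed values); the customer then compares the
    out-of-band message with what they meant to send."""
    intended = ("ACME Ltd", "100.00")
    sent = ("MULE-4711", "4950.00") if tamper else intended
    bank = TransferService(key=b"constructed-demo-key")
    bank.request_transfer(*sent, tx_id="tx-demo")
    message = bank.out_of_band[-1]
    return f"transfer of {intended[1]} to {intended[0]}" in message


if __name__ == "__main__":
    print("clean session, details match:", customer_sees_intended_details(False))
    print("MITB session, details match:", customer_sees_intended_details(True))
```

The design choice worth noting is that the confirmation text and code travel over a channel the browser cannot rewrite, and the code is useless for any transaction other than the one the server actually has. Displaying the same confirmation inside the web page would add nothing, since the quoted passage already explains that what the user sees in the browser may not be what the server sent.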
The banking industry appears to be the main target of many of these new attacks. The Zeus Trojan bypasses the Security Pass level of security and essentially tricks customers into believing an honest transaction took place, when it was actually a breach. And again, it shows how difficult -- yet how important -- it is to stay one step ahead of the bad guys.