Monday, September 21, 2009

Antivirus effectiveness against ZeuS

Since the release of the ZeuS code in 2007, the trojan has without doubt become not only one of the largest botnets but also one of the malware families with the highest infection rate worldwide.

On this blog we have discussed several features of this botnet which, with more than 20 versions since its relatively recent appearance, has drawn growing attention in the specialized media through a series of reports describing some of its most important aspects.

For example, RSA recently published a report on online fraud describing the incorporation of a Jabber component that instantly alerts the botmaster when a new zombie has been recruited. S21Sec recently held an online seminar on the evolution of ZeuS in which they described its most important patterns, among other technical details.

Trusteer has joined this wave with a short but interesting report, recently released, that presents a different perspective on ZeuS. Titled "Measuring the in-the-wild effectiveness of antivirus against ZeuS", it shows clearly how effective antivirus security solutions are against the malicious code that this particular botnet spreads.

Some interesting facts emerge from the report. According to it, ZeuS currently has about 3.6 million PCs under its command in the U.S. alone and accounts globally for 44% of the zombies that are part of botnets, which makes it clear that it is now the largest zombie network.

The explanation that would give these figures a solid foundation may lie in the popularity of ZeuS in the clandestine market of the Russian underground, thanks to its low cost (and that of crimeware in general), and in the release of its first versions on various forums from which they can be obtained for free.

In fact, of the two generations of ZeuS (versions 1 and 2), a high percentage of the botnets in-the-wild belong to the first generation, with a wide range of versions from 1.0.x.x to 1.1.x.x.

Currently, the public version of ZeuS is 1.2.5, although there are private versions with some modifications (improvements for botmasters) that are not yet available in the underground but are nevertheless in-the-wild, as is the case with version 1.2.7.

But the most important part of this report, as I mentioned above, focuses on the effectiveness of antivirus, expressed as the detection rate for the trojan.

While the data reported by Trusteer are very interesting, there are a number of issues to consider. One of them, which should be clarified, is that ZeuS has an internal application that generates the binary to be propagated from the configuration file, which holds the information used for phishing and other fraudulent attacks. It also allows other attacks to be run through exploits targeting vulnerabilities in applications such as Flash and PDF readers, via .swf and .pdf files.

Moreover, the sample analysed was 10,000 zombies which, although it does not reflect the real number of systems infected with ZeuS, does provide sufficiently precise information about the security risk the malware represents.

Most concerning, according to the report, the infection data collected are grouped by three factors that directly involve the antivirus programs, revealing the following levels of effectiveness:
  • Computers without antivirus: 31% infected
  • Computers with outdated antivirus: 14% infected
  • Computers with updated antivirus: 55% infected
This means that the effectiveness of antivirus programs is low because the detection rate for ZeuS is low. It must be borne in mind that ZeuS has been a complex malicious code from the beginning, incorporating a cryptographic module.

Every distribution of a binary for a new variant again widens the antivirus vendors' response time, adding new victims and growing the family. It is more complex still if we consider that the binary can be (and is) subjected to anti-analysis processes that are offered in bulk online.

Related information
Special!! ZeuS Botnet for Dummies
Fusion. A concept adopted by today's crimeware
Botnet. Securing the new version of ZeuS
ZeuS Carding World Template. (...) the face of the botnet
Financial institutions in the sights of the Zeus botnet II
Financial institutions in the sights of the Zeus botnet I
LuckySploit, the right hand of Zeus
ZeuS Botnet. Massive propagation of its trojan II
ZeuS Botnet. Massive propagation of its trojan I

Other packages to control botnets
Phoenix Exploit’s Kit
Hybrid Botnet Control System
Botnet Open Source
Liberty Exploit System
TRiAD HTTP Control System
Eleonora Exploit Pack
Unique Sploits Pack
YES Exploit System

Botnet Activities
Waledac/Storm. Past and present of a latent threat
Symbiosis of today's malware. Koobface
Understanding Fast-Flux networks
Danmec Bot, Fast-Flux networks and recruitment of zombie PCs

Jorge Mieres
