Zeus
They don't have F-Secure (due to ineffective parental controls), but my question is, would F-Secure, and most big brand AV products, detect and remove the Zeus family of malware?
They have scanned their main machine with KIS and Malwarebytes, which both came up with nothing, except for a couple of PUPs from MBAM, but I've read that this virus is notoriously stealthy and difficult to detect and remove.
Comments
-
F-Secure and many others can do that (if I normal understand your words... it's not really most trouble).
And also can not do that.
Related with "sample" and "other background" It's can be different now.
Also, detect/remove is not always totally helpful. What about "clean/treat" - I'm not sure... that I know any protection software which can be "greatest" at the current time.
That MBAM cannot detect it is not a surprise and is logical. MBAM ignored a lot of malware, viruses and trojans.
About other protection-software - it's, of course, strange - but they also time to time ignored most "dangerous" samples.. which already all other detected.
But current... words.... can be with a lot of "background"-settings, which will be more important for any "words" around.
"Little added" - does it mean that systems still need help?! If yes - here can be a lot of steps to checking system.
And also about "background"-settings... I not just mean "indeed background for current situations", but also... with another points around - when "detection" can be already just like "generic" (and it's close to "often");
And like "common addition about main theme" - one of the reasons for any multi-layer protections and pro-active technologies... and with cloud-reputation-based (which is still not really "best");
-
Sorry, I'm not sure that I understand a lot of that.
What I'm saying is, as the infection hasn't been detected by MBAM and another 'big brand' AV product, is it safe to assume that the machine is NOT infected, or can Zeus hide itself from detection from most security products?
Unfortunately, I'm not able to get to the machine myself, and the friends whose machine it is have little understanding. I even had to instruct them how to scan the machine in the first place.
-
MBAM and current "big brand" AV are close to a situation when any malware can "be hidden" from them.
when it's close to "high-skilled" malware or based on current-theme... it's more close to "can be".
Here just one point can be "close" to safe and not infected... current "information" comes from IPS. They can detect that situation from time to time by "generic" descriptions, when it's not really like that.
But if it comes - the system can have troubles - which already can be missing... after PUPs removed (other).
Current "trouble" - some kind of "big". It's can be various of "samples"/"examples" - and already current information will be related... how many companies.. can be "tricked" by that.
-
The machine has now been scanned with:
Kaspersky Internet Security
MalwareBytes Anti Malware
Hitman Pro
Kaspersky TDSSKiller
Nothing has been detected except for a few tracking cookies, and an Incredimail toolbar, all of which have been removed.
I'm finding it hard to believe that the machine can still be infected after all this, but they do have another laptop still to scan, plus about 4 tablets (2 Android and 2 iPads). I think it's unlikely that the infection is on any of the tablets, but apparently there is a version of Zeus which can attack Android devices.
Oh, and sorry to be posting this here, as I know it's not strictly an F-Secure issue, but I'm not a member on the KIS forums.
-
You seem to have used the major recommended scanners.
Some more choices listed in this post; http://malwaretips.com/blogs/zeus-trojan-virus/
Even if a false detection, worth suggesting they think about changing any passwords for online accounts and checking their bank accounts for any unusual activity of late.
EDIT; NoVirusThanks has a specific Zeus Trojan Remover, "which detects and remove all known variants of the very dangerous ZeuS banking trojan". Worth a shot, as the developer has a range of very useful anti-malware programs.
-
Potentially... if the system has troubles... normal malware can "prevent" any actions by current software or scanners.
But it's just potentially. For my opinion... if here without "I'm sure... all OK" - able to use any Rescue CD (Live CD with scanners inside) - potentially current step without "bonuses", but why not.
If IPS alerted about situation... maybe it's just proxy-settings or around start be broken. Maybe it's related with any other software. Anyway - re-check any default settings/place like "drivers/etc/hosts" and settings around proxy;
Setting around network connection (DNS-settings - maybe here will be added something wrong);
Most of that places.. current protection-software ignored in some situations.
Also... if it's an outdated machine (I mean - operating system) - here also can be hidden surprises.
Other things... were in the reply by Blackcat.
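The hosts-file check suggested above (together with the proxy and DNS settings) can be partly automated. The following is an added example, not code from this thread or from F-Secure: it parses hosts-file text and flags any entry that sends a real hostname somewhere other than the local machine, which is the classic hosts-file hijack a banking trojan leaves behind, and optionally flags watched names that have been pinned to the local address (blocking an update or banking site is itself a symptom). The sample hosts content and the `.test` domain names are constructed; the Windows path is the standard location of the file.

```python
"""Scan a Windows hosts file for entries that redirect traffic.

Added illustration for the thread above (not F-Secure's or any poster's code).
It works on hosts-file text in memory; a constructed sample is embedded so it
runs offline, and on Windows it will read the real file when present.
"""
import ipaddress
import os

# Constructed sample of a hosts file. The last two lines show the kind of
# entry a hijack leaves behind; all domain names here are placeholders.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#   127.0.0.1       localhost
#   ::1             localhost
127.0.0.1   localhost
::1         localhost
0.0.0.0     ads.example-tracker.test
203.0.113.7 online-banking.example-bank.test   # constructed: bank name -> foreign host
203.0.113.7 www.example-bank.test
"""

WINDOWS_HOSTS_PATH = r"C:\Windows\System32\drivers\etc\hosts"


def parse_hosts(text):
    """Yield (address, hostname, line_no) for every active mapping in the text."""
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        parts = line.split()
        addr, names = parts[0], parts[1:]
        for name in names:
            yield addr, name.lower(), line_no


def suspicious_entries(text, watch_suffixes=()):
    """Return (line_no, address, hostname, reason) for entries worth a closer look.

    A non-loopback, non-unspecified address means the name is being redirected.
    Names matching watch_suffixes are flagged even when mapped to 127.0.0.1 or
    0.0.0.0, because pinning a security-vendor or bank site to localhost is a
    known way of blocking updates or access.
    """
    findings = []
    for addr, name, line_no in parse_hosts(text):
        if name == "localhost":
            continue
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append((line_no, addr, name, "unparseable address"))
            continue
        watched = any(name == s or name.endswith("." + s) for s in watch_suffixes)
        if not (ip.is_loopback or ip.is_unspecified):
            findings.append((line_no, addr, name, "redirected to non-local address"))
        elif watched:
            findings.append((line_no, addr, name, "watched name pinned to local address"))
    return findings


if __name__ == "__main__":
    if os.path.exists(WINDOWS_HOSTS_PATH):
        with open(WINDOWS_HOSTS_PATH, encoding="utf-8", errors="replace") as fh:
            text = fh.read()
        source = WINDOWS_HOSTS_PATH
    else:
        text, source = SAMPLE_HOSTS, "constructed sample"
    # Example watch list (constructed); extend with the domains you care about.
    for line_no, addr, name, reason in suspicious_entries(text, ("example-tracker.test",)):
        print(f"{source}:{line_no}: {addr} {name} ({reason})")
```

Run it on the affected machine and review every flagged line by hand; a legitimate ad-blocking list will also produce `0.0.0.0` entries, so the "redirected to non-local address" findings are the ones that matter most. Proxy settings (Internet Options and `netsh winhttp show proxy`) and the adapter's DNS servers still need to be checked separately, as the post says.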
-
Since it appears that the "infection" is not on the system as such but on the server / ISP or parent IP address level, you will not be able to fix it.
Their service provider will probably blacklist their IP address, if they have not done so already, so they need to talk with their ISP to get their IP('s) cleared.
They can use the CBL Lookup Utility; http://cbl.abuseat.org/lookup.cgi?ip=XX.XX.XX.12&.pubmit=Lookup
Inform their ISP that their systems are clean, according to all the tools you have run.
-
Hi @Blackcat
The IP address is not listed in the CBL.
In addition to the above, they have now also scanned with AdwCleaner and Junkware Removal Tool (JRT), neither of which found anything. With regards their two Android tablets, they have installed and scanned both with Bitdefender Mobile Antivirus and Malwarebytes Mobile Anti Malware, all of which came up clean.
The only other computer on their network is a laptop which hasn't been used since last October, so I can't see that as being the culprit, which leads me to the conclusion that either you are correct, and the "infection" is at the parent IP address level, or the ISP have simply made an error.
I will be contacting the ISP, on my friend's behalf, after the Bank Holiday, to see what they have to say, but as the alert came from the Managing Director, who I know personally, I considered that it should be taken seriously.
-
Hi Simon,
"The primary payload of Trojan:W32/Zbot variants focuses on stealing online banking information. They also have limited backdoor and proxy capabilities." Refer to this threat description page for more details. Basically this type of malware will do its best to hide and stay on the infected computer as long as possible, as it is designed to, so it is possible that end users don't notice being infected.
I would suggest scanning the computers with Online Scanner, and of course you can always install the trial version of F-Secure Mobile Security, Anti-virus or Internet Security to scan the computers and Android devices. The trial version comes with FULL product features for 30 days.
Yes, please check with the ISP to find more details on the detection with the IP address. What flagged their IP as infected, and which IP address is red-flagged (WAN/LAN, IP/range of IPs)? This information would be very useful in dealing with this kind of situation. You might want to take a look at this website, it has some useful and interesting information on Zbot.
Thanks.
Best Regards,
Jayson
-
Well, it was all to do with a press release that appeared in the UK later that week, regarding the 'take-down' of the servers that were distributing the virus and (I believe) subsequently activating it on infected machines. We were told by the press that everyone had a two week safety window in which to secure their machines! I can't locate the original news story right now, but this relates:
http://www.bbc.co.uk/news/technology-27681996
The machine in question was scanned by numerous scanners, none of which found anything, and there have been no indications of problems since.