Zeus

Simon Posts: 2,608 Superuser
I have some friends whose ISP has informed them that they have detected a virus in the Zeus family on a computer with their IP address.

They don't have F-Secure (due to ineffective parental controls), but my question is, would F-Secure, and most big brand AV products, detect and remove the Zeus family of malware?

They have scanned their main machine with KIS and Malwarebytes, which both came up with nothing, except for a couple of PUPs from MBAM, but I've read that this virus is notoriously stealthy and difficult to detect and remove.

Best Answer

  • Simon Posts: 2,608 Superuser
    Accepted Answer
    Well, it was all to do with a press release that appeared in the UK later that week, regarding the 'take-down' of the servers that were distributing the virus and (I believe) subsequently activating it on infected machines. We were told by the press that everyone had a two week safety window in which to secure their machines! I can't locate the original news story right now, but this relates:

    http://www.bbc.co.uk/news/technology-27681996

    The machine in question was scanned by numerous scanners, none of which found anything, and there have been no indications of problems since.

Comments

  • Ukko Posts: 2,995 Superuser

    F-Secure and many others can do that (if I understand your words correctly... it's not really the most trouble).

    And also they can not do that.

    It's related to the "sample" and "other background" :) It can be different now.

    Also detect/remove is not always totally helpful. What about "clean/treat" - I'm not sure.. that I know any protection software which can be "greatest" at the current time.

    That MBAM can not detect it is not a surprise and is logical. MBAM ignores a lot of malware, viruses and trojans.

    About other protection software - it's, of course, strange - but they also from time to time ignore the most "dangerous" samples.. which all others already detected.

    But the current... words.... can be with a lot of "background" settings, which will be more important than any "words" around.

    "Little added" - does it mean that the systems still need help?! If yes - here there can be a lot of steps for checking the system.

    And also about "background" settings... I don't just mean "indeed background for the current situation", but also... other points around - when "detection" can be already just like "generic" (and it's close to "often");

    And like a "common addition about the main theme" - one of the reasons for any multi-layer protection and pro-active technologies... and cloud-reputation-based (which is still not really "best");

  • Simon Posts: 2,608 Superuser
    Sorry, I'm not sure that I understand a lot of that.

    What I'm saying is, as the infection hasn't been detected by MBAM and another 'big brand' AV product, is it safe to assume that the machine is NOT infected, or can Zeus hide itself from detection by most security products?

    Unfortunately, I'm not able to get to the machine myself, and the friends whose machine it is have little understanding. I even had to instruct them how to scan the machine in the first place.
  • Ukko Posts: 2,995 Superuser

    MBAM and the current "big brand" AV are close to a situation where any malware can "be hidden" from them.

    When it's close to "high-skilled" malware or based on the current theme... it's more close to "can be".

    Here just one point can be "close" to safe and not infected...    the current "information" comes from the ISP. They can detect that situation from time to time by "generic" descriptions, when it's not really like that.

    But if it comes - the system can have troubles - which already can be missing.. after the PUPs were removed (other).

    The current "trouble" is some kind of "big". It can be various "samples"/"examples" - and already the current information will be related to... how many companies.. can be "tricked" by that.

  • Simon Posts: 2,608 Superuser

    The machine has now been scanned with:

    Kaspersky Internet Security

    MalwareBytes Anti Malware

    Hitman Pro

    Kaspersky TDSSKiller

    Nothing has been detected except for a few tracking cookies, and an Incredimail toolbar, all of which have been removed.

    I'm finding it hard to believe that the machine can still be infected after all this, but they do have another laptop still to scan, plus about 4 tablets (2 Android and 2 iPads).  I think it's unlikely that the infection is on any of the tablets, but apparently there is a version of Zeus which can attack Android devices.

    Oh, and sorry to be posting this here, as I know it's not strictly an F-Secure issue, but I'm not a member on the KIS forums.

  • Blackcat Posts: 511

    @Simon

    You seem to have used the major recommended scanners.

    Some more choices are listed in this post; http://malwaretips.com/blogs/zeus-trojan-virus/

    Even if a false detection, it is worth suggesting they think about changing any passwords for online accounts and checking their bank accounts for any unusual activity of late.

    EDIT; NoVirusThanks has a specific Zeus Trojan Remover, "which detects and remove all known variants of the very dangerous ZeuS banking trojan". Worth a shot, as the developer has a range of very useful anti-malware programs.

    http://www.novirusthanks.org/products/zeus-trojan-remover/

  • Ukko Posts: 2,995 Superuser

    Potentially.. if the system has troubles... normal malware can "prevent" any actions by the current software or scanners.

    But it's just potentially. In my opinion... if here without "I'm sure... all OK" - able to use any Rescue CD (Live CD with scanners inside) - potentially the current step is without "bonuses", but why not.

    If the ISP alerted about the situation... maybe it's just the proxy settings or something around start is broken. Maybe it's related with any other software. Anyway - re-check any default settings/places like "drivers/etc/hosts" and the settings around the proxy;

    Settings around the network connection (DNS settings - maybe here something wrong will be added);

    Most of those places.. the current protection software ignores in some situations.

    Also.... if it's an outdated machine (I mean - operating system) - here also can be hidden surprises :)

    Other things.. were in the reply by Blackcat :)
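The three places Ukko's reply above says to re-check (the hosts file under drivers/etc, the proxy settings, and the DNS settings) can be audited mechanically rather than by eye. The script below is an added example, not code from this thread, from F-Secure or from any of the tools named here. The Windows per-user proxy values it reads (ProxyEnable, ProxyServer and AutoConfigURL under HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings) are real; the sample hosts content, the example domain names, the 203.0.113.x addresses, the "allowed resolvers" list and the blank-line padding threshold are all constructed for the example so that it runs offline.

```python
"""Audit a Windows hosts file, proxy settings and DNS resolvers for tampering.

Added example (not from the forum thread).  All input is constructed inline.
"""
import ipaddress
from typing import Dict, Iterable, List, Tuple

Finding = Tuple[str, str, str]  # (severity, check, detail)

# Assumption/heuristic: an entry preceded by this many blank lines sits below the
# visible window of a plain text editor, a simple way to hide an added line.
BLANK_PADDING_THRESHOLD = 20


def parse_hosts(text: str) -> List[Tuple[int, str, List[str]]]:
    """Return (line_number, address, [hostnames]) for each active entry.
    '#' comments and blank lines are skipped, exactly as the resolver skips them."""
    entries = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        entries.append((lineno, fields[0], fields[1:]))
    return entries


def audit_hosts(text: str, watch_domains: Iterable[str] = ()) -> List[Finding]:
    """Flag hosts entries that touch watched domains (banks, AV update servers),
    redirect localhost, pin names to remote addresses, fail to parse, or are
    buried behind a long run of blank lines."""
    findings: List[Finding] = []
    watch = tuple(watch_domains)

    # Pass 1: entries hidden after blank padding.
    blank_run = 0
    for lineno, raw in enumerate(text.splitlines(), start=1):
        if not raw.strip():
            blank_run += 1
            continue
        if blank_run >= BLANK_PADDING_THRESHOLD and not raw.lstrip().startswith("#"):
            findings.append(("medium", "entry-after-blank-padding",
                             f"line {lineno} follows {blank_run} blank lines"))
        blank_run = 0

    # Pass 2: what each active entry actually maps to.
    for lineno, addr, names in parse_hosts(text):
        try:
            ip = ipaddress.ip_address(addr)
        except ValueError:
            findings.append(("high", "unparseable-address", f"line {lineno}: {addr!r}"))
            continue
        # 127.0.0.1, ::1 and 0.0.0.0 are the usual "sink" targets of ad-blocking
        # hosts files; any other address routes the name to a real host.
        sink = ip.is_loopback or ip.is_unspecified
        if "localhost" in names and not ip.is_loopback:
            findings.append(("high", "localhost-redirected", f"line {lineno}: localhost -> {addr}"))
        for name in names:
            watched = any(name == d or name.endswith("." + d) for d in watch)
            if watched:
                # A bank or update host in the hosts file is suspect whether it is
                # redirected to a remote address or blackholed to a sink.
                findings.append(("high", "watched-domain-pinned", f"line {lineno}: {name} -> {addr}"))
            elif not sink:
                findings.append(("medium", "name-pinned-to-remote", f"line {lineno}: {name} -> {addr}"))
    return findings


def audit_proxy(settings: Dict[str, object], expect_proxy: bool = False) -> List[Finding]:
    """Check the per-user values ProxyEnable, ProxyServer and AutoConfigURL from
    HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings.  A PAC
    URL or an enabled proxy on a machine that should have neither diverts traffic."""
    findings: List[Finding] = []
    pac = settings.get("AutoConfigURL")
    if pac:
        findings.append(("high", "pac-script-configured", str(pac)))
    if settings.get("ProxyEnable") and not expect_proxy:
        findings.append(("high", "proxy-enabled", str(settings.get("ProxyServer", ""))))
    return findings


def audit_dns(resolvers: Iterable[str], allowed: Iterable[str]) -> List[Finding]:
    """Flag any configured resolver outside the set the owner expects."""
    allowed_set = set(allowed)
    return [("medium", "unexpected-resolver", r) for r in resolvers if r not in allowed_set]


# Constructed sample: a default Windows hosts file with two tampered lines appended
# after 60 blank lines.  203.0.113.0/24 is a documentation range, not a real host.
SAMPLE_HOSTS = (
    "# Copyright (c) 1993-2009 Microsoft Corp.\n"
    "#\t127.0.0.1       localhost\n"
    "#\t::1             localhost\n"
    "127.0.0.1 localhost\n"
    "0.0.0.0 ads.tracker.example   # ad-blocking style entry, benign sink\n"
    + "\n" * 60
    + "203.0.113.45 www.examplebank.test online.examplebank.test\n"
    "not-an-ip update.av-vendor.example\n"
)
SAMPLE_PROXY = {"ProxyEnable": 1, "ProxyServer": "203.0.113.9:8080",
                "AutoConfigURL": "http://203.0.113.9/proxy.pac"}  # constructed


def run_sample() -> Dict[str, List[Finding]]:
    """Run all three audits over the constructed sample data."""
    return {
        "hosts": audit_hosts(SAMPLE_HOSTS, watch_domains=("examplebank.test", "av-vendor.example")),
        "proxy": audit_proxy(SAMPLE_PROXY),
        "dns": audit_dns(["192.168.1.1", "203.0.113.53"], allowed=["192.168.1.1"]),
    }


if __name__ == "__main__":
    for area, found in run_sample().items():
        print(area)
        for severity, check, detail in found:
            print(f"  [{severity}] {check}: {detail}")
```

On a real machine, feed `audit_hosts` the contents of `C:\Windows\System32\drivers\etc\hosts` and the domains you care about (the bank, the AV vendor's update hosts), `audit_proxy` the values read from the Internet Settings key, and `audit_dns` the resolvers from `ipconfig /all` against the ones the router or ISP is supposed to hand out. A clean default hosts file produces no findings; the sample above produces one padding finding, two watched-domain findings, one unparseable entry, two proxy findings and one unexpected resolver.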
  • Simon Posts: 2,608 Superuser
    Thanks @Blackcat and @Ukko

    They have scanned with all of the above and nothing can be found. I think perhaps they need to go back to the ISP who flagged it and ask for further information.
  • Blackcat Posts: 511

    @Simon

    Since it appears that the "infection" is not on the system as such but on the server / ISP or parent IP address level, you will not be able to fix it.

    Their service provider will probably blacklist their IP address, if they have not done so already, so they need to talk with their ISP to get their IP('s) cleared.

    They can use the CBL Lookup Utility; http://cbl.abuseat.org/lookup.cgi?ip=XX.XX.XX.12&.pubmit=Lookup

    Inform their ISP that their systems are clean, according to all the tools you have run.
  • Simon Posts: 2,608 Superuser

    Hi @Blackcat

    The IP address is not listed in the CBL.

    In addition to the above, they have now also scanned with AdwCleaner and Junkware Removal Tool (JRT), neither of which found anything.  With regard to their two Android tablets, they have installed and scanned both with Bitdefender Mobile Antivirus and Malwarebytes Mobile Anti Malware, all of which came up clean.

    The only other computer on their network is a laptop which hasn't been used since last October, so I can't see that as being the culprit, which leads me to the conclusion that either you are correct, and the "infection" is at the parent IP address level, or the ISP have simply made an error.

    I will be contacting the ISP, on my friend's behalf, after the Bank Holiday, to see what they have to say, but as the alert came from the Managing Director, who I know personally, I considered that it should be taken seriously.

  • Jayson Posts: 595

    Hi Simon,

    "The primary payload of Trojan:W32/Zbot variants focuses on stealing online banking information. They also have limited backdoor and proxy capabilities." Refer to this threat description page for more details. Basically this type of malware will do its best to hide and stay on the infected computer as long as possible; it is how it is designed, so it is possible that end users don't notice being infected.

    I would suggest scanning the computers with Online Scanner, and of course you can always install the trial version of F-Secure Mobile Security, Anti-virus or Internet Security to scan the computers and Android devices. The trial version comes with FULL product features for 30 days.

    Yes, please check with the ISP to find more details on the detection with the IP address. What flagged their IP as infected, and which IP address is red flagged (WAN/LAN, IP/ranges of IP)? This information would be very useful in dealing with this kind of situation. You might want to take a look at this website; it has some useful and interesting information on Zbot.

    Thanks.

    Best Regards,
    Jayson
  • Simon Posts: 2,608 Superuser
    Thanks Jayson, I will certainly pass that advice on.

    I am currently waiting to hear back from the ISP, and will update here when we have more information.
  • Chrissy Posts: 439

    Hi Simon!

    Just wondering, has there been any update to this situation?

This discussion has been closed.