Zeus

Superuser

Zeus

I have some friends whose ISP has informed them that they have detected a virus in the Zeus family on a computer with their IP address.

They don't have F-Secure (due to ineffective parental controls), but my question is, would F-Secure, and most big brand AV products, detect and remove the Zeus family of malware?

They have scanned their main machine with KIS and Malwarebytes, which both came up with nothing, except for a couple of PUPs from MBAM, but I've read that this virus is notoriously stealthy and difficult to detect and remove.
Accepted Solutions
Superuser

Re: Zeus

Well, it was all to do with a press release that appeared in the UK later that week, regarding the 'take-down' of the servers that were distributing the virus and (I believe) subsequently activating it on infected machines. We were told by the press that everyone had a two week safety window in which to secure their machines! I can't locate the original news story right now, but this relates:

http://www.bbc.co.uk/news/technology-27681996

The machine in question was scanned by numerous scanners, none of which found anything, and there have been no indications of problems since.


Superuser

Re: Zeus

F-Secure and many others can do that (if I understand your words correctly... it's not really the main trouble).

And they also can not do that.

It's related to the "sample" and "other background" :) It can be different now.

Also, detect/remove can not always be totally helpful. What about "clean/treat" - I'm not sure.. that I know of any protection software which can be the "greatest" at the current time.

That MBAM can not detect it is not a surprise, and it's logical. MBAM has ignored a lot of malware, viruses and trojans.

About other protection software - it's, of course, strange - but they also from time to time ignored the most "dangerous" samples.. which all the others had already detected.

But the current... words.... can come with a lot of "background" settings, which will be more important for any "words" around.

"Little added" - does it mean that the systems still need help?! If yes - there can be a lot of steps for checking the system.

And also about "background" settings... I don't just mean "indeed the background for current situations", but also... other points around - when "detection" can already be just "generic" (and that is close to "often");

And as a "common addition about the main theme" - one of the reasons for any multi-layer protection and pro-active technologies... and cloud-reputation-based ones (which are still not really "best");

Superuser

Re: Zeus

Sorry, I'm not sure that I understand a lot of that.

What I'm saying is, as the infection hasn't been detected by MBAM and another 'big brand' AV product, is it safe to assume that the machine is NOT infected, or can Zeus hide itself from detection by most security products?

Unfortunately, I'm not able to get to the machine myself, and the friends whose machine it is have little understanding. I even had to instruct them how to scan the machine in the first place.
Superuser

Re: Zeus

MBAM and the current "big brand" AV are close to a situation where any malware can "be hidden" from them.

When it's close to "high-skilled" malware or based on the current theme... it's closer to "can be".

Here just one point can be "close" to safe and not infected... the current "information" comes from the ISP. They can detect that situation from time to time by "generic" descriptions, when it's not really like that.

But if it comes - the system can have troubles - which can already be missing.. after the PUPs were removed (other).

The current "trouble" is some kind of "big". It can be various "samples"/"examples" - and the current information will already be related to... how many companies.. can be "tricked" by that.

Superuser

Re: Zeus

The machine has now been scanned with:

Kaspersky Internet Security

MalwareBytes Anti Malware

Hitman Pro

Kaspersky TDSSKiller

Nothing has been detected except for a few tracking cookies, and an Incredimail toolbar, all of which have been removed.

I'm finding it hard to believe that the machine can still be infected after all this, but they do have another laptop still to scan, plus about 4 tablets (2 Android and 2 iPads). I think it's unlikely that the infection is on any of the tablets, but apparently there is a version of Zeus which can attack Android devices.

Oh, and sorry to be posting this here, as I know it's not strictly an F-Secure issue, but I'm not a member on the KIS forums.

Senior Advisor

Re: Zeus

@Simon

You seem to have used the major recommended scanners.

Some more choices are listed in this post: http://malwaretips.com/blogs/zeus-trojan-virus/

Even if it is a false detection, it is worth suggesting that they think about changing any passwords for online accounts and checking their bank accounts for any unusual activity of late.

EDIT: NoVirusThanks has a specific Zeus Trojan Remover, "which detects and remove all known variants of the very dangerous ZeuS banking trojan". Worth a shot, as the developer has a range of very useful anti-malware programs.

http://www.novirusthanks.org/products/zeus-trojan-remover/

Superuser

Re: Zeus

Potentially.. if the system has troubles... normal malware can "prevent" any actions by the current software or scanners.

But it's just potentially. In my opinion... if here there is no "I'm sure... all OK" - you are able to use any Rescue CD (Live CD with scanners inside) - potentially the current step is without "bonuses", but why not.

If the ISP alerted about the situation... maybe it's just the proxy settings or something around startup being broken. Maybe it's related to any other software. Anyway - re-check any default settings/places like "drivers/etc/hosts" and the settings around the proxy;

Settings around the network connection (DNS settings - maybe something wrong will be added here);

Most of those places.. the current protection software ignores in some situations.

Also.... if they are outdated machines (I mean - operating systems) - here there can also be hidden surprises :)

Other things.. were in the reply by Blackcat :)
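The three places Ukko tells Simon to re-check (the hosts file, the proxy settings and the DNS servers) can be read programmatically rather than by eye. The script below is an added example written for this thread; it is not code from the forum, from F-Secure or from any of the scanners mentioned. It assumes the standard Windows registry locations for WinINet proxy settings and per-interface TCP/IP DNS servers, and the hosts file content it analyses first (SAMPLE_HOSTS) is constructed for the example with two planted entries of the kind tampering leaves behind. The hosts-file logic runs on any platform; the registry reads only run on Windows and return None elsewhere.

```python
"""Local tampering check: hosts file, WinINet proxy, per-interface DNS servers.

Added example for the thread above, not code from it or from any vendor.
Registry paths are the standard Windows ones; SAMPLE_HOSTS is constructed.
"""
import ipaddress
import os
import sys

# Names a stock hosts file may carry without comment.
STOCK_NAMES = {"localhost", "localhost.localdomain", "broadcasthost",
               "ip6-localhost", "ip6-loopback", "ip6-localnet",
               "ip6-mcastprefix", "ip6-allnodes", "ip6-allrouters"}

# Constructed sample: Microsoft's default file plus two planted lines, a bank
# redirected to a remote address and an AV update server pinned to loopback.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
# localhost name resolution is handled within DNS itself.
#    127.0.0.1       localhost
#    ::1             localhost
127.0.0.1       localhost
::1             localhost
198.51.100.23   www.examplebank.co.uk online.examplebank.co.uk   # planted
127.0.0.1       update.example-av.com                            # planted
"""


def parse_hosts(text):
    """Return [(address, [names])] for every active, non-comment entry."""
    entries = []
    for raw in text.splitlines():
        parts = raw.split("#", 1)[0].split()      # strip comment, tokenize
        if len(parts) >= 2:
            entries.append((parts[0], parts[1:]))
    return entries


def suspicious_hosts(entries):
    """Flag entries binding a non-stock name to any address.

    Returns [(address, [odd names], reason)]. A remote address means the name
    is redirected; loopback/unspecified means it is blackholed (ad-block lists
    do that legitimately, malware does it to AV/update servers), so both are
    reported and left to the reader to judge.
    """
    flagged = []
    for address, names in entries:
        odd = [n for n in names if n.lower() not in STOCK_NAMES]
        if not odd:
            continue
        try:
            addr = ipaddress.ip_address(address)
        except ValueError:
            flagged.append((address, odd, "unparseable address"))
            continue
        if addr.is_loopback or addr.is_unspecified:
            flagged.append((address, odd, "blackholed (pinned to %s)" % address))
        else:
            flagged.append((address, odd, "redirected to %s" % address))
    return flagged


def windows_proxy_settings():
    """WinINet per-user proxy values, or None off Windows.

    ProxyEnable=1 or a populated AutoConfigURL on a home PC nobody
    configured means the browser traffic is being routed somewhere.
    """
    if sys.platform != "win32":
        return None
    import winreg
    path = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    result = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, path) as key:
        for name in ("ProxyEnable", "ProxyServer", "AutoConfigURL"):
            try:
                result[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:          # value not set
                result[name] = None
    return result


def windows_dns_servers():
    """{interface GUID: (value name, servers)}, or None off Windows.

    A static NameServer overrides the DHCP-supplied DhcpNameServer list,
    which is exactly how a DNS changer plants its own resolver.
    """
    if sys.platform != "win32":
        return None
    import winreg
    base = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces"
    found, index = {}, 0
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, base) as root:
        while True:
            try:
                guid = winreg.EnumKey(root, index)
            except OSError:                    # no more subkeys
                break
            index += 1
            with winreg.OpenKey(root, guid) as iface:
                for name in ("NameServer", "DhcpNameServer"):
                    try:
                        value = winreg.QueryValueEx(iface, name)[0]
                    except FileNotFoundError:
                        continue
                    if value:
                        found[guid] = (name, value)
                        break
    return found


if __name__ == "__main__":
    print("planted sample:", suspicious_hosts(parse_hosts(SAMPLE_HOSTS)))
    live = (os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                         "System32", "drivers", "etc", "hosts")
            if sys.platform == "win32" else "/etc/hosts")
    with open(live, encoding="utf-8", errors="replace") as fh:
        print("live hosts file:", suspicious_hosts(parse_hosts(fh.read())))
    print("proxy:", windows_proxy_settings())
    print("dns:", windows_dns_servers())
```

On the constructed sample the two planted lines are the only findings; on a real machine an empty result for the hosts file together with ProxyEnable=0, no AutoConfigURL and DHCP-supplied DNS servers is what a clean home PC looks like, whereas a static NameServer pointing at an address the ISP did not hand out is the kind of thing the scanners in this thread do not look at.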

Superuser

Re: Zeus

Thanks @Blackcat and @Ukko

They have scanned with all of the above and nothing can be found. I think perhaps they need to go back to the ISP who flagged it and ask for further information.
Senior Advisor

Re: Zeus

@Simon

Since it appears that the "infection" is not on the system as such but on the server / ISP or parent IP address level, you will not be able to fix it.

Their service provider will probably blacklist their IP address, if they have not done so already, so they need to talk with their ISP to get their IP(s) cleared.

They can use the CBL Lookup Utility; http://cbl.abuseat.org/lookup.cgi?ip=XX.XX.XX.12&.pubmit=Lookup

Inform their ISP that their systems are clean, according to all the tools you have run.
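The CBL web form Blackcat links is a front end to a DNS-based blocklist, and the same question can be asked directly over DNS, which is also how mail servers and ISPs consult it. The script below is an added example for this thread, not code from the forum or from the CBL or Spamhaus projects. It assumes the usual DNSBL convention (reverse the IPv4 octets under the list's zone and resolve; NXDOMAIN means not listed, an answer in 127.0.0.0/8 means listed with the last octet as the reason). The cbl.abuseat.org zone is the one named in the thread; it has since been retired into the Spamhaus XBL, which the zen.spamhaus.org zone used as the default here serves, and the reason table is Spamhaus's published ZEN return codes.

```python
"""DNSBL lookup over DNS: the query behind the CBL web form linked above.

Added example for the thread, not its own code. IPv4 only; needs network
access for lookup(), the helpers below are pure and run offline.
"""
import ipaddress
import socket

# Return codes published for zen.spamhaus.org (which absorbed the CBL data).
ZEN_CODES = {
    "127.0.0.2": "SBL: Spamhaus Block List (spam source)",
    "127.0.0.3": "SBL CSS: snowshoe / compromised-account spam",
    "127.0.0.4": "XBL: exploited host (CBL data)",
    "127.0.0.5": "XBL: exploited host (CBL data)",
    "127.0.0.6": "XBL: exploited host (CBL data)",
    "127.0.0.7": "XBL: exploited host (CBL data)",
    "127.0.0.10": "PBL: ISP-declared end-user address space",
    "127.0.0.11": "PBL: Spamhaus-maintained end-user address space",
    "127.255.255.252": "error: typing mistake in DNSBL zone name",
    "127.255.255.254": "error: query came via a public/open resolver, use your own",
    "127.255.255.255": "error: query limit exceeded",
}


def query_name(ip, zone):
    """'203.0.113.7', 'cbl.abuseat.org' -> '7.113.0.203.cbl.abuseat.org'."""
    addr = ipaddress.IPv4Address(ip)          # ValueError on junk or IPv6
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def explain(answer, codes=ZEN_CODES):
    """Translate one A-record answer into a human-readable reason."""
    a = ipaddress.IPv4Address(answer)
    if a not in ipaddress.IPv4Network("127.0.0.0/8"):
        # A resolver or ISP that wildcards NXDOMAIN to a search page would
        # make every address look listed; treat that as a broken resolver.
        return "not a DNSBL answer: %s (wildcarded resolver?)" % answer
    return codes.get(str(a), "listed, unknown reason code %d" % a.packed[3])


def lookup(ip, zone="zen.spamhaus.org"):
    """None if the address is not listed, else a list of reasons."""
    name = query_name(ip, zone)
    try:
        _, _, answers = socket.gethostbyname_ex(name)
    except socket.gaierror:
        return None                           # NXDOMAIN: not listed
    return [explain(a) for a in answers]


if __name__ == "__main__":
    import sys
    # 127.0.0.2 is the documented always-listed test entry.
    for ip in sys.argv[1:] or ["127.0.0.2"]:
        print(ip, "->", lookup(ip))
```

Run with the friend's public address as the argument. A None result is the "not listed" answer Simon reports further down; an XBL reason is the one that would back up the ISP's claim, and a PBL-only listing just says the address sits in a dynamic end-user range, which is not evidence of infection.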


Superuser

Re: Zeus

Hi @Blackcat

The IP address is not listed in the CBL.

In addition to the above, they have now also scanned with AdwCleaner and Junkware Removal Tool (JRT), neither of which found anything. With regard to their two Android tablets, they have installed and scanned both with Bitdefender Mobile Antivirus and Malwarebytes Mobile Anti Malware, all of which came up clean.

The only other computer on their network is a laptop which hasn't been used since last October, so I can't see that as being the culprit, which leads me to the conclusion that either you are correct, and the "infection" is at the parent IP address level, or the ISP has simply made an error.

I will be contacting the ISP, on my friend's behalf, after the Bank Holiday, to see what they have to say, but as the alert came from the Managing Director, who I know personally, I considered that it should be taken seriously.