Security

A Guide to the Zeus Virus

The Zeus virus and other Trojans put the government at risk.

Adnan Baykal is vice president of security services for the Center for Internet Security.

When most people think of Zeus, the first thing that comes to mind is the mythological supreme ruler of Mount Olympus and the Greek gods, who used a thunderbolt to attack his targets.

For those of us in the cybersecurity space, Zeus represents an all-too-real virus that attacks sensitive information and steals data with alarming ease. While Zeus the god is no longer inflicting damage, Zeus the malicious software certainly is, and no organization, sector or geographic region is immune.

The Zeus Trojan virus is an advanced type of financial fraud malware that often appears to be something legitimate and uses back doors to bypass many common computer and financial institution security measures. Its goal is to steal financial account credentials, but other accounts that contain proprietary or high-value information also are targeted. The malware is generally propagated through exploit kits (such as Blackhole), drive-by downloads, phishing emails or social media sites. The Zeus Trojan is used by a variety of actors, including lone hackers, nation states and organized cybercriminal groups.

Perhaps the reason Zeus is so enticing for bad actors is because it allows attackers to target specific information on a compromised system through the use of web injects — site-specific codes that contain configuration instructions for the Trojan. Injects can take the form of malicious fields that ask users to enter additional information, such as a debit card number, PIN or date of birth, that typically would not be required at a particular stage of the transaction. Lists of web inject code are readily available in the underground market, for free and for sale.

Protection against the Zeus Trojan and other Trojan variants requires constant vigilance. Entities should review the following suggestions and make sure best practices are being implemented to minimize risk.

742,794

The number of users attacked by Zeus — the most widespread banking Trojan — in 2014

SOURCE: Kaspersky Labs, “Kaspersky Security Bulletin: Overall Statistics for 2014,” December 2014

Patch, Patch, Patch

Establish a regular schedule for applying security patches, not only for your operating system but also for your third-party applications such as Adobe Reader, Flash, Shockwave and Java, and browsers such as Firefox and Google Chrome.

The same should go for anti-virus and endpoint security software. A good way to remember this is by subscribing to an email alert service, which will provide real-time alerts on current vulnerabilities and patches available or the software running in an environment. Even with patches, ensure log files are monitored, especially proxy server logs, for unauthorized or suspicious Internet connections and use two-factor authentication where available for sensitive accounts.

Educate, Educate, Educate

Because infections are often distributed through phishing emails or social media sites, make sure users know how to recognize a potential scam and what steps to take to mitigate risk.

Consider adding a threat feed to your website or employee intranet so end users are informed about the latest scams and other malicious activity. That said, it never hurts to eliminate as much potential confusion for employees as possible.

Use blacklisting and white listing methods to filter out email attachments that do not have documented business needs, and block executable file types from being received by email or downloaded from the Internet.

Be sure to use a dedicated computer with a static IP address for all online financial transactions, and register that IP address with the financial institution. If you are unable to dedicate a computer for financial transactions, use a virtual machine.

If a system is infected with the Zeus Trojan, any password used on that system, including those used to log on to websites, should be considered compromised and must be changed immediately.

Perform full forensic analysis to identify the root cause of the infection, the infection vector and remediate it. Rebuild systems infected by Zeus using a clean image, because Zeus can also download additional malware.

For more cybersecurity resources, including alerts, visit the Center for Internet Security at cisecurity.org and follow @CISecurity on Twitter.

Trojan Horse of a Different Color

First seen in Europe, the Dyre (or Dyreza) banking Trojan is another credential- harvesting malware that has recently made its way to the United States. Dyre has capabilities very similar to Zeus, but largely uses phishing emails to infect.

In the last quarter of 2014, attackers ran numerous phishing campaigns in the U.S., delivering the Trojan via the Upatre downloader attached to the email as a .zip file. Once executed, Upatre downloads the Dyre Trojan and starts the credential-harvesting process.

The recent Dyre campaign, the continuous and widespread infections of the Zeus Trojan and the increase in ransomware infections in 2014 all indicate that common attack methods such as exploiting vulnerabilities in third-party applications and creative phishing campaigns will continue to cause major headaches.

Agencies should devote more resources to user awareness training as well as the necessary technologies for patching operating systems and third-party applications in a timely manner.