The limits of anti-virus restated
The Zbot Trojan's ability to evade anti-virus engines is bothering security company Trusteer, although whether their depressing detection numbers tell us much about the effectiveness of AV is moot.
The company collected data from 10,000 PCs using the 'Rapport' browser agent, which can not only detect the presence of the malware using its own fingerprinting technique but also whether the PC in question was reporting itself to Windows Security Centre as having up-to-date anti-virus.
Crunching the numbers for a single day in September 2009, the company found that 55 percent of PCs it detected as having up-to-date AV also had been infected with Zbot/Zeus, which is to say the security products were not doing a great job of stopping the threat.
We don't know which security products were in this group, but in a sample of this size it must include a wide range of brands. Zbot's secret is not that original. It is just able to morph very quickly, which makes spotting it through signatures alone a matter of keeping the infection window as short as possible.
As the company explains with some eloquence, Zbot is not just any malware but one of the most prodigious keylogging Trojans currently out there, with a successful if unquantified track record of being used to break into online bank accounts. It's been around for at least 6 months in one guise or another, and can also be used to steal logins for just about anything, including FTPs, servers, you name it.
Just to make life more confusing for everyone, Zbot has a number of names, including Zeus, Infostealer, and Wsnpoem, and a couple I wasn't even aware of, Ntos and PRG.
None of this is that surprising, although it would perhaps be more frightening if we had more information on the number of victims, as opposed to infections. Zbot is like a bank robber with a sawn-off that can raid thousands of branches with barely anyone in the financial services industry having even heard of it.
Trusteer specialises in detecting this type of malware using its plug-in technology and tries to flog it to banks, most of which have tended to ignore the problem as much as they can get away with.
It seems to me that the main protection against Zbot is not to get infected with it in the first place. Anti-virus is only the last line of protection, a sort of final insurance policy, one that people probably over-rely upon. Better to employ decent anti-spam (the main infection route is via clicking on email links) or some kind of URL whitelisting. Additionally, banks need to stop relying on simple username and password logins.