World's nastiest trojan fools AV software

Discussion in 'malware problems & news' started by TheKid7, Sep 21, 2009.

Thread Status:
Not open for further replies.
  1. TheKid7

    TheKid7 Registered Member

    Joined:
    Jul 22, 2006
    Posts:
    3,469
  2. Rmus

    Rmus Exploit Analyst

    Joined:
    Mar 16, 2005
    Posts:
    3,943
    Location:
    California
    The second article notes that Zeus, aka Zbot, has been around for a number of years, and reveals that the same two tried and proven delivery methods are used:

    The drive-by download, and trick-the-user attack. Same old stuff.

    I've been interested in how successful these attacks seem to be against organizations.

    Last year I contacted a person who was investigating a banker trojan exploit that hit a bank in Croatia. It had both drive-by and social engineering components. The web exploit was an IE vulnerability, and I had someone who was testing these things with SRP try it, and of course, the exploit failed. The drive-by malware attack is the easiest to prevent, with proper security in place.

    The social engineering attack is more problematical to prevent. I noticed another article:

    Hackers steal U.S. government, corporate data from PCs
    http://www.reuters.com/article/domesticNews/idUSN1638118020070717

    The title sounds like any number of articles that have appeared this year, but would you believe this is from 2007? Has anything changed? Of course not, so why are these things still successful?

    From the article:

    Now, it turns out that many of the attacks targeting organizations use an email attachment that entices the employee to open a document and click "Run" when prompted. This, of course, will download the trojan executable file with all permissions granted.

    I asked a System Administrator why the organization couldn't enforce a policy where all new software had to be checked, approved, and installed by the Support Division. This would prevent the above targeted exploit from succeeding.

    The answer was, "We would have too many disgruntled employees."

    My translation: they would be deprived of downloading games, adding applications to their social networking site, etc. In other words, the workplace computer is treated like a personal computer.

    In another thread here a few months ago, a poster who is in IT admitted that his company management permitted employees to run as Administrators, and he could do nothing about it.

    The problem of the banking trojan, Zeus/Zbot and others, will never be solved at the organization level until the company CEO decides, "Enough is enough."

    Some companies have, including the Los Angeles, California, Police Department. I've cited this case study before:

    http://www.faronics.com/whitepapers/CaseStudy_LAPD.pdf
    There are many products other than those by Faronics that will accomplish the same thing.

    Another institution that said, "Enough is enough," is a college where I worked. I learned much about security from the System Administrator, one of the most astute and no-nonsense people I've known. When he convinced the Provost of the college that malware could be prevented from infecting, he was permitted to put security in place, and infections dropped to 0 (that's zero). So, I know it can be done.

    Meanwhile, articles about trojans fooling AV will continue to appear, and readers will ooh and ahh and be impressed as to the growing sophistication of such malware, and the ranks of the botnets will continue to increase.

    ----
    rich
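The post above credits Software Restriction Policies (SRP) with stopping the drive-by and the "click Run on the attachment" path, because a default-deny SRP only lets software run from locations the administrator has approved. The script below is an added example, not code from the thread or from any product mentioned in it: it is a read-only audit that reports whether a Windows machine is actually in that default-deny posture and lists the rules in force. It assumes the policy was written to the standard local SRP registry key (both Local Security Policy and a domain GPO land there on the client); the helper name Get-SrpPosture and the report format are this example's own.

```powershell
# Added example (not from the forum thread): audit the local Software Restriction
# Policy (SRP) configuration and report whether the machine is default-deny.
# Read-only: it changes nothing. Run from an elevated PowerShell prompt.
# Assumption: policy is stored under the standard SRP key written by secpol.msc / GPO.

$SrpKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Security levels as stored in DefaultLevel; the same numbers name the rule subkeys.
$Levels = @{
    0      = 'Disallowed'    # nothing runs unless a rule allows it (default-deny)
    131072 = 'Basic User'    # runs, but stripped of administrator privileges
    262144 = 'Unrestricted'  # everything runs unless a rule blocks it
}

function Get-SrpPosture {
    if (-not (Test-Path -Path $SrpKey)) {
        # No SRP key at all: Windows behaves as Unrestricted.
        return [pscustomobject]@{
            Configured = $false; DefaultLevel = 'Unrestricted (no policy)'
            DefaultDeny = $false; Enforcement = 'off'; Scope = 'n/a'; Rules = @()
        }
    }

    $props = Get-ItemProperty -Path $SrpKey -ErrorAction SilentlyContinue
    # Missing DefaultLevel means the default of Unrestricted applies.
    $levelNum = if ($null -ne $props.DefaultLevel) { [int]$props.DefaultLevel } else { 262144 }

    # TransparentEnabled: 0 = not enforced, 1 = all software except DLLs, 2 = DLLs too.
    $enforce = switch ([int]$props.TransparentEnabled) {
        1       { 'all software files except libraries (DLLs)' }
        2       { 'all software files, including DLLs' }
        default { 'off' }
    }
    # PolicyScope: 0 = applies to everyone, 1 = local Administrators are exempt.
    $scope = if ([int]$props.PolicyScope -eq 1) { 'all users except local administrators' }
             else { 'all users' }

    # Collect path and hash rules from each level's subkey.
    $rules = foreach ($lvl in $Levels.Keys) {
        foreach ($kind in 'Paths', 'Hashes') {
            $ruleKey = Join-Path -Path $SrpKey -ChildPath "$lvl\$kind"
            Get-ChildItem -Path $ruleKey -ErrorAction SilentlyContinue | ForEach-Object {
                $r = Get-ItemProperty -Path $_.PSPath
                [pscustomobject]@{
                    Level = $Levels[$lvl]
                    Type  = $kind.TrimEnd('s')
                    # Path rules store the path in ItemData; hash rules keep a friendly name.
                    Item  = if ($kind -eq 'Paths') { $r.ItemData } else { $r.FriendlyName }
                }
            }
        }
    }

    [pscustomobject]@{
        Configured   = $true
        DefaultLevel = $Levels[$levelNum]
        DefaultDeny  = ($levelNum -eq 0 -and $enforce -ne 'off')
        Enforcement  = $enforce
        Scope        = $scope
        Rules        = @($rules)
    }
}

$posture = Get-SrpPosture
Write-Host "SRP default level : $($posture.DefaultLevel)"
Write-Host "Enforcement       : $($posture.Enforcement)"
Write-Host "Applies to        : $($posture.Scope)"
Write-Host ("Default-deny      : " + $(if ($posture.DefaultDeny) { 'YES' } else { 'NO' }))
Write-Host "Rules in force    : $($posture.Rules.Count)"
$posture.Rules | Format-Table -AutoSize
```

The useful reading is the combination of the three lines: a DefaultLevel of Disallowed with enforcement off, or with local administrators exempted on a site where users still run as Administrators (the situation the post complains about), is not default-deny in practice. Unrestricted-level path rules that point at user-writable locations such as the profile or the temp folder are the first thing to review, since an attachment saved there would be runnable.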
     