Risk
6/5/2013
01:01 PM
Connect Directly
RSS
E-Mail
50%
50%

ZeuS Malware Returns, Targets SMBs

ZeuS banking Trojan again puts small and midsize businesses at high risk. Here's what you need to know.

The Syrian Electronic Army: 9 Things We Know
(click image for larger view)
The Syrian Electronic Army: 9 Things We Know
Even criminals need to periodically retool their operations for current market conditions.

The ZeuS/ZBot malware has resurfaced "with a vengeance," according to Trend Micro security researchers. The "new" ZeuS is ultimately a matter of economics, according to Symantec Security Response director Kevin Haley. The data-stealing malware hadn't been eradicated, per se -- it was just getting a profit-minded makeover.

"Like legitimate software, malware goes through revisions and new releases," Haley said in an email to InformationWeek. "These new releases include improvements or new features that make them popular and increase their prevalence. ZeuS is no different."

ZeuS's second verse is much the same as the first; though technically a new threat, the fundamentals here should all sound familiar. The malware is good at stealing data off of infected machines. Banking credentials are the favorite target. And while ZeuS doesn't discriminate, smaller companies are especially vulnerable to its fallout.

[ Read more about ZeuS's renewed presence on Facebook: Zeus Bank Malware Surges On Facebook. ]

"Small businesses have a bulls-eye on their back," Haley said. The reasoning is the stuff of sound -- albeit illegal -- market research: Small and midsize businesses (SMBs) have more money than the average individual, but often have less security protection than large enterprises. Bank accounts typically top the list of security risks inside SMBs, and Haley doesn't expect that to change any time soon.

Like phishing and other "old" scams, ZeuS is back because it works -- very well, in some cases. In 2009, for example, hackers lifted $588,000 from a Maine construction company's bank account before the theft was detected. A ZeuS variant was later found on an employee's computer, according to court documents. The company, Patco, sued its bank for the $345,000 it couldn't recover, a watershed case for determining financial responsibility in such instances of online fraud. (Business accounts don't come with the same regulatory protections as consumer accounts.) Patco lost, but a federal appeals court later overturned the verdict.

The advice for defending against the ZeuS reboot and similar threats should also sound familiar. (If not, you've got work to do.) Use strong security technologies. Educate, train and test employees on security policies and risks; don't assume common sense rules the day, nor that "everyone" knows a phishing email or malicious Facebook link when they see one. Everyone does not, and even those that do make mistakes. In a case similar to Patco's, the controller at a midsize business clicked on a link in an email that appeared to be from Comerica, the company's bank. After entering the corporate username and password, crooks initiated offshore wire transfers totaling more than $1.9 million -- and ultimately made off with more than $560,000 after the bank's fraud protocols kicked into gear.

Symantec's Haley recommends spending extra training time with finance pros and any other employees with access to corporate financial accounts or other high-risk credentials. Such access should be granted judiciously, too. Every employee with access is a data breach-in-waiting, especially with ubiquitous social media usage and growing social engineering threats.

"Limit the number of people who have login and password access to bank accounts," Haley said. "And seriously consider dedicating machines to only banking. Email and Web browsing are popular infection vectors for Zeus, so avoiding those activities will significantly lower the risk of a machine used for online banking from getting infected."

The extra security effort is worth it, lest you log in one morning to find the corporate coffers have been cleaned out. "An infection like ZeuS can be devastating to a small business," Haley said.

Comment  | 
Print  | 
More Insights
Comments
Oldest First  |  Newest First  |  Threaded View
sandydoll
50%
50%
sandydoll,
User Rank: Apprentice
6/6/2013 | 3:26:53 AM
re: ZeuS Malware Returns, Targets SMBs
While the "dedicated PC" may be be better than doing nothing, there are numerous problems with this advice. First it only takes one forgetful moment of PC use for an employee to compromise the Gǣdedicated PCGǥ with a drive-by download. Sadly, this happens too often as even trained security experts are vulnerable to human error.
Secondly, most PCs will be configured with local network sharing enabled which permit machines on the same LAN already infected to launch attacks on the Gǣdedicated PCGǥ used for banking. And third, the data shows anti-virus software is only about 5% effective protecting the user from the latest malware.

There is far better security for online banking and fortunately it's free. CyberShield-OS is a bootable Linux designed specifically to protect online banking and it runs on any Intel PC. It delivers better security than the "dedicated PC" and doesn't require buying another PC. It functions as a "read-only" "self-destroying" OS so every bank session gets an exact unaltered copy of the code on the bootable USB. Further, it has an auto-configuring firewall which permits access to and from the Internet while blocking local LAN access and preventing attack by infected machines on the same network. There are additional security measures.

CyberShield-OS is used in over 70 countries and is available as a free download. The site has video tutorials that explain everything. www.cybershieldsolutions.com
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
In a digital world inundated with advanced security threats, Intel Security seeks to transform how we live and work to keep our information secure. Through hardware and software development, Intel Security delivers robust solutions that integrate security into every layer of every digital device. In combining the security expertise of McAfee with the innovation, performance, and trust of Intel, this vision becomes a reality.

As we rely on technology to enhance our everyday and business life, we must too consider the security of the intellectual property and confidential data that is housed on these devices. As we increase the number of devices we use, we increase the number of gateways and opportunity for security threats. Intel Security takes the security connected approach to ensure that every device is secure, and that all security solutions are seamlessly integrated.
Featured Writers
White Papers
Cartoon
Current Issue
Dark Reading's October Tech Digest
Fast data analysis can stymie attacks and strengthen enterprise security. Does your team have the data smarts?
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-0334
Published: 2014-10-31
Bundler before 1.7, when multiple top-level source lines are used, allows remote attackers to install arbitrary gems by creating a gem with the same name as another gem in a different source.

CVE-2014-2334
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiAnalyzer before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2336.

CVE-2014-2335
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiManager before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2336.

CVE-2014-2336
Published: 2014-10-31
Multiple cross-site scripting (XSS) vulnerabilities in the Web User Interface in Fortinet FortiManager before 5.0.7 and FortiAnalyzer before 5.0.7 allow remote attackers to inject arbitrary web script or HTML via unspecified vectors, a different vulnerability than CVE-2014-2334 and CVE-2014-2335.

CVE-2014-3366
Published: 2014-10-31
SQL injection vulnerability in the administrative web interface in Cisco Unified Communications Manager allows remote authenticated users to execute arbitrary SQL commands via a crafted response, aka Bug ID CSCup88089.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Follow Dark Reading editors into the field as they talk with noted experts from the security world.