Zbot evades most anti-virus programs

Updated Thursday, September 17, 2009 at 4:59 p.m. EST

The banking trojan Zbot, which is one of today's most prevalent financially motivated trojans, is not detected or removed by most anti-virus programs because of its ability to morph, according to a report issued Wednesday by internet security firm Trusteer.

An analysis of 10,000 Zbot-infected computers, conducted this month, revealed that a majority were running an up-to-date AV program, Mickey Boodaei, CEO and founder of Trusteer, told SCMagazineUS.com on Wednesday. Fifty-five percent of Zbot-infected computers analyzed were running up-to-date AV programs, 31 percent had no AV and 14 percent had AV that was current, researchers at Trusteer found.

Even so, the company concluded that having an up-to-date AV product will only protect against Zbot 23 percent of the time. AV providers likely are having a tough time protecting users because the trojan has sophisticated morphing and rootkit mechanisms that allow it to penetrate deep into operating systems. Also, it protects itself from detection and removal, Boodaei said.

“It's been clear for years that anti-virus by itself is not enough anymore,” Patrik Runald, senior manager of security research at Websense, told SCMagazineUS.com in an email Wednesday. “It's about security in depth.”


Zbot, also commonly known as Zeus, has been circulating since at least 2006 and was most recently propagated through spam messages claiming to be a critical update for Microsoft Outlook. The information-stealing trojan aims to capture infected users' banking login credentials and send them back to the malware writers.

No single AV engine was any better than another at protecting users from the trojan, Boodaei said.

“All the AV vendors have difficulties in detecting and removing Zeus,” he said. “It's not limited to specific vendors.”

Zulfikar Ramzan, technical director of Symantec Security Response, told SCMagazineUS.com in an email Wednesday that there are “some issues” with the accuracy of the study, since it does not provide a breakdown of individual anti-virus companies' effectiveness at detecting Zbot.

“While the numbers produced are noteworthy, it is important to take them with a grain of salt,” Ramzan said.