Security Basics mailing list archives

Re: zeus virus


From: Todd Haverkos <infosec () haverkos com>
Date: Mon, 13 Sep 2010 11:24:02 -0500

enquiries () globalart4u com writes:

> according to the papers today a bank has been hacked and over £680k has
> been stolen from customers' accounts.  Does anyone know which bank and
> also i understand only 10% of anti-virus / malware software can detect
> this zeus virus as it keeps changing.  What is the best prevention
> currently?  Is there such a thing as a smart anti-virus like the zeus
> that can detect these changes or are they all still static?

Preventing these goodies is tantamount to saying "how do I secure my
network?"  You need multiple layers and as always, there's no silver
bullet.   

The answer to your last question is "No, antivirus definitely won't save
you."  AV is dead in a lot of ways and as you've noted is of very
limited help with this sort of thing.  It's just too easy to evade AV
with repackers, modifying the code, randomization, etc.  AV is always
playing catch up and processing thousands of new variants and malware
samples every day.  While there are AV engines with heuristic detection
based on behaviors, the rub is that they can be prone to false
positives.

Network and host based IDS have a shot at detecting the network activity
the botnet generates, but are also evade-able with similar techniques.

Damballa (damballa.com) has an intriguing solution that leverages their
research and knowledge of various botnets' command and control to detect
Zeus and other botnet activity.  Their aim is at large corporate
environments though, and you'll need your checkbook.  :-)

To prevent initial infection, you will need strong patch management,
strong security configuration on your endpoints, and user training to be
doing a best practices job at managing the risk of modern malware like
Zeus. 

Application whitelisting is also a technology worth looking into, but
there are limited places where it makes much sense without becoming a
maintenance nightmare. 

--
Todd Haverkos, LPT MsCompE
http://haverkos.com/
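The reply above says network and host based IDS "have a shot" at the traffic a bot generates. The script below is an added illustration of one such check, written for this archive page and not taken from the original post or from any product it mentions: it reads proxy-style log lines, groups requests by (source IP, destination host), and flags pairs whose inter-request gaps are too regular to look like a person browsing. The log lines, the hostnames and IPs, and the thresholds MIN_HITS and MAX_CV are all constructed for the example; it deliberately uses no Zeus-specific indicators.

```python
"""Beaconing detector over constructed proxy-log lines (added example).

Periodic callbacks to a command-and-control host show up as a client that
talks to the same destination at nearly constant intervals. This is a
generic timing check, not a Zeus signature, and every value below is
constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

MIN_HITS = 5   # hypothetical: fewer requests than this is not yet a pattern
MAX_CV = 0.2   # hypothetical: coefficient of variation of the gaps (stdev/mean)

# Constructed log, one request per line: "timestamp src_ip method host path"
SAMPLE_LOG = """\
2010-09-13T10:00:00 10.0.0.5 POST update.example.net /upd
2010-09-13T10:00:14 10.0.0.7 GET news.example.org /index.html
2010-09-13T10:05:01 10.0.0.5 POST update.example.net /upd
2010-09-13T10:07:40 10.0.0.7 GET news.example.org /story/42
2010-09-13T10:10:02 10.0.0.5 POST update.example.net /upd
2010-09-13T10:15:00 10.0.0.5 POST update.example.net /upd
2010-09-13T10:16:33 10.0.0.7 GET news.example.org /story/43
2010-09-13T10:20:01 10.0.0.5 POST update.example.net /upd
2010-09-13T10:25:02 10.0.0.5 POST update.example.net /upd
2010-09-13T10:41:10 10.0.0.7 GET news.example.org /
"""


def parse_log(text):
    """Yield (timestamp, src_ip, host) for each non-empty line."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, _method, host, _path = line.split()
        yield datetime.fromisoformat(ts), src, host


def beacon_stats(text):
    """Per (src_ip, host) pair: request count, mean gap and gap regularity.

    cv is the coefficient of variation of the inter-request gaps; a value
    near zero means the client calls back on a fixed schedule.
    """
    seen = defaultdict(list)
    for ts, src, host in parse_log(text):
        seen[(src, host)].append(ts)
    stats = {}
    for key, times in seen.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if not gaps:
            stats[key] = {"hits": len(times), "mean_gap": None, "cv": None}
            continue
        m = mean(gaps)
        # Duplicate timestamps give a zero mean; leave cv undefined then.
        cv = pstdev(gaps) / m if m > 0 else None
        stats[key] = {"hits": len(times), "mean_gap": m, "cv": cv}
    return stats


def flag_beacons(text, min_hits=MIN_HITS, max_cv=MAX_CV):
    """Return sorted (src_ip, host) pairs whose timing is suspiciously regular."""
    flagged = []
    for key, s in beacon_stats(text).items():
        if s["hits"] >= min_hits and s["cv"] is not None and s["cv"] <= max_cv:
            flagged.append(key)
    return sorted(flagged)


if __name__ == "__main__":
    for key, s in sorted(beacon_stats(SAMPLE_LOG).items()):
        print(key, s)
    print("flagged:", flag_beacons(SAMPLE_LOG))
```

On the constructed log, 10.0.0.5 calls update.example.net every five minutes give or take a second and is flagged; 10.0.0.7's browsing of news.example.org has irregular gaps and is not. The same caveat the reply makes about IDS applies here: a bot that randomizes its sleep interval pushes the coefficient of variation above any fixed threshold, so a check like this is one layer, not a silver bullet.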
