The security engineers and IT experts from the Comodo Threat Research Labs are constantly analyzing the thousands of malware families that are trying to cause destruction and chaos to IT infrastructures large and small – and ensuring the customers of Comodo stay protected and secure from these malware families.
In an ongoing series of posts here at blogs.comodo.com, the security experts at Comodo will look at a specific malware family, stack it up against Comodo’s advanced endpoint protection and containment technology, and talk about how and why Comodo’s technology defeats all malware. Comodo Senior Vice President of Engineering Egemen Tas and Director of Threat Research Igor Demihovskiy offered their perspectives for this edition, as told to Senior Product Marketing Manager Paul Mounkes.
First reported in 2007, Zeus is a man-in-the-browser (MitB) malware that generally targets users of online banking applications. The creator and operator of Zeus developed a massive botnet of 3.6 million infected machines in the US alone, and built up a large global network of hackers and money mules in the US, UK and Ukraine. They made off with at least $70 million before the FBI finally dismantled the organization in 2010.
Is Zeus still a threat?
If you think Zeus is dead, think again. Successful malware never dies; it just changes, becomes more sophisticated and/or is used in different ways. Zeus itself has spawned multiple wildly successful variants, and is believed to have been used as part of Advanced Persistent Threat (APT) attacks like Carbanak. Zeus gained even more notoriety when its components were used to create the Gameover Zeus botnet that distributed the dreaded Cryptolocker ransomware.
Banks and security technologies have gotten better at thwarting MitB attacks, but the world of cybercrime is a complex chess game full of moves and counter-moves. Is Zeus just old, tired news? Are you safe from Zeus? You be the judge. Below are just two of the headlines to come out in the last year.
January 29, 2015: “New Zeus Variant Uses Sophisticated Control Panel”
August 24, 2015: “Sphinx: New Zeus Variant for Sale on the Black Market”
What does Zeus do?
Zeus is dropped onto systems using typical social engineering attacks like phishing and drive-by downloads. Once installed, it uses keylogging and form grabbing (“hooking”) techniques to steal login codes and personal data from users, but that’s not what makes it special. After all, viruses have been doing that since long before Zeus was born.
Zeus’ genius lies in its ability to (1) hijack the browser’s Document Object Model (DOM) interface to inject custom code into the browser’s HTTP traffic, giving the hacker enough control over user sessions to intercept and change the user’s actions so that the bank receives the hacker’s instructions instead, and (2) manipulate what the user sees onscreen in order to hide the malicious activity. This means that, while the hacker is stealing money, the user still sees their normal pre-theft account balances, and the record of the transaction is hidden from them. This type of trickery creates a comparatively massive window of opportunity for cybercriminals to plan and operate.
Zeus is Insidious
According to Trusteer, fully up-to-date traditional antivirus software has a tested success rate of only 23% against Zeus. So when it comes to this particular Trojan, antivirus performance is far worse than its usual hit-or-miss ratio. It’s more like miss-miss-miss-hit. That means it’s important to have AV, but it isn’t nearly enough.
Once detected, Zeus can be removed, though with difficulty. However, by that time it has probably already done damage to the user, because in many cases a single day of infection is enough to empty out a bank account. That’s why it’s imperative to prevent Zeus from ever gaining a foothold on your systems.
How does Comodo defeat Zeus?
With Comodo One Client Advanced Endpoint Protection, the Zeus executable is either immediately recognized as malware and quarantined, or designated as an unknown file and forced to run in secure virtual containment. The installer will attempt to create a folder and two files – a config file and a file to store stolen data. Comodo One Client’s container denies access to the system’s hard drive, redirecting the action to a virtual drive that is wholly isolated from the protected system.
The executable will also try to inject itself into multiple system processes, such as winlogon.exe, explorer.exe and svchost.exe. Because these processes are virtualized inside the container, no harm is done to the protected system.
As previously mentioned, Zeus attempts to access the Document Object Model (DOM) interface in order to inject custom code into browser processes, changing both the data the user transmits and what the user sees onscreen. With the executable running in containment, it is blind to all user and system processes. It is unable to locate what it needs to carry out its attack, and fails.
But it’s unlikely the executable will be allowed to run in containment even long enough to make these attempts. The file is sandboxed and analyzed using Comodo One’s multi-layered approach. Local and cloud-based Specialized Threat Analysis and Protection (STAP) engines combine with intelligent interpretation to return a verdict of Known Bad. The executable is terminated and dealt with per administrator policy, and the container is deleted as if nothing ever happened.
Only with Comodo is Zeus truly “dead.”
If you feel your company’s IT environment is under attack from phishing, malware, spyware or other cyberattacks, contact the security consultants at Comodo’s Threat Research Labs: https://enterprise.comodo.com/contact-us.php