The security engineers and IT experts from the Comodo Threat Research Labs are constantly analyzing the thousands of malware families that are trying to cause destruction and chaos to IT infrastructures large and small – and ensuring the customers of Comodo stay protected and secure from these malware families.
In an ongoing series of posts here at blogs.comodo.com, the security experts at Comodo will look at a specific malware family, stack it up against Comodo’s advanced endpoint protection and containment technology, and talk about how and why Comodo’s technology defeats all malware. Comodo Senior Vice President of Engineering Egemen Tas and Director of Threat Research Igor Demihovskiy offered their perspectives for this edition, as told to Senior Product Marketing Manager Paul Mounkes.
Overview
First reported in 2007, Zeus is a man-in-the-browser malware that generally targets users of online banking applications. The creator and operator of Zeus developed a massive botnet of 3.6 million machines infected in the US alone, and built up a large global network of hackers and money mules in the US, UK and Ukraine. They made off with at least $70 million before the FBI finally dismantled the organization in 2010.
Is Zeus still a threat?
If you think Zeus is dead, think again. Successful malware never dies; it just changes, becomes more sophisticated and/or is used in different ways. Zeus itself has spawned multiple wildly successful variants, and is believed to have been used as part of Advanced Persistent Threat (APT) attacks like Carbanak. Zeus gained even more notoriety when its components were used to create the Gameover Zeus botnet that distributed the dreaded Cryptolocker ransomware.
Banks and security technologies have gotten better at thwarting MitB attacks, but the world of cybercrime is a complex chess game full of moves and counter-moves. Is Zeus just old, tired news? Are you safe from Zeus? You be the judge. Below are just two of the headlines to come out in the last year.
January 29, 2015: “New Zeus Variant Uses Sophisticated Control Panel”
August 24, 2015: “Sphinx: New Zeus Variant for Sale on the Black Market”
What does Zeus do?
Zeus is dropped onto systems using typical social engineering attacks like phishing and drive-by downloads. Once installed, it uses key logging and form grabbing/"hooking" techniques to steal login codes and personal data from users; but that’s not what makes it special. After all, viruses have been doing that since long before Zeus was born.
Zeus’ genius lies in its ability to 1) hijack the browser’s Document Object Model (DOM) interface to inject custom code into the browser’s HTTP traffic, giving the hacker enough control over user sessions that they can intercept and change the user’s actions so that the bank receives the hacker’s instructions instead; and 2) manipulate what the user sees onscreen in order to hide malicious activity. This means that, while the hacker is stealing money, the user still sees their normal pre-theft account balances, and the record of the transaction is hidden from them. This type of trickery creates a comparatively massive window of opportunity for cybercriminals to plan and operate.
Zeus is Insidious
According to Trusteer, fully up-to-date traditional antivirus software has a tested success rate of only 23% against Zeus. So when it comes to this particular Trojan, antivirus software performance is far worse than its usual hit-or-miss ratio. It’s more like miss-miss-miss-hit. That means it’s important to have AV, but it isn’t nearly enough.
Once detected, Zeus can be removed, but only with difficulty. However, by that time it has probably already done damage to the user, because in many cases a single day of infection is enough to empty out a bank account. That’s why it’s imperative to prevent Zeus from ever gaining a foothold on your systems.
How does Comodo defeat Zeus?
With Comodo One Client Advanced Endpoint Protection, the Zeus executable is either immediately recognized as malware and quarantined, or designated as an unknown file and forced to run in secure virtual containment. The installer will attempt to create a folder and two files – a config file and a file to store stolen data. Comodo One Client’s container denies access to the system’s hard drive, redirecting the action to a virtual drive that is wholly isolated from the protected system.
The executable will also try to inject itself into multiple services, such as winlogon.exe, explorer.exe and svchost.exe. Because these services are virtualized, no harm is done to the protected system.
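The two behaviours just described, a dropper creating its own folder with a config file and a data-store file and then injecting into winlogon.exe, explorer.exe or svchost.exe, can be turned into a simple behavioural rule. The following is an added example written for this post, not Comodo’s code; the telemetry format and the sample events are constructed and hypothetical.

```python
import json
from collections import defaultdict

# Processes the post names as injection targets.
INJECTION_TARGETS = {"winlogon.exe", "explorer.exe", "svchost.exe"}

# Constructed endpoint telemetry, one JSON object per line (hypothetical
# format, not a Comodo log). pid 4120 behaves like the dropper described
# in the post; pid 800 is a benign, already-trusted installer as a control.
SAMPLE_EVENTS = r"""
{"pid": 4120, "image": "C:\\Users\\bob\\AppData\\Roaming\\invoice.exe", "verdict": "unknown", "action": "create_dir", "target": "C:\\Users\\bob\\AppData\\Roaming\\xq1"}
{"pid": 4120, "image": "C:\\Users\\bob\\AppData\\Roaming\\invoice.exe", "verdict": "unknown", "action": "create_file", "target": "C:\\Users\\bob\\AppData\\Roaming\\xq1\\cfg.bin"}
{"pid": 4120, "image": "C:\\Users\\bob\\AppData\\Roaming\\invoice.exe", "verdict": "unknown", "action": "create_file", "target": "C:\\Users\\bob\\AppData\\Roaming\\xq1\\data.bin"}
{"pid": 4120, "image": "C:\\Users\\bob\\AppData\\Roaming\\invoice.exe", "verdict": "unknown", "action": "inject", "target": "explorer.exe"}
{"pid": 4120, "image": "C:\\Users\\bob\\AppData\\Roaming\\invoice.exe", "verdict": "unknown", "action": "inject", "target": "svchost.exe"}
{"pid": 800, "image": "C:\\Temp\\setup.exe", "verdict": "trusted", "action": "create_dir", "target": "C:\\Program Files\\Tool"}
{"pid": 800, "image": "C:\\Temp\\setup.exe", "verdict": "trusted", "action": "create_file", "target": "C:\\Program Files\\Tool\\tool.exe"}
{"pid": 800, "image": "C:\\Temp\\setup.exe", "verdict": "trusted", "action": "create_file", "target": "C:\\Program Files\\Tool\\tool.cfg"}
"""

def find_zeus_like(raw_events):
    """Return {pid: reasons} for processes that both drop at least two files
    into a directory they created and inject into a listed system process.
    A file already verdicted 'trusted' is not flagged (reputation tie-break)."""
    dirs_made, files_made = defaultdict(set), defaultdict(list)
    injected, verdict = defaultdict(set), {}
    for line in raw_events.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        pid, target = ev["pid"], ev["target"].lower()
        verdict[pid] = ev.get("verdict", "unknown")
        if ev["action"] == "create_dir":
            dirs_made[pid].add(target)
        elif ev["action"] == "create_file":
            files_made[pid].append(target)
        elif ev["action"] == "inject" and target in INJECTION_TARGETS:
            injected[pid].add(target)
    hits = {}
    for pid in verdict:
        # Only count files written inside a directory this same process created.
        dropped = [f for f in files_made[pid]
                   if any(f.startswith(d + "\\") for d in dirs_made[pid])]
        if len(dropped) >= 2 and injected[pid] and verdict[pid] != "trusted":
            hits[pid] = {"dropped": dropped, "injected": sorted(injected[pid])}
    return hits
```

The rule deliberately requires both behaviours: either one alone (an installer writing its own folder, or a legitimate tool injecting into explorer.exe) is common enough to be noisy.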
As previously mentioned, Zeus attempts to access the browser’s Document Object Model (DOM) interface in order to inject custom code into browser processes to change the data the user transmits as well as what the user sees onscreen. With the executable running in containment, it is blind to all user and system processes. It is unable to locate what it needs to carry out its attack, and fails.
But it’s unlikely the executable will be allowed to run in containment even long enough to make these attempts. The file is sandboxed and analyzed using Comodo One’s multi-layered approach. Local and cloud-based Specialized Threat Analysis and Protection (STAP) engines combine with intelligent interpretation to return a verdict of Known Bad. The executable is terminated and dealt with per administrator policy, and the container is deleted as if nothing ever happened.
Only with Comodo is Zeus truly “dead.”
If you feel your company’s IT environment is under attack from phishing, malware, spyware or cyberattacks, contact the security consultants at Comodo’s Threat Research Labs: https://enterprise.comodo.com/contact-us.php
Tags: Comodo Auto-Containment, stap, zeus trojan