Comodo Antivirus Labs has identified a new and extremely dangerous variant of the Zeus banking Trojan. Hackers use Zeus to launch attacks that obtain the login credentials of visitors to online banking sites and commit financial fraud. The significance of this variant is the combination of a legitimate digital signature, rootkit and malware component. Malware with a valid digital signature is an extremely dangerous situation.
A valid digital signature tells browsers and antivirus products that a file comes from an identified publisher and has not been modified since it was signed; many security controls treat that as evidence the file is not a threat, even though a signature says nothing about the intent of the code. Versions of Zeus have been around for several years, but with a valid digital certificate antivirus systems are much less likely to take action, or will give lower levels of warning.
The Comodo team identified the variant because they continuously monitor and analyze scan data from users of Comodo's internet security products. So far they have found over 200 unique hits for this variant among those users.
Zeus is distributed to a wide audience, primarily through infected web page components or through email phishing. The phishing emails appear to be from a trusted source, such as a major bank, but are actually sent by the attackers.
The type of attack launched by Zeus is called a "Man-in-the-Browser" (MitB) attack. The malware operates inside the victim's web browser and sends the attackers the information they need to create a remote session, in which they can see exactly what the victim is doing and interfere with their actions without the victim's knowledge.
For example, if the victim visits an online banking site to perform a transaction such as a funds transfer, everything appears normal to them: the payment details they keyed in display as expected, but behind the scenes the malware alters the transaction, redirecting it to another account and possibly increasing the amount.
The hackers work with “Money Mules” who establish bank accounts using false credentials and receive a commission for handling ill-gotten gains.
To stay protected from such threats, install Comodo Internet Security and make sure to keep all of its real time shields enabled.
There are three components to an attack launched by this Zeus variant: a digitally signed dropper, a rootkit driver that protects the infection, and the Zbot banking component itself.
Comodo first learned of the variant from a sample submitted by a Comodo user. It attempts to trick the user into executing it by presenting itself as some type of Internet Explorer document, including an icon similar to the Windows browser. What is alarming about this is that the file is digitally signed with a valid certificate, making it appear trustworthy at first glance. The digital certificate is issued to “isonet ag”.
When run, the file reads its own image into memory, appends the full path it was executed from to the end of that image, and writes the result to %temp%\tahol.exe.
The dropped file is then executed and the installer exits.
The dropped file then tries to download rootkit components from two web locations, lovestogarden.com/images/general/TARGT.tpl and villaveronica.it/images/general/TARGT.tpl.
After decrypting the downloaded payload, the rootkit driver is installed in the "Boot Bus Extender" load-order group so that it is loaded before other drivers. Its purpose is to protect the malicious files and autorun entries from being deleted by the user or by antivirus software, which makes removal considerably harder.
The protected executable that is added to startup is a variant of the known Zbot banker trojan, designed to retrieve banking and other sensitive data from the user's computer.
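Two of the observations above are things an analyst can check mechanically on any suspect PE file: whether the file carries an Authenticode certificate table at all (the "signed dropper" property) and whether there is data past the last section that the certificate table does not account for, such as the execution path the dropper appends when it writes %temp%\tahol.exe. The following script is an added example written for this page; it is not Comodo's tooling and was not derived from the sample. It parses the PE headers directly, computes the overlay, and searches the bytes outside the certificate table for Windows paths. The sample files it runs on are constructed in memory with a placeholder certificate blob, and the assumption that the appended path is stored as a plain NUL-terminated string is mine, since the write-up does not describe the marker's encoding.

```python
import re
import struct

# IMAGE_DIRECTORY_ENTRY_SECURITY: data directory slot holding the file offset
# and size of the Authenticode certificate table (an offset, not an RVA).
SECURITY_DIR_INDEX = 4

# Windows absolute path such as C:\Users\x\y.exe; stops at NUL/control bytes.
_PATH_RE = re.compile(r'[A-Za-z]:\\(?:[^\x00-\x1f\\:*?"<>|]+\\)*[^\x00-\x1f\\:*?"<>|]+')


def _u16(b, off):
    return struct.unpack_from("<H", b, off)[0]


def _u32(b, off):
    return struct.unpack_from("<I", b, off)[0]


def _find_paths(blob: bytes) -> list:
    """Return unique path-like strings found as ASCII or UTF-16LE text."""
    found = []
    for text in (blob.decode("latin-1"), blob.decode("utf-16-le", errors="ignore")):
        for m in _PATH_RE.findall(text):
            if m not in found:
                found.append(m)
    return found


def analyze_pe(data: bytes) -> dict:
    """Locate the overlay (bytes past the last section) and the part of it that
    the certificate table does not cover, then look for embedded paths there."""
    if data[:2] != b"MZ":
        raise ValueError("not a PE file: missing MZ header")
    pe_off = _u32(data, 0x3C)                      # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("not a PE file: missing PE signature")
    coff = pe_off + 4
    n_sections = _u16(data, coff + 2)
    opt_size = _u16(data, coff + 16)
    opt = coff + 20
    magic = _u16(data, opt)
    # Data directories start 96 bytes into a PE32 optional header, 112 for PE32+.
    dd = opt + (96 if magic == 0x10B else 112)
    cert_off = _u32(data, dd + SECURITY_DIR_INDEX * 8)
    cert_size = _u32(data, dd + SECURITY_DIR_INDEX * 8 + 4)

    sections = opt + opt_size
    end_of_sections = 0
    for i in range(n_sections):
        sh = sections + i * 40
        raw_size = _u32(data, sh + 16)             # SizeOfRawData
        raw_ptr = _u32(data, sh + 20)              # PointerToRawData
        end_of_sections = max(end_of_sections, raw_ptr + raw_size)

    has_signature = cert_off != 0 and cert_size != 0
    # Everything after the last section that is not the certificate table.
    accounted_end = end_of_sections
    if has_signature:
        accounted_end = max(accounted_end, cert_off + cert_size)
    trailing = data[accounted_end:]
    return {
        "has_signature": has_signature,
        "cert_table": (cert_off, cert_size),
        "overlay_offset": end_of_sections,
        "overlay_size": len(data) - end_of_sections,
        "unsigned_trailing_bytes": len(trailing),
        "embedded_paths": _find_paths(trailing),
    }


def build_sample(signed: bool, appended: bytes) -> bytes:
    """Constructed minimal PE32 with one section, used as offline test input.
    The certificate blob is a placeholder WIN_CERTIFICATE, not a real signature."""
    hdr = bytearray(0x200)
    hdr[0:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)        # e_lfanew
    hdr[0x40:0x44] = b"PE\0\0"
    coff = 0x44
    # Machine=i386, 1 section, SizeOfOptionalHeader=0xE0, EXECUTABLE|32BIT
    struct.pack_into("<HHIIIHH", hdr, coff, 0x14C, 1, 0, 0, 0, 0xE0, 0x102)
    opt = coff + 20
    struct.pack_into("<H", hdr, opt, 0x10B)        # PE32 magic
    struct.pack_into("<I", hdr, opt + 92, 16)      # NumberOfRvaAndSizes
    struct.pack_into("<8sIIIIIIHHI", hdr, opt + 0xE0, b".text",
                     0x200, 0x1000, 0x200, 0x200, 0, 0, 0, 0, 0x60000020)
    section = b"\xCC" * 0x200                      # raw data at 0x200..0x400
    cert = b""
    if signed:
        # dwLength, wRevision=0x0200, wCertificateType=PKCS_SIGNED_DATA
        cert = struct.pack("<IHH", 0x88, 0x200, 0x2) + b"\x30" * 0x80
        struct.pack_into("<II", hdr, opt + 96 + SECURITY_DIR_INDEX * 8,
                         len(hdr) + len(section), len(cert))
    return bytes(hdr) + section + cert + appended


if __name__ == "__main__":
    # Constructed marker: the path the dropper was launched from, NUL-terminated.
    marker = b"C:\\Users\\victim\\Downloads\\invoice.exe\x00"
    print(analyze_pe(build_sample(True, marker)))
    print(analyze_pe(build_sample(False, b"")))
```

A non-zero `unsigned_trailing_bytes` on a file that also has a certificate table is the combination worth a closer look: the Authenticode hash covers bytes after the certificate table, so a signed file with data appended past it will no longer verify, which is itself a useful triage signal, while bytes hidden inside the table's slack are not hashed, so `cert_table` is reported to let an analyst carve and inspect the blob directly. The script reports presence of a certificate table only; whether the signature actually validates, and who the signer is, needs a real verifier such as the Windows `signtool verify` or `osslsigncode`.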