The crimeware application Zeus is loose on the web with a new version, 1.4, and is attacking computers across the globe. As of April 21, Zeus 1.4 has infected 1 in every 3000 computers monitored in North America and the United Kingdom, and Symantec's latest Internet Security Threat Report showed that nearly 90,000 unique variants of the Zeus toolkit were observed in 2009. Zeus is specifically designed to steal login credentials to online banking sites and similar secure web sites.
Zeus's Core Features
The latest version of Zeus is the most advanced and powerful yet. Once Zeus infects a computer, it employs nearly every tool in the hacking arsenal to steal data from the infected computer. In addition to the core methods listed below, the latest version uses polymorphic encryption to effectively re-invent and re-disguise itself each time it infects a new computer, making detection even more
- Steals data submitted in HTTP forms
- Steals account credentials stored in the Windows Protected Storage
- Steals client-side X.509 public key infrastructure (PKI) certificates
- Steals FTP and POP account credentials
- Steals/deletes HTTP and Flash cookies
- Modifies the HTML pages of target websites for information stealing purposes
- Redirects victims from target web pages to attacker controlled ones
- Takes screenshots and scrapes HTML from target sites
- Searches for and uploads files from the infected computer
- Modifies the local hosts file (%systemroot%\system32\drivers\etc\hosts)
- Downloads and executes arbitrary programs
- Deletes crucial registry keys, rendering the computer unable to boot into Windows
The authors also offer a VNC module for Zeus that will allow a hacker to take full control of an infected user's computer without any indication to the owner of the PC and allow real-time screen and keyboard capture, as well as access to local hardware devices, such as USB ports and smart card devices. The application is widely distributed on the black market for prices ranging from $3,000 to over $20,000, depending on the modules purchased.
How MemberProtect Helps
The newest version of MemberProtect allows programmers to issue unique logon tokens to a user's smart phone, cell phone or email address. These tokens can be combined with an application's other logon methods to prevent a remote login even if the user's other login credentials are stolen. Programmers can configure the unique token to expire immediately after the first use, thus making it useless to a hacker.
By combining MemberProtect authentication tokens with several other MemberProtect multi-factor authentication functions, programmers can make their applications significantly less vulnerable to Zeus's attack arsenal.
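The single-use logon token described above, sketched as an added example (this is not MemberProtect code and does not use its API). The class and function names, the 8-digit token format, the 300-second lifetime and the in-memory storage are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets
import time


class OneTimeTokenStore:
    """In-memory store of single-use logon tokens (hypothetical names)."""

    def __init__(self, ttl_seconds=300, clock=time.monotonic):
        self._ttl = ttl_seconds
        self._clock = clock
        self._pending = {}  # user -> (SHA-256 digest of token, expiry time)

    @staticmethod
    def _digest(token):
        return hashlib.sha256(token.encode("utf-8")).digest()

    def issue(self, user):
        """Create a token to deliver out of band; replaces any older token."""
        token = f"{secrets.randbelow(10**8):08d}"  # assumed 8-digit format
        # Only the digest is kept, so a dump of this store reveals no usable token.
        self._pending[user] = (self._digest(token), self._clock() + self._ttl)
        return token

    def redeem(self, user, submitted):
        """Return True at most once per issued token."""
        # pop() consumes the entry on every attempt: a successful login and a
        # wrong guess both invalidate it, so a captured token cannot be replayed.
        entry = self._pending.pop(user, None)
        if entry is None:
            return False
        digest, expires_at = entry
        if self._clock() > expires_at:
            return False
        return hmac.compare_digest(digest, self._digest(submitted))


def login(store, passwords, user, password, token):
    """Require both factors; the token is consumed even if the password is wrong."""
    # Constructed demo: passwords are plain strings here, real systems store hashes.
    expected = passwords.get(user, "").encode("utf-8")
    password_ok = hmac.compare_digest(expected, password.encode("utf-8"))
    token_ok = store.redeem(user, token)
    return password_ok and token_ok
```

A password and token captured from a submitted form fail on the second use, because the first `redeem` call already removed the token from the store.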
Apr 25, 2010 • by Jason Sherrill