Same as the old boss …

A popular form of malware called ZeuS/Zbot has made a comeback and SMB’s are particularly at risk.  Initially identified in 2007,  the malware typically steals user credentials for banking activity.  SMB’s have higher risk exposure because they typically don’t have the resources for risk and security programs.  One SMB, a Maine construction company, was robbed of almost $600,000 in 2009.

ZeuS/Zbot source code is known to be readily available on underground informal networks as well as, apparently, even available for sale.

Back because it works

Once thought to be largely eradicated, ZeuS/ZBot is back because of market analysis and software upgrades.  SMB’s typically have a richer target (bigger accounts) than individuals and are also generally less protected than larger businesses.  Facebook is also providing a new and effective ‘attack vector’ for getting the malware onto user computers to steal data.

How does it work ?

ZeuS/Zbot uses a ‘Man-In-The-Browser’ (MITB) attack. Once a machine is infected, Zbot is able to monitor web activity and watch for particular banking sites.  User credentials are copied and replicated on a database maintained by the attacker. With this information, attackers or their proxies (‘mules’) can login and transfer money wherever they’d like.  By downloading a configuration file established by the attacker, the list of banking sites can be updated.

Prevention/due care activity for SMB’s includes:

• Move banking activity to dedicated machines used for no other purpose than banking
• Educate employees on threats, risks, and behavior
• Review high risk accounts (eg big balances) and access/authorization to them
• Keep antivirus/antimalware software current
• Implement a simple information risk management plan (Shocking!)

What percentage of your computers have current antivirus scanning? How do you know?