SlideShare uma empresa Scribd logo

Zeus and Antivirus

S
Scientia Groups
Tecnologia
1 de 6
Baixar para ler offline
Measuring the in-the-wild effectiveness of Antivirus against Zeus Trusteer September 14, 2009 Trusteer, Inc.142 Wooster St. New York, NY 10012Sales 646.247.5669info@trusteer.comwww.trusteer.com
Introduction There are many reports on how anti-virus products fare against malware, yet most of these reports focus on in-the-lab testing of specific malware strands against a specific antivirus configuration. Very little is said about the situation in the field – where malware distribution statistics (and to some extent, antivirus distribution statistics) are unclear. Trusteer is uniquely positioned in a way that enables it to get a comprehensive view of consumer world PCs – Trusteer Rapport is installed on millions of consumer PCs and reports statistics of malware infection and security software installed. We chose to focus on Zeus (also known as Zbot, WSNPOEM, NTOS and PRG) as it tops the list of financial Trojans. In other words, Zeus is probably the most painful financial malware out there, both in terms of infection size, and in terms of effectiveness. About Zeus Zeus is a financial malware. It infects consumer PCs, waits for them to log onto a list of targeted banks and financial institutions, and then steals their credentials and sends them to a remote server in real time. Additionally, it may inject HTML into the pages rendered by the browser, so that its own content is displayed together (or instead of) the genuine pages from the bank’s web server. Thus, it is able to ask the user to divulge more personal information, such as payment card number and PIN, one time passwords and TANs, etc. 1 Zeus uses some rootkit techniques to evade detection and removal. http://www.networkw Zeus is the #1 botnet, with 3.6 million PCs infected in the US alone (i.e. orld.com/news/2009/0 72209-botnets.html approximately 1% of the PCs in the US), according to a recent report1. This is backed by Trusteer’sfield figures as well, as can be seen in the following pie chart of relative financial malware distribution: Security Advisory l 2 White Paper © 2009 Trusteer, Inc.
Methodology Our research is based on statistics gathered from Rapport agents running on users’ PCs. Rapport detects Zeus through a unique fingerprint left by Zeus when it penetrates the browser process. This fingerprint is an inherent part of Zeus’s modus operandi. Rapport detects the existence of antivirus products and whether they’re up-to-date via the Windows Security Center. Note that some antivirus solutions do not report to the Windows Security Center. In this scenario we categorize the machine as not having an antivirus. This means that the real number of users who are infected with Zeus and run an up-to- date antivirus is actually bigger than the number we detected, indicating that the problem is even worse than our findings. Raw statistics The following data has been collected from consumer PCs during one day in September 2009: General Population Zeus-infected No Antivirus found 23% 31% Antivirus found but not up-to-date 6% 14% Antivirus is up-to-date 71% 55% The Zeus-infected population we sampled consisted of 10,000 machines. Security Advisory l 3 White Paper © 2009 Trusteer, Inc.
A quick glimpse at this table already reveals a disturbing phenomenon – the majority of Zeus infections occur on machines which have an installed an up-to-date anti-virus product. The distribution of antivirus products we observed on infected and clean machines is pretty constant and therefore we cannot attribute infections to a specific set of antivirus products that perform less effectively than the others. Security Advisory l 4 White Paper © 2009 Trusteer, Inc.
Quantitative Analysis The data above enables us to calculate the efficiency of anti-virus products at large, as well of that of specific products. To this end, we can employ the Bayesian theorem: AVUTD = Antivirus is up-to-date NoAV = No antivirus found p(Zeus|AVUTD)=p(AVUTD|Zeus)*p(Zeus)/p(AVUTD) p(Zeus|NoAV)=p(NoAV|Zeus)*p(Zeus)/p(NoAV) Dividing both sides, we obtain the following ratio: p(Zeus|AVUTD)/p(Zeus/NoAV)=(p(AVUTD|Zeus)*p(NoAV))/(p( AVUTD)*p(NoAV|Zeus)) We can now substitute values: p(AVUTD|Zeus)=0.55 p(NoAV|Zeus)=0.31 p(AVUTD)=0.71 p(NoAV)=0.23 This yields: Security Advisory l 5 White Paper © 2009 Trusteer, Inc.
p(Zeus|AVUTD)/p(Zeus|NoAV)=0.77 In other words, installing an anti-virus product and maintaining it up to date reduces the probability to get infected by Zeus by 23%, compared to running without an anti-virus altogether. The effectiveness of an up to date anti virus against Zeus is thus not 100%, not 90%, not even 50% - it’s just 23%. Conclusion We measured the efficiency of antivirus products in the wild, against Zeus. In a sense, it’s more accurate than in-the-lab experiments, since it measures the real phenomenon – the actual infections in the wild, vs. real antivirus deployment in the wild. The result we measured, efficiency level of 23%, is disturbing, and reveals that the vast majority of Zeus infections go unnoticed by antivirus products. Security Advisory l 6 White Paper © 2009 Trusteer, Inc.

Recomendados

The True Cost of Anti-Virus: How to Ensure More Effective and Efficient Endp...
The True Cost of Anti-Virus: How to Ensure More Effective and Efficient Endp...The True Cost of Anti-Virus: How to Ensure More Effective and Efficient Endp...
The True Cost of Anti-Virus: How to Ensure More Effective and Efficient Endp...
Lumension
 
Malware's most wanted-zberp-the_financial_trojan
Malware's most wanted-zberp-the_financial_trojanMalware's most wanted-zberp-the_financial_trojan
Malware's most wanted-zberp-the_financial_trojan
Cyphort
 
Why One Virus Engine is Not Enough
Why One Virus Engine is Not EnoughWhy One Virus Engine is Not Enough
Why One Virus Engine is Not Enough
GFI Software
 
Virus and antivirus
Virus and antivirusVirus and antivirus
Virus and antivirus
Prem Sahu
 
Preventing Known and Unknown Threats
Preventing Known and Unknown ThreatsPreventing Known and Unknown Threats
Preventing Known and Unknown Threats
OPSWAT
 
Colby_Sawyer_white_paper final 2
Colby_Sawyer_white_paper final 2Colby_Sawyer_white_paper final 2
Colby_Sawyer_white_paper final 2
Scott Brown
 
Using Multiple Antivirus Engine Scanning to Protect Critical Infrastructure
Using Multiple Antivirus Engine Scanning to Protect Critical InfrastructureUsing Multiple Antivirus Engine Scanning to Protect Critical Infrastructure
Using Multiple Antivirus Engine Scanning to Protect Critical Infrastructure
OPSWAT
 
Antivirus
AntivirusAntivirus
Antivirus
Pankaj Kumawat
 

Recomendados

The True Cost of Anti-Virus: How to Ensure More Effective and Efficient Endp...
The True Cost of Anti-Virus: How to Ensure More Effective and Efficient Endp...The True Cost of Anti-Virus: How to Ensure More Effective and Efficient Endp...
The True Cost of Anti-Virus: How to Ensure More Effective and Efficient Endp...
Lumension
 
Malware's most wanted-zberp-the_financial_trojan
Malware's most wanted-zberp-the_financial_trojanMalware's most wanted-zberp-the_financial_trojan
Malware's most wanted-zberp-the_financial_trojan
Cyphort
 
Why One Virus Engine is Not Enough
Why One Virus Engine is Not EnoughWhy One Virus Engine is Not Enough
Why One Virus Engine is Not Enough
GFI Software
 
Virus and antivirus
Virus and antivirusVirus and antivirus
Virus and antivirus
Prem Sahu
 
Preventing Known and Unknown Threats
Preventing Known and Unknown ThreatsPreventing Known and Unknown Threats
Preventing Known and Unknown Threats
OPSWAT
 
Colby_Sawyer_white_paper final 2
Colby_Sawyer_white_paper final 2Colby_Sawyer_white_paper final 2
Colby_Sawyer_white_paper final 2
Scott Brown
 
Using Multiple Antivirus Engine Scanning to Protect Critical Infrastructure
Using Multiple Antivirus Engine Scanning to Protect Critical InfrastructureUsing Multiple Antivirus Engine Scanning to Protect Critical Infrastructure
Using Multiple Antivirus Engine Scanning to Protect Critical Infrastructure
OPSWAT
 
Antivirus
AntivirusAntivirus
Antivirus
Pankaj Kumawat
 
Metascan Multi-scanning Technology
Metascan Multi-scanning TechnologyMetascan Multi-scanning Technology
Metascan Multi-scanning Technology
OPSWAT
 
Computer virus 2
Computer virus 2Computer virus 2
Computer virus 2
Nishant Reshwal
 
Modeling and Containment of Uniform Scanning Worms
Modeling and Containment of Uniform Scanning WormsModeling and Containment of Uniform Scanning Worms
Modeling and Containment of Uniform Scanning Worms
IOSR Journals
 
A generic virus scanner in c++
A generic virus scanner in c++A generic virus scanner in c++
A generic virus scanner in c++
UltraUploader
 
Increasing DevSecOps Maturity Level in 2021
Increasing DevSecOps Maturity Level in 2021Increasing DevSecOps Maturity Level in 2021
Increasing DevSecOps Maturity Level in 2021
Alexandre Rebert
 
Defense Innovation Summit
Defense Innovation SummitDefense Innovation Summit
Defense Innovation Summit
OPSWAT
 
20111204 intro malware_livshits_lecture02
20111204 intro malware_livshits_lecture0220111204 intro malware_livshits_lecture02
20111204 intro malware_livshits_lecture02
Computer Science Club
 
How Antivirus detects VIRUS
How Antivirus detects VIRUSHow Antivirus detects VIRUS
How Antivirus detects VIRUS
Satyam Sangal
 
Network virus detection & prevention
Network virus detection & preventionNetwork virus detection & prevention
Network virus detection & prevention
Khaleel Assadi
 
Antivirus
AntivirusAntivirus
Antivirus
ava & araf co.
 
Security Vulnerabilities in Modern Operating Systems
Security Vulnerabilities in Modern Operating SystemsSecurity Vulnerabilities in Modern Operating Systems
Security Vulnerabilities in Modern Operating Systems
Cisco Canada
 
Ast 0052862 Sophos Stopping Fake Antivirus Wpna Sept11
Ast 0052862 Sophos Stopping Fake Antivirus Wpna Sept11Ast 0052862 Sophos Stopping Fake Antivirus Wpna Sept11
Ast 0052862 Sophos Stopping Fake Antivirus Wpna Sept11
Josh Castellano
 
Antivirus update reaction times of major antivirus vendors
Antivirus update reaction times of major antivirus vendorsAntivirus update reaction times of major antivirus vendors
Antivirus update reaction times of major antivirus vendors
UltraUploader
 
Beyond layers and peripheral antivirus security
Beyond layers and peripheral antivirus securityBeyond layers and peripheral antivirus security
Beyond layers and peripheral antivirus security
UltraUploader
 
Ch03 Network and Computer Attacks
Ch03 Network and Computer AttacksCh03 Network and Computer Attacks
Ch03 Network and Computer Attacks
phanleson
 
Anti virus and current trends
Anti virus and current trendsAnti virus and current trends
Anti virus and current trends
Athena Catindig
 
Virus & Antivirus
Virus & AntivirusVirus & Antivirus
Virus & Antivirus
Anirudh Kannan
 
Next Dimension and Veeam | Solutions for PIPEDA Compliance
Next Dimension and Veeam | Solutions for PIPEDA ComplianceNext Dimension and Veeam | Solutions for PIPEDA Compliance
Next Dimension and Veeam | Solutions for PIPEDA Compliance
Next Dimension Inc.
 
Zbot/Zeus And Antivirus
Zbot/Zeus And AntivirusZbot/Zeus And Antivirus
Zbot/Zeus And Antivirus
Kim Jensen
 
Code Red Virus
Code Red VirusCode Red Virus
Code Red Virus
mBlackwell
 
Code Red Virus
Code Red VirusCode Red Virus
Code Red Virus
smithz
 
Code Red Worm
Code Red WormCode Red Worm
Code Red Worm
RaDe0N
 

Mais conteúdo relacionado

Mais procurados

A generic virus scanner in c++
A generic virus scanner in c++A generic virus scanner in c++
A generic virus scanner in c++
UltraUploader
 
20111204 intro malware_livshits_lecture02
20111204 intro malware_livshits_lecture0220111204 intro malware_livshits_lecture02
20111204 intro malware_livshits_lecture02
Computer Science Club
 
How Antivirus detects VIRUS
How Antivirus detects VIRUSHow Antivirus detects VIRUS
How Antivirus detects VIRUS
Satyam Sangal
 
Ast 0052862 Sophos Stopping Fake Antivirus Wpna Sept11
Ast 0052862 Sophos Stopping Fake Antivirus Wpna Sept11Ast 0052862 Sophos Stopping Fake Antivirus Wpna Sept11
Ast 0052862 Sophos Stopping Fake Antivirus Wpna Sept11
Josh Castellano
 
Antivirus update reaction times of major antivirus vendors
Antivirus update reaction times of major antivirus vendorsAntivirus update reaction times of major antivirus vendors
Antivirus update reaction times of major antivirus vendors
UltraUploader
 
Beyond layers and peripheral antivirus security
Beyond layers and peripheral antivirus securityBeyond layers and peripheral antivirus security
Beyond layers and peripheral antivirus security
UltraUploader
 
Anti virus and current trends
Anti virus and current trendsAnti virus and current trends
Anti virus and current trends
Athena Catindig
 

Mais procurados (18)

Metascan Multi-scanning Technology
Metascan Multi-scanning TechnologyMetascan Multi-scanning Technology
Metascan Multi-scanning Technology
 
Computer virus 2
Computer virus 2Computer virus 2
Computer virus 2
 
Modeling and Containment of Uniform Scanning Worms
Modeling and Containment of Uniform Scanning WormsModeling and Containment of Uniform Scanning Worms
Modeling and Containment of Uniform Scanning Worms
 
A generic virus scanner in c++
A generic virus scanner in c++A generic virus scanner in c++
A generic virus scanner in c++
 
Increasing DevSecOps Maturity Level in 2021
Increasing DevSecOps Maturity Level in 2021Increasing DevSecOps Maturity Level in 2021
Increasing DevSecOps Maturity Level in 2021
 
Defense Innovation Summit
Defense Innovation SummitDefense Innovation Summit
Defense Innovation Summit
 
20111204 intro malware_livshits_lecture02
20111204 intro malware_livshits_lecture0220111204 intro malware_livshits_lecture02
20111204 intro malware_livshits_lecture02
 
How Antivirus detects VIRUS
How Antivirus detects VIRUSHow Antivirus detects VIRUS
How Antivirus detects VIRUS
 
Network virus detection & prevention
Network virus detection & preventionNetwork virus detection & prevention
Network virus detection & prevention
 
Antivirus
AntivirusAntivirus
Antivirus
 
Security Vulnerabilities in Modern Operating Systems
Security Vulnerabilities in Modern Operating SystemsSecurity Vulnerabilities in Modern Operating Systems
Security Vulnerabilities in Modern Operating Systems
 
Ast 0052862 Sophos Stopping Fake Antivirus Wpna Sept11
Ast 0052862 Sophos Stopping Fake Antivirus Wpna Sept11Ast 0052862 Sophos Stopping Fake Antivirus Wpna Sept11
Ast 0052862 Sophos Stopping Fake Antivirus Wpna Sept11
 
Antivirus update reaction times of major antivirus vendors
Antivirus update reaction times of major antivirus vendorsAntivirus update reaction times of major antivirus vendors
Antivirus update reaction times of major antivirus vendors
 
Beyond layers and peripheral antivirus security
Beyond layers and peripheral antivirus securityBeyond layers and peripheral antivirus security
Beyond layers and peripheral antivirus security
 
Ch03 Network and Computer Attacks
Ch03 Network and Computer AttacksCh03 Network and Computer Attacks
Ch03 Network and Computer Attacks
 
Anti virus and current trends
Anti virus and current trendsAnti virus and current trends
Anti virus and current trends
 
Virus & Antivirus
Virus & AntivirusVirus & Antivirus
Virus & Antivirus
 
Next Dimension and Veeam | Solutions for PIPEDA Compliance
Next Dimension and Veeam | Solutions for PIPEDA ComplianceNext Dimension and Veeam | Solutions for PIPEDA Compliance
Next Dimension and Veeam | Solutions for PIPEDA Compliance
 

Destaque

Code Red Virus
Code Red VirusCode Red Virus
Code Red Virus
mBlackwell
 
Code Red Virus
Code Red VirusCode Red Virus
Code Red Virus
smithz
 
Code Red Worm
Code Red WormCode Red Worm
Code Red Worm
RaDe0N
 

Destaque (7)

Zbot/Zeus And Antivirus
Zbot/Zeus And AntivirusZbot/Zeus And Antivirus
Zbot/Zeus And Antivirus
 
Code Red Virus
Code Red VirusCode Red Virus
Code Red Virus
 
Code Red Virus
Code Red VirusCode Red Virus
Code Red Virus
 
Code Red Worm
Code Red WormCode Red Worm
Code Red Worm
 
Zeus
ZeusZeus
Zeus
 
Computer Worms
Computer WormsComputer Worms
Computer Worms
 
Computer virus
Computer virusComputer virus
Computer virus
 

Semelhante a Zeus and Antivirus

12102 vipre business-protecting-against-the-new-wave-of-malware
12102 vipre business-protecting-against-the-new-wave-of-malware12102 vipre business-protecting-against-the-new-wave-of-malware
12102 vipre business-protecting-against-the-new-wave-of-malware
Digital Pymes
 
How to Audit
How to AuditHow to Audit
How to Audit
ayousif
 
Maranan chap2 lab2
Maranan chap2 lab2Maranan chap2 lab2
Maranan chap2 lab2
maranan_zyra
 
Antivirus program ----neri
Antivirus program ----neriAntivirus program ----neri
Antivirus program ----neri
aejay_neri
 
A generic virus detection agent on the internet
A generic virus detection agent on the internetA generic virus detection agent on the internet
A generic virus detection agent on the internet
UltraUploader
 
Cataluña antivirus programs paper
Cataluña antivirus programs paperCataluña antivirus programs paper
Cataluña antivirus programs paper
Jennifer Cataluña
 

Semelhante a Zeus and Antivirus (20)

How to cure yourself of antivirus side effects @ReveeliumBlog
How to cure yourself of antivirus side effects @ReveeliumBlogHow to cure yourself of antivirus side effects @ReveeliumBlog
How to cure yourself of antivirus side effects @ReveeliumBlog
 
Protecting Against the New Wave of Malware
Protecting Against the New Wave of MalwareProtecting Against the New Wave of Malware
Protecting Against the New Wave of Malware
 
12102 vipre business-protecting-against-the-new-wave-of-malware
12102 vipre business-protecting-against-the-new-wave-of-malware12102 vipre business-protecting-against-the-new-wave-of-malware
12102 vipre business-protecting-against-the-new-wave-of-malware
 
11 virus vs. antivirus
11 virus vs. antivirus11 virus vs. antivirus
11 virus vs. antivirus
 
Android anti virus analysis
Android anti virus analysisAndroid anti virus analysis
Android anti virus analysis
 
How to Audit
How to AuditHow to Audit
How to Audit
 
Virus and Anti virus
Virus and Anti virusVirus and Anti virus
Virus and Anti virus
 
Maranan chap2 lab2
Maranan chap2 lab2Maranan chap2 lab2
Maranan chap2 lab2
 
Stay Secure: Unveiling the Power of Antivirus Software
Stay Secure: Unveiling the Power of Antivirus SoftwareStay Secure: Unveiling the Power of Antivirus Software
Stay Secure: Unveiling the Power of Antivirus Software
 
Identifying, Monitoring, and Reporting Malware
Identifying, Monitoring, and Reporting MalwareIdentifying, Monitoring, and Reporting Malware
Identifying, Monitoring, and Reporting Malware
 
Antivirus program ----neri
Antivirus program ----neriAntivirus program ----neri
Antivirus program ----neri
 
NetWitness
NetWitnessNetWitness
NetWitness
 
A generic virus detection agent on the internet
A generic virus detection agent on the internetA generic virus detection agent on the internet
A generic virus detection agent on the internet
 
How Antivirus Programming Can Shield Your Advanced World.pdf
How Antivirus Programming Can Shield Your Advanced World.pdfHow Antivirus Programming Can Shield Your Advanced World.pdf
How Antivirus Programming Can Shield Your Advanced World.pdf
 
Cataluña antivirus programs paper
Cataluña antivirus programs paperCataluña antivirus programs paper
Cataluña antivirus programs paper
 
Cataluña antivirus program
Cataluña antivirus programCataluña antivirus program
Cataluña antivirus program
 
Hamilton lara 2011
Hamilton lara 2011Hamilton lara 2011
Hamilton lara 2011
 
Securing data flow to and from organizations
Securing data flow to and from organizationsSecuring data flow to and from organizations
Securing data flow to and from organizations
 
Virus & Anti Virus ppt
Virus & Anti Virus pptVirus & Anti Virus ppt
Virus & Anti Virus ppt
 
Viruses & Malware: Effects On Enterprise Networks
Viruses & Malware: Effects On Enterprise NetworksViruses & Malware: Effects On Enterprise Networks
Viruses & Malware: Effects On Enterprise Networks
 

Mais de Scientia Groups

Brute forcing Wi-Fi Protected Setup
Brute forcing Wi-Fi Protected SetupBrute forcing Wi-Fi Protected Setup
Brute forcing Wi-Fi Protected Setup
Scientia Groups
 
Delivering a secure and fast boot experience with uefi
Delivering a secure and fast boot experience with uefiDelivering a secure and fast boot experience with uefi
Delivering a secure and fast boot experience with uefi
Scientia Groups
 
NSA Best Practices Datasheets
NSA Best Practices DatasheetsNSA Best Practices Datasheets
NSA Best Practices Datasheets
Scientia Groups
 
Cybercriminals target online banking
Cybercriminals target online bankingCybercriminals target online banking
Cybercriminals target online banking
Scientia Groups
 
Partners Guide - System Center
Partners Guide - System CenterPartners Guide - System Center
Partners Guide - System Center
Scientia Groups
 
Projecting Enterprise Security Requirements on the Cloud
Projecting Enterprise Security Requirements on the CloudProjecting Enterprise Security Requirements on the Cloud
Projecting Enterprise Security Requirements on the Cloud
Scientia Groups
 
2010 1 22 Partner Marketing Call Welcome Rotating Deck
2010 1 22 Partner Marketing Call Welcome Rotating Deck2010 1 22 Partner Marketing Call Welcome Rotating Deck
2010 1 22 Partner Marketing Call Welcome Rotating Deck
Scientia Groups
 
Quarterly Marketing Call Presentation 1 22 10
Quarterly Marketing Call Presentation 1 22 10Quarterly Marketing Call Presentation 1 22 10
Quarterly Marketing Call Presentation 1 22 10
Scientia Groups
 

Mais de Scientia Groups (14)

System Center 2012 R2 - Enterprise Automation
System Center 2012 R2 - Enterprise AutomationSystem Center 2012 R2 - Enterprise Automation
System Center 2012 R2 - Enterprise Automation
 
System Center 2012 Orchestrator R2 - Enterprise IT Automation
System Center 2012 Orchestrator R2 - Enterprise IT AutomationSystem Center 2012 Orchestrator R2 - Enterprise IT Automation
System Center 2012 Orchestrator R2 - Enterprise IT Automation
 
System Center Endpoint Protection
System Center Endpoint ProtectionSystem Center Endpoint Protection
System Center Endpoint Protection
 
Brute forcing Wi-Fi Protected Setup
Brute forcing Wi-Fi Protected SetupBrute forcing Wi-Fi Protected Setup
Brute forcing Wi-Fi Protected Setup
 
NIST Definition of Cloud Computing
NIST Definition of Cloud ComputingNIST Definition of Cloud Computing
NIST Definition of Cloud Computing
 
Delivering a secure and fast boot experience with uefi
Delivering a secure and fast boot experience with uefiDelivering a secure and fast boot experience with uefi
Delivering a secure and fast boot experience with uefi
 
NSA Best Practices Datasheets
NSA Best Practices DatasheetsNSA Best Practices Datasheets
NSA Best Practices Datasheets
 
Cybercriminals target online banking
Cybercriminals target online bankingCybercriminals target online banking
Cybercriminals target online banking
 
Dgmdv 1
Dgmdv 1Dgmdv 1
Dgmdv 1
 
Partners Guide - System Center
Partners Guide - System CenterPartners Guide - System Center
Partners Guide - System Center
 
Projecting Enterprise Security Requirements on the Cloud
Projecting Enterprise Security Requirements on the CloudProjecting Enterprise Security Requirements on the Cloud
Projecting Enterprise Security Requirements on the Cloud
 
CISO Survey Report 2010
CISO Survey Report 2010CISO Survey Report 2010
CISO Survey Report 2010
 
2010 1 22 Partner Marketing Call Welcome Rotating Deck
2010 1 22 Partner Marketing Call Welcome Rotating Deck2010 1 22 Partner Marketing Call Welcome Rotating Deck
2010 1 22 Partner Marketing Call Welcome Rotating Deck
 
Quarterly Marketing Call Presentation 1 22 10
Quarterly Marketing Call Presentation 1 22 10Quarterly Marketing Call Presentation 1 22 10
Quarterly Marketing Call Presentation 1 22 10
 

Último

Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Drew Madelung
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
Igalia
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 

Último (20)

Developing An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of BrazilDeveloping An App To Navigate The Roads of Brazil
Developing An App To Navigate The Roads of Brazil
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
Advantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your BusinessAdvantages of Hiring UIUX Design Service Providers for Your Business
Advantages of Hiring UIUX Design Service Providers for Your Business
 
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemkeProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
ProductAnonymous-April2024-WinProductDiscovery-MelissaKlemke
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 

Zeus and Antivirus

  • 1. Measuring the in-the-wild effectiveness of Antivirus against Zeus Trusteer September 14, 2009 Trusteer, Inc.142 Wooster St. New York, NY 10012Sales 646.247.5669info@trusteer.comwww.trusteer.com
  • 2. Introduction There are many reports on how anti-virus products fare against malware, yet most of these reports focus on in-the-lab testing of specific malware strands against a specific antivirus configuration. Very little is said about the situation in the field – where malware distribution statistics (and to some extent, antivirus distribution statistics) are unclear. Trusteer is uniquely positioned in a way that enables it to get a comprehensive view of consumer world PCs – Trusteer Rapport is installed on millions of consumer PCs and reports statistics of malware infection and security software installed. We chose to focus on Zeus (also known as Zbot, WSNPOEM, NTOS and PRG) as it tops the list of financial Trojans. In other words, Zeus is probably the most painful financial malware out there, both in terms of infection size, and in terms of effectiveness. About Zeus Zeus is a financial malware. It infects consumer PCs, waits for them to log onto a list of targeted banks and financial institutions, and then steals their credentials and sends them to a remote server in real time. Additionally, it may inject HTML into the pages rendered by the browser, so that its own content is displayed together (or instead of) the genuine pages from the bank’s web server. Thus, it is able to ask the user to divulge more personal information, such as payment card number and PIN, one time passwords and TANs, etc. 1 Zeus uses some rootkit techniques to evade detection and removal. http://www.networkw Zeus is the #1 botnet, with 3.6 million PCs infected in the US alone (i.e. orld.com/news/2009/0 72209-botnets.html approximately 1% of the PCs in the US), according to a recent report1. This is backed by Trusteer’sfield figures as well, as can be seen in the following pie chart of relative financial malware distribution: Security Advisory l 2 White Paper © 2009 Trusteer, Inc.
  • 3. Methodology Our research is based on statistics gathered from Rapport agents running on users’ PCs. Rapport detects Zeus through a unique fingerprint left by Zeus when it penetrates the browser process. This fingerprint is an inherent part of Zeus’s modus operandi. Rapport detects the existence of antivirus products and whether they’re up-to-date via the Windows Security Center. Note that some antivirus solutions do not report to the Windows Security Center. In this scenario we categorize the machine as not having an antivirus. This means that the real number of users who are infected with Zeus and run an up-to- date antivirus is actually bigger than the number we detected, indicating that the problem is even worse than our findings. Raw statistics The following data has been collected from consumer PCs during one day in September 2009: General Population Zeus-infected No Antivirus found 23% 31% Antivirus found but not up-to-date 6% 14% Antivirus is up-to-date 71% 55% The Zeus-infected population we sampled consisted of 10,000 machines. Security Advisory l 3 White Paper © 2009 Trusteer, Inc.
  • 4. A quick glimpse at this table already reveals a disturbing phenomenon – the majority of Zeus infections occur on machines which have an installed an up-to-date anti-virus product. The distribution of antivirus products we observed on infected and clean machines is pretty constant and therefore we cannot attribute infections to a specific set of antivirus products that perform less effectively than the others. Security Advisory l 4 White Paper © 2009 Trusteer, Inc.
  • 5. Quantitative Analysis The data above enables us to calculate the efficiency of anti-virus products at large, as well of that of specific products. To this end, we can employ the Bayesian theorem: AVUTD = Antivirus is up-to-date NoAV = No antivirus found p(Zeus|AVUTD)=p(AVUTD|Zeus)*p(Zeus)/p(AVUTD) p(Zeus|NoAV)=p(NoAV|Zeus)*p(Zeus)/p(NoAV) Dividing both sides, we obtain the following ratio: p(Zeus|AVUTD)/p(Zeus/NoAV)=(p(AVUTD|Zeus)*p(NoAV))/(p( AVUTD)*p(NoAV|Zeus)) We can now substitute values: p(AVUTD|Zeus)=0.55 p(NoAV|Zeus)=0.31 p(AVUTD)=0.71 p(NoAV)=0.23 This yields: Security Advisory l 5 White Paper © 2009 Trusteer, Inc.
  • 6. p(Zeus|AVUTD)/p(Zeus|NoAV)=0.77 In other words, installing an anti-virus product and maintaining it up to date reduces the probability to get infected by Zeus by 23%, compared to running without an anti-virus altogether. The effectiveness of an up to date anti virus against Zeus is thus not 100%, not 90%, not even 50% - it’s just 23%. Conclusion We measured the efficiency of antivirus products in the wild, against Zeus. In a sense, it’s more accurate than in-the-lab experiments, since it measures the real phenomenon – the actual infections in the wild, vs. real antivirus deployment in the wild. The result we measured, efficiency level of 23%, is disturbing, and reveals that the vast majority of Zeus infections go unnoticed by antivirus products. Security Advisory l 6 White Paper © 2009 Trusteer, Inc.