Differences

This shows you the differences between two versions of the page.


en:it:the_zeus_malware_incident [2017-10-22 16:29]
Heikki Siltala
en:it:the_zeus_malware_incident [2017-10-22 16:44] (current)
Heikki Siltala Polishing.
Line 1: Line 1:
 ====== The ZeuS malware incident ====== ====== The ZeuS malware incident ======
  
-<wrap info>​This report was written in 2014. [[fi:​tietotekniikka:​zeus_haittahohjelma_koneella|Summary in Finnish]].</​wrap>​+<wrap info>​This report was written in 2014, latest update 2017-10-22. [[fi:​tietotekniikka:​zeus_haittahohjelma_koneella|Summary in Finnish]].</​wrap>​
  
 My Windows 7 desktop computer was hit by [[http://​www.securelist.com/​en/​blog/​208214171/​The_inevitable_move_64_bit_ZeuS_has_come_enhanced_with_Tor|ZeuS malware]] or some variant of it. It wasn't detected by virus scanners and so it lived on the computer at least over a month, maybe much longer. Here is the full story. My Windows 7 desktop computer was hit by [[http://​www.securelist.com/​en/​blog/​208214171/​The_inevitable_move_64_bit_ZeuS_has_come_enhanced_with_Tor|ZeuS malware]] or some variant of it. It wasn't detected by virus scanners and so it lived on the computer at least over a month, maybe much longer. Here is the full story.
Line 37: Line 37:
  
   * Where did the malware came from? I have no idea. I'm trying to be careful, use a separate plug-ins disabled browser for general surfing and use three virus scanners (two of them offer real time protection). These precautions didn't help.   * Where did the malware came from? I have no idea. I'm trying to be careful, use a separate plug-ins disabled browser for general surfing and use three virus scanners (two of them offer real time protection). These precautions didn't help.
-  * Did the malware steal or break anything? I have no idea. So far I have not noticed any suspicious transactions on my credit cards or bank accounts. ZeuS and its variants are **potentially** capable to steal anything you have on your computer or you type with your keyboard like files, usernames and passwords, credit card numbers etc. By using Tor they can also use you computer as a node on a network carrying out illegal activities like sending spam or distributing illegal porn.+  * Did the malware steal or break anything? I have no idea. So far I have not noticed any suspicious transactions on my credit cards or bank accounts. ZeuS and its variants are **potentially** capable to steal anything you have on your computer or you type with your keyboard like files, usernames and passwords, credit card numbers etc. By using Tor they can also use you computer as a node on a network carrying out illegal activities like sending spam, drug business ​or distributing illegal porn.
   * Is the computer now 100 percent clean? I can't tell. It appears that there are no longer suspicious programs starting on Windows boot and there are no Tor related files on my computer. But it is impossible to say if the computer is really clean or not.   * Is the computer now 100 percent clean? I can't tell. It appears that there are no longer suspicious programs starting on Windows boot and there are no Tor related files on my computer. But it is impossible to say if the computer is really clean or not.
   * Why ZeuS caused TCP socket flooding that finally made you detect it? I assume that this happened because of some sort of malfunction on ZeuS or because of the fact that I had an active firewall that blocked the sockets causing ZeuS to open more and more sockets. But all this is purely speculation. I was lucky to have that TCP socket flooding happening. Without it I might have been running ZeuS like forever. It is also possible that this ZeuS variant was just acting annoying on purpose. But I think this is unlikely: nowdays malware is mostly to do something beneficial without getting noticed by the user, not to act annoying and dropping network connections.   * Why ZeuS caused TCP socket flooding that finally made you detect it? I assume that this happened because of some sort of malfunction on ZeuS or because of the fact that I had an active firewall that blocked the sockets causing ZeuS to open more and more sockets. But all this is purely speculation. I was lucky to have that TCP socket flooding happening. Without it I might have been running ZeuS like forever. It is also possible that this ZeuS variant was just acting annoying on purpose. But I think this is unlikely: nowdays malware is mostly to do something beneficial without getting noticed by the user, not to act annoying and dropping network connections.
  
-{{tag>IT 2013 2014 Tor malware virus ZeuS Opera svchost Windows}} +{{tag>IT 2013 2014 2017 Tor malware virus ZeuS Opera svchost Windows}}
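Review bot: the new list of illegal activities in the second bullet mixes a noun phrase with gerunds ("sending spam, drug business or distributing illegal porn"); for parallel structure use "sending spam, dealing drugs or distributing illegal porn". Since this revision is labelled "Polishing", the grammar slips carried over from the previous revision in the same hunk could go in with it: "capable to steal" should be "capable of stealing", "use you computer" should be "use your computer", "Where did the malware came from?" should read "come from", and "nowdays" in the last bullet should be "nowadays".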