SlideShare una empresa de Scribd logo

Zeus and Antivirus

S
Scientia Groups
Tecnología
1 de 6
Descargar para leer sin conexión
Measuring the in-the-wild effectiveness of Antivirus against Zeus Trusteer September 14, 2009 Trusteer, Inc.142 Wooster St. New York, NY 10012Sales 646.247.5669info@trusteer.comwww.trusteer.com
Introduction There are many reports on how anti-virus products fare against malware, yet most of these reports focus on in-the-lab testing of specific malware strands against a specific antivirus configuration. Very little is said about the situation in the field – where malware distribution statistics (and to some extent, antivirus distribution statistics) are unclear. Trusteer is uniquely positioned in a way that enables it to get a comprehensive view of consumer world PCs – Trusteer Rapport is installed on millions of consumer PCs and reports statistics of malware infection and security software installed. We chose to focus on Zeus (also known as Zbot, WSNPOEM, NTOS and PRG) as it tops the list of financial Trojans. In other words, Zeus is probably the most painful financial malware out there, both in terms of infection size, and in terms of effectiveness. About Zeus Zeus is a financial malware. It infects consumer PCs, waits for them to log onto a list of targeted banks and financial institutions, and then steals their credentials and sends them to a remote server in real time. Additionally, it may inject HTML into the pages rendered by the browser, so that its own content is displayed together (or instead of) the genuine pages from the bank’s web server. Thus, it is able to ask the user to divulge more personal information, such as payment card number and PIN, one time passwords and TANs, etc. 1 Zeus uses some rootkit techniques to evade detection and removal. http://www.networkw Zeus is the #1 botnet, with 3.6 million PCs infected in the US alone (i.e. orld.com/news/2009/0 72209-botnets.html approximately 1% of the PCs in the US), according to a recent report1. This is backed by Trusteer’sfield figures as well, as can be seen in the following pie chart of relative financial malware distribution: Security Advisory l 2 White Paper © 2009 Trusteer, Inc.
Methodology Our research is based on statistics gathered from Rapport agents running on users’ PCs. Rapport detects Zeus through a unique fingerprint left by Zeus when it penetrates the browser process. This fingerprint is an inherent part of Zeus’s modus operandi. Rapport detects the existence of antivirus products and whether they’re up-to-date via the Windows Security Center. Note that some antivirus solutions do not report to the Windows Security Center. In this scenario we categorize the machine as not having an antivirus. This means that the real number of users who are infected with Zeus and run an up-to- date antivirus is actually bigger than the number we detected, indicating that the problem is even worse than our findings. Raw statistics The following data has been collected from consumer PCs during one day in September 2009: General Population Zeus-infected No Antivirus found 23% 31% Antivirus found but not up-to-date 6% 14% Antivirus is up-to-date 71% 55% The Zeus-infected population we sampled consisted of 10,000 machines. Security Advisory l 3 White Paper © 2009 Trusteer, Inc.
A quick glimpse at this table already reveals a disturbing phenomenon – the majority of Zeus infections occur on machines which have an installed an up-to-date anti-virus product. The distribution of antivirus products we observed on infected and clean machines is pretty constant and therefore we cannot attribute infections to a specific set of antivirus products that perform less effectively than the others. Security Advisory l 4 White Paper © 2009 Trusteer, Inc.
Quantitative Analysis The data above enables us to calculate the efficiency of anti-virus products at large, as well of that of specific products. To this end, we can employ the Bayesian theorem: AVUTD = Antivirus is up-to-date NoAV = No antivirus found p(Zeus|AVUTD)=p(AVUTD|Zeus)*p(Zeus)/p(AVUTD) p(Zeus|NoAV)=p(NoAV|Zeus)*p(Zeus)/p(NoAV) Dividing both sides, we obtain the following ratio: p(Zeus|AVUTD)/p(Zeus/NoAV)=(p(AVUTD|Zeus)*p(NoAV))/(p( AVUTD)*p(NoAV|Zeus)) We can now substitute values: p(AVUTD|Zeus)=0.55 p(NoAV|Zeus)=0.31 p(AVUTD)=0.71 p(NoAV)=0.23 This yields: Security Advisory l 5 White Paper © 2009 Trusteer, Inc.
p(Zeus|AVUTD)/p(Zeus|NoAV)=0.77 In other words, installing an anti-virus product and maintaining it up to date reduces the probability to get infected by Zeus by 23%, compared to running without an anti-virus altogether. The effectiveness of an up to date anti virus against Zeus is thus not 100%, not 90%, not even 50% - it’s just 23%. Conclusion We measured the efficiency of antivirus products in the wild, against Zeus. In a sense, it’s more accurate than in-the-lab experiments, since it measures the real phenomenon – the actual infections in the wild, vs. real antivirus deployment in the wild. The result we measured, efficiency level of 23%, is disturbing, and reveals that the vast majority of Zeus infections go unnoticed by antivirus products. Security Advisory l 6 White Paper © 2009 Trusteer, Inc.

Recomendados

The True Cost of Anti-Virus: How to Ensure More Effective and Efficient Endp...
The True Cost of Anti-Virus: How to Ensure More Effective and Efficient Endp...The True Cost of Anti-Virus: How to Ensure More Effective and Efficient Endp...
The True Cost of Anti-Virus: How to Ensure More Effective and Efficient Endp...Lumension
 
Malware's most wanted-zberp-the_financial_trojan
Malware's most wanted-zberp-the_financial_trojanMalware's most wanted-zberp-the_financial_trojan
Malware's most wanted-zberp-the_financial_trojanCyphort
 
Why One Virus Engine is Not Enough
Why One Virus Engine is Not EnoughWhy One Virus Engine is Not Enough
Why One Virus Engine is Not EnoughGFI Software
 
Virus and antivirus
Virus and antivirusVirus and antivirus
Virus and antivirusPrem Sahu
 
Preventing Known and Unknown Threats
Preventing Known and Unknown ThreatsPreventing Known and Unknown Threats
Preventing Known and Unknown ThreatsOPSWAT
 
Colby_Sawyer_white_paper final 2
Colby_Sawyer_white_paper final 2Colby_Sawyer_white_paper final 2
Colby_Sawyer_white_paper final 2Scott Brown
 
Using Multiple Antivirus Engine Scanning to Protect Critical Infrastructure
Using Multiple Antivirus Engine Scanning to Protect Critical InfrastructureUsing Multiple Antivirus Engine Scanning to Protect Critical Infrastructure
Using Multiple Antivirus Engine Scanning to Protect Critical InfrastructureOPSWAT
 
Antivirus
AntivirusAntivirus
AntivirusPankaj Kumawat
 

Recomendados

The True Cost of Anti-Virus: How to Ensure More Effective and Efficient Endp...
The True Cost of Anti-Virus: How to Ensure More Effective and Efficient Endp...The True Cost of Anti-Virus: How to Ensure More Effective and Efficient Endp...
The True Cost of Anti-Virus: How to Ensure More Effective and Efficient Endp...Lumension
 
Malware's most wanted-zberp-the_financial_trojan
Malware's most wanted-zberp-the_financial_trojanMalware's most wanted-zberp-the_financial_trojan
Malware's most wanted-zberp-the_financial_trojanCyphort
 
Why One Virus Engine is Not Enough
Why One Virus Engine is Not EnoughWhy One Virus Engine is Not Enough
Why One Virus Engine is Not EnoughGFI Software
 
Virus and antivirus
Virus and antivirusVirus and antivirus
Virus and antivirusPrem Sahu
 
Preventing Known and Unknown Threats
Preventing Known and Unknown ThreatsPreventing Known and Unknown Threats
Preventing Known and Unknown ThreatsOPSWAT
 
Colby_Sawyer_white_paper final 2
Colby_Sawyer_white_paper final 2Colby_Sawyer_white_paper final 2
Colby_Sawyer_white_paper final 2Scott Brown
 
Using Multiple Antivirus Engine Scanning to Protect Critical Infrastructure
Using Multiple Antivirus Engine Scanning to Protect Critical InfrastructureUsing Multiple Antivirus Engine Scanning to Protect Critical Infrastructure
Using Multiple Antivirus Engine Scanning to Protect Critical InfrastructureOPSWAT
 
Antivirus
AntivirusAntivirus
AntivirusPankaj Kumawat
 
Metascan Multi-scanning Technology
Metascan Multi-scanning TechnologyMetascan Multi-scanning Technology
Metascan Multi-scanning TechnologyOPSWAT
 
Computer virus 2
Computer virus 2Computer virus 2
Computer virus 2Nishant Reshwal
 
Modeling and Containment of Uniform Scanning Worms
Modeling and Containment of Uniform Scanning WormsModeling and Containment of Uniform Scanning Worms
Modeling and Containment of Uniform Scanning WormsIOSR Journals
 
A generic virus scanner in c++
A generic virus scanner in c++A generic virus scanner in c++
A generic virus scanner in c++UltraUploader
 
Increasing DevSecOps Maturity Level in 2021
Increasing DevSecOps Maturity Level in 2021Increasing DevSecOps Maturity Level in 2021
Increasing DevSecOps Maturity Level in 2021Alexandre Rebert
 
Defense Innovation Summit
Defense Innovation SummitDefense Innovation Summit
Defense Innovation SummitOPSWAT
 
20111204 intro malware_livshits_lecture02
20111204 intro malware_livshits_lecture0220111204 intro malware_livshits_lecture02
20111204 intro malware_livshits_lecture02Computer Science Club
 
How Antivirus detects VIRUS
How Antivirus detects VIRUSHow Antivirus detects VIRUS
How Antivirus detects VIRUSSatyam Sangal
 
Network virus detection & prevention
Network virus detection & preventionNetwork virus detection & prevention
Network virus detection & preventionKhaleel Assadi
 
Antivirus
AntivirusAntivirus
Antivirusava & araf co.
 
Security Vulnerabilities in Modern Operating Systems
Security Vulnerabilities in Modern Operating SystemsSecurity Vulnerabilities in Modern Operating Systems
Security Vulnerabilities in Modern Operating SystemsCisco Canada
 
Ast 0052862 Sophos Stopping Fake Antivirus Wpna Sept11
Ast 0052862 Sophos Stopping Fake Antivirus Wpna Sept11Ast 0052862 Sophos Stopping Fake Antivirus Wpna Sept11
Ast 0052862 Sophos Stopping Fake Antivirus Wpna Sept11Josh Castellano
 
Antivirus update reaction times of major antivirus vendors
Antivirus update reaction times of major antivirus vendorsAntivirus update reaction times of major antivirus vendors
Antivirus update reaction times of major antivirus vendorsUltraUploader
 
Beyond layers and peripheral antivirus security
Beyond layers and peripheral antivirus securityBeyond layers and peripheral antivirus security
Beyond layers and peripheral antivirus securityUltraUploader
 
Ch03 Network and Computer Attacks
Ch03 Network and Computer AttacksCh03 Network and Computer Attacks
Ch03 Network and Computer Attacksphanleson
 
Anti virus and current trends
Anti virus and current trendsAnti virus and current trends
Anti virus and current trendsAthena Catindig
 
Virus & Antivirus
Virus & AntivirusVirus & Antivirus
Virus & AntivirusAnirudh Kannan
 
Next Dimension and Veeam | Solutions for PIPEDA Compliance
Next Dimension and Veeam | Solutions for PIPEDA ComplianceNext Dimension and Veeam | Solutions for PIPEDA Compliance
Next Dimension and Veeam | Solutions for PIPEDA ComplianceNext Dimension Inc.
 
Zbot/Zeus And Antivirus
Zbot/Zeus And AntivirusZbot/Zeus And Antivirus
Zbot/Zeus And AntivirusKim Jensen
 
Code Red Virus
Code Red VirusCode Red Virus
Code Red VirusmBlackwell
 
Code Red Virus
Code Red VirusCode Red Virus
Code Red Virussmithz
 
Code Red Worm
Code Red WormCode Red Worm
Code Red WormRaDe0N
 

Más contenido relacionado

La actualidad más candente

Metascan Multi-scanning Technology
Metascan Multi-scanning TechnologyMetascan Multi-scanning Technology
Metascan Multi-scanning TechnologyOPSWAT
 
Modeling and Containment of Uniform Scanning Worms
Modeling and Containment of Uniform Scanning WormsModeling and Containment of Uniform Scanning Worms
Modeling and Containment of Uniform Scanning WormsIOSR Journals
 
A generic virus scanner in c++
A generic virus scanner in c++A generic virus scanner in c++
A generic virus scanner in c++UltraUploader
 
Increasing DevSecOps Maturity Level in 2021
Increasing DevSecOps Maturity Level in 2021Increasing DevSecOps Maturity Level in 2021
Increasing DevSecOps Maturity Level in 2021Alexandre Rebert
 
Defense Innovation Summit
Defense Innovation SummitDefense Innovation Summit
Defense Innovation SummitOPSWAT
 
20111204 intro malware_livshits_lecture02
20111204 intro malware_livshits_lecture0220111204 intro malware_livshits_lecture02
20111204 intro malware_livshits_lecture02Computer Science Club
 
How Antivirus detects VIRUS
How Antivirus detects VIRUSHow Antivirus detects VIRUS
How Antivirus detects VIRUSSatyam Sangal
 
Network virus detection & prevention
Network virus detection & preventionNetwork virus detection & prevention
Network virus detection & preventionKhaleel Assadi
 
Security Vulnerabilities in Modern Operating Systems
Security Vulnerabilities in Modern Operating SystemsSecurity Vulnerabilities in Modern Operating Systems
Security Vulnerabilities in Modern Operating SystemsCisco Canada
 
Ast 0052862 Sophos Stopping Fake Antivirus Wpna Sept11
Ast 0052862 Sophos Stopping Fake Antivirus Wpna Sept11Ast 0052862 Sophos Stopping Fake Antivirus Wpna Sept11
Ast 0052862 Sophos Stopping Fake Antivirus Wpna Sept11Josh Castellano
 
Antivirus update reaction times of major antivirus vendors
Antivirus update reaction times of major antivirus vendorsAntivirus update reaction times of major antivirus vendors
Antivirus update reaction times of major antivirus vendorsUltraUploader
 
Beyond layers and peripheral antivirus security
Beyond layers and peripheral antivirus securityBeyond layers and peripheral antivirus security
Beyond layers and peripheral antivirus securityUltraUploader
 
Ch03 Network and Computer Attacks
Ch03 Network and Computer AttacksCh03 Network and Computer Attacks
Ch03 Network and Computer Attacksphanleson
 
Anti virus and current trends
Anti virus and current trendsAnti virus and current trends
Anti virus and current trendsAthena Catindig
 
Next Dimension and Veeam | Solutions for PIPEDA Compliance
Next Dimension and Veeam | Solutions for PIPEDA ComplianceNext Dimension and Veeam | Solutions for PIPEDA Compliance
Next Dimension and Veeam | Solutions for PIPEDA ComplianceNext Dimension Inc.
 

La actualidad más candente (18)

Metascan Multi-scanning Technology
Metascan Multi-scanning TechnologyMetascan Multi-scanning Technology
Metascan Multi-scanning Technology
 
Computer virus 2
Computer virus 2Computer virus 2
Computer virus 2
 
Modeling and Containment of Uniform Scanning Worms
Modeling and Containment of Uniform Scanning WormsModeling and Containment of Uniform Scanning Worms
Modeling and Containment of Uniform Scanning Worms
 
A generic virus scanner in c++
A generic virus scanner in c++A generic virus scanner in c++
A generic virus scanner in c++
 
Increasing DevSecOps Maturity Level in 2021
Increasing DevSecOps Maturity Level in 2021Increasing DevSecOps Maturity Level in 2021
Increasing DevSecOps Maturity Level in 2021
 
Defense Innovation Summit
Defense Innovation SummitDefense Innovation Summit
Defense Innovation Summit
 
20111204 intro malware_livshits_lecture02
20111204 intro malware_livshits_lecture0220111204 intro malware_livshits_lecture02
20111204 intro malware_livshits_lecture02
 
How Antivirus detects VIRUS
How Antivirus detects VIRUSHow Antivirus detects VIRUS
How Antivirus detects VIRUS
 
Network virus detection & prevention
Network virus detection & preventionNetwork virus detection & prevention
Network virus detection & prevention
 
Antivirus
AntivirusAntivirus
Antivirus
 
Security Vulnerabilities in Modern Operating Systems
Security Vulnerabilities in Modern Operating SystemsSecurity Vulnerabilities in Modern Operating Systems
Security Vulnerabilities in Modern Operating Systems
 
Ast 0052862 Sophos Stopping Fake Antivirus Wpna Sept11
Ast 0052862 Sophos Stopping Fake Antivirus Wpna Sept11Ast 0052862 Sophos Stopping Fake Antivirus Wpna Sept11
Ast 0052862 Sophos Stopping Fake Antivirus Wpna Sept11
 
Antivirus update reaction times of major antivirus vendors
Antivirus update reaction times of major antivirus vendorsAntivirus update reaction times of major antivirus vendors
Antivirus update reaction times of major antivirus vendors
 
Beyond layers and peripheral antivirus security
Beyond layers and peripheral antivirus securityBeyond layers and peripheral antivirus security
Beyond layers and peripheral antivirus security
 
Ch03 Network and Computer Attacks
Ch03 Network and Computer AttacksCh03 Network and Computer Attacks
Ch03 Network and Computer Attacks
 
Anti virus and current trends
Anti virus and current trendsAnti virus and current trends
Anti virus and current trends
 
Virus & Antivirus
Virus & AntivirusVirus & Antivirus
Virus & Antivirus
 
Next Dimension and Veeam | Solutions for PIPEDA Compliance
Next Dimension and Veeam | Solutions for PIPEDA ComplianceNext Dimension and Veeam | Solutions for PIPEDA Compliance
Next Dimension and Veeam | Solutions for PIPEDA Compliance
 

Destacado

Zbot/Zeus And Antivirus
Zbot/Zeus And AntivirusZbot/Zeus And Antivirus
Zbot/Zeus And AntivirusKim Jensen
 
Code Red Virus
Code Red VirusCode Red Virus
Code Red VirusmBlackwell
 
Code Red Virus
Code Red VirusCode Red Virus
Code Red Virussmithz
 
Code Red Worm
Code Red WormCode Red Worm
Code Red WormRaDe0N
 
Computer virus
Computer virusComputer virus
Computer virusRa Bia
 

Destacado (7)

Zbot/Zeus And Antivirus
Zbot/Zeus And AntivirusZbot/Zeus And Antivirus
Zbot/Zeus And Antivirus
 
Code Red Virus
Code Red VirusCode Red Virus
Code Red Virus
 
Code Red Virus
Code Red VirusCode Red Virus
Code Red Virus
 
Code Red Worm
Code Red WormCode Red Worm
Code Red Worm
 
Zeus
ZeusZeus
Zeus
 
Computer Worms
Computer WormsComputer Worms
Computer Worms
 
Computer virus
Computer virusComputer virus
Computer virus
 

Similar a Zeus and Antivirus

12102 vipre business-protecting-against-the-new-wave-of-malware
12102 vipre business-protecting-against-the-new-wave-of-malware12102 vipre business-protecting-against-the-new-wave-of-malware
12102 vipre business-protecting-against-the-new-wave-of-malwareDigital Pymes
 
Protecting Against the New Wave of Malware
Protecting Against the New Wave of MalwareProtecting Against the New Wave of Malware
Protecting Against the New Wave of MalwareGFI Software
 
11 virus vs. antivirus
11 virus vs. antivirus11 virus vs. antivirus
11 virus vs. antivirussinghhp10699
 
How to Audit
How to AuditHow to Audit
How to Auditayousif
 
Virus and Anti virus
Virus and Anti virusVirus and Anti virus
Virus and Anti virusFaisal Hassan
 
Maranan chap2 lab2
Maranan chap2 lab2Maranan chap2 lab2
Maranan chap2 lab2maranan_zyra
 
Stay Secure: Unveiling the Power of Antivirus Software
Stay Secure: Unveiling the Power of Antivirus SoftwareStay Secure: Unveiling the Power of Antivirus Software
Stay Secure: Unveiling the Power of Antivirus SoftwareSoftwareDeals
 
Identifying, Monitoring, and Reporting Malware
Identifying, Monitoring, and Reporting MalwareIdentifying, Monitoring, and Reporting Malware
Identifying, Monitoring, and Reporting MalwareTeodoro Cipresso
 
Antivirus program ----neri
Antivirus program ----neriAntivirus program ----neri
Antivirus program ----neriaejay_neri
 
A generic virus detection agent on the internet
A generic virus detection agent on the internetA generic virus detection agent on the internet
A generic virus detection agent on the internetUltraUploader
 
How Antivirus Programming Can Shield Your Advanced World.pdf
How Antivirus Programming Can Shield Your Advanced World.pdfHow Antivirus Programming Can Shield Your Advanced World.pdf
How Antivirus Programming Can Shield Your Advanced World.pdfBlogger
 
Cataluña antivirus programs paper
Cataluña antivirus programs paperCataluña antivirus programs paper
Cataluña antivirus programs paperJennifer Cataluña
 
Securing data flow to and from organizations
Securing data flow to and from organizationsSecuring data flow to and from organizations
Securing data flow to and from organizationsOPSWAT
 
Viruses & Malware: Effects On Enterprise Networks
Viruses & Malware: Effects On Enterprise NetworksViruses & Malware: Effects On Enterprise Networks
Viruses & Malware: Effects On Enterprise NetworksDiane M. Metcalf
 

Similar a Zeus and Antivirus (20)

How to cure yourself of antivirus side effects @ReveeliumBlog
How to cure yourself of antivirus side effects @ReveeliumBlogHow to cure yourself of antivirus side effects @ReveeliumBlog
How to cure yourself of antivirus side effects @ReveeliumBlog
 
12102 vipre business-protecting-against-the-new-wave-of-malware
12102 vipre business-protecting-against-the-new-wave-of-malware12102 vipre business-protecting-against-the-new-wave-of-malware
12102 vipre business-protecting-against-the-new-wave-of-malware
 
Protecting Against the New Wave of Malware
Protecting Against the New Wave of MalwareProtecting Against the New Wave of Malware
Protecting Against the New Wave of Malware
 
11 virus vs. antivirus
11 virus vs. antivirus11 virus vs. antivirus
11 virus vs. antivirus
 
Android anti virus analysis
Android anti virus analysisAndroid anti virus analysis
Android anti virus analysis
 
How to Audit
How to AuditHow to Audit
How to Audit
 
Virus and Anti virus
Virus and Anti virusVirus and Anti virus
Virus and Anti virus
 
Maranan chap2 lab2
Maranan chap2 lab2Maranan chap2 lab2
Maranan chap2 lab2
 
Stay Secure: Unveiling the Power of Antivirus Software
Stay Secure: Unveiling the Power of Antivirus SoftwareStay Secure: Unveiling the Power of Antivirus Software
Stay Secure: Unveiling the Power of Antivirus Software
 
Identifying, Monitoring, and Reporting Malware
Identifying, Monitoring, and Reporting MalwareIdentifying, Monitoring, and Reporting Malware
Identifying, Monitoring, and Reporting Malware
 
Antivirus program ----neri
Antivirus program ----neriAntivirus program ----neri
Antivirus program ----neri
 
NetWitness
NetWitnessNetWitness
NetWitness
 
A generic virus detection agent on the internet
A generic virus detection agent on the internetA generic virus detection agent on the internet
A generic virus detection agent on the internet
 
How Antivirus Programming Can Shield Your Advanced World.pdf
How Antivirus Programming Can Shield Your Advanced World.pdfHow Antivirus Programming Can Shield Your Advanced World.pdf
How Antivirus Programming Can Shield Your Advanced World.pdf
 
Cataluña antivirus programs paper
Cataluña antivirus programs paperCataluña antivirus programs paper
Cataluña antivirus programs paper
 
Hamilton lara 2011
Hamilton lara 2011Hamilton lara 2011
Hamilton lara 2011
 
Cataluña antivirus program
Cataluña antivirus programCataluña antivirus program
Cataluña antivirus program
 
Securing data flow to and from organizations
Securing data flow to and from organizationsSecuring data flow to and from organizations
Securing data flow to and from organizations
 
Virus & Anti Virus ppt
Virus & Anti Virus pptVirus & Anti Virus ppt
Virus & Anti Virus ppt
 
Viruses & Malware: Effects On Enterprise Networks
Viruses & Malware: Effects On Enterprise NetworksViruses & Malware: Effects On Enterprise Networks
Viruses & Malware: Effects On Enterprise Networks
 

Más de Scientia Groups

System Center 2012 R2 - Enterprise Automation
System Center 2012 R2 - Enterprise AutomationSystem Center 2012 R2 - Enterprise Automation
System Center 2012 R2 - Enterprise AutomationScientia Groups
 
System Center 2012 Orchestrator R2 - Enterprise IT Automation
System Center 2012 Orchestrator R2 - Enterprise IT AutomationSystem Center 2012 Orchestrator R2 - Enterprise IT Automation
System Center 2012 Orchestrator R2 - Enterprise IT AutomationScientia Groups
 
System Center Endpoint Protection
System Center Endpoint ProtectionSystem Center Endpoint Protection
System Center Endpoint ProtectionScientia Groups
 
Brute forcing Wi-Fi Protected Setup
Brute forcing Wi-Fi Protected SetupBrute forcing Wi-Fi Protected Setup
Brute forcing Wi-Fi Protected SetupScientia Groups
 
NIST Definition of Cloud Computing
NIST Definition of Cloud ComputingNIST Definition of Cloud Computing
NIST Definition of Cloud ComputingScientia Groups
 
Delivering a secure and fast boot experience with uefi
Delivering a secure and fast boot experience with uefiDelivering a secure and fast boot experience with uefi
Delivering a secure and fast boot experience with uefiScientia Groups
 
NSA Best Practices Datasheets
NSA Best Practices DatasheetsNSA Best Practices Datasheets
NSA Best Practices DatasheetsScientia Groups
 
Cybercriminals target online banking
Cybercriminals target online bankingCybercriminals target online banking
Cybercriminals target online bankingScientia Groups
 
Partners Guide - System Center
Partners Guide - System CenterPartners Guide - System Center
Partners Guide - System CenterScientia Groups
 
Projecting Enterprise Security Requirements on the Cloud
Projecting Enterprise Security Requirements on the CloudProjecting Enterprise Security Requirements on the Cloud
Projecting Enterprise Security Requirements on the CloudScientia Groups
 
2010 1 22 Partner Marketing Call Welcome Rotating Deck
2010 1 22 Partner Marketing Call Welcome Rotating Deck2010 1 22 Partner Marketing Call Welcome Rotating Deck
2010 1 22 Partner Marketing Call Welcome Rotating DeckScientia Groups
 
Quarterly Marketing Call Presentation 1 22 10
Quarterly Marketing Call Presentation 1 22 10Quarterly Marketing Call Presentation 1 22 10
Quarterly Marketing Call Presentation 1 22 10Scientia Groups
 

Más de Scientia Groups (14)

System Center 2012 R2 - Enterprise Automation
System Center 2012 R2 - Enterprise AutomationSystem Center 2012 R2 - Enterprise Automation
System Center 2012 R2 - Enterprise Automation
 
System Center 2012 Orchestrator R2 - Enterprise IT Automation
System Center 2012 Orchestrator R2 - Enterprise IT AutomationSystem Center 2012 Orchestrator R2 - Enterprise IT Automation
System Center 2012 Orchestrator R2 - Enterprise IT Automation
 
System Center Endpoint Protection
System Center Endpoint ProtectionSystem Center Endpoint Protection
System Center Endpoint Protection
 
Brute forcing Wi-Fi Protected Setup
Brute forcing Wi-Fi Protected SetupBrute forcing Wi-Fi Protected Setup
Brute forcing Wi-Fi Protected Setup
 
NIST Definition of Cloud Computing
NIST Definition of Cloud ComputingNIST Definition of Cloud Computing
NIST Definition of Cloud Computing
 
Delivering a secure and fast boot experience with uefi
Delivering a secure and fast boot experience with uefiDelivering a secure and fast boot experience with uefi
Delivering a secure and fast boot experience with uefi
 
NSA Best Practices Datasheets
NSA Best Practices DatasheetsNSA Best Practices Datasheets
NSA Best Practices Datasheets
 
Cybercriminals target online banking
Cybercriminals target online bankingCybercriminals target online banking
Cybercriminals target online banking
 
Dgmdv 1
Dgmdv 1Dgmdv 1
Dgmdv 1
 
Partners Guide - System Center
Partners Guide - System CenterPartners Guide - System Center
Partners Guide - System Center
 
Projecting Enterprise Security Requirements on the Cloud
Projecting Enterprise Security Requirements on the CloudProjecting Enterprise Security Requirements on the Cloud
Projecting Enterprise Security Requirements on the Cloud
 
CISO Survey Report 2010
CISO Survey Report 2010CISO Survey Report 2010
CISO Survey Report 2010
 
2010 1 22 Partner Marketing Call Welcome Rotating Deck
2010 1 22 Partner Marketing Call Welcome Rotating Deck2010 1 22 Partner Marketing Call Welcome Rotating Deck
2010 1 22 Partner Marketing Call Welcome Rotating Deck
 
Quarterly Marketing Call Presentation 1 22 10
Quarterly Marketing Call Presentation 1 22 10Quarterly Marketing Call Presentation 1 22 10
Quarterly Marketing Call Presentation 1 22 10
 

Último

Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfAddepto
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Enterprise Knowledge
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024Lorenzo Miniero
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brandgvaughan
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii SoldatenkoFwdays
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesZilliz
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Mattias Andersson
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsMemoori
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationRidwan Fadjar
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsMark Billinghurst
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostZilliz
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek SchlawackFwdays
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Mark Simos
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clashcharlottematthew16
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationSlibray Presentation
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsRizwan Syed
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsSergiu Bodiu
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLScyllaDB
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Manik S Magar
 

Último (20)

Gen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdfGen AI in Business - Global Trends Report 2024.pdf
Gen AI in Business - Global Trends Report 2024.pdf
 
Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024Designing IA for AI - Information Architecture Conference 2024
Designing IA for AI - Information Architecture Conference 2024
 
SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024SIP trunking in Janus @ Kamailio World 2024
SIP trunking in Janus @ Kamailio World 2024
 
WordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your BrandWordPress Websites for Engineers: Elevate Your Brand
WordPress Websites for Engineers: Elevate Your Brand
 
"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko"Debugging python applications inside k8s environment", Andrii Soldatenko
"Debugging python applications inside k8s environment", Andrii Soldatenko
 
Vector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector DatabasesVector Databases 101 - An introduction to the world of Vector Databases
Vector Databases 101 - An introduction to the world of Vector Databases
 
Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?Are Multi-Cloud and Serverless Good or Bad?
Are Multi-Cloud and Serverless Good or Bad?
 
AI as an Interface for Commercial Buildings
AI as an Interface for Commercial BuildingsAI as an Interface for Commercial Buildings
AI as an Interface for Commercial Buildings
 
DMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special EditionDMCC Future of Trade Web3 - Special Edition
DMCC Future of Trade Web3 - Special Edition
 
My Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 PresentationMy Hashitalk Indonesia April 2024 Presentation
My Hashitalk Indonesia April 2024 Presentation
 
Human Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR SystemsHuman Factors of XR: Using Human Factors to Design XR Systems
Human Factors of XR: Using Human Factors to Design XR Systems
 
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage CostLeverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
Leverage Zilliz Serverless - Up to 50X Saving for Your Vector Storage Cost
 
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
"Subclassing and Composition – A Pythonic Tour of Trade-Offs", Hynek Schlawack
 
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
Tampa BSides - Chef's Tour of Microsoft Security Adoption Framework (SAF)
 
Powerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time ClashPowerpoint exploring the locations used in television show Time Clash
Powerpoint exploring the locations used in television show Time Clash
 
Connect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck PresentationConnect Wave/ connectwave Pitch Deck Presentation
Connect Wave/ connectwave Pitch Deck Presentation
 
Scanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL CertsScanning the Internet for External Cloud Exposures via SSL Certs
Scanning the Internet for External Cloud Exposures via SSL Certs
 
DevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platformsDevEX - reference for building teams, processes, and platforms
DevEX - reference for building teams, processes, and platforms
 
Developer Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQLDeveloper Data Modeling Mistakes: From Postgres to NoSQL
Developer Data Modeling Mistakes: From Postgres to NoSQL
 
Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!Anypoint Exchange: It’s Not Just a Repo!
Anypoint Exchange: It’s Not Just a Repo!
 

Zeus and Antivirus

  • 1. Measuring the in-the-wild effectiveness of Antivirus against Zeus Trusteer September 14, 2009 Trusteer, Inc.142 Wooster St. New York, NY 10012Sales 646.247.5669info@trusteer.comwww.trusteer.com
  • 2. Introduction There are many reports on how anti-virus products fare against malware, yet most of these reports focus on in-the-lab testing of specific malware strands against a specific antivirus configuration. Very little is said about the situation in the field – where malware distribution statistics (and to some extent, antivirus distribution statistics) are unclear. Trusteer is uniquely positioned in a way that enables it to get a comprehensive view of consumer world PCs – Trusteer Rapport is installed on millions of consumer PCs and reports statistics of malware infection and security software installed. We chose to focus on Zeus (also known as Zbot, WSNPOEM, NTOS and PRG) as it tops the list of financial Trojans. In other words, Zeus is probably the most painful financial malware out there, both in terms of infection size, and in terms of effectiveness. About Zeus Zeus is a financial malware. It infects consumer PCs, waits for them to log onto a list of targeted banks and financial institutions, and then steals their credentials and sends them to a remote server in real time. Additionally, it may inject HTML into the pages rendered by the browser, so that its own content is displayed together (or instead of) the genuine pages from the bank’s web server. Thus, it is able to ask the user to divulge more personal information, such as payment card number and PIN, one time passwords and TANs, etc. 1 Zeus uses some rootkit techniques to evade detection and removal. http://www.networkw Zeus is the #1 botnet, with 3.6 million PCs infected in the US alone (i.e. orld.com/news/2009/0 72209-botnets.html approximately 1% of the PCs in the US), according to a recent report1. This is backed by Trusteer’sfield figures as well, as can be seen in the following pie chart of relative financial malware distribution: Security Advisory l 2 White Paper © 2009 Trusteer, Inc.
  • 3. Methodology Our research is based on statistics gathered from Rapport agents running on users’ PCs. Rapport detects Zeus through a unique fingerprint left by Zeus when it penetrates the browser process. This fingerprint is an inherent part of Zeus’s modus operandi. Rapport detects the existence of antivirus products and whether they’re up-to-date via the Windows Security Center. Note that some antivirus solutions do not report to the Windows Security Center. In this scenario we categorize the machine as not having an antivirus. This means that the real number of users who are infected with Zeus and run an up-to- date antivirus is actually bigger than the number we detected, indicating that the problem is even worse than our findings. Raw statistics The following data has been collected from consumer PCs during one day in September 2009: General Population Zeus-infected No Antivirus found 23% 31% Antivirus found but not up-to-date 6% 14% Antivirus is up-to-date 71% 55% The Zeus-infected population we sampled consisted of 10,000 machines. Security Advisory l 3 White Paper © 2009 Trusteer, Inc.
  • 4. A quick glimpse at this table already reveals a disturbing phenomenon – the majority of Zeus infections occur on machines which have an installed an up-to-date anti-virus product. The distribution of antivirus products we observed on infected and clean machines is pretty constant and therefore we cannot attribute infections to a specific set of antivirus products that perform less effectively than the others. Security Advisory l 4 White Paper © 2009 Trusteer, Inc.
  • 5. Quantitative Analysis The data above enables us to calculate the efficiency of anti-virus products at large, as well of that of specific products. To this end, we can employ the Bayesian theorem: AVUTD = Antivirus is up-to-date NoAV = No antivirus found p(Zeus|AVUTD)=p(AVUTD|Zeus)*p(Zeus)/p(AVUTD) p(Zeus|NoAV)=p(NoAV|Zeus)*p(Zeus)/p(NoAV) Dividing both sides, we obtain the following ratio: p(Zeus|AVUTD)/p(Zeus/NoAV)=(p(AVUTD|Zeus)*p(NoAV))/(p( AVUTD)*p(NoAV|Zeus)) We can now substitute values: p(AVUTD|Zeus)=0.55 p(NoAV|Zeus)=0.31 p(AVUTD)=0.71 p(NoAV)=0.23 This yields: Security Advisory l 5 White Paper © 2009 Trusteer, Inc.
  • 6. p(Zeus|AVUTD)/p(Zeus|NoAV)=0.77 In other words, installing an anti-virus product and maintaining it up to date reduces the probability to get infected by Zeus by 23%, compared to running without an anti-virus altogether. The effectiveness of an up to date anti virus against Zeus is thus not 100%, not 90%, not even 50% - it’s just 23%. Conclusion We measured the efficiency of antivirus products in the wild, against Zeus. In a sense, it’s more accurate than in-the-lab experiments, since it measures the real phenomenon – the actual infections in the wild, vs. real antivirus deployment in the wild. The result we measured, efficiency level of 23%, is disturbing, and reveals that the vast majority of Zeus infections go unnoticed by antivirus products. Security Advisory l 6 White Paper © 2009 Trusteer, Inc.