topic Zeus (aka Zbot, Wsnpoem) ignored by PA ? in General Topics

Zeus (aka Zbot, Wsnpoem) ignored by PA ?

jhickey — Wed, 25 Jul 2012 13:59:42 GMT

We subscribe to an outside service that monitors our traffic. We regularly get reports about the Trojan Zeus being identified from various different internal clients. Why isn't PA blocking this ? Here is some info about the Trojan:

Regarding Zeus:

Zeus (aka Zbot, Wsnpoem) is a Trojan horse that attempts to steal

confidential information from the compromised computer. It may also

download configuration files and updates from the Internet. The Trojan

is created using a Trojan-building toolkit. [1]

[1] Trojan.Zbot

http://www.symantec.com/security_response/writeup.jsp?docid=2010-011016-3514-99

Additional information:

Win32/Zbot

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fZbot

Trojan-Spy:W32/Zbot

http://www.f-secure.com/v-descs/trojan-spy_w32_zbot.shtml

Zeus: King of the Bots

http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/zeus_king_of_bots.pdf

ZeuS Banking Trojan Report

http://www.secureworks.com/research/threats/zeus/?threat=zeus

Alert: Targeted attacks on institutional online banking

http://www.ren-isac.net/alerts/banking-attacks_cio-bo_201001.html

Re: Zeus (aka Zbot, Wsnpoem) ignored by PA ?

mharding — Wed, 25 Jul 2012 16:41:22 GMT

Look for threat ID 19871 (Bot-Zeus.Phonehome), 19870 (Bot-Zeus.Phonehome), 12611 (TROJAN PRG/wnspoem/Zeus InfoStealer post), and 12536 (Trojan.Spy.Zeus.1.Gen) in your threat logs/profile.

There are about 50 results under https://threatvault.paloaltonetworks.com/ for Zeus under virus.

Re: Zeus (aka Zbot, Wsnpoem) ignored by PA ?

jochristian — Wed, 22 Aug 2012 15:33:31 GMT

Hello,

We have noticed the same for one of our customers.

The customer get's messages from their ISP telling that hosts are infected by Zeus botnet, but the PaloAlto has not detected anything.

But this customer has not implemented SSL-decryption.

I'm not sure but maybe that is the reason for Zeus not being detected?

Re: Zeus (aka Zbot, Wsnpoem) ignored by PA ?

mikand — Fri, 24 Aug 2012 05:39:49 GMT

It could of course be a false positive from the ISP, would be great if your customers could get some more info from them like the logs or such for why they think they have Zeus.

But of course, it you dont have ssl-termination in place you will be pretty much blind for all sorts of threats. I would highly recommend to enable ssl-termination and use that for ALL ssl traffic (and then only whitelist a couple such as windowsupdate (which cannot be terminated anyway) and perhaps financial/bank sites (by url-category or statically by a custom url-category - the later doesnt need a url-category db license).

Speaking of url-categories you could also deny clients accessing known malware-sites and the other bad categories and if possible perhaps limit clients to only known sites (block sites which havent been categorized yet - however the later would also need you to enable dynamic url-db).

You should also verify that the clients really have "action:block" for the severitylevels that Zeus is included in (high and medium currently) and that those threat-profiles is attached to all allow rules.

There is some more info of Zeus at Zeus 2.0 – Zeus trojan at its best – extending its reach to Windows Vista, 7 and Mozilla Firefox - Andreas Baumhof however very little info on the C&C/phone home communications but ssl-libs is mentioned there so I wouldnt be suprised if it uses ssl for the C&C/phone home stuff.