Zeus (aka Zbot, Wsnpoem) ignored by PA ?

cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Zeus (aka Zbot, Wsnpoem) ignored by PA ?

L3 Networker


We subscribe to an outside service that monitors our traffic. We regularly get reports about the Trojan Zeus being identified from various different internal clients. Why isn't PA blocking this ? Here is some info about the Trojan:

Regarding Zeus:

Zeus (aka Zbot, Wsnpoem) is a Trojan horse that attempts to steal

confidential information from the compromised computer. It may also

download configuration files and updates from the Internet. The Trojan

is created using a Trojan-building toolkit. [1]

[1] Trojan.Zbot

http://www.symantec.com/security_response/writeup.jsp?docid=2010-011016-3514-99

Additional information:

Win32/Zbot

http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fZbot

Trojan-Spy:W32/Zbot

http://www.f-secure.com/v-descs/trojan-spy_w32_zbot.shtml

Zeus: King of the Bots

http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/zeus_king_of_bo...

ZeuS Banking Trojan Report

http://www.secureworks.com/research/threats/zeus/?threat=zeus

Alert: Targeted attacks on institutional online banking

http://www.ren-isac.net/alerts/banking-attacks_cio-bo_201001.html

3 REPLIES 3

L4 Transporter

Look for threat ID 19871 (Bot-Zeus.Phonehome), 19870 (Bot-Zeus.Phonehome), 12611 (TROJAN PRG/wnspoem/Zeus InfoStealer post), and 12536 (Trojan.Spy.Zeus.1.Gen) in your threat logs/profile.

There are about 50 results under https://threatvault.paloaltonetworks.com/ for Zeus under virus.

L4 Transporter

Hello,

We have noticed the same for one of our customers.

The customer get's messages from their ISP telling that hosts are infected by Zeus botnet, but  the PaloAlto has not detected anything.

But this customer has not implemented SSL-decryption.

I'm not sure but maybe that is the reason for Zeus not being detected?

/Jo Christian

It could of course be a false positive from the ISP, would be great if your customers could get some more info from them like the logs or such for why they think they have Zeus.

But of course, it you dont have ssl-termination in place you will be pretty much blind for all sorts of threats. I would highly recommend to enable ssl-termination and use that for ALL ssl traffic (and then only whitelist a couple such as windowsupdate (which cannot be terminated anyway) and perhaps financial/bank sites (by url-category or statically by a custom url-category - the later doesnt need a url-category db license).

Speaking of url-categories you could also deny clients accessing known malware-sites and the other bad categories and if possible perhaps limit clients to only known sites (block sites which havent been categorized yet - however the later would also need you to enable dynamic url-db).

You should also verify that the clients really have "action:block" for the severitylevels that Zeus is included in (high and medium currently) and that those threat-profiles is attached to all allow rules.

There is some more info of Zeus at Zeus 2.0 – Zeus trojan at its best – extending its reach to Windows Vista, 7 and Mozilla... however very little info on the C&C/phone home communications but ssl-libs is mentioned there so I wouldnt be suprised if it uses ssl for the C&C/phone home stuff.

  • 3655 Views
  • 3 replies
  • 0 Likes
Like what you see?

Show your appreciation!

Click Like if a post is helpful to you or if you just want to show your support.

Click Accept as Solution to acknowledge that the answer to your question has been provided.

The button appears next to the replies on topics you’ve started. The member who gave the solution and all future visitors to this topic will appreciate it!

These simple actions take just seconds of your time, but go a long way in showing appreciation for community members and the LIVEcommunity as a whole!

The LIVEcommunity thanks you for your participation!