07-25-2012 06:59 AM
We subscribe to an outside service that monitors our traffic. We regularly get reports about the Trojan Zeus being identified from various different internal clients. Why isn't PA blocking this? Here is some info about the Trojan:
Regarding Zeus:
Zeus (aka Zbot, Wsnpoem) is a Trojan horse that attempts to steal
confidential information from the compromised computer. It may also
download configuration files and updates from the Internet. The Trojan
is created using a Trojan-building toolkit. [1]
[1] Trojan.Zbot
http://www.symantec.com/security_response/writeup.jsp?docid=2010-011016-3514-99
Additional information:
Win32/Zbot
http://www.microsoft.com/security/portal/Threat/Encyclopedia/Entry.aspx?Name=Win32%2fZbot
Trojan-Spy:W32/Zbot
http://www.f-secure.com/v-descs/trojan-spy_w32_zbot.shtml
Zeus: King of the Bots
ZeuS Banking Trojan Report
http://www.secureworks.com/research/threats/zeus/?threat=zeus
Alert: Targeted attacks on institutional online banking
http://www.ren-isac.net/alerts/banking-attacks_cio-bo_201001.html
07-25-2012 09:41 AM
Look for threat ID 19871 (Bot-Zeus.Phonehome), 19870 (Bot-Zeus.Phonehome), 12611 (TROJAN PRG/wnspoem/Zeus InfoStealer post), and 12536 (Trojan.Spy.Zeus.1.Gen) in your threat logs/profile.
There are about 50 results under https://threatvault.paloaltonetworks.com/ for Zeus under virus.
08-22-2012 08:33 AM
Hello,
We have noticed the same for one of our customers.
The customer gets messages from their ISP telling them that hosts are infected by the Zeus botnet, but the PaloAlto has not detected anything.
But this customer has not implemented SSL-decryption.
I'm not sure but maybe that is the reason for Zeus not being detected?
08-23-2012 10:39 PM
It could of course be a false positive from the ISP; it would be great if your customers could get some more info from them, like the logs or such, for why they think they have Zeus.
But of course, if you don't have ssl-termination in place you will be pretty much blind to all sorts of threats. I would highly recommend enabling ssl-termination and using that for ALL ssl traffic (and then only whitelisting a couple, such as windowsupdate (which cannot be terminated anyway) and perhaps financial/bank sites (by url-category or statically by a custom url-category; the latter doesn't need a url-category db license)).
Speaking of url-categories, you could also deny clients access to known malware sites and the other bad categories and, if possible, perhaps limit clients to only known sites (block sites which haven't been categorized yet; however, the latter would also need you to enable the dynamic url-db).
You should also verify that the clients really have "action:block" for the severity levels that Zeus is included in (high and medium currently) and that those threat profiles are attached to all allow rules.
There is some more info on Zeus at Zeus 2.0 – Zeus trojan at its best – extending its reach to Windows Vista, 7 and Mozilla... however, there is very little info on the C&C/phone home communications, but ssl-libs are mentioned there, so I wouldn't be surprised if it uses ssl for the C&C/phone home stuff.
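As an added example (not from the thread and not Palo Alto Networks code), here is a small Python audit of a threat-log export for the Zeus threat IDs named earlier in this thread: it groups hits by internal source host and flags those whose action was only alert rather than a blocking action, which is the "action:block" check described above. The CSV field order is a constructed simplification, not the real PAN-OS column layout, and the sample log lines are constructed.

```python
import csv
import io
from collections import defaultdict

# Threat IDs named in this thread for Zeus; extend as the Threat Vault shows more.
ZEUS_THREAT_IDS = {"19871", "19870", "12611", "12536"}
# Actions that actually stop the session; anything else means the profile only alerted.
BLOCKING_ACTIONS = {"block", "drop", "reset-both", "reset-client", "reset-server", "block-ip"}

# Assumed field order (a simplified CSV export, not the real PAN-OS threat log columns).
FIELDS = ["receive_time", "src", "dst", "threat_id", "threat_name", "severity", "action"]

# Constructed sample lines for demonstration only.
SAMPLE_LOG = """\
2012/07/25 06:10:01,10.1.2.33,198.51.100.7,19871,Bot-Zeus.Phonehome,medium,alert
2012/07/25 06:12:44,10.1.2.33,198.51.100.7,19871,Bot-Zeus.Phonehome,medium,alert
2012/07/25 06:30:09,10.1.5.8,203.0.113.21,12536,Trojan.Spy.Zeus.1.Gen,high,reset-both
2012/07/25 07:02:15,10.1.2.90,203.0.113.50,30001,Some.Other.Signature,low,alert
"""


def audit_zeus_hits(log_text):
    """Per-source summary of Zeus hits: count, how many were merely alerted, which IDs fired."""
    hosts = defaultdict(lambda: {"hits": 0, "alert_only": 0, "threat_ids": set()})
    for row in csv.DictReader(io.StringIO(log_text), fieldnames=FIELDS):
        # Match either on a known Zeus threat ID or on "zeus" in the signature name.
        is_zeus = row["threat_id"] in ZEUS_THREAT_IDS or "zeus" in row["threat_name"].lower()
        if not is_zeus:
            continue
        h = hosts[row["src"]]
        h["hits"] += 1
        h["threat_ids"].add(row["threat_id"])
        if row["action"].lower() not in BLOCKING_ACTIONS:
            h["alert_only"] += 1
    return dict(hosts)


def hosts_needing_block_action(log_text):
    """Sources whose Zeus hits were seen but not blocked: the profile action is likely 'alert'."""
    return sorted(src for src, h in audit_zeus_hits(log_text).items() if h["alert_only"])


if __name__ == "__main__":
    for src, h in audit_zeus_hits(SAMPLE_LOG).items():
        print(src, h["hits"], "hits,", h["alert_only"], "alert-only,", sorted(h["threat_ids"]))
    print("seen but not blocked:", hosts_needing_block_action(SAMPLE_LOG))
```

A host that appears in the ISP's report but not in this output at all points at traffic the firewall never inspected (for instance SSL without decryption), which is a different problem from a profile set to alert.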