Virus that steals bank information is on the rise

The BBC is reporting that Zeus, a virus that steals your online bank account information, is on the rise. Trusteer says that of the 5.5 million computers it monitors, one in 3,000 is infected with the Zeus virus.

Zeus 1.6 can infect users of both Internet Explorer and Firefox. Once a computer is infected, the virus records your keystrokes when you log into your bank's website. The data is then sent to a remote server, where it is used or sold by the cyber gang.

"We expect this new version of Zeus to significantly increase fraud losses, since nearly 30% of internet users bank online with Firefox and the infection is growing faster than we have ever seen before," said Amit Klein, chief technology officer at Trusteer.

In March 2010, parts of the primary control center for the Zeus botnet were taken offline when the Kazakhstani ISP that was being used to administer it was cut off. Unfortunately, though, it is back on the rise as the hackers have started to expand their botnet.


38 Comments


Some people are saying that you only get viruses by like opening certain email attachments and all that stuff on social networking sites. Well, I am always careful about this and never open anything like that, but I noticed when I visit the piratebay website (just their website, not downloading anything from it) I get some kind of malware fake antivirus scanner installed on my computer, but it doesn't happen if I use Chrome!

Is this some kind of flaw/hole type thing in the browser that can allow anything to run on my computer?
Also, I'm guessing that if this malware fake antivirus scanner can be installed and run on my computer just by visiting a website, it would be just as easy to install any virus on my computer just by visiting a single website and not clicking anything?

Kaspersky's virtual keyboard is an easy way to enter passwords and banking details. It's available with one click on an icon next to the search box in Firefox.

sbrads said,
Kaspersky's virtual keyboard is an easy way to enter passwords and banking details. It's available with one click on an icon next to the search box in Firefox.

It probably helps a bit, but a virtual keyboard isn't going to protect you against screen captures and other methods of intercepting your input. Keyloggers are much more sophisticated than they used to be. The only true way to be safe is to not have a trojan on your system in the first place, and it's really not that hard to avoid. Just takes some common sense.

Let me guess, this virus targets Windows XP and IE6. Isn't it?
So, move on. And stop using accounts with administrator privileges unless you know exactly what you are doing.

DaveGreen said,
Let me guess, this virus targets Windows XP and IE6. Isn't it?
So, move on. And stop using accounts with administrator privileges unless you know exactly what you are doing.

No, it targets any version of Windows including 7, and any browser. It could work just as well on OS X, it's called social engineering. They send people spam emails with the trojan in an attachment and literally tell them to run it, and amazingly people do it. Ok they tell them it's an important update, or a greeting card from one of their friends or a game, whatever. It's still incredible that people still fall for this stuff after decades of being told not to.

Edited by Rigby, Apr 21 2010, 10:28pm :

TRC said,

No, it targets any version of Windows including 7, and any browser. It could work just as well on OS X, it's called social engineering. They send people spam emails with the trojan in an attachment and literally tell them to run it, and amazingly people do it. Ok they tell them it's an important update, or a greeting card from one of their friends or a game, whatever. It's still incredible that people still fall for this stuff after decades of being told not to.


Absolutely not.
My question was, obviously, ironical.
A "standard trojan" like this on Windows Vista/7 is almost ineffective with ASLR and UAC in default settings. Furthermore, it is totally ineffective in case of standard accounts instead of administrator accounts.

The costs for the banks to provide tech support for all the average users won't make this happen.
It is an unrealistic idea.

ian said,
This is one of the reasons why some banks are considering making available free Ubuntu Linux bootable "live CD" discs in their branches to all of their customers to access online banking (check http://blogs.computerworld.com..._ubuntu_save_online_banking ). Indeed, Windows can be very dangerous...

Yeah, good for hackers to know. Now they can make viruses just for Ubuntu and it's the same deal. Ubuntu uses Firefox so the flaw would still work.

Glendi said,

Yeah, good for hackers to know. Now they can make viruses just for Ubuntu and it's the same deal. Ubuntu uses Firefox so the flaw would still work.

It only affects Windows users using IE or Firefox.

Edited by ian, Apr 21 2010, 9:44pm :

Glendi said,

Yeah, good for hackers to know. Now they can make viruses just for Ubuntu and it's the same deal. Ubuntu uses Firefox so the flaw would still work.

As I said to your earlier post, this is not spread because of a browser flaw.

Edited by Rigby, Apr 21 2010, 9:49pm :

ian said,
This is one of the reasons why some banks are considering making available free Ubuntu Linux bootable "live CD" discs in their branches to all of their customers to access online banking (check http://blogs.computerworld.com..._ubuntu_save_online_banking ). Indeed, Windows can be very dangerous...

This is caused by the user installing the keylogger by running its EXE file and elevating it to administrator on Vista and 7. This same **** can happen on Linux and Mac OS, I don't even know why it doesn't. All you have to do is tell the user to install the file, most will do it.

Glendi said,

Yeah, good for hackers to know. Now they can make viruses just for Ubuntu and it's the same deal. Ubuntu uses Firefox so the flaw would still work.


You really are clueless, aren't you? The point of the live CD is that it can't get infected since it doesn't save anything locally.

psionicinversion said,
Also, if it's a program that records your keystrokes on your computer, it doesn't matter what browser you're using, does it?

It matters because those browsers are what allow you to get infected in the first place.

The article is very lacking in details though. It would be nice if they would at least say how people are getting infected with this and what to watch out for.

Edited by Rigby, Apr 21 2010, 9:43pm :

After doing some searching it appears most people are getting infected the same way people usually get infected: being stupid and clicking on email spam attachments. Which makes me wonder why they are bringing up Firefox and IE, as those have nothing to do with a person intentionally running an exe file.

TRC said,
After doing some searching it appears most people are getting infected the same way people usually get infected: being stupid and clicking on email spam attachments. Which makes me wonder why they are bringing up Firefox and IE, as those have nothing to do with a person intentionally running an exe file.

It is to make it sound like a flaw in the OS\Application.

Use AutoHotkey login scripts; the recorded keystrokes sent to those parasites would be like {control}{alt}{x} strings.

Umm, if it is sending it to a remote server, shouldn't it be easy to find that remote server and the person behind it?

Seems pretty dumb to fight the virus when they could just take out the server it contacts.

Someone should figure out what server it is so we can just block it in our host file or routers.

Not that simple. I'm an ethical hacker myself and it's not a simple setup. The file can be bounced around before going to its destination FTP, and the people behind it will be using several VPNs and such to stay secure. Some botnets use hundreds of domains and servers.

designgears said,
Umm, if it is sending it to a remote server, shouldn't it be easy to find that remote server and the person behind it?

Seems pretty dumb to fight the virus when they could just take out the server it contacts.

Someone should figure out what server it is so we can just block it in our host file or routers.

For the most part, the servers are set up in nations that have more important problems than protecting people from other nations' wealth. They also tend to use many different networks to make them harder to take down.


Eventually these servers are discovered and, even later on, they get taken down, but it lasts long enough that it's a problem. Not to mention that the flaws are likely abused by them posting advertisements that get picked up by legitimate websites. This is also the problem with Flash advertisements.

Glendi said,

Not really. If you use anything besides IE or Firefox, the virus won't work.

The virus has nothing to do with IE, Firefox or any browser. A person gets it by running email attachments pretending to be Office updates, ecard greetings, or other such rubbish. It also comes from social networking sites where people download it and run it thinking it is something it isn't. It's not a browser flaw, it's a PEBKAC or ID-10T error.

warwagon said,
I bet keyscrambler would protect against this

Wouldn't it be an awesome solution against keyloggers if Microsoft implemented something like this into Windows?

Emil2k said,

Wouldn't it be an awesome solution against keyloggers if Microsoft implemented something like this into Windows?

This would make Windows 8 the best OS from Windows yet if it included a security such as that.. but only if you could allow certain applications to see your true text, not a scrambled version, thus keeping apps like Roboform and LastPass alive ;P

c3ntury said,

This would make Windows 8 the best OS from Windows yet if it included a security such as that.. but only if you could allow certain applications to see your true text, not a scrambled version, thus keeping apps like Roboform and LastPass alive ;P

It has, it's called on-screen keyboard.