Fake Patch Tuesday - Zeus computer virus

Brad Curtis | May 11, 2011

Ah, summer is nearly upon us. Time to get off the PC and enjoy the great outdoors; or maybe just get away from the PC because you just got infected with yet another nasty virus.

If you are a security-minded individual who stays abreast of the latest threats in the wild, you have no doubt read several articles about the Zeus exploit. Zeus (a.k.a. Zbot, PRG, Wsnpoem, Gorhax, etc.) is a Trojan designed to infect a machine and glean sensitive information (e.g., bank accounts, user names, passwords) from unsuspecting users, usually delivered as malware. Zeus (and similar exploits) just won't go away, nor will it die any time soon. Malicious individuals and organizations keep modifying this exploit and creating variants to match whatever is the flavor of the day; for example, the fake Osama bin Laden videos and images that circulated en masse last week. They know people are going to click those links, so they take advantage.


Everyone knows and trusts Microsoft(R), and it is constantly used as an attack vector because of it. The latest of these modified exploits tries to take advantage of users' trust in the Windows(R) update process. This time, the attackers chose the second Tuesday of the month because many organizations and individual users know new security updates will be available then. The attackers know many people will just click through without carefully examining the content. When a user comes in contact with an infected file via e-mail or a link on the Internet, the exploit presents itself as if it were an official Microsoft critical update they should install. It's that one click that starts it all.

Here's a link with details about this particular variant: http://www.net-security.org/malware_news.php?id=1717

As long as organizations' IT departments carefully review and test updates before rolling them out to their user base, this exploit can easily be avoided. If you do not have a Windows Update Server to push updates to your users, you should communicate this exploit to your user base so they understand how serious this threat can be.
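One concrete check an IT department can build into that review step, as an added example that is not part of the original post: before a file that claims to be a Microsoft critical update is run anywhere, confirm that it carries a valid Authenticode signature whose signer is Microsoft. Real updates arrive through Windows Update or your update server, not as e-mail attachments, so a file that fails this check should simply be discarded. The file path below is a placeholder, and matching the signer subject against the string "O=Microsoft Corporation" is an assumption of this example, not an official Microsoft-documented test.

```powershell
# Added example, not from the original post. Verifies that a file presented as a
# Microsoft update is Authenticode-signed and that the signer is Microsoft.
function Test-MicrosoftSignedUpdate {
    param(
        [Parameter(Mandatory = $true)]
        [string]$FilePath
    )

    if (-not (Test-Path -LiteralPath $FilePath)) {
        return [pscustomobject]@{ Path = $FilePath; Trusted = $false; Reason = 'file not found' }
    }

    # Get-AuthenticodeSignature checks the embedded signature and its certificate chain.
    $sig = Get-AuthenticodeSignature -LiteralPath $FilePath

    # Anything other than Valid (NotSigned, HashMismatch, NotTrusted, UnknownError)
    # means the file is not what it claims to be or has been altered.
    if ($sig.Status -ne 'Valid') {
        return [pscustomobject]@{ Path = $FilePath; Trusted = $false; Reason = "signature status: $($sig.Status)" }
    }

    # A valid signature from some other publisher is still not a Microsoft update.
    # The subject-string match is an assumption of this example.
    $subject = $sig.SignerCertificate.Subject
    if ($subject -notmatch 'O=Microsoft Corporation') {
        return [pscustomobject]@{ Path = $FilePath; Trusted = $false; Reason = "signed by: $subject" }
    }

    return [pscustomobject]@{ Path = $FilePath; Trusted = $true; Reason = "signed by: $subject" }
}

# Placeholder path for a file someone received as a "critical update".
$result = Test-MicrosoftSignedUpdate -FilePath 'C:\Quarantine\PLACEHOLDER-update.exe'
$result | Format-List
if (-not $result.Trusted) {
    Write-Warning "Do not run this file: $($result.Reason)"
}
```

A passing check is necessary but not sufficient: it only tells you the file has not been tampered with since Microsoft signed it. The stronger control described above still applies, which is to take updates only from Windows Update or your own update server and never from an e-mail or a link.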

Rather than go into all the gory details of cause and effect, and how to avoid infections, here are several of our past blogs that cover them:

"Client-Side Attacks and Exploitation" - http://www.solutionary.com/resources/blog/2011/04/client-side-attacks-and-exploitation/

"(Expletive deleted) Malware and Alt-F4" - http://www.solutionary.com/resources/blog/2010/03/expletive-deleted-malware-and-alt-f4/

"Osama News Creates Cyber Threats" - http://www.solutionary.com/resources/blog/2011/05/osama-news-creates-cyber-threats/

"APT - The Battle Continues!" - http://www.solutionary.com/resources/blog/2011/01/apt-the-battle-continues/

"Bad Security Actors Improve Over Time" - http://www.solutionary.com/resources/blog/2010/09/bad-security-actors-improve-over-time/

"APT from the MSSP Perspective" - http://www.solutionary.com/resources/blog/2010/03/apt-from-the-mssp-perspective/

"Malvertising and Corporate Security: A No-Win Situation Right Now" - http://www.solutionary.com/resources/blog/2010/02/malvertising-and-corporate-security-a-no-win-situation-right-now/

"And Now You Have It" - http://www.solutionary.com/resources/blog/2010/09/and-now-you-have-it/

OK, on the surface, posting all the above blog links may seem a bit like a self-serving plug; the real point is, we've talked about this many times because this issue will not go away. Why won't it go away, you ask? Because it's effective. Why is it effective? Because people still open attachments from people they don't know, click on links from questionable Web sites, and almost every kid over 10 years old has a Facebook or other social media account; the bad guys know this!

Until next time, safe and happy surfing.
