On Oct. 12, 2010, Microsoft added detection and removal capabilities for the Zeus financial malware (also known as Zbot and Wsnpoem) to its Malicious Software Removal Tool (MSRT). MSRT, which was first introduced in 2005, is updated monthly and released on the second Tuesday of each month to scan users’ computers. It is meant to help prevent the infection and spread of the most prevalent forms of malware.

Joining the Fight Against Malicious Software

Microsoft’s decision to join the fight against financial malware is an important step. Winning the war against criminals requires the participation and cooperation of more software vendors and increased involvement by law enforcement agencies. I hope Microsoft’s efforts won’t stop here since there is still a lot more to be done.

With MSRT out in the field, our research organization decided to evaluate its effectiveness in detecting and removing Zeus. They tested MSRT against hundreds of Zeus files and found that MSRT detects Zeus 2.0 in 46 percent of cases, but it was unable to detect the new 2.1 version of this financial Trojan. The good news is that MSRT has been able to kill approximately half of the Zeus population and will continue to do so. This detection rate is very respectable: most, if not all, antivirus solutions have a much lower detection rate. However, the fact that even MSRT misses so many samples also emphasizes how hard it is to remove Zeus.

Zeus May Have the Upper Hand

Zeus also has a significant advantage over MSRT when it comes to committing fraud. Since MSRT does not operate in real time and only disinfects a machine when it is running, hackers have a golden window of opportunity between the time of a Zeus infection and the next scan by MSRT to siphon off money from the victim’s bank account. Thousands of new computers are infected with Zeus every day and are instantly analyzed by fraudsters. Our research team has found that financial fraud usually occurs shortly after a computer is infected with Zeus because sensitive information is immediately transmitted back to the criminals. In the majority of cases, the ability of MSRT to prevent Zeus-related fraud and data loss will be minimal because the damage has already been done by the time it performs its scan.

Will MSRT Do More Harm Than Good?

I believe that MSRT will actually serve to further shorten the time between a machine becoming infected and the time it is used to commit fraud. I also expect this will reduce the effectiveness of antivirus solutions because they typically cannot detect a new variant until a few days after it is released.

I also wouldn’t be surprised if some financial malware starts targeting MSRT to render it useless. Based on previous activity I have witnessed by financial malware developers, this is very likely. Zeus and other financial malware can accomplish this fairly easily since they have a distinct technical advantage over MSRT: They are already running when MSRT starts scanning. This allows the Trojan to block MSRT from running altogether. Disabling MSRT will inflict even further damage since it is effective at detecting and removing many other forms of malware.

Microsoft is working hard and making important contributions toward improving online security with its Malicious Software Removal Tool and Microsoft Security Essentials. However, in the battle against Zeus, I believe Microsoft chose the wrong weapon. What’s needed are real-time, signature-independent solutions and further operating system improvements if we want to defeat Zeus and others like it.
