Two weeks ago, Microsoft started detecting the Zeus malware in its Malicious Software Removal Tool, a free piece of software that Microsoft provides to Windows users that removes malware from their computers (the MSRT is not real-time so you still need a real time antimalware software like AVG, Kaspersky or Microsoft Security Essentials). From PC World in an article dated Oct 12:
On Tuesday, Microsoft started detecting Zeus with its Malicious Software Removal Tool (MSRT) — a widely used virus removal program that’s free for Windows users. That should make it harder for the many criminals who use Zeus to keep running their software on computers that don’t have antivirus software installed — often an easy target up until now.
According to a September 2009 study by security vendor Trusteer, 45 percent of Zeus-infected machines have either no antivirus software or an out-of-date product. On the other hand, Zeus has been effective at avoiding the type of detection that Microsoft is now adding to its MSRT. According to that same report, 55 percent of Zeus infections were on machines that did have working antivirus programs installed.
In the six days since that article, ComputerWorld reports that the MSRT had cleaned Zeus from nearly a quarter-million computers:
Microsoft said its free malware cleaning tool had scrubbed the money-stealing Zeus bot from nearly 275,000 Windows computers in under a week…
Since Tuesday, MSRT has removed 281,491 copies of Zeus from 274,873 PCs, Microsoft announced in a post to a company blog Sunday. Those numbers put the Zeus bot into the top spot on MSRT’s hit list.
Zeus infections accounted for 20.4% of all machine cleanings since last Tuesday, said Jeff Williams, the director of Microsoft’s Malware Protection Center, in the blog post. "[That] ratio [is] higher than we typically see even when accounting for the normal, first-month spike which results from adding a new family," Williams said. "But not exceptionally so."
I’m not an expert in Zeus (not even in malware although I think I am pretty good and read a lot about it), but it is a versatile piece of malware that allows criminals to create their own botnets. As a result, there is not a single Zeus botnet but several hundred small ones that need to be shut down. Worse yet, Zeus allows criminals to customize spam/phishing templates to steal credentials based upon the target it is spoofing. In other words, the criminal gang behind it has invested a lot of time and resources into the underground cyber economy.
It will be interesting to see how this affects spam volumes world wide, and the botnets that we do know about that are associated with the Zeus botnet.