The latest version of the Zeus botnet involves a banking Trojan with a Firefox forms capture capability. Antivirus programs are largely ineffective at blocking infection and less than 50% of ZeuS infections are even detected after they occur. Infection can occur in user accounts without administrative privileges and on the current Windows 7 64-bit machines now on the market, virtualization to kill such infections is not possible. When actively exploited zero-days occur, even those with software fully up-to-date are left wide-open to infection. There are nonetheless plenty of ways to avoid visiting dangerous URLs and thereby likely avoid most infection vectors.
What may not be so well controlled is blockage of IP address sources of the Zeus Trojan that lack a URL, so as to defeat URL blocking methods.
To help prevent further bank account online thefts, ABE could coordinate with those fighting ZeuS to provide to NoScript users a list of the 50 or so IP addresses without URLs serving the ZeuS Trojan at any given time.
https://zeustracker.abuse.ch/
PS If the ZeuS Tracker data is good enough for Arbor Networks to use, it certainly should be of a quality sufficient for NoScript users. http://www.abuse.ch/?p=2568
Banking Trojan ZeuS and ABE
Re: Banking Trojan ZeuS and ABE
ABE isn't really about malware blocking, as I understand it, but rather about protecting valuable sites (like your bank & webmail) from cross-site request forgery. For blacklisting sites, you're probably better off using something like Adblock Plus with the anti-malware subscription.
People running NoScript should be safe anyway, though, since those IP addresses should be blocked by default.
Re: Banking Trojan ZeuS and ABE
Thrawn wrote:
ABE isn't really about malware blocking, as I understand it, but rather about protecting valuable sites (like your bank & webmail) from cross-site request forgery. For blacklisting sites, you're probably better off using something like Adblock Plus with the anti-malware subscription.

Your description of ABE is correct as regards not being primarily anti-malware. I would just add that its original goal was to prevent Internet sites from getting inside your local network at home or office. ("Prevent WAN requests of LAN resources.") Which, of course, could have the benefit of blocking malware that could be installed by this vector, as well as preventing snooping of your LAN. The additional CSRF protection is indeed a nice bonus.
The site linked in the OP provides site-blocking lists for the HOSTS files in both Windows and Unix-like systems. If the trojan is served by third-party scripting, it would be default-denied by NoScript, unless the user were socially engineered to allow it, or to open a malicious email attachment, etc.
Thrawn wrote:
People running NoScript should be safe anyway, though, since those IP addresses should be blocked by default.

Again, if it's served by a script (or other executable that the user has blocked in Embeddings page), yes, everything is blocked by default, except for those listed in the Default Whitelist FAQ. As the linked site recommends, the malicious IPs should be blocked at the firewall level as well.
Replying to OP, a user could add the list of sites to ABE manually with a "Deny" rule, but since ABE is not subscription-based, a subscription-based tool would provide faster updating, as Thrawn notes. Another option is using Firefox's Tools > Options > Security > "Block reported attack sites", though this may raise some issues for the privacy-conscious user.
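As an added illustration of the manual "Deny" approach described in the reply above (example code written for this thread, not part of NoScript or ZeuS Tracker), the script below turns a plain one-address-per-line IP list into an ABE ruleset. It assumes the ABE grammar of a "Site" line listing addresses followed by an unconditional "Deny"; the feed text is a constructed sample using reserved documentation addresses, not real ZeuS hosts.

```python
import ipaddress

# Constructed sample of a plain IP blocklist feed (comments, a malformed
# entry and a duplicate included to exercise the parser). These are
# RFC 5737 documentation addresses, not real ZeuS command-and-control hosts.
SAMPLE_FEED = """\
# ZeuS Tracker style IP list (constructed sample)
192.0.2.10
198.51.100.27
not-an-ip
203.0.113.5
192.0.2.10
"""


def parse_ip_list(text):
    """Return the unique, syntactically valid IPv4 addresses in a feed,
    in input order, skipping comments, blank lines and malformed entries."""
    found = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        try:
            addr = str(ipaddress.IPv4Address(line))
        except ValueError:
            continue  # malformed entry: skip it rather than emit a broken rule
        if addr not in found:
            found.append(addr)
    return found


def to_abe_ruleset(ips, per_line=20):
    """Render addresses as an ABE ruleset (assumed grammar): each 'Site'
    line lists up to per_line addresses and is followed by 'Deny'."""
    lines = ["# Deny all requests to the listed addresses (manually maintained)"]
    for i in range(0, len(ips), per_line):
        lines.append("Site " + " ".join(ips[i:i + per_line]))
        lines.append("Deny")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(to_abe_ruleset(parse_ip_list(SAMPLE_FEED)), end="")
```

Because ABE has no subscription mechanism, the generated text has to be pasted into the ABE user ruleset again whenever the feed changes, which is the faster-updating advantage of a subscription-based blocker noted above.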