Microsoft ill equipped for Zeus

A security firm has highlighted concerns over Microsoft’s protection against financial fraud, announcing findings that the Malicious Software Removal Tool is ill-equipped to defend against the Zeus Trojan.

Microsoft announced last month that its MSRT now has the capacity to detect and remove malware such as Zeus. However, private firm Trusteer has tested the tool, which apparently has major flaws in its protection.

Trusteer claim to have tested MSRT against hundreds of Zeus files, with the tool detecting only 46 percent of Zeus 2.0 files, while the new 2.1 version of the financial Trojan failed to be picked up at all.

Mickey Boodaei, CEO of Trusteer, has stated that Zeus also has a significant advantage over MSRT as the tool does not operate in real-time and only disinfects a machine when it is running. Therefore hackers have a “golden window of opportunity” between the time of a Zeus infection and the next scan by MSRT to siphon off money from the victim’s bank account, writes SC Magazine.

“I believe that MSRT will actually serve to further shorten the time between a machine becoming infected and the time it is used to commit fraud. I also expect this will reduce the effectiveness of anti-virus solutions, since they typically cannot detect a new variant until a few days after it is released,” said Trusteer.

“Microsoft is working hard and making important contributions towards improving online security with MSRT and Microsoft Security Essentials. However, in the battle against Zeus, I believe Microsoft chose the wrong weapon. What’s needed are real-time, signature-independent solutions and more operating system improvements, if we want to defeat Zeus and others like it.”

“Zeus and other financial malware can accomplish this fairly easily since they have a distinct technical advantage over MSRT, as they are already running when MSRT starts scanning,” he added.

“This allows the Trojan to easily block MSRT from running altogether. Disabling MSRT will inflict even further damage, since it is effective at detecting and removing many other forms of malware.”

However, as a private security firm, it does appear Trusteer could have a vested interest in knocking Microsoft’s security software. According to Graham Cluley at Sophos, it is no surprise that Trusteer have said this, and while the results of Trusteer’s test may well be useful in the fight against malware, it would be better to have an independent review.

“As a private firm like Microsoft, Trusteer may well have their own motives for conducting such tests. It would certainly be of more value to the general public if an independent firm such as AV-Test or West Coast Labs was to look at the reliability of MSRT instead,” Cluley told TechEye.

“It is a constant battle to provide defence against malware, with a new example coming up every one and a half seconds. However Microsoft’s MSRT is essentially a scanning tool – it added detection and removal to the software almost in an altruistic sense. Microsoft already has a free antivirus software that is available, Microsoft Security Essentials, that runs in real time and would be effective against Zeus.”