Talk:Zeus (malware)

Zeus/Kneber 2010
Latest Media Frenzy 18 Feb 2010: http://www.msnbc.msn.com/id/35456838/ns/technology_and_science-security

Stemming from this Announcement at NetWitness stating that NetWitness discovered the breach in January 2010 and has named it the "Kneber botnet": http://www.netwitness.com//resources/pressreleases/feb182010.aspx

Note that Symantec identified this same threat as gaining in prevalence in Aug 2009 as evidenced by their forum (and they're not the only ones): http://www.symantec.com/connect/blogs/zeus-king-underground-crimeware-toolkits

I would edit it in, but I'm short on time. Note too that I didn't even log in for this ;) User:VulpineLady —Preceding unsigned comment added by 74.4.91.87 (talk) 16:20, 18 February 2010 (UTC)

No mention of the big web hosts that were hacked?
The Koobface/Hilary Kneber gang have hacked Network Solutions (twice), GoDaddy, BlueHost, the list goes on and on. Yet there's no mention of this in the article? —Preceding unsigned comment added by 78.144.84.72 (talk) 19:10, 1 August 2010 (UTC)

Top10 countries image
Chup kr warna pitega bhut.Dubara mat dekhio issey varna you will be in jail. t--vvarkey (talk) 19:19, 12 december 2018 (UTC)

Removal and Detection
The war has been over for several years and the AV companies have lost. Let me give you the picture as one who has watched how Zeus and FakeAV have progressed. Many of the people using a Zeus bot-kit or FakeAV have new binaries every day where they twiddled the variables and if the detection has ever crawled up over 12/42 at VirusTotal that drops it back down to 6-/32 at VirusTotal. Many frequently use a completely new binary every 1-2 weeks. If they use redirect links stabbed into normal web-site pages, you are taken through a series of 2-3 more hosts with all but the first coming into DNS and leaving DNS eight hours later. Ergo, hosts lists are useless. I did add rules to my PAC filter (at hostsfile.org & securemecca.com) but it is getting old and long in tooth. The interference of Comcast and the constant thrashing of Linux and the browsers made me stop identifying my OS as Windows XP with no security patches and Firefox as IE 6. The new version of Flash will not be provided for Linux. The pseudo-scans showing so many malware in my Documents and Setting / Users (Win 7) frequently ran in the past anyway with no attempt to identify my OS & browser as something else anyway. I humorously was identified as Android the other day. IOW, OS detection is now used by most malware and if they see Linux they do nothing.

In short, your only sure protection against both Zeus and FakeAV is to use a Macintosh or Linux or iPhone. Just make sure you run Macintosh as normal user, not as an administrator. For all Mac accounts make it so the Safari browser doesn't oh so helpfully open DMG and ZIP files. For the Administrator accounts it would be nice if Apple made them require a password before installing anything into privileged file space. So what can people using Windows do?

1. Install Firefox and use the NoScript add-on. Most of the Zeus and FakeAV infections start with some scripting. By allowing only a subset of the Internet to script you reduce your exposure. 2. Intall my PAC filter and tune it to your needs (not for the newbies and faint of heart). 3. Turn on certain aspects of Windows 7 & 8 that does about the same as the PAC filter.

In short, the only protection for the ducks is to not fly any place near the hunters. This article needs to be scrapped or updated to reflect these new realities. I have been searching for Zeus removal tools and other than Microsoft's MSRT there really is no adequate sure fire protection for either Zeus or FakeAV. Make sure you do not run Microsoft Windows without MSRT installed and running. It is not enough but everything helps. If you want verification from me via email do NOT use my securemecca.com account. Presently a spammer is doing a direct attack by having his Microsoft Windows bots sending me 100+ messages a day direct plus about 1/4 of that via bounces purportedly from hashed users at the securemecca.com domain to users that no longer exist. I am generating 200+ new host names per day from their activity. Many normal messages are now missed. Do you get the picture? We need a paradigm shift and Microsoft needs to introduce users and groups into the file system via a DACL (Discretionary Acccess Control List) with permissions of what files can do and those that are downloaded not having execute protection no matter what their extension is. hhhobbit (talk) 23:07, 14 September 2012 (UTC)

Semi-protected edit request on 16 July 2016
103.233.84.103 (talk) 14:50, 16 July 2016 (UTC)

Note: We can't make a change to the article if you don't tell us what you want changed. —C.Fred (talk) 14:58, 16 July 2016 (UTC)

External links modified
Hello fellow Wikipedians,

I have just modified 1 one external link on Zeus (malware). Please take a moment to review my edit. If you have any questions, or need the bot to ignore the links, or the page altogether, please visit this simple FaQ for additional information. I made the following changes:
 * Added archive http://web.archive.org/web/20120120004836/http://www.antisource.com:80/article.php/zeus-botnet-summary to http://www.antisource.com/article.php/zeus-botnet-summary
 * Added tag to http://www.netwitness.com/resources/kneber.aspx

When you have finished reviewing my changes, please set the checked parameter below to true or failed to let others know (documentation at ).

Cheers.— InternetArchiveBot  (Report bug) 12:04, 21 July 2016 (UTC)

Semi-protected edit request on 27 July 2016
add about tech support scammers taking advantage with fake pop ups such as"The Zeus virus name is currently being used to convince victims of tech support scams that they have the virus and get control of their to make them pay to remove the virus even if they do not have it Plaindinks (talk) 23:23, 27 July 2016 (UTC)

Semi-protected edit request on 12 August 2016
Samsmith000122 (talk) 21:37, 12 August 2016 (UTC)
 * No actual edit requested. Boing! said Zebedee (talk) 21:48, 12 August 2016 (UTC)

Semi-protected edit request on 11 September 2016
Add some type of warning to people that are being tricked by tech support scammers. Something like "Warning: if a tech support personnel brought you here, they may be a scammer." Many of them trick people into thinking they have Zeus on their computer then bring them to this page.

Ty55101 (talk) 17:21, 11 September 2016 (UTC)
 * The scam is already listed in the first part of the article. -- Dane 2007  talk 22:08, 11 September 2016 (UTC)

Semi-protected edit request on 24 January 2017
Shubham david (talk) 06:34, 24 January 2017 (UTC) Please request your change in the form "Please replace XXX with YYY" or "Please add ZZZ between PPP and QQQ". Please also cite reliable sources to back up your request, without which no information should be added to, or changed in, any article. - Arjayay (talk) 10:16, 24 January 2017 (UTC)
 * Red information icon with gradient background.svg Not done: as you have not requested a change.

Semi-protected edit request on 2 June 2017
14.141.83.62 (talk) 16:48, 2 June 2017 (UTC)


 * Red question icon with gradient background.svg Not done: it's not clear what changes you want to be made. Please mention the specific changes in a "change X to Y" format.  Paine Ellsworth   put'r there  00:19, 3 June 2017 (UTC)