Zeus Found Crawling through Salesforce.com


The infamous banking Trojan Zeus has been spotted on Salesforce.com.  The discovery was made by SaaS security firm Adallom, which has shared its findings with Salesforce.  As yet, the investigation is ongoing.

What is known so far is that Zeus was used to target a single Windows PC.  Adallom provides security by monitoring cloud traffic, and the firm noticed the attack when it saw about 2 gigabytes of data downloaded to the victim's computer in less than 10 minutes.  Adallom has yet to publish a report, but in a brief interview with Techworld its spokesperson said the variant has web crawling capabilities.  The malware is believed to be used to grab sensitive business data from the massive CRM.

Zeus Evolving in 2014

This is the first reported case of Zeus being used against a CRM, but it is far from the Trojan's Internet debut.  In 2013, the Gameover variant of Zeus was responsible for approximately one-third of all attacks on financial institutions.  Early last year, Zeus was also found connecting to LinkedIn.

It would seem that 2014 is shaping up to be a year of transformation for the Trojan.  Late last week, reports emerged of yet another variant, ZeusVM, whose configuration file is steganographically concealed in .JPG image files.  The technique appends the hidden data after the image data: image viewers stop reading at the JPEG end-of-image marker, so the picture displays normally and nothing looks amiss.  .JPG files are therefore being used to carry ZeusVM's configuration file, which arrives looking like nothing more than an ordinary image download.
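The check a practitioner would want for this kind of carrier is simple: find where the JPEG really ends and see whether anything follows. The script below is an added example written for this post, not code from the original article or from Adallom, Emsisoft or any ZeusVM analysis. It walks the JPEG segment structure to the outermost End-Of-Image marker and returns whatever is appended after it. It also includes a naive "search for the first FF D9" check, because EXIF thumbnails embed a complete inner JPEG with its own end marker and fool the naive version. The sample files are constructed inline (a minimal JFIF header, an APP1 segment carrying a fake thumbnail, a short scan, and a made-up appended blob); no real images or malware configuration are used.

```python
# Added example: locate the real end of a JPEG and report appended bytes.
# Sample images and the appended "payload" below are constructed for this
# example and are not real files or real ZeusVM data.

SOI, EOI, SOS = 0xD8, 0xD9, 0xDA


def _segment(marker, payload):
    """Build one marker segment: FF <marker> <2-byte length incl. itself> <payload>."""
    return b"\xff" + bytes([marker]) + (len(payload) + 2).to_bytes(2, "big") + payload


def jpeg_end_offset(data):
    """Return the offset just past the outermost EOI marker, or raise ValueError.

    Segments before SOS are skipped by their declared length (so a thumbnail
    buried in APP1 is never inspected). Entropy-coded data after SOS is scanned
    for the next real marker: FF 00 is byte stuffing and FF D0..D7 are restart
    markers, neither of which ends the scan.
    """
    if data[:2] != b"\xff" + bytes([SOI]):
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        while pos < len(data) and data[pos] == 0xFF:  # FF fill bytes are allowed
            pos += 1
        if pos >= len(data):
            break
        marker = data[pos]
        pos += 1
        if marker == EOI:
            return pos
        if marker in (0x01, SOI) or 0xD0 <= marker <= 0xD7:  # standalone markers
            continue
        if pos + 2 > len(data):
            raise ValueError("truncated segment header")
        pos += int.from_bytes(data[pos:pos + 2], "big")
        if marker == SOS:
            while True:  # skip entropy-coded data up to the next real marker
                idx = data.find(b"\xff", pos)
                if idx < 0 or idx + 1 >= len(data):
                    raise ValueError("unterminated scan data")
                nxt = data[idx + 1]
                if nxt == 0x00 or 0xD0 <= nxt <= 0xD7:
                    pos = idx + 2
                    continue
                pos = idx
                break
    raise ValueError("no EOI marker found")


def trailing_bytes(data):
    """Bytes appended after the image; empty for a clean file."""
    return data[jpeg_end_offset(data):]


def naive_trailing_bytes(data):
    """The tempting shortcut: everything after the first FF D9. Wrong for files
    with an embedded thumbnail, which contains its own FF D9."""
    idx = data.find(b"\xff\xd9")
    return data[idx + 2:] if idx >= 0 else b""


# Constructed sample: an inner "thumbnail" JPEG, placed inside an APP1 segment.
_THUMB = b"\xff\xd8" + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00") + b"\x12\x34" + b"\xff\xd9"
CLEAN_JPEG = (
    b"\xff\xd8"
    + _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + _segment(0xE1, b"Exif\x00\x00" + _THUMB)
    + _segment(SOS, b"\x01\x01\x00\x00\x3f\x00")
    + b"\xab\xff\x00\xcd\xff\xd0\xef"  # scan data with a stuffed FF 00 and an RST0 marker
    + b"\xff\xd9"
)
PAYLOAD = b"constructed-config-blob"  # stands in for an appended configuration file
STEGO_JPEG = CLEAN_JPEG + PAYLOAD

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_JPEG), ("stego", STEGO_JPEG)):
        print(name, "appended bytes:", len(trailing_bytes(img)),
              "| naive check reports:", len(naive_trailing_bytes(img)))
```

Run it on a directory of downloaded images and anything with a non-empty `trailing_bytes` result deserves a closer look. Appended data is not proof of malice (some cameras and editors leave junk there too), but it is exactly the property a stego carrier of this kind cannot avoid having.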

Over the last year, the Zeus Trojan has been so effective because it performs man-in-the-browser attacks, a man-in-the-middle that runs inside the victim's own browser.  Zeus recognizes when a user logs on to a major banking site, and at that moment it 'wakes up.'  Because the user has already authenticated with their own credentials, attackers can ride that session to gain direct access to the account.  Such access can be used to steal sensitive data, or even schedule a wire transfer to an account the attacker controls.

As Adallom's discovery shows, this same technique is now being leveraged to download data from CRMs.  In principle, it could be used to harvest sensitive information from any SaaS application the victim is logged into.
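What gave the Salesforce case away was volume: about 2 gigabytes pulled down to one PC in under 10 minutes, far more than a person clicking through a CRM produces. The following is an added example for this post (not Adallom's product or code, and not a Salesforce feature) of the kind of detection that catches that pattern: a per-user sliding window over access-log records that alerts the first time one account moves more than a threshold of bytes within 10 minutes. The log format, user names, byte counts and threshold are all made up for the example; the input is assumed to be in time order.

```python
# Added example: flag bulk downloads from a SaaS access log using a per-user
# sliding window. The log lines, user names and threshold are constructed for
# this example and are not real Salesforce or Adallom data.
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed format: "<ISO-8601 UTC timestamp> <user> <action> <bytes transferred>"
SAMPLE_LOG = """\
2014-02-19T09:00:05Z alice export_report 1200000
2014-02-19T09:01:10Z bob view_record 4096
2014-02-19T09:02:30Z alice export_report 900000
2014-02-19T09:03:00Z mallory api_query 450000000
2014-02-19T09:04:12Z mallory api_query 520000000
2014-02-19T09:06:40Z mallory api_query 610000000
2014-02-19T09:08:55Z mallory api_query 580000000
2014-02-19T09:40:00Z bob export_report 2500000000
"""

WINDOW = timedelta(minutes=10)
THRESHOLD_BYTES = 1_000_000_000  # 1 GB per 10 minutes; tune per tenant and role
TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_line(line):
    """Split one constructed log line into (timestamp, user, action, bytes)."""
    ts, user, action, nbytes = line.split()
    return datetime.strptime(ts, TS_FORMAT), user, action, int(nbytes)


def find_bulk_downloads(log_text, threshold=THRESHOLD_BYTES, window=WINDOW):
    """Return {user: (timestamp, bytes_in_window)} for the first event at which
    each user's transferred bytes over the trailing window reach the threshold.

    Assumes lines are sorted by time. One alert per user keeps a crawler that
    issues thousands of requests from flooding the queue.
    """
    recent = defaultdict(deque)  # user -> deque of (timestamp, bytes) in window
    alerts = {}
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, _action, nbytes = parse_line(line)
        window_events = recent[user]
        window_events.append((ts, nbytes))
        while window_events and ts - window_events[0][0] > window:
            window_events.popleft()  # drop events older than the window
        total = sum(b for _, b in window_events)
        if total >= threshold and user not in alerts:
            alerts[user] = (ts.strftime(TS_FORMAT), total)
    return alerts


if __name__ == "__main__":
    for user, (when, total) in find_bulk_downloads(SAMPLE_LOG).items():
        print(f"ALERT {user}: {total:,} bytes in the 10 minutes ending {when}")
```

In the sample, mallory's steady API queries trip the threshold on the third request, and bob's single oversized export trips it on its own, while alice's small report exports never do. In a real deployment the threshold belongs per role (an integration account legitimately moves far more than a sales rep), and the alert should be joined with the user-agent and source address, since a single PC pulling CRM data with a crawler looks nothing like a browser session.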

Exacerbating the situation, Zeus's source code is widely available on the dark web, and it is modified into new variants quite often.

Threat Mitigation

  • Keep an eye on your Salesforce account.  Salesforce is likely to release an official statement in the next few hours or days.
  • Be wary of all files you download from the Internet.  Just because it's an image file doesn't mean it's innocuous.
  • Use an antivirus solution with a good behavior blocker, such as Emsisoft Anti-Malware.  Traditional signature-based detection alone is ineffective against malware like Zeus, which constantly evolves into new variants.
  • If you are worried that you have become a victim of this malware and need help cleaning your computer, our experts in the Help, my PC is infected! Emsisoft Forum are always ready and willing to help.  Our removal service is free, even if you are not yet an Emsisoft customer.

Have a Great (Malware-Free) Wednesday…and if you’re using Salesforce.com: Go Make Some Sales!

UPDATE 2/20/2014:

Adallom has published a report of their findings on their blog.