Zeus Malware – Even Salesforce Has Been Targeted

Zeus Malware and its many variants has been around for quite some time. One of its many children was used in recent news making attacks on retail giants Target and Michaels. And although it was primarily designed to specifically steal banking credentials new variants were recently caught poking around Salesforce.com.

According to Network World, a Zeus variant is targeting individual Windows-based computers in order to break into SF as the user victim logs in, “then quickly gathered up a large amount of Salesforce business data through a kind of web-crawling action.”

Laptop isolated on white

“It grabbed 2 gigabytes of data in less than 10 minutes,” explains Vice President of Marketing Tal Klein of Adallom, the security company that caught the invasion while monitoring one of its customers. He also noted that it’s the first time the company has seen a variant of Zeus being put to this kind of use.

In the Target case, and likely Michaels and several other high profile data thefts, the malware didn’t get in by way of Target itself but by going after a Target vendor, first infecting that individuals network. Once there it found a direct connection to Target via the channel through which the vendor’s payments were facilitated on Target’s network.

As with any other malware the victim has to be tricked into opening an attachment to an email and getting passed any anti-malware barriers the victim’s IT folks have put in place. Lately this has been done by attaching a ZIP file containing the malware but using a “.enc” file extension. Because it is not an “.exe” or executable file extension this seems to fool security products that are in place to catch malware.

There are a number of email content variations used as bait. If the end-user has too much faith in the anti-virus/malware products in place they may go ahead and open the ZIP file. Once this happens the show is over and Zeus, or “GameOver Zeus” as its most current major variation is called, is off to find a path to bigger “targets”.

IT folks should double check the logs to see how many or if .enc files have been downloaded into their networks and regularly review information like that offered by Dell SecureWorks.

The evidence that Zeus was being used to poke around Salesforce.com and innocent SF users data should be a warning that no one is safe. Why it targeted SF type data has not been discovered yet. But if it can invade some of the biggest and most secure systems on the planet, than even small users should take steps to protect their businesses from the nasty little critter.

Take advantage of the expertise of external companies who have experience both in Salesforce and other platform products as well as expertise in methods to better secure these systems from invasion. Whether your company is the target or if it is simply the way the malware gets to its ultimate target, it will cost you if you get infected by Zeus.

Author’s Note: This is an article written for a client in the IT and Application Development industry.