Zeus Malware: Variants, Methods and History

What is the Zeus Virus?

Zeus/Zbot is a malware package using a client/server model. Operators of the Zeus malware use it to create massive botnets. Its main function is to gain unauthorized access to financial systems by stealing credentials, banking information and financial data, and sending it back to the attackers via the Zeus Command and Control (C&C) server.

Zeus has infected over 3 million computers in the USA, and has compromised major organizations like NASA and the Bank of America.

The original Zeus system had a single C&C server, and law enforcement cracked down on Zeus groups trying to take down these central servers. Newer variants use a domain generation algorithm (GDA) that allows Zbots (machines compromised by Zeus) to connect to one of a series of domain names of C&C servers.

Infected by Zeus malware?

Cynet is a trusted partner that deploys powerful endpoint detection and response (EDR) security software on your endpoints, and can help defend, mitigate and eradicate against a wide range of known and zero-day threats, including the Zeus malware. Cynet provides CyOps, an outsourced incident response team on call 24/7/365 to respond to critical incidents quickly and effectively.

Learn more about Cynet incident response services.

Zeus Variants

Zeus was first detected in 2007, and many strains of the malware have been developed. Some of the most common are:

• Zeus Gameover—a variant of the Zeus botnet with no centralized C&C.
• SpyEye—can automatically access bank accounts and transfer funds to attackers.
• Ice IX—controls content in a browser during a monetary transaction, and extracts credentials and private data from forms.
• Carberp—commonly used to conduct financial cyberattacks in Russia. Uses operating system vulnerabilities to gain root access to target systems.
• Shylock—utilizes a domain generation algorithm (DGA), allowing Zbots to connect to multiple C&C servers.

Zeus Virus Infection Methods

The most common ways Zeus infects compromised machines are:

• Drive-by-downloads—Zeus operators compromise legitimate websites, and leverages browser and operating system vulnerabilities to install the Zeus malware when users access the site.
• Spam messages—Zeus spreads via phishing emails and malicious social media campaigns. Because the malware has the ability to gain illicit access to credentials, it can be used to infiltrate social media accounts on compromised machines and use them to publish phishing messages. This is one of the factors that allowed Zeus to spread fast and infect millions of devices around the world.

How Does Zeus Malware Work?

Zeus creates a botnet using a secretly-formed network of compromised machines. The malware operator typically steals a large quantity of financial information, performing attacks on a large-scale.

Technically, Zeus is a Trojan, malware that pretends to be legitimate software. It steals passwords and financial data using keylogging and website tracking, which enables the malware to spot when the use is on a banking site or making a financial transaction, allowing it to record keystrokes used by the user when logging in.

The original version of Zeus only affects Windows computers, but there are now variants that can compromise Android phones, in an attempt to gain access to two-factor authentication.

FBI Crackdown on Zeus Creators

In October 2010 the US Federal Bureau of Investigation (FBI) said that Eastern European hackers had infected millions of computers around the world, compromised bank accounts and performed unauthorized transfers of tens of thousands of dollars at one time.

The money was often routed the money into other accounts controlled by “cash mules”, who were paid a commission. The accounts were created using fake documents and bogus names. When the money was in the account, the mules would either withdraw it and smuggle it out of the region, or wire it back to their operators in Eastern Europe.

The FBI detained over a hundred people, who were charged with conspiracy to perform bank fraud and cash laundering, 90 of them in the USA and the rest in Europe.

Hamza Bendelladj was reported as the mastermind behind Zeus. He was charged by the state of Georgia with several counts of wire fraud, computer fraud and misuse, but was not caught by the authorities. In 2010 Bendelladj announced he was retiring and gave away the source code of Zeus to his competitor, creator of the SpyEye trojan. Authorities warn that the retirement may have been faked and that Bendelladj may still be active and dangerous.

All-in-One Zeus Protection with Cynet

Cynet 360 is an Advanced Threat Detection and Response platform that provides protection against threats, including ransomware, zero-day attacks, advanced persistent threats (APT), and trojans that can evade signature-based security measures.

Cynet provides a multi-layered approach to stop Zeus and other trojans and malware from executing and endangering your IT systems:

• Pre-download—applies multiple mechanisms against browser and operating system vulnerabilities, which are typically used to deploy the Zeus malware.
• Pre-execution prevention—applies machine-learning-based static analysis to identify malware patterns in binary files before they are executed.
• In runtime—employs behavioral analysis to identify malware-like behavior, and kill a process if it exhibits such behavior.
• Threat intelligence—uses a live feed comprising over 30 threat intelligence feeds to identify known malware, including new Zeus strains.
• Fuzzy Hash detection—employs a fuzzy hashing detection mechanism to detect automated variants of known malware.
• Sandbox—runs any loaded file in a sandbox and blocks execution upon identification of malware-like behavior.
• Propagation blocking—identifies the networking activity signature generated by hosts when malware is auto-propagating, and isolates the hosts from the network.

Learn more about how Cynet 360 can protect your organization against ransomware and other advanced threats.