Get Started

In this article

Zeus Malware: Variants, Methods and History


January 28, 2020
Last Updated: September 18, 2024
Share on:

Zeus is one of the most dangerous and globally widespread network security threats. It has allowed attackers to obtain user credentials to financial systems, and actually steal funds from the bank accounts of millions of people. In an FBI investigation of an Eastern-European Zeus-based criminal ring, investigators discovered over $70 million stolen and arrested over 100 people.

This is part of an extensive series of guides about malware protection.

What is the Zeus Virus?

Zeus/Zbot is a malware package using a client/server model. Operators of the Zeus malware use it to create massive botnets. Its main function is to gain unauthorized access to financial systems by stealing credentials, banking information and financial data, and sending it back to the attackers via the Zeus Command and Control (C&C) server.

Zeus has infected over 3 million computers in the USA, and has compromised major organizations like NASA and the Bank of America.

The original Zeus system had a single C&C server, and law enforcement cracked down on Zeus groups trying to take down these central servers. Newer variants use a domain generation algorithm (GDA) that allows Zbots (machines compromised by Zeus) to connect to one of a series of domain names of C&C servers.

Infected by Zeus malware?

Cynet is a trusted partner that deploys powerful endpoint detection and response (EDR) security software on your endpoints, and can help defend, mitigate and eradicate against a wide range of known and zero-day threats, including the Zeus malware. Cynet provides CyOps, an outsourced incident response team on call 24/7/365 to respond to critical incidents quickly and effectively.

Learn more about Cynet incident response services.

Stop advanced cyber
threats with one solution

Cynet’s All-In-One Security Platform

  • Full-Featured EDR and NGAV
  • Anti-Ransomware & Threat Hunting
  • 24/7 Managed Detection and Response

Achieved 100% detection in 2023

review stars

Rated 4.8/5

review stars

2024 Leader

Zeus Variants

Zeus was first detected in 2007, and many strains of the malware have been developed. Some of the most common are:

  • Zeus Gameover—a variant of the Zeus botnet with no centralized C&C.
  • SpyEye—can automatically access bank accounts and transfer funds to attackers.
  • Ice IX—controls content in a browser during a monetary transaction, and extracts credentials and private data from forms.
  • Carberp—commonly used to conduct financial cyberattacks in Russia. Uses operating system vulnerabilities to gain root access to target systems.
  • Shylock—utilizes a domain generation algorithm (DGA), allowing Zbots to connect to multiple C&C servers.

Tips From the Expert

In my experience, here are tips that can help you better defend against Zeus and other similar banking malware threats:

  1. Apply multi-layered authentication for banking transactions While two-factor authentication (2FA) is a great step, use more sophisticated multi-factor authentication (MFA) methods that involve biometric or hardware tokens, especially for financial systems. Ensure that 2FA is resistant to Zeus’s attempts to intercept SMS-based authentication.
  2. Integrate behavioral biometrics to detect fraud Add behavioral biometric solutions to detect anomalies in user behavior, such as typing patterns and mouse movement, to detect if a session has been hijacked by malware like Zeus or its variants.
  3. Utilize real-time keylogging detection tools Since Zeus relies heavily on keylogging to steal credentials, employ anti-keylogging tools that can detect unauthorized keylogging attempts or prevent keylogging from recording sensitive input on banking sites.
  4. Regularly check for Zeus-related IOCs (Indicators of Compromise) Proactively search for indicators of compromise (IOCs) related to Zeus, such as known malicious domains, IP addresses, or file hashes. Keep threat intelligence feeds updated to ensure your systems are protected from emerging variants.
  5. Harden endpoint configurations Disable unnecessary services and features such as macros in Microsoft Office or JavaScript in browsers, as these are commonly exploited by Zeus through drive-by-downloads. Additionally, apply strong security policies like application whitelisting to prevent untrusted software from executing.

Eyal Gruner is the Co-Founder and CEO of Cynet. He is also Co-Founder and former CEO of BugSec, Israel’s leading cyber consultancy, and Versafe, acquired by F5 Networks. Gruner began his career at age 15 by hacking into his bank’s ATM to show the weakness of their security and has been recognized in Google’s security Hall of Fame.

Zeus Virus Infection Methods

The most common ways Zeus infects compromised machines are:

  • Drive-by-downloads—Zeus operators compromise legitimate websites, and leverages browser and operating system vulnerabilities to install the Zeus malware when users access the site.
  • Spam messages—Zeus spreads via phishing emails and malicious social media campaigns. Because the malware has the ability to gain illicit access to credentials, it can be used to infiltrate social media accounts on compromised machines and use them to publish phishing messages. This is one of the factors that allowed Zeus to spread fast and infect millions of devices around the world.

How Does Zeus Malware Work?

Zeus creates a botnet using a secretly-formed network of compromised machines. The malware operator typically steals a large quantity of financial information, performing attacks on a large-scale.

Technically, Zeus is a Trojan, malware that pretends to be legitimate software. It steals passwords and financial data using keylogging and website tracking, which enables the malware to spot when the use is on a banking site or making a financial transaction, allowing it to record keystrokes used by the user when logging in.

The original version of Zeus only affects Windows computers, but there are now variants that can compromise Android phones, in an attempt to gain access to two-factor authentication.

FBI Crackdown on Zeus Creators

In October 2010 the US Federal Bureau of Investigation (FBI) said that Eastern European hackers had infected millions of computers around the world, compromised bank accounts and performed unauthorized transfers of tens of thousands of dollars at one time.

The money was often routed the money into other accounts controlled by “cash mules”, who were paid a commission. The accounts were created using fake documents and bogus names. When the money was in the account, the mules would either withdraw it and smuggle it out of the region, or wire it back to their operators in Eastern Europe.

The FBI detained over a hundred people, who were charged with conspiracy to perform bank fraud and cash laundering, 90 of them in the USA and the rest in Europe.

Hamza Bendelladj was reported as the mastermind behind Zeus. He was charged by the state of Georgia with several counts of wire fraud, computer fraud and misuse, but was not caught by the authorities. In 2010 Bendelladj announced he was retiring and gave away the source code of Zeus to his competitor, creator of the SpyEye trojan. Authorities warn that the retirement may have been faked and that Bendelladj may still be active and dangerous.

Stop advanced cyber
threats with one solution

Cynet’s All-In-One Security Platform

  • Full-Featured EDR and NGAV
  • Anti-Ransomware & Threat Hunting
  • 24/7 Managed Detection and Response

Achieved 100% detection in 2023

review stars

Rated 4.8/5

review stars

2024 Leader

All-in-One Zeus Protection with Cynet

Cynet 360 is an Advanced Threat Detection and Response platform that provides protection against threats, including ransomware, zero-day attacks, advanced persistent threats (APT), and trojans that can evade signature-based security measures.

Cynet provides a multi-layered approach to stop Zeus and other trojans and malware from executing and endangering your IT systems:

  • Pre-download—applies multiple mechanisms against browser and operating system vulnerabilities, which are typically used to deploy the Zeus malware.
  • Pre-execution prevention—applies machine-learning-based static analysis to identify malware patterns in binary files before they are executed.
  • In runtime—employs behavioral analysis to identify malware-like behavior, and kill a process if it exhibits such behavior.
  • Threat intelligence—uses a live feed comprising over 30 threat intelligence feeds to identify known malware, including new Zeus strains.
  • Fuzzy Hash detection—employs a fuzzy hashing detection mechanism to detect automated variants of known malware.
  • Sandbox—runs any loaded file in a sandbox and blocks execution upon identification of malware-like behavior.
  • Propagation blocking—identifies the networking activity signature generated by hosts when malware is auto-propagating, and isolates the hosts from the network.

Learn more about how Cynet 360 can protect your organization against ransomware and other advanced threats.

Let’s get started!

Ready to extend visibility, threat detection and response?

Get a Demo

Search results for: