Zeus

Name

Zeus, Zbot

Detection names

Sophos: Mal/Zbot-CX, Mal/Zbot-DY, Troj/Zbot-AZB
Kaspersky: Trojan-Spy.Win32.Zbot.cegt, Trojan-Spy.Win32.Zbot.blbs, Trojan-Spy.Win32.Zbot.cgmi
Avira: TR/Spy.182784.39, TR/PSW.Zbot.Y.1789, TR/Spy.ZBot.VG
McAfee: PWS-Zbot.gen.hb, Generic BackDoor.sw
Trend Micro: TSPY_ZBOT.BUS, TSPY_ZBOT.QRE, TROJ_SPNR.15KK11
Microsoft: PWS:Win32/Zbot.gen!Y, PWS:Win32/Zbot
Symantec: Trojan.Gen, Trojan.Zbot, Infostealer.Banker.C

Affected OS or software

Microsoft Windows

Basic description

Zeus (also known as Zbot) is a widespread Trojan whose primary purpose is to steal information, usually financial data such as credentials for online banking. Zeus is also the name of the toolkit used to create these information-stealing Trojans. The kit can be purchased on underground forums, enabling less technically able criminals to take advantage of the capabilities of Zeus.

Related links

Naked Security blog articles on Zeus 
Sophos technical paper: What is Zeus?

Defending against the threat

Initial delivery of a Zeus-based attack is often done by email, using social engineering techniques to encourage recipients to open the message and its attachment or link. Training users to be suspicious of unsolicited emails can help reduce the success of this tactic. Zeus operates primarily on the endpoint, monitoring data for information to steal, so good endpoint security is a key defense to have in place.

Patches

None

Sophos technologies

Sophos Email Security and Control
Sophos Endpoint Protection

Technical description

Zeus is a malware construction kit used by prospective criminals to create their own customized version of the Zeus malware. As such, the behavior of Zeus can vary greatly from version to version. Each copy of Zeus carries with it configuration information telling it where it can obtain updates, where to send stolen data and how to communicate with its controlling botnet.

Typically Zeus monitors the user's web browsing, observing which sites they visit and taking action only when they visit a specified target such as an online banking site. In addition to capturing the login credentials used to gain access, Zeus can place additional fields in the login form, asking the user for data needed by the criminal such as an ATM PIN or social security number. Zeus may also attempt to bypass two-factor authentication mechanisms by harvesting transaction authentication numbers (TANs) as the user enters them. Zeus can also search for data stored on the user's hard disk, such as browser cookies and passwords stored by FTP software. Any webmaster passwords stolen in this manner can be used to compromise websites for future attacks.

Once it is active on a computer, Zeus joins a botnet to receive commands controlling its activity. These include commands to update itself, download and execute other malware, and trigger the data theft components.

Zeus can be installed in a number of different locations, depending on the version and the configuration used to build it. Older versions commonly used names such as ntos.exe or sdra64.exe and added files to the Windows system folder, but the latest versions use randomized names and store files in the user's Application Data area. Once installed, Zeus maintains a memory-resident process and hooks a number of APIs, enabling it to inject itself into new processes and steal data.

Zeus will typically add a registry entry to ensure that it is run each time the user logs on, for example under:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
Zeus monitors this registry entry and recreates it if it is deleted.
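The following triage helper is an added example, not code from the original page or from Sophos. It works over a constructed .reg-style export of the HKCU Run key (the value names and paths in the sample are made up; only the legacy filenames ntos.exe and sdra64.exe and the Application Data location come from the description above), flags entries that match the installation behaviour described, and compares two reads of the key to spot an entry that reappears after being removed, which is the self-repair behaviour noted in the last paragraph. The regexes, the .reg format handling and the decision to treat any autorun from the user's Application Data area as "review" rather than "malicious" are assumptions of this example.

```python
"""Triage helper for HKCU Run entries (added example; assumptions noted inline)."""
import re
from collections import namedtuple

# Filenames the description attributes to older Zeus builds.
LEGACY_ZEUS_NAMES = {"ntos.exe", "sdra64.exe"}

RunEntry = namedtuple("RunEntry", "name command exe_path")

# Constructed sample export of the Run key; value names and paths are made up.
SAMPLE_EXPORT = r'''
Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Program Files\\Microsoft OneDrive\\OneDrive.exe\" /background"
"userinit"="C:\\Windows\\System32\\sdra64.exe"
"{B1D4-EXAMPLE}"="\"C:\\Users\\alice\\AppData\\Roaming\\Qwxe\\ivopl.exe\""
"Updater"="C:\\Users\\alice\\AppData\\Local\\Vendor\\updater.exe --quiet"
'''

# One "name"="data" line of a .reg file; backslash escapes are kept as pairs.
_VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
# First drive-letter path ending in .exe inside the (unescaped) command line.
_EXE_RE = re.compile(r'(?i)([a-z]:\\(?:[^"\\]+\\)*[^"\\]+?\.exe)')


def parse_run_export(text):
    """Parse a .reg export of a Run key into RunEntry tuples."""
    entries = []
    for line in text.splitlines():
        m = _VALUE_RE.match(line.strip())
        if not m:
            continue
        # Undo .reg escaping: \\ -> \ and \" -> "
        name, data = (re.sub(r'\\(.)', r'\1', g) for g in m.groups())
        exe = _EXE_RE.search(data)
        entries.append(RunEntry(name, data, exe.group(1) if exe else None))
    return entries


def assess(entry):
    """Return the reasons an entry deserves attention (empty list = nothing noted)."""
    if entry.exe_path is None:
        return ["no executable path could be extracted"]
    reasons = []
    path = entry.exe_path.lower()
    basename = path.rsplit("\\", 1)[-1]
    if basename in LEGACY_ZEUS_NAMES:
        reasons.append("filename used by older Zeus builds: " + basename)
    # Assumption: the roaming profile ("Application Data" on older Windows,
    # AppData\Roaming on newer) is the area the description refers to. Many
    # legitimate programs also start from here, so this is a review item.
    if "\\appdata\\roaming\\" in path or "\\application data\\" in path:
        reasons.append("autorun from the user's Application Data area; review")
    return reasons


def triage(text):
    """Map every Run value name in the export to its list of reasons."""
    return {e.name: assess(e) for e in parse_run_export(text)}


def recreated_after_removal(baseline, after_removal, removed_names):
    """Names that were deleted from the key but point at the same executable
    again on a later read: the self-repair behaviour described above."""
    before = {e.name: e.exe_path for e in baseline}
    after = {e.name: e.exe_path for e in after_removal}
    return sorted(n for n in removed_names
                  if n in before and after.get(n) == before[n])


if __name__ == "__main__":
    for name, reasons in triage(SAMPLE_EXPORT).items():
        print(f"{name!r}: {reasons or 'nothing noted'}")
```

In practice the two reads passed to recreated_after_removal would come from exporting the key, deleting the suspect value, and exporting it again a short while later; an entry that comes back without a logon is the signal worth escalating.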