Zeus (trojan horse)
Zeus is a Trojan horse that steals banking information by keystroke logging and form grabbing. Zeus is spread mainly through drive-by downloads and phishing schemes. First identified in July 2007 when it was used to steal information from the United States Department of Transportation, it became more widespread in March 2009. In June 2009, security company Prevx discovered that Zeus had compromised over 74,000 FTP accounts on websites of such companies as the Bank of America, NASA, Monster, ABC, Oracle, Play.com, Cisco, Amazon, and BusinessWeek.

The various Zeus botnets are estimated to include millions of compromised computers (around 3.6 million in the United States). As of October 28, 2009, over 1.5 million phishing messages had been sent on Facebook with the purpose of spreading the Zeus trojan. On November 3, 2009, a British couple was arrested for allegedly using Zeus to steal personal data. From November 14–15, 2009, Zeus spread via e-mails purporting to be from Verizon Wireless. A total of nine million of these phishing e-mails were sent.

It was still active in 2010. On July 14, 2010, security firm Trusteer filed a report which says that the credit cards of more than 15 unnamed US banks have been compromised.

On October 1, 2010, the FBI announced it had discovered a major international cyber crime network which had used Zeus to hack into US computers and steal around $70m. More than 90 suspected members of the ring were arrested in the US, and arrests were also made in the UK and Ukraine.

In May 2011, the then-current version of Zeus's source code was leaked.

Proliferation
The Zeus Trojan-controlled machines are in 196 countries. The five countries with the most significant numbers of infected machines are Egypt, the United States, Mexico, Saudi Arabia, and Turkey. Altogether, 2,411 companies and organizations are said to have been affected by the criminal operations running the botnet.

Targeted OS
The Zeus botnet only targets Microsoft Windows machines, and computers running Windows Vista make up the majority of the botnet, though Zeus' newer version, 1.4.0.0, can also affect Windows Vista SP1.

Targeted information
Each criminal can control which information he is interested in and fine-tune his copy of Zeus to steal only that. Examples include login credentials for online social networks, e-mail accounts, online banking or other online financial services. The top sites with stolen login credentials, according to Netwitness' report, are Facebook, Yahoo, Hi5, Metroflog, Sonico and Netlog.

Availability
Zeus is readily available to buy in underground forums for as little as 700 USD (if sold from a reseller) and up to 15,000 USD for the newest version with all available features. The package contains a builder that can generate a bot executable, and web server files (PHP, images, SQL templates) for use as the command and control server. While Zbot is a generic back door that allows full control by an unauthorized remote user, the primary function of Zbot is financial gain: stealing online credentials such as FTP, email, online banking, and other online passwords. The latest public version that is available is 2.0.8.9. Since May 2011 the source code of Zeus has been leaked.

The current version of the Zeus botnet also uses classical copy protection mechanisms to prevent the use of unlicensed pirated copies. Security firm SecureWorks has discovered that the Zeus server only works with a system-specific key. Similar to the Windows OS, the malware creates a kind of fingerprint of the respective hardware configuration when first started. The vendor then provides the user with a personalised licence key for this configuration.

Removal and detection
Zeus is very difficult to detect even with up-to-date antivirus software. This is the primary reason why its malware family is considered the largest botnet on the internet: some 3.6 million PCs are said to be infected in the U.S. alone. Security experts advise that businesses continue to offer training to users to prevent them from clicking hostile or suspicious links in emails or on the web, while also keeping up with antivirus updates. Symantec claims its Symantec Browser Protection can prevent "some infection attempts", but it remains unclear if modern antivirus software is effective at preventing all of its variants from taking root.

FBI crackdown
In October 2010, the FBI announced that, using Zeus, hackers in Eastern Europe had managed to infect computers around the world. The virus was disseminated in an e-mail, and when targeted individuals at businesses and municipalities opened the e-mail, the trojan software installed itself on the victimized computer, secretly capturing passwords, account numbers, and other data used to log into online banking accounts.

The hackers then used this information to take over the victims' bank accounts and make unauthorized transfers of thousands of dollars at a time, often routing the funds to other accounts controlled by a network of "money mules." Many of the U.S. money mules were recruited from overseas. They created bank accounts using fake documents and phony names. Once the money was in their accounts, the mules could either wire it back to their bosses in Eastern Europe, or turn it into cash and smuggle it out of the country. For their work, they were paid a commission.

More than 100 people were arrested on charges of conspiracy to commit bank fraud and money laundering. Of those, over 90 were in the US, and the other arrests were made in the UK and Ukraine.

Before they were caught, members of the theft ring managed to steal $70 million.

Retirement
In late 2010, a number of Internet security vendors including McAfee and Internet Identity claimed that the creator of Zeus had said that he was retiring and had given the source code and rights to sell Zeus to his biggest competitor, the creator of the SpyEye trojan. However, those same experts warned that the retirement was a ruse and expected the hacker to return with new tricks.

See also
- Conficker
- Timeline of computer viruses and worms
- Torpig
- Web 2.0 Suicide Machine

External links
- "Measuring the in-the-wild effectiveness of Antivirus against Zeus": study by Internet security firm Trusteer.
- "A summary of the ZeuS Bot": a summary of ZeuS as a Trojan and botnet, plus its attack vectors.
- "Kneber BotNet" by Alex Cox: NetWitness whitepaper on the Kneber botnet.
- "België legt fraude met onlinebankieren bloot": Dutch news article about a banking trojan.
- "Indications in affected systems": files and registry keys created by different versions of the Zeus Trojan.
- "Zeus, le dieu des virus contre les banques"
- Zeus Bot's User Guide