July 19, 2024

Zeus Malware: Variants, Methods and History

Zeus is one of the most dangerous and globally widespread malware strains. It has allowed attackers to obtain user credentials to financial systems, and actually steal funds from the bank accounts of millions of people. In an FBI investigation of an Eastern-European Zeus-based criminal ring, investigators discovered over $70 million stolen and arrested over 100 people.

In this article you will learn:

  • What is the Zeus virus?
  • Zeus variants
  • Zeus virus infection methods
  • How the malware works
  • FBI crackdown on Zeus creators
  • All-in-one Zeus protection

What is the Zeus Virus?

Zeus/Zbot is a malware package using a client/server model. Operators of the Zeus malware use it to create massive botnets. Its main function is to gain unauthorized access to financial systems by stealing credentials, banking information and financial data, and sending it back to the attackers via the Zeus Command and Control (C&C) server.

Zeus has infected over 3 million computers in the USA, and has compromised major organizations like NASA and the Bank of America.

The original Zeus system had a single C&C server, and law enforcement cracked down on Zeus groups trying to take down these central servers. Newer variants use a domain generation algorithm (GDA) that allows Zbots (machines compromised by Zeus) to connect to one of a series of domain names of C&C servers.

Infected by Zeus malware?

InFORM XDR is a trusted partner that deploys powerful endpoint detection and response (EDR) security software on your endpoints and can help defend, mitigate and eradicate against a wide range of known and zero-day threats, including the Zeus malware. Cynet provides CyOps, an outsourced incident response team on call 24/7/365 to respond to critical incidents quickly and effectively.

Fill out the form below to get started or learn more about Cynet incident response services.

[incident response form should be embedded here]

Zeus Variants

Zeus was first detected in 2007, and many strains of the malware have been developed. Some of the most common are:

  • Zeus Gameover—a variant of the Zeus botnet with no centralized C&C.
  • SpyEye—can automatically access bank accounts and transfer funds to attackers.
  • Ice IX—controls content in a browser during a monetary transaction, and extracts credentials and private data from forms.
  • Carberp—commonly used to conduct financial cyberattacks in Russia. Uses operating system vulnerabilities to gain root access to target systems.
  • Shylock—utilizes a domain generation algorithm (DGA), allowing Zbots to connect to multiple C&C servers.

Zeus Virus Infection Methods

The most common ways Zeus infects compromised machines are:

  • Drive-by-downloads—Zeus operators compromise legitimate websites, and leverages browser and operating system vulnerabilities to install the Zeus malware when users access the site.
  • Spam messages—Zeus spreads via phishing emails and malicious social media campaigns. Because the malware has the ability to gain illicit access to credentials, it can be used to infiltrate social media accounts on compromised machines and use them to publish phishing messages. This is one of the factors that allowed Zeus to spread fast and infect millions of devices around the world.

How Does Zeus Malware Work?

Zeus creates a botnet using a secretly-formed network of compromised machines. The malware operator typically steals a large quantity of financial information, performing attacks on a large-scale.

Technically, Zeus is a Trojan, malware that pretends to be legitimate software. It steals passwords and financial data using keylogging and website tracking, which enables the malware to spot when the user is on a banking site or making a financial transaction, allowing it to record keystrokes used by the user when logging in.

The original version of Zeus only affects Windows computers, but there are now variants that can compromise Android phones, in an attempt to gain access to two-factor authentication.

FBI Crackdown on Zeus Creators

In October 2010 the US Federal Bureau of Investigation (FBI) said that Eastern European hackers had infected millions of computers around the world, compromised bank accounts and performed unauthorized transfers of tens of thousands of dollars at one time.

The money is often routed into other accounts controlled by “cash mules”, who were paid a commission. The accounts were created using fake documents and bogus names. When the money was in the account, the mules would either withdraw it and smuggle it out of the region or wire it back to their operators in Eastern Europe.

The FBI detained over a hundred people, who were charged with conspiracy to perform bank fraud and cash laundering, 90 of them in the USA and the rest in Europe.

Hamza Bendelladj was reported as the mastermind behind Zeus. He was charged by the state of Georgia with several counts of wire fraud, computer fraud and misuse, but was not caught by the authorities. In 2010 Bendelladj announced he was retiring and gave away the source code of Zeus to his competitor, creator of the SpyEye trojan. Authorities warn that the retirement may have been faked and that Bendelladj may still be active and dangerous.

All-in-One Zeus Protection

InFORM XDR is an Advanced Threat Detection and Response platform that provides protection against threats, including ransomware, zero-day attacks, advanced persistent threats (APT), and trojans that can evade signature-based security measures.

InFORM XDR provides a multi-layered approach to stop Zeus and other trojans and malware from executing and endangering your IT systems:

  • Pre-download—applies multiple mechanisms against browser and operating system vulnerabilities, which are typically used to deploy the Zeus malware.
  • Pre-execution prevention—applies machine-learning-based static analysis to identify malware patterns in binary files before they are executed.
  • In runtime—employs behavioural analysis to identify malware-like behaviour, and kill a process if it exhibits such behaviour.
  • Threat intelligence—uses a live feed comprising over 30 threat intelligence feeds to identify known malware, including new Zeus strains.
  • Fuzzy Hash detection—employs a fuzzy hashing detection mechanism to detect automated variants of known malware.
  • Sandbox—runs any loaded file in a sandbox and blocks execution upon identification of malware-like behaviour.
  • Propagation blocking—identifies the networking activity signature generated by hosts when malware is auto-propagating and isolates the hosts from the network.