Zeus is one of the most dangerous and globally widespread network security threats. It has allowed attackers to obtain user credentials to financial systems, and actually steal funds from the bank accounts of millions of people. In an FBI investigation of an Eastern-European Zeus-based criminal ring, investigators discovered over $70 million stolen and arrested over 100 people.
This is part of an extensive series of guides about malware protection.
Zeus/Zbot is a malware package using a client/server model. Operators of the Zeus malware use it to create massive botnets. Its main function is to gain unauthorized access to financial systems by stealing credentials, banking information and financial data, and sending it back to the attackers via the Zeus Command and Control (C&C) server.
Zeus has infected over 3 million computers in the USA, and has compromised major organizations like NASA and the Bank of America.
The original Zeus system had a single C&C server, and law enforcement cracked down on Zeus groups trying to take down these central servers. Newer variants use a domain generation algorithm (GDA) that allows Zbots (machines compromised by Zeus) to connect to one of a series of domain names of C&C servers.
Infected by Zeus malware?
Cynet is a trusted partner that deploys powerful endpoint detection and response (EDR) security software on your endpoints, and can help defend, mitigate and eradicate against a wide range of known and zero-day threats, including the Zeus malware. Cynet provides CyOps, an outsourced incident response team on call 24/7/365 to respond to critical incidents quickly and effectively.
Learn more about Cynet incident response services.
Zeus was first detected in 2007, and many strains of the malware have been developed. Some of the most common are:
The most common ways Zeus infects compromised machines are:
Zeus creates a botnet using a secretly-formed network of compromised machines. The malware operator typically steals a large quantity of financial information, performing attacks on a large-scale.
Technically, Zeus is a Trojan, malware that pretends to be legitimate software. It steals passwords and financial data using keylogging and website tracking, which enables the malware to spot when the use is on a banking site or making a financial transaction, allowing it to record keystrokes used by the user when logging in.
The original version of Zeus only affects Windows computers, but there are now variants that can compromise Android phones, in an attempt to gain access to two-factor authentication.
In October 2010 the US Federal Bureau of Investigation (FBI) said that Eastern European hackers had infected millions of computers around the world, compromised bank accounts and performed unauthorized transfers of tens of thousands of dollars at one time.
The money was often routed the money into other accounts controlled by “cash mules”, who were paid a commission. The accounts were created using fake documents and bogus names. When the money was in the account, the mules would either withdraw it and smuggle it out of the region, or wire it back to their operators in Eastern Europe.
The FBI detained over a hundred people, who were charged with conspiracy to perform bank fraud and cash laundering, 90 of them in the USA and the rest in Europe.
Hamza Bendelladj was reported as the mastermind behind Zeus. He was charged by the state of Georgia with several counts of wire fraud, computer fraud and misuse, but was not caught by the authorities. In 2010 Bendelladj announced he was retiring and gave away the source code of Zeus to his competitor, creator of the SpyEye trojan. Authorities warn that the retirement may have been faked and that Bendelladj may still be active and dangerous.
Cynet 360 is an Advanced Threat Detection and Response platform that provides protection against threats, including ransomware, zero-day attacks, advanced persistent threats (APT), and trojans that can evade signature-based security measures.
Cynet provides a multi-layered approach to stop Zeus and other trojans and malware from executing and endangering your IT systems:
Learn more about how Cynet 360 can protect your organization against ransomware and other advanced threats.
Let’s get started
Ready to extend visibility, threat detection and response?