Zeus, ZeuS, or Zbot is a Trojan horse malware package that runs on versions of Microsoft Windows. While it can be used to carry out many malicious and criminal tasks, it is often used to steal banking information by man-in-the-browser keystroke logging and form grabbing. It is also used to install the CryptoLocker ransomware.
Zeus is spread mainly through drive-by downloads and phishing schemes. First identified in July 2007 when it was used to steal information from the United States Department of Transportation, it became more widespread in March 2009. In June 2009 security company Prevx discovered that Zeus had compromised over 74,000 FTP accounts on websites of such companies as the Bank of America, NASA, Monster.com, ABC, Oracle, Play.com, Cisco, Amazon, and ''BusinessWeek''. Similarly to Koobface, Zeus has also been used to trick victims of technical support scams into giving the scam artists money through pop-up messages that claim the user has a virus, when in reality they might have no viruses at all. The scammers may use programs such as Command Prompt or Event Viewer to make the user believe that their computer is infected.
Detection
Zeus is very difficult to detect even with up-to-date antivirus and other security software, as it hides itself using stealth techniques. This is considered the primary reason why the Zeus malware has become the largest botnet on the Internet: Damballa estimated that the malware infected 3.6 million PCs in the U.S. in 2009. Security experts advise that businesses continue to offer training to users to teach them not to click on hostile or suspicious links in emails or Web sites, and to keep antivirus protection up to date. Antivirus software does not claim to reliably prevent infection; for example, Symantec's Browser Protection says that it can prevent "some infection attempts".
FBI crackdown

In October 2010 the US FBI announced that hackers in Eastern Europe had managed to infect computers around the world using Zeus. The virus was distributed in an e-mail, and when targeted individuals at businesses and municipalities opened the e-mail, the trojan software installed itself on the victimized computer, secretly capturing passwords, account numbers, and other data used to log into online banking accounts.
The hackers then used this information to take over the victims' bank accounts and make unauthorized transfers of thousands of dollars at a time, often routing the funds to other accounts controlled by a network of money mules, who were paid a commission. Many of the U.S. money mules were recruited from overseas. They created bank accounts using fake documents and false names. Once the money was in the accounts, the mules would either wire it back to their bosses in Eastern Europe, or withdraw it in cash and smuggle it out of the country.
More than 100 people were arrested on charges of conspiracy to commit bank fraud and money laundering, over 90 in the US, and the others in the UK and Ukraine. Members of the ring had stolen $70 million.
In 2013 Hamza Bendelladj, known as Bx1 online, was arrested in Thailand and deported to Atlanta, Georgia, USA. Early reports said that he was the mastermind behind ZeuS. He was accused of operating SpyEye (a bot functionally similar to ZeuS) botnets, and suspected of also operating ZeuS botnets. He was charged with several counts of wire fraud and computer fraud and abuse. Court papers allege that from 2009 to 2011 Bendelladj and others "developed, marketed, and sold various versions of the SpyEye virus and component parts on the Internet and allowed cybercriminals to customize their purchases to include tailor-made methods of obtaining victims' personal and financial information". It was also alleged that Bendelladj advertised SpyEye on Internet forums devoted to cyber- and other crimes and operated Command and Control servers.
The charges in Georgia relate only to SpyEye, as a SpyEye botnet control server was based in Atlanta.
Possible retirement of creator
In late 2010, a number of Internet security vendors including McAfee and Internet Identity claimed that the creator of Zeus had said that he was retiring and had given the source code and rights to sell Zeus to his biggest competitor, the creator of the SpyEye trojan. However, those same experts warned that the retirement was a ruse and expected the developer to return with new tricks.
See also
* Conficker
* Command and control (malware)
* Gameover ZeuS, the successor to ZeuS
* Operation Tovar
* Timeline of computer viruses and worms
* Tiny Banker Trojan
* Torpig
* Zombie (computer science)
External links
* "Measuring the in-the-wild effectiveness of Antivirus against Zeus", study by Internet security firm Trusteer.
* "A summary of the ZeuS Bot", a summary of ZeuS as a Trojan and Botnet, plus vector of attacks.
* "The Kneber BotNet" by Alex Cox, NetWitness whitepaper on the Kneber botnet.
* "België legt fraude met onlinebankieren bloot", Dutch news article about a banking trojan.
* Files and registry keys created by different versions of Zeus Trojan.
* "Zeus, le dieu des virus contre les banques" (French-language article).
* Zeus source code at GitHub.
* "Botnet Bust - SpyEye Malware Mastermind Pleads Guilty", FBI.