Zeus is a
Trojan horse that steals banking information by
Man-in-the-browser keystroke logging and
Form Grabbing. Zeus is spread mainly through
drive-by downloads and
phishing schemes. First identified in July 2007 when it was used to steal information from the
United States Department of Transportation, it became more widespread in March 2009. In June 2009, security company
Prevx discovered that Zeus had compromised over 74,000
FTP accounts on websites of such companies as the
Bank of America,
NASA,
Monster.com,
ABC,
Oracle, Play.com,
Cisco,
Amazon, and
BusinessWeek.
The various Zeus'
botnets are estimated to include millions of compromised computers (around 3.6 million in the United States).As of October 28, 2009 over 1.5 million phishing messages were sent on
Facebook
with the purpose of spreading the Zeus' trojan. On November 3, 2009 a
British couple was arrested for allegedly using Zeus to steal personal
data. From November 14–15, 2009 Zeus spread via e-mails purporting to be from
Verizon Wireless. A total of nine million of these phishing e-mails were sent.
In 2010 there were reports of various attacks, among which one, in July, disclosed by security firm
Trusteer, indicating that the credit cards of more than 15 unnamed US banks were compromised.
On October 1, 2010,
FBI
announced it had discovered a major international cyber crime network
which had used Zeus to hack into US computers and steal around $70m.
More than 90 suspected members of the ring were arrested in the US, and
arrests were also made in the UK and Ukraine.
In May 2011, the then-current version of Zeus's source code was leaked and in October the
abuse.ch blog reported about a new custom build of the trojan that relies on more sophisticated
peer-to-peer capabilities.
Proliferation
The Zeus Trojan-controlled machines are in 196 countries, including isolated states such as
North Korea. The five countries with the most significant instances of infected machines are
Egypt, the
United States,
Mexico,
Saudi Arabia, and
Turkey. Altogether, 2,411 companies and organizations are said to have been affected by the criminal operations running the
botnet.
Targeted Operating Systems
Zeus targets
Microsoft Windows machines. It does not work on Mac OS X, or Linux.
In 2012, Kaspersky Lab researchers discovered five new variants of Zeus that infected
BlackBerry and
Android phones.
Targeted information
Every criminal can control which information he's interested in and
fine tune his copy of Zeus to only steal those. Examples include login
credentials for
online social networks,
e-mail accounts,
online banking or other online financial services. The top sites with stolen login credentials, according to
Netwitness' report are
Facebook,
Yahoo,
Hi5,
Metroflog,
Sonico and
Netlog.
Removal and detection
Zeus is very difficult to detect even with up-to-date antivirus software due to being
stealthy. This is the primary reason why its malware family is considered the largest botnet on the Internet: Some 3.6 million
PCs
are said to be infected in the U.S. alone. Security experts are
advising that businesses continue to offer training to users to prevent
them from clicking hostile or suspicious links in emails or on the web
while also keeping up with antivirus updates.
Symantec claims its Symantec Browser Protection can prevent "some infection attempts" but it remains unclear if modern antivirus software is effective at preventing all of its variants from taking root.
FBI crackdown
FBI: The Zeus Fraud Scheme
In October 2010, FBI announced that using Zeus, hackers in
Eastern Europe
managed to infect computers around the world. The virus was
disseminated in an e-mail, and when targeted individuals at businesses
and municipalities opened the e-mail, the trojan software installed
itself on the victimized computer, secretly capturing passwords, account
numbers, and other data used to log into online banking accounts.
The hackers then used this information to take over the victims’ bank
accounts and make unauthorized transfers of thousands of dollars at a
time, often routing the funds to other accounts controlled by a network
of
money mules.
Many of the U.S. money mules were recruited from overseas. They created
bank accounts using fake documents and phony names. Once the money was
in their accounts, the mules could either wire it back to their bosses
in Eastern Europe, or turn it into cash and smuggle it out of the
country. For their work, they were paid a commission.
More than 100 people were arrested on charges of conspiracy to commit
bank fraud and
money laundering. Of those, over 90 were in US, and the other arrests were made in
UK and
Ukraine.
Before they were caught, members of the theft ring managed to steal $70 million.
Retirement
In late 2010, a number of Internet security vendors including
McAfee and
Internet Identity claimed that the creator of Zeus had said that he was retiring and had given the
source code and rights to sell Zeus to his biggest competitor, the creator of the
SpyEye trojan. However, those same experts warned the retirement was a ruse and expect the cracker to return with new tricks.
As of 13 May 2011, the source code and compiled binaries are found to be hosted on
GitHub
