Rebirth of Zeus: Facebook Spammers
Don't click them!
This Trojan horse has already infected millions of computers worldwide. Zeus stays quiet on an infected computer until the user logs into an online banking site; it then captures the login credentials and whatever other sensitive data is entered into the page.
Zeus Targets Windows OS
Zeus targets Windows machines and does not run on Mac OS X or Linux. In 2012, however, Kaspersky Lab reported a mobile companion version of Zeus (known as ZeuS-in-the-Mobile, or ZitMo) targeting BlackBerry and Android phones.
Zeus is difficult to detect even with up-to-date antivirus software, because of its stealth techniques and the constant stream of new builds produced by its toolkit. That is a large part of why its malware family is considered the largest botnet on the Internet: some 3.6 million PCs are said to be infected in the U.S. alone.
Defending Against the Threat
The initial delivery of a Zeus-based attack is usually done by email or by phishing posts on Facebook and other social networks. Training users to be suspicious of unsolicited emails and posts reduces the success of this tactic. Zeus operates primarily on the endpoint, monitoring the user's data for information to steal, so good endpoint security is always a key defense to have in place. In short, clicking only trusted links and ignoring untrusted ones is the first line of protection, but it has to be backed by endpoint controls, because no single measure stops every variant.
Zeus is a malware construction kit used by prospective criminals to create their own customized version of the malware. As a result, the behavior of Zeus can vary greatly from version to version. Each copy of Zeus carries with it configuration information telling it where to obtain updates, where to send stolen data, and how to communicate with its controlling botnet. Typically, Zeus monitors the user's web browsing, observing which sites they visit, and takes action only when they visit a specified target such as an online banking site. In addition to capturing the login credentials used to gain access, Zeus can insert additional fields into the login form (a technique known as web injection), asking the user for data the criminal wants, such as an ATM PIN or social security number.
Zeus may also attempt to bypass two-factor authentication by harvesting transaction authentication numbers (TANs) as the user enters them. It can also search the user's hard disk for stored data such as browser cookies and passwords saved by FTP software; webmaster passwords stolen this way can be used to compromise websites for future attacks. Once active on a computer, Zeus joins a botnet to receive commands controlling its activity, including commands to update itself, to download and execute other malware, and to trigger the data theft components. Zeus can be installed in a number of different locations, depending on the version and the configuration used to build it.
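The form-field injection described above can be illustrated offline. The following Python script is an added example, not code from the original article or from Zeus itself. It parses one rule written in the publicly documented Zeus webinjects.txt syntax (set_url / data_before / data_inject / data_after, each closed by data_end), applies it to a constructed bank login page the way the in-browser hook rewrites a server response, and then shows the server-side check that catches it: a login POST carrying a field the server never rendered. The bank URL, the page markup, the rule and the posted values are all invented for the demo.

```python
import re
from typing import Dict, List

# Constructed webinject rule in Zeus webinjects.txt syntax. The target is a
# fictional bank; "GP" are the flags meaning the rule applies to GET and POST.
SAMPLE_WEBINJECT = """
set_url https://bank.example/login* GP
data_before
name="password"*>
data_end
data_inject
<br>ATM PIN: <input type="password" name="atm_pin">
data_end
data_after
data_end
"""

# Constructed login page exactly as the bank's server would send it.
SAMPLE_PAGE = (
    '<form method="post" action="/login">'
    'User: <input type="text" name="username">'
    'Pass: <input type="password" name="password">'
    '<input type="submit" value="Log in"></form>'
)


def parse_webinjects(text: str) -> List[Dict[str, str]]:
    """Parse set_url blocks into dicts with url, flags, before, inject, after."""
    rules: List[Dict[str, str]] = []
    current, section, buf = None, None, []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("set_url "):
            parts = line.split()
            current = {"url": parts[1], "flags": parts[2] if len(parts) > 2 else "",
                       "before": "", "inject": "", "after": ""}
            rules.append(current)
        elif line in ("data_before", "data_inject", "data_after"):
            section, buf = line[len("data_"):], []
        elif line == "data_end":
            current[section] = "\n".join(buf)
            section = None
        elif section is not None:
            buf.append(line)
    return rules


def _wild(pattern: str) -> str:
    """Turn a webinject pattern (literal text with '*' wildcards) into a regex."""
    return re.escape(pattern).replace(r"\*", ".*?")


def url_matches(rule_url: str, url: str) -> bool:
    return re.fullmatch(_wild(rule_url), url) is not None


def apply_injects(rules: List[Dict[str, str]], url: str, html: str) -> str:
    """Return the page as the victim's browser renders it after the response
    has been rewritten: data_inject is spliced in between the data_before
    and data_after anchors of every rule whose set_url matches."""
    for rule in rules:
        if not url_matches(rule["url"], url):
            continue
        pattern = "(" + _wild(rule["before"]) + ")"
        if rule["after"]:
            pattern += "(?=" + _wild(rule["after"]) + ")"
        m = re.search(pattern, html, re.DOTALL)
        if m:
            html = html[:m.end()] + rule["inject"] + html[m.end():]
    return html


INPUT_NAME_RE = re.compile(r'<input[^>]*\bname="([^"]+)"', re.IGNORECASE)


def form_fields(html: str) -> List[str]:
    return INPUT_NAME_RE.findall(html)


def unexpected_fields(rendered_html: str, posted: Dict[str, str]) -> List[str]:
    """Server-side check: fields in the POST that the server never rendered
    are a sign that something rewrote the login page inside the browser."""
    expected = set(form_fields(rendered_html))
    return sorted(name for name in posted if name not in expected)


if __name__ == "__main__":
    rules = parse_webinjects(SAMPLE_WEBINJECT)
    seen = apply_injects(rules, "https://bank.example/login?next=home", SAMPLE_PAGE)
    print("victim sees:", seen)
    posted = {"username": "alice", "password": "hunter2", "atm_pin": "1234"}
    print("fields the server never rendered:", unexpected_fields(SAMPLE_PAGE, posted))
```

Because the injected field is part of the real form, it is submitted to the bank along with the genuine credentials; the bank simply ignores it. Logging login POSTs that contain field names the application never rendered is therefore a cheap server-side signal that a customer's browser is being tampered with, and it needs no changes on the endpoint at all.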
Older versions commonly used names such as ntos.exe or sdra64.exe and added files to the Windows system folder; the latest versions use randomized names and store their files under the user's Application Data area. Once installed, Zeus maintains a memory-resident process and hooks a number of APIs, enabling it to inject itself into new processes and steal data. Zeus typically adds a registry entry so that it runs each time the user logs on, for example under HKCU\Software\Microsoft\Windows\CurrentVersion\Run, and it monitors this entry and recreates it if it is deleted. Deleting the Run value on its own therefore does not clean the machine: the resident process has to be stopped first, or the value simply reappears.
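A practitioner hunting for this persistence can turn the indicators in the paragraph above into a check. The Python script below is an added example, not code from the original article: it examines value name / command line pairs of the kind read from HKCU\Software\Microsoft\Windows\CurrentVersion\Run and flags the legacy file names the article cites, executables under Application Data in folders not on a vendor allowlist, and GUID-style value names that hide what the entry launches. The sample Run values, the allowlist and the folder and file names in them are constructed for the demo; the optional live reader at the end uses the standard winreg module and only works on Windows.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample of Run key values (value name -> command line). Not real
# telemetry: the two bad entries mimic the naming styles described in the text.
SAMPLE_RUN_VALUES: Dict[str, str] = {
    "OneDrive": r'"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background',
    "ctfmon": r"C:\Windows\System32\ctfmon.exe",
    "userinit": r"C:\WINDOWS\system32\sdra64.exe",
    "{F2A1C9B0-5D3E}": r'"C:\Users\alice\AppData\Roaming\Qpejo\xnurg.exe"',
    "Steam": r'"C:\Program Files (x86)\Steam\steam.exe" -silent',
}

# File names the article cites for older Zeus builds.
LEGACY_ZEUS_NAMES = {"ntos.exe", "sdra64.exe"}

# Constructed allowlist of vendor folders that legitimately run from the user
# profile; a real deployment would build this from its own software inventory.
KNOWN_APPDATA_VENDORS = {"microsoft", "google", "mozilla", "dropbox", "spotify"}

SYSTEM_DIR_RE = re.compile(r"\\windows\\system32\\", re.IGNORECASE)
APPDATA_RE = re.compile(r"\\(appdata|application data)\\", re.IGNORECASE)
# Either a leading quoted path or the first token that ends in .exe.
EXE_PATH_RE = re.compile(r'^"([^"]+)"|^(\S+?\.exe)', re.IGNORECASE)


@dataclass
class Finding:
    value_name: str
    path: str
    reasons: List[str] = field(default_factory=list)


def executable_path(command: str) -> Optional[str]:
    """Extract the launched executable from a Run value's command line."""
    m = EXE_PATH_RE.match(command.strip())
    return (m.group(1) or m.group(2)) if m else None


def assess_run_value(value_name: str, command: str) -> Optional[Finding]:
    path = executable_path(command)
    if path is None:
        return None
    parts = path.lower().split("\\")
    file_name = parts[-1]
    reasons: List[str] = []
    if file_name in LEGACY_ZEUS_NAMES:
        where = "the system folder" if SYSTEM_DIR_RE.search(path) else "an unusual folder"
        reasons.append(f"legacy Zeus file name {file_name} in {where}")
    if APPDATA_RE.search(path) and not (KNOWN_APPDATA_VENDORS & set(parts)):
        reasons.append("executable under Application Data in a folder not on the vendor allowlist")
    if re.fullmatch(r"\{[0-9a-f-]+\}", value_name.lower()):
        reasons.append("GUID-style value name hides the product behind the entry")
    return Finding(value_name, path, reasons) if reasons else None


def hunt_run_key(run_values: Dict[str, str]) -> List[Finding]:
    """Return one Finding per suspicious Run value, in registry order."""
    return [f for f in (assess_run_value(n, c) for n, c in run_values.items()) if f]


def read_live_run_key() -> Dict[str, str]:
    """Windows only: read the current user's Run key with the standard winreg module."""
    import winreg  # available only on Windows
    values: Dict[str, str] = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER,
                        r"Software\Microsoft\Windows\CurrentVersion\Run") as key:
        i = 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, i)
            except OSError:  # no more values
                break
            values[name] = str(data)
            i += 1
    return values


if __name__ == "__main__":
    for finding in hunt_run_key(SAMPLE_RUN_VALUES):
        print(finding.value_name, "->", finding.path)
        for reason in finding.reasons:
            print("   ", reason)
```

Run the hunt twice a few seconds apart after deleting a flagged value: if the value comes back, the watchdog behaviour the text describes is active and the resident process must be found and stopped before the registry is cleaned. The heuristics are deliberately simple; an allowlist miss is a false positive to review, not a verdict.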
In late 2010, a number of Internet security vendors, including McAfee and Internet Identity, reported that the creator of Zeus had said he was retiring and had handed the source code and the rights to sell Zeus to his biggest competitor, the creator of the SpyEye trojan. Many were skeptical of this retirement and expected the Trojan to return with new tricks. The skeptics were right: Zeus is back, and how!