What Is Zeus Trojan (Zbot)?

The Zeus Trojan is one of the oldest malware programs used to steal targeted victims’ banking details. The creator sold the Zeus code to a competitor, but several variants were released over the years. In fact, new variants of Zeus are still released today. What started as a banking trojan has evolved into a package of malware that includes keyloggers, browser injection scripts, ransomware, and an advanced peer-to-peer communication network.

Zeus was first spotted in 2007, but its origin is unclear. Some sources say that it may have been created by a group of hackers in Eastern Europe, and that the mastermind behind it is Evgeniy Bogachev, also known as Slavic. Slavic allegedly retired in October 2010 and claimed to sell the Zeus code to SpyEye, a rival malware that competed with Zeus. However, this is disputed, and some sources say that Slavic never sold the Zeus code, and that he still has the master key to the original Zeus botnet.

In May 2011, the Zeus source code was leaked, and several hacking groups created their own version of Zeus. One of the most popular variants of the Zeus trojan is GameOver Zeus, which contains the Zeus backbone, but also has features such as peer-to-peer communication, domain generation algorithm (DGA), encryption, and proxy servers to evade detection and disruption.

GameOver Zeus can also deliver ransomware, which encrypts the user’s files and demands a ransom for their decryption. Ransomware is a separate malware that can affect the user regardless of whether GameOver Zeus steals banking information or not. For a short time, researchers stopped GameOver Zeus from communicating and working effectively, but the authors changed the code to bypass researcher controls.

Zbot typically starts through a phishing email with a malicious link for a targeted user to download the malware or an attachment used to download the malware after a user executes it. The first step is dropping malware on the local system to allow it to communicate with the Zbot central command-and-control server. The local machine also becomes a part of the Zeus Trojan botnet, giving the botnet owner control over the device. The botnet also provides an attacker access to the local machine’s data.

The original Zeus Trojan installs a keylogger, a malware application used to log keystrokes from the machine’s keyboard. Whenever the targeted user types a URL, username, and password into a browser, a keylogger records the information and sends it to the command-and-control center. This activity is invisible to the user, so it continues until the user determines that malware is running on the machine.

After several years, Zeus authors added a “web inject” component. This component added malicious JavaScript code to a bank page and tricked users into divulging sensitive information. Webinject components can bypass multi-factor authentication and steal data directly from the targeted user’s account.

If a user installs GameOver Zeus, the malware installs ransomware in addition to the bank account-stealing component. The ransomware included in Zeus works similarly to other ransomwares in the wild. It scans the local machine and any shared drives for critical files. The ransomware then encrypts files with a secure cipher and alerts the user of the infection. The user is given a ransom note instructing them how to pay the ransom to get their files back.

Zeus is mainly crimeware, so its primary function is to steal a targeted user’s banking information. The webinject component performs much of the functionality to steal a user’s banking information, but the botnet and peer-to-peer communication make Zeus unique. Zeus also has proxy functionality used to shield the command-and-control server from detection.

Initially, every peer-to-peer network had its own backbone managed by its own owner. Researchers believe that the botnet was used to shield critical infrastructure from detection, which appeared to work for several years. Slavic partnered with several cyber-criminals, so anyone in the group could have controlled their own botnet. Slavic, however, had exclusive access to all backend infrastructure. Slavic could access the peer-to-peer network to upgrade software, retrieve data, or simply eavesdrop on activity. He maintained full control over Zeus even if a group of cyber-criminals owned the entire network.

When a targeted user’s computer is affected by GameOver Zeus with ransomware, the computer will likely be inoperable. One reason ransomware is effective at extorting businesses is its scanning capabilities. The ransomware scans mapped drives, which usually include servers on the network. Files across the environment are irreversibly encrypted, so computers vulnerable to ransomware are rendered inoperable, including servers running critical applications. If servers or workstations reboot, they could crash or no longer be accessible to users. In many cases, the only way for administrators to recover from this type of attack is to re-image the server, which means a clean installation of the operating system and recovery of encrypted files from backup. The time it takes for disaster recovery is time the corporation is not functioning, often resulting in severe revenue loss.

A key component in sophisticated malware is staying active in an environment without administrators or users detecting its presence. Zeus is considered one of the more sophisticated malware applications in the wild and has survived for over 15 years. The malware has two main goals: to steal banking information and restrict communication between other computers to the botnet.

Zeus embeds into the computer system so that it can continually steal data, communicate with the command-and-control server, and inject itself into banking account web pages. It does not aim to damage computers unless the target machine is infected with GameOver Zeus, a variant containing ransomware.

After the targeted computer is added to the botnet, it communicates with the command-and-control server. An attacker oversees the command-and-control server and can run commands on the infected computer like accessing remote control or sending the attacker stolen data. Zeus aims to steal banking information first and foremost, so it will continually monitor web browser activity for bank account credentials and inject malicious scripts into opened web pages.

Some malware authors create viruses to destroy computers, but Zeus creators built the malware to prevent detection and let users work uninterrupted. The longer the malware stays on a computer, the more data the attacker can extract from user activity. Each computer in the botnet can also be used for backup should another computer disconnect from the malware network.

Zeus has no official target. Malware targeting businesses are made to disrupt productivity or extort money, usually in the millions of dollars. Zeus aims to steal banking credentials so attackers can steal money from individuals and businesses. Attackers with control of a specific botnet might target specific businesses, but the malware is built to run on servers, Android devices, and Windows workstations.

Zeus has broadened its range of victims by adding Android devices to its Windows-only trojan and governments to its business and individual targets. The command-and-control component in Zeus gives attackers access to the local machine’s data, so governments risk losing trade secrets and proprietary information if any of their workstations are compromised with Zeus malware.

The Zeus malware and botnet have already stolen data from several notable government agencies and private businesses. Attackers used Zeus to steal data from NASA, the US Department of Transportation (DOT), Bank of America, Amazon, Oracle, ABC, and Cisco.

Attackers with access to the original Zeus source code have already created several variants. One recent variant is GameOver Zeus, which is much more sophisticated than its predecessor. GameOver Zeus also has a botnet component but adds a layer of encryption security to communication data to protect it from law enforcement investigations.

As mentioned previously, GameOver Zeus has all the same features of the original Zeus with added communication encryption and CryptoLocker ransomware. Both variants will cause financial damage to a target, but the CryptoLocker component in GameOver Zeus is arguably the most dangerous to organizations and individuals.

After a targeted user installs GameOver Zeus, the user’s computer joins the standard Zeus botnet, but then the CryptoLocker ransomware triggers its functions. CryptoLocker searches for a list of over 150 file extensions and file types and encrypts the data. Files can only be unencrypted with the private key after the targeted victim pays the ransom.

In 2014, researchers intercepted the GameOver Zeus private key so that any CryptoLocker victim could decrypt their files. The GameOver Zeus developers quickly changed their code to bypass researchers, but for a short time, GaveOver Zeus was easily remediated.

Individuals and organizations can take several steps to stop and prevent Zeus from installing on their machines. The first step is to educate employees on identifying phishing emails – this can be done by developing a security awareness training program. Most Zeus installations start with a phishing email. The phishing email contains a script to download Zeus or a link where users can download Zeus in their browsers.

Keep all anti-malware and antivirus software updated to ensure that they identify and stop the latest attacks. You should never rely on antivirus software entirely, but it will help stop many common threats in the wild, including Zeus. Updates ensure that the antivirus software identifies the newest variants.

Zeus steals passwords stored in browsers and password managers. Don’t store passwords on the machine. If you use a password manager, do not store the private key to access the password manager.

Employees should never download pirated software. Pirated software often contains hidden malware that installs during the installation of legitimate software. Always download software from legitimate sources and only use licensed versions of software.

The only way to remove Zeus from a computer is to use antivirus software. You cannot decrypt files if CryptoLocker encrypted them, but you can remove Zeus and the botnet using a good antivirus program.

The basic steps for removing Zeus:

1. Download and install your antivirus software.
2. Reboot your Windows computer in Safe Mode without network support. This step stops Zeus from connecting to its botnet.
3. Let the antivirus software scan your computer.
4. Let the antivirus remove any malware found on your computer. Follow the instructions your antivirus shows you.

Organizations must have enterprise-level risk management and anti-malware strategies to stop Zeus and other variants. Proofpoint can help administrators build strategies and cybersecurity infrastructure to stop Zeus, ransomware, botnet malware, and other applications that could harm your business.