Zeus was first spotted in 2007, but its origin is unclear. Some sources say that it may have been created by a group of hackers in Eastern Europe, and that the mastermind behind it is Evgeniy Bogachev, also known as Slavik. Slavik allegedly retired in October 2010 and claimed to have sold the Zeus code to the author of SpyEye, a rival malware that competed with Zeus. However, this is disputed: some sources say that Slavik never sold the Zeus code and that he still holds the master key to the original Zeus botnet.
In May 2011, the Zeus source code was leaked, and several hacking groups created their own version of Zeus. One of the most popular variants of the Zeus trojan is GameOver Zeus, which contains the Zeus backbone, but also has features such as peer-to-peer communication, domain generation algorithm (DGA), encryption, and proxy servers to evade detection and disruption.
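The paragraph above names a domain generation algorithm (DGA) as one of the evasion features GameOver Zeus added. From the defender's side, the practical question is how such domains stand out in DNS telemetry. The following added example (written for this page, not code from the article or from any Zeus analysis) scores the registrable label of each queried domain by character entropy, vowel ratio and length, then flags hosts that query several such labels. The log format, hostnames and domains are constructed sample data; the thresholds are assumptions to be tuned against your own traffic.

```python
import math
from collections import Counter, defaultdict

# Constructed sample DNS query log (not from the page):
# "<timestamp> <client-host> <queried-domain>"
SAMPLE_DNS_LOG = """\
2024-01-10T09:00:01 ws-17 www.example.com
2024-01-10T09:00:02 ws-17 mail.example.org
2024-01-10T09:00:05 ws-17 xkqzpwvtrlgbhm.com
2024-01-10T09:00:05 ws-17 bqwvrtxzlnpkhdsg.net
2024-01-10T09:00:06 ws-17 cdn.example.net
2024-01-10T09:00:07 ws-17 qzvxtrpwnmbkhgsf.org
2024-01-10T09:00:09 ws-22 www.example.com
"""


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking labels score high."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def vowel_ratio(s: str) -> float:
    """Fraction of alphabetic characters that are vowels; DGA labels are often consonant-heavy."""
    letters = [ch for ch in s if ch.isalpha()]
    if not letters:
        return 0.0
    return sum(ch in "aeiou" for ch in letters) / len(letters)


def registrable_label(domain: str) -> str:
    """Naive second-level label (ignores multi-part public suffixes such as co.uk)."""
    parts = domain.lower().strip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def score_domain(domain: str) -> dict:
    label = registrable_label(domain)
    return {
        "label": label,
        "length": len(label),
        "entropy": shannon_entropy(label),
        "vowel_ratio": vowel_ratio(label),
    }


def is_suspicious(domain: str, min_len: int = 10, min_entropy: float = 3.3,
                  max_vowel_ratio: float = 0.25) -> bool:
    """Assumed thresholds: long, high-entropy, vowel-poor labels are DGA candidates."""
    s = score_domain(domain)
    return (s["length"] >= min_len and s["entropy"] >= min_entropy
            and s["vowel_ratio"] <= max_vowel_ratio)


def flag_dga_candidates(log_text: str) -> list:
    """Return (host, domain) pairs whose queried label looks algorithmically generated."""
    flagged = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue  # skip malformed lines rather than crash the pipeline
        _ts, host, domain = parts
        if is_suspicious(domain):
            flagged.append((host, domain))
    return flagged


def hosts_over_threshold(log_text: str, min_hits: int = 3) -> list:
    """Hosts that queried at least min_hits suspicious labels: one hit is noise, a burst is a signal."""
    per_host = defaultdict(int)
    for host, _domain in flag_dga_candidates(log_text):
        per_host[host] += 1
    return sorted(h for h, n in per_host.items() if n >= min_hits)


if __name__ == "__main__":
    for host, domain in flag_dga_candidates(SAMPLE_DNS_LOG):
        print(f"suspicious label from {host}: {domain}")
    print("hosts to investigate:", hosts_over_threshold(SAMPLE_DNS_LOG))
```

Entropy alone misclassifies legitimate CDN and tracking hostnames, so the per-host count matters more than any single domain; in production this scoring is usually combined with NXDOMAIN rates and a public-suffix list in place of the naive label split.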
If a user installs GameOver Zeus, the malware installs ransomware in addition to the bank-account-stealing component. The ransomware bundled with Zeus works like other ransomware in the wild: it scans the local machine and any shared drives for critical files, encrypts them with a secure cipher, and then alerts the user to the infection with a ransom note instructing them how to pay to get their files back.
Initially, every peer-to-peer network had its own backbone managed by its own owner. Researchers believe that the botnet was used to shield its critical backend infrastructure from detection, which appeared to work for several years. Slavik partnered with several cyber-criminals, so anyone in the group could have controlled their own botnet. Slavik, however, had exclusive access to all backend infrastructure: he could reach into the peer-to-peer network to upgrade software, retrieve data, or simply eavesdrop on activity. He maintained full control over Zeus even when a group of cyber-criminals owned an entire network.
A key component of sophisticated malware is staying active in an environment without administrators or users detecting its presence. Zeus is considered one of the more sophisticated malware applications in the wild and has survived for over 15 years. The malware has two main goals: to steal banking information and to keep infected computers communicating with the botnet.
Zeus embeds into the computer system so that it can continually steal data, communicate with the command-and-control server, and inject itself into banking account web pages. It does not aim to damage computers unless the target machine is infected with GameOver Zeus, a variant containing ransomware.
After the targeted computer is added to the botnet, it communicates with the command-and-control server. An attacker oversees the command-and-control server and can run commands on the infected computer like accessing remote control or sending the attacker stolen data. Zeus aims to steal banking information first and foremost, so it will continually monitor web browser activity for bank account credentials and inject malicious scripts into opened web pages.
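The paragraph above describes the infected machine checking in with a command-and-control server so the attacker can issue commands and collect stolen data. On the network, that check-in tends to recur at a fixed interval, which is the property a defender can hunt for. The added example below (written for this page, not code from the article) groups constructed connection-log lines by source, destination and port, measures the gaps between successive connections, and flags pairs whose gaps are both numerous and unusually regular. The log format, addresses and the 10% jitter threshold are assumptions.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample connection log (not from the page):
# "<timestamp> <src-ip> <dst-ip> <dst-port>"
# The first destination is contacted every ~5 minutes; the second at random times.
SAMPLE_FLOW_LOG = """\
2024-01-10T09:00:00 10.0.0.5 198.51.100.20 443
2024-01-10T09:05:00 10.0.0.5 198.51.100.20 443
2024-01-10T09:10:01 10.0.0.5 198.51.100.20 443
2024-01-10T09:14:59 10.0.0.5 198.51.100.20 443
2024-01-10T09:20:00 10.0.0.5 198.51.100.20 443
2024-01-10T09:25:00 10.0.0.5 198.51.100.20 443
2024-01-10T09:00:10 10.0.0.5 203.0.113.7 443
2024-01-10T09:03:42 10.0.0.5 203.0.113.7 443
2024-01-10T09:31:05 10.0.0.5 203.0.113.7 443
2024-01-10T09:32:00 10.0.0.5 203.0.113.7 443
2024-01-10T09:50:13 10.0.0.5 203.0.113.7 443
2024-01-10T09:58:00 10.0.0.5 203.0.113.7 443
"""


def parse_flows(log_text: str) -> dict:
    """Map (src, dst, port) -> list of connection timestamps."""
    flows = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # tolerate malformed lines
        ts, src, dst, port = parts
        flows[(src, dst, int(port))].append(datetime.fromisoformat(ts))
    return flows


def interval_stats(timestamps: list):
    """Return (mean gap in seconds, coefficient of variation) or None if too few gaps."""
    ts = sorted(timestamps)
    gaps = [(b - a).total_seconds() for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return None
    m = mean(gaps)
    if m <= 0:
        return None
    # Low coefficient of variation means the gaps are nearly identical: a timer, not a human.
    return m, pstdev(gaps) / m


def find_beacons(log_text: str, min_connections: int = 5, max_cv: float = 0.10) -> list:
    """Flag (src, dst, port) tuples with many connections at a near-constant interval."""
    results = []
    for (src, dst, port), times in parse_flows(log_text).items():
        if len(times) < min_connections:
            continue
        stats = interval_stats(times)
        if stats is None:
            continue
        mean_gap, cv = stats
        if cv <= max_cv:
            results.append({"src": src, "dst": dst, "port": port,
                            "mean_gap_s": mean_gap, "cv": cv})
    return results


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_FLOW_LOG):
        print(f"{hit['src']} -> {hit['dst']}:{hit['port']} every "
              f"{hit['mean_gap_s']:.0f}s (cv={hit['cv']:.3f})")
```

Malware that deliberately randomises its sleep interval raises the coefficient of variation, so a real deployment pairs this with destination reputation and per-host baselines rather than relying on regularity alone; software updaters and monitoring agents also beacon regularly, so an allow-list of known destinations is needed to keep the alert volume useful.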
Some malware authors create viruses to destroy computers, but Zeus creators built the malware to prevent detection and let users work uninterrupted. The longer the malware stays on a computer, the more data the attacker can extract from user activity. Each computer in the botnet can also be used for backup should another computer disconnect from the malware network.
Zeus has no official target. Malware targeting businesses is made to disrupt productivity or extort money, usually in the millions of dollars. Zeus aims to steal banking credentials so attackers can steal money from individuals and businesses. Attackers with control of a specific botnet might target specific businesses, but the malware is built to run on servers, Android devices, and Windows workstations.
The Zeus malware and botnet have already stolen data from several notable government agencies and private businesses. Attackers used Zeus to steal data from NASA, the US Department of Transportation (DOT), Bank of America, Amazon, Oracle, ABC, and Cisco.
Attackers with access to the original Zeus source code have already created several variants. One recent variant is GameOver Zeus, which is much more sophisticated than its predecessor. GameOver Zeus also has a botnet component but adds a layer of encryption security to communication data to protect it from law enforcement investigations.
As mentioned previously, GameOver Zeus has all the same features of the original Zeus with added communication encryption and CryptoLocker ransomware. Both variants will cause financial damage to a target, but the CryptoLocker component in GameOver Zeus is arguably the most dangerous to organizations and individuals.
In 2014, researchers intercepted the GameOver Zeus private key so that any CryptoLocker victim could decrypt their files. The GameOver Zeus developers quickly changed their code to bypass researchers, but for a short time, GameOver Zeus was easily remediated.
Keep all anti-malware and antivirus software updated to ensure that they identify and stop the latest attacks. You should never rely on antivirus software entirely, but it will help stop many common threats in the wild, including Zeus. Updates ensure that the antivirus software identifies the newest variants.
Employees should never download pirated software. Pirated software often contains hidden malware that installs during the installation of legitimate software. Always download software from legitimate sources and only use licensed versions of software.
The only way to remove Zeus from a computer is to use antivirus software. You cannot decrypt files if CryptoLocker encrypted them, but you can remove Zeus and the botnet using a good antivirus program.
Organizations must have enterprise-level risk management and anti-malware strategies to stop Zeus and other variants. Proofpoint can help administrators build strategies and cybersecurity infrastructure to stop Zeus, ransomware, botnet malware, and other applications that could harm your business.
Zeus is a Trojan horse malware package that runs on versions of Microsoft Windows. It is often used to steal banking information by man-in-the-browser keystroke logging and form grabbing.[1] Zeus is spread mainly through drive-by downloads and phishing schemes. First identified in July 2007 when it was used to steal information from the United States Department of Transportation,[2] it became more widespread in March 2009. In June 2009 security company Prevx discovered that Zeus had compromised over 74,000 FTP accounts on websites of such companies as the Bank of America, NASA, Monster.com, ABC, Oracle, Play.com, Cisco, Amazon, and BusinessWeek.[3] Similarly to Koobface, Zeus has also been used to trick victims of technical support scams into giving the scam artists money through pop-up messages that claim the user has a virus, when in reality they might have no viruses at all. The scammers may use programs such as Command Prompt or Event Viewer to make the user believe that their computer is infected.[4]
Zeus is very difficult to detect even with up-to-date antivirus and other security software, as it hides itself using stealth techniques.[5] This is considered the primary reason why the Zeus malware has become the largest botnet on the Internet: Damballa estimated that the malware infected 3.6 million PCs in the U.S. in 2009.[6] Security experts advise that businesses continue to train users not to click on hostile or suspicious links in emails or websites, and to keep antivirus protection up to date. Antivirus software does not claim to reliably prevent infection; for example, Symantec's Browser Protection says that it can prevent "some infection attempts".[7]
In October 2010 the US FBI announced that hackers in Eastern Europe had managed to infect computers around the world using Zeus.[8] The virus was distributed in an e-mail, and when targeted individuals at businesses and municipalities opened the e-mail, the trojan software installed itself on the victimized computer, secretly capturing passwords, account numbers, and other data used to log into online banking accounts.
More than 100 people were arrested on charges of conspiracy to commit bank fraud and money laundering, over 90 in the US, and the others in the UK and Ukraine.[10] Members of the ring had stolen $70 million.
In late 2010, a number of Internet security vendors including McAfee and Internet Identity claimed that the creator of Zeus had said that he was retiring and had given the source code and rights to sell Zeus to his biggest competitor, the creator of the SpyEye trojan. However, those same experts warned the retirement was a ruse and expect the developer to return with new tricks.[14][15]
Zeus Virus (or Zeus Trojan malware) is a form of malicious software that targets Microsoft Windows and is often used to steal financial data. First detected in 2007, the Zeus Trojan, which is often called Zbot, has become one of the most successful pieces of botnet software in the world, afflicting millions of machines and spawning a host of similar pieces of malware built off of its code. While the threat posed by Zeus dwindled when its creator purportedly retired in 2010, a number of variants showed up on the scene when the source code became public, making this particular malware relevant and dangerous once again.
First, it creates a botnet, which is a network of corrupted machines that are covertly controlled by a command and control server under the control of the malware's owner. A botnet allows the owner to collect massive amounts of information or execute large-scale attacks.
Zeus also acts as a financial services Trojan designed to steal banking credentials from the machines it infects. It accomplishes this through website monitoring and keylogging, where the malware recognizes when the user is on a banking website and records the keystrokes used to log in. This means that the Trojan can get around the security in place on these websites, as the keystrokes required for logging in are recorded as the user enters them.