Monday, April 18, 2016

What is Zeus Malware and how to prevent it?


Zeus, ZeuS or Zbot is a Trojan malware package used by attackers to steal sensitive user data, especially banking credentials, causing heavy financial losses to its victims. The malware was first identified in July 2007 and became more widespread from 2009 onwards. Attackers use it to build a botnet and then use that botnet to steal the victims' banking credentials.

How does Zeus malware infect a computer?

Zeus is one of the most widely known and notorious malware families. Attackers use it to create a botnet that silently harvests the victims' financial data and sends it back to them. Zeus is basically the name of a malware toolkit that is widely distributed and used by underworld miscreants to create information-stealing trojans.

A Zeus malware toolkit typically has the following components:

  • Builder
  • Configuration File
  • Exe File
  • Server

Builder

The builder is used by the miscreants to create the malware executable as well as the configuration file. The malware usually uses an encryption mechanism to obfuscate itself.

Configuration File

The configuration file is downloaded when the malware executable runs. Among other things, it contains the following information:

  • URL from which the Zeus executable will be downloaded
  • URL to which the stolen data of victims will be sent back
  • A set of IP/domain pairs that will be written into the infected computer's hosts file to hijack the victim's DNS requests

This configuration file is typically stored on a server controlled by the attackers. The bot periodically queries the server to retrieve the information in the configuration file, and the bot owner may upload a new configuration file to the server at any time to change the configuration.

Exe File

Different underworld botnet customers who use the same version of the Zeus toolkit typically have the same exe file, but the configuration file differs from one botnet to another.

Server

The server component of the toolkit is basically a set of PHP scripts used to monitor, command and collect information from the infected computers.

Steps of infection

Zeus malware typically follows the steps below to infect a computer:

  • First, the attackers use social engineering to trick victims into downloading the malware. They may send phishing emails with malicious links or use other methods to convince victims to click on a malicious link. The malware can even be downloaded by exploiting security vulnerabilities in commonly used software on the victim's computer.
  • The malware copies itself to a location, executes the copy and then deletes the original file to avoid detection.
  • After installation, the malware changes the browser settings of the victim's computer. Zeus typically uses a Man-In-The-Browser attack (see: What is a Man-In-The-Browser Attack?) to steal the victims' sensitive credentials.
  • The malware then injects code into other processes on the victim's computer.
  • The injected code hooks APIs in each process.
  • Next, the configuration file is downloaded from the server controlled by the attackers.
  • The malware then uses the API hooks to steal sensitive data, especially the victims' banking credentials.

How does Zeus malware steal sensitive data of victims?

As mentioned earlier, Zeus uses a Man-In-The-Browser attack to steal the victims' banking credentials. It typically follows the steps below to steal sensitive data:

  • After infecting a computer, the trojan installs a malicious extension in the victim's browser. When the user restarts the browser, the extension is loaded automatically.
  • The extension registers a handler for every page load, which tracks all pages loaded by the browser and matches them against a list of known websites.
  • Whenever the user loads a page of a banking website, the extension registers a button event handler.
  • The user authenticates to the banking website with his credentials. When the user fills in a form for a financial transaction, the extension intercepts the communication: it records the data entered by the user, modifies it and sends the modified data to the banking web application.
  • The web application performs the transaction according to the modified data and sends back the receipt.
  • The extension intercepts the communication again and replaces the data in the receipt with the data the user originally entered.
  • The user therefore sees a receipt showing the data he provided.

How to prevent Zeus malware?

Zeus is one of the most widely known and notorious malware families, and it is difficult to detect. But a user can always follow some simple steps to prevent infection.

  • The malware mostly relies on social engineering to infect a victim's computer. Do not click on any link unless you are sure of its authenticity. Do not open email attachments if you are not sure of the sender. And always avoid downloading software from untrusted sources.
  • The malware exploits security vulnerabilities in commonly used software to infect a computer. So, always keep your computer updated with the latest security patches for all commonly used software.
  • Update your operating system with the latest patches for the same reason.
  • Keep your browser updated with the latest patches. That reduces the security vulnerabilities present in the browser software.
  • Always keep your anti-malware programs updated from a trusted source.
  • Closely monitoring any changes in browser settings is another way of preventing this attack. Browser extensions and scripting should be limited, and do not use any browser extension unless you are sure of its authenticity.
  • Users should educate themselves about Zeus malware and its attacks and use common sense when using sensitive banking web applications.
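The configuration file section above notes that Zeus writes IP/domain pairs into the hosts file to hijack DNS requests, and the prevention list recommends closely monitoring changes on the machine. The following is an added example, not code from the original post, of a small defender-side audit that ties those two points together: it parses hosts-file content, flags entries that pin a watched banking domain or any other non-local name to an address, and fingerprints the file so a later run can tell whether it changed. The hosts-file content, the watched domain names and the IP addresses are constructed sample values; the real file lives at /etc/hosts on Unix-like systems or at %SystemRoot%\System32\drivers\etc\hosts on Windows.

```python
"""Hosts-file audit for the DNS-hijack technique described above.
Added example; all sample data below is constructed, not captured."""
import hashlib
import ipaddress
import re
from typing import List, Tuple

# Constructed watch list: domains the user wants to be sure are never
# pinned in the hosts file (hypothetical names, not real banks).
WATCHED_DOMAINS = {"examplebank.com", "online.examplebank.com", "paymentsite.test"}

# Names that legitimately map to loopback addresses and are not findings.
LOCAL_NAMES = {"localhost", "ip6-localhost", "ip6-loopback", "localhost.localdomain"}

# Constructed hosts-file content: the first two entries are a normal
# baseline; the remaining lines imitate what a hijacking config adds.
SAMPLE_HOSTS = """# Sample hosts file (constructed for this example)
127.0.0.1       localhost
::1             localhost ip6-localhost
192.0.2.45      online.examplebank.com examplebank.com
192.0.2.45      paymentsite.test
127.0.0.1       update.antivirus-vendor.test   # sinkholes the update host
"""


def parse_hosts(text: str) -> List[Tuple[str, str]]:
    """Return one (ip, hostname) pair per hostname, skipping comments
    and lines whose first field is not a valid IP address."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = re.split(r"\s+", line)
        ip, names = fields[0], fields[1:]
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed line: skip rather than crash the audit
        for name in names:
            pairs.append((ip, name.lower()))
    return pairs


def suspicious_entries(text: str, watched=WATCHED_DOMAINS) -> List[Tuple[str, str, str]]:
    """Flag (ip, hostname, reason) for every entry that is not a plain
    localhost-style mapping. A watched domain is reported first; a
    loopback address for any other name means the name has been
    sinkholed; anything else is an arbitrary redirect."""
    findings = []
    for ip, host in parse_hosts(text):
        if host in LOCAL_NAMES:
            continue
        addr = ipaddress.ip_address(ip)
        if host in watched:
            findings.append((ip, host, "watched domain redirected to " + ip))
        elif addr.is_loopback:
            findings.append((ip, host, "name sinkholed to loopback"))
        else:
            findings.append((ip, host, "non-local name pinned to " + ip))
    return findings


def hosts_fingerprint(text: str) -> str:
    """SHA-256 of the file content, stored by the user after a known-good
    state so later audits can detect any modification."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def changed_since(baseline_fingerprint: str, text: str) -> bool:
    """True when the current content no longer matches the baseline."""
    return hosts_fingerprint(text) != baseline_fingerprint


if __name__ == "__main__":
    baseline = hosts_fingerprint("127.0.0.1       localhost\n::1             localhost ip6-localhost\n")
    print("hosts file changed since baseline:", changed_since(baseline, SAMPLE_HOSTS))
    for ip, host, reason in suspicious_entries(SAMPLE_HOSTS):
        print(f"{host:32} -> {ip:12} {reason}")
```

Running the block against the constructed sample reports that the file changed since the baseline and lists four findings: three watched banking domains redirected to 192.0.2.45 and one update host sinkholed to 127.0.0.1. On a real machine the same functions would be run over the contents of the actual hosts file, with the baseline fingerprint taken when the system was known to be clean.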

So, be aware of the various malware programs and how to prevent them, so that you can protect your data better. And stay safe, stay secure.
