When you are named after an ancient Greek god, you have a reputation to live up to. No one expected Zeus to have such a brutal effect on the digital world, when it was first detected in 2007. However, in 2009 Zeus became one of the most widespread malwares across the Internet.
Zeus has compromised more than 74,000 FTP website accounts and infected more than 3.6 million computers. This malware infected important networks like NASA, Amazon, Cisco and Oracle. Hackers used Zeus to steal financial information from the Bank of America and the Department of Transportation.
The original Zeus creator publically released the source code in 2011. This laid the foundation for numerous variants of Zeus to show up, making it a threat to this day.
What Is the Zeus Trojan?
Zeus Trojan malware, also referred to as Zbot, is usually used to steal sensitive data like financial information. The malware targets devices that use the Microsoft Windows operating system.
Hackers can use Zeus to steal any information they want from a Windows computer, and even to install the CryptoLocker ransomware. In addition, hackers can use the source code to create their own versions of Zeus.
Zeus can automatically collect passwords, download files, reboots or shut down computers, and delete system files. Eventually causing your computer to crash.
How Zeus Infects Computers
New variants of Zeus are difficult to detect because of different file extensions, random headers, and changes to the malware’s encryption. The malware remains dormant in the infected computer until you visit one of the targeted websites. That is when the virus becomes active and requests your personal details. Hackers then sell the stolen information on the black market.
Zeus malware can infect computers through two main methods—drive-by downloads and spam messages.
Spam messages
Spam messages usually come in the form of an email or social media postings. Spam messages look legitimate at first sight, it can be an invitation to a special event, a friend request on Facebook, or an important message from your bank.
When you click on a link in the email, you will be automatically directed to a website that installs the malware. The malware can sometimes steal your email and social media credentials and send messages from your account.
Drive-By Downloads
A drive-by download is an unintentional download of malicious software to your computer or mobile device. You do not have to open a malicious email or click on anything to become infected. The malware installs itself when the user visits a malicious website or installs an infected program. A drive-by download usually exploits outdated systems with security flaws.
What the Zeus Virus Does to Computers
Zeus malware can do numerous things to infected computers, but typically it has two main functionalities:
- Botnets—a network of connected computers coordinate together to perform a task. Hackers sometimes exploit botnets to execute Distributed Denial-of-Service (DDoS) attacks ,send spam messages, and steal sensitive information.
- Financial services Trojan—Zeus is often used to steal credentials from banking services. The malware gets around the security of a banking website to monitor user activity. When users try to log in, the malware records their credentials. Sometimes Zeus can even get around two-factor authentication.
Originally, the Zeus malware affected only Microsoft Windows operating system, but newer versions infect also Android and BlackBerry mobile devices.
How to Prevent Zeus Malware
A little bit of caution can help prevent Zeus malware from infecting your computer. Here’s what you can do to protect your devices:
- Safe Internet practices—safe browsing is the first step in preventing Zeus infection. This includes staying away from potentially dangerous websites that offer illegal free software downloads. The owners of these websites usually have no problem with hosting malware on their site. You should also avoid clicking on email and social media links unless you expect these messages. Even though the message is from a legitimate source, it can be affected by Zeus malware.
- Update your antivirus—you can expect new versions of Zeus to pop up every few years, since the source code is publically available. Only antiviruses that are constantly updated with new threats can truly protect you from the Zeus malware.
- Strengthen Authentication—malware attacks are usually the result of weak credentials. Multi-Factor Authentication (MFA) can prevent unauthorized access to applications. Make sure all your applications, including third-party services, support MFA.
- Use Endpoint Detection and Response (EDR) tools—EDR tools prevent suspicious files from running on endpoint devices, by monitoring endpoint logs and packets. Continuous monitoring of endpoints helps security teams respond to malware attacks in real-time.
- Training—conduct regular cybersecurity training in your organization. Educate employees about the basics of good security practices like validating unknown email addresses, avoiding clicking links from unknown sources, and alerting support about any suspicious activity.
Famous Zeus Attacks
There are thousands of Zeus variants out there. The Zeus malware family includes Trojans like Gameover, SpyEye, Atmos, Floki and many more.
Gameover ZeuS
The Gameover malware was created by a Russian hacker by the name Evgeniy Bogachev. Gameover Zeus uses an encrypted peer-to-peer communication to transmit information between its nodes and control server. The virus establishes the connection to the server as soon as the malicious file installs itself on a computer. After installation, the malware can disable certain system processes, download and launch other viruses, or even delete essential system files.
Zeus Panda
In 2016, the Zeus Panda malware targeted online banking services, airline loyalty programs, online betting accounts in Europe and North America. Later that year, Zeus Panda also targeted Brazilian banks and other online services. The malware targeted Brazilian law enforcement websites, network security vendors, and e-commerce websites.
Floki Bot
Floki Bot is named after a Brazilian hacker known as "flokibot". The sole purpose of Floki is financial gain. Hackers that execute Floki Bot attacks choose their victims very methodically, which is why Floki malware is much more effective than the original Zeus. In addition, unlike Zeus, Floki Bot can attack Point of Sale (POS) systems, thus opening up entirely new ways for cash grabbing.
Conclusion
Zeus malware has infected millions of computers around the world in a relatively short period of time. The source code is still available online and the hacker community constantly talks, updates, and improves the malware. As a result, Zeus will continue to be a threat for years to come, even though the original creator is no longer in business. Organizations need to understand that the Zeus virus is still out there and take steps to protect their finances and sensitive information.