Cisco Blogs

Zeus: Malware Designed to go After Your Bank Account

July 25, 2011

One of the more (in)famous examples of malware is the banking Trojan Zeus. We have covered Zeus before (Seth Hanford’s post, Zeus: Getting a Taste of its Own Medicine), but like William Shatner, it is one of those things that never seems to get old. Zeus is interesting because it was one of the more successful commercial or productized forms of malware, but more than that, it was a financial crimeware solution.

Zeus was sold in the form of a kit, and has been available in freeware, cheap and expensive versions, with prices ranging up to several thousand dollars or more. The kit allowed you to build malware that would help you steal banking and identity information. The malware has an initial configuration baked in during the build process, but once it goes live on the host it phones home for a dynamic configuration, which includes where to upload stolen data, hosts file entries, and so on.

Once on the victim PC, Zeus would grab banking and other user IDs, passwords, and PINs, later uploading them for the botnet master to exploit. Zeus was really quite clever: it would steal from HTTP forms, harvest FTP and email passwords and cookies, take screen grabs, upload files, and run other malware. The client was remarkably well engineered, and it evolved and grew new capabilities over time.

Of course, botnets are little fun without some sort of command and control. Zeus's command-and-control mechanisms include the ability to send commands to, receive information from, and track the status of malware-infected hosts in the field.

Overall, the entire solution was remarkably polished, comprehensive and effective, lacking only a distribution method. Unfortunately distribution was not overly hard, with Social Engineering offering a relatively easy way for criminals to get the malware onto victim PCs, usually in the form of an attachment or link.

At Cisco SIO, we have put together a series of videos, the SecureX Files, intended to give IT and security professionals an easy-to-use resource for communicating some of the fundamental challenges and issues we face in security in a way that the average layman can relate to. Zeus is the latest installment.

We also have pieces on Social Engineering and Driveby Web Exploits with more to come!
