Zeus (Trojan horse)
Zeus, ZeuS, or Zbot is a Trojan horse that runs on versions of the Microsoft Windows operating system. While it can be used to carry out many malicious and criminal tasks, it is often used to steal banking information through man-in-the-browser keystroke logging and form grabbing. It is also used to install the CryptoLocker ransomware. Zeus spreads mainly through drive-by downloads and phishing schemes. It was first identified in July 2007, when it was used to steal information from the United States Department of Transportation, and became more widespread in March 2009. In June 2009 the security company Prevx discovered that Zeus had compromised over 74,000 FTP accounts on websites of companies such as Bank of America, NASA, Monster.com, ABC, Oracle, Play.com, Cisco, Amazon, and BusinessWeek.
As of October 28, 2009 over 1.5 million phishing messages had been sent on Facebook with the purpose of spreading the Zeus trojan. On November 3, 2009 two Britons were arrested on suspicion of using Zeus to steal personal data. From November 14–15, 2009 Zeus spread via phishing e-mails purporting to be from Verizon Wireless; a total of nine million e-mails were sent.
On October 1, 2010, the FBI announced it had discovered a major international cybercrime network which had used Zeus to hack into US computers and steal around US$70m. More than 90 suspected members of the ring were arrested in the US, and arrests were also made in the UK and Ukraine.
In May 2011, the then-current version of Zeus's source code was leaked, and in October the abuse.ch blog reported a new custom build of the trojan that used more sophisticated peer-to-peer capabilities.
Zeus Trojan-controlled machines have been found in 196 countries, including isolated states such as North Korea. The five countries with most infected machines are Egypt, the United States, Mexico, Saudi Arabia, and Turkey. Altogether, 2,411 companies and organizations are said to have been affected by the criminal operations running the botnet.
Many companies use SMS text messages on mobile telephones as a required second authentication factor, in addition to an online username and password. In 2010, S21sec researchers discovered a malicious application that Zeus used to infect Symbian and BlackBerry mobile devices in order to access systems for which the username and password had already been acquired.
Zeus controllers can fine-tune their copy of Zeus to steal only the information they are interested in, typically login credentials for online social networks, e-mail accounts, online banking or other online financial services. According to NetWitness's report, the top sites whose login credentials were stolen are Facebook, Yahoo, Hi5, Metroflog, Sonico and Netlog.
Detection and removal
Zeus is very difficult to detect even with up-to-date antivirus software because it hides itself using stealth techniques. This is considered the primary reason why the Zeus malware family has become the largest botnet on the Internet: some 3.6 million PCs are said to be infected in the U.S. alone. Security experts advise that businesses continue to train users not to click on hostile or suspicious links in e-mails or on websites, and to keep antivirus protection up to date. Antivirus software does not claim to reliably prevent infection; for example, Symantec Browser Protection says that it can prevent "some infection attempts".
In October 2010 the US FBI announced that hackers in Eastern Europe had managed to infect computers around the world using Zeus. The malware was disseminated by e-mail; when targeted individuals at businesses and municipalities opened the message, the trojan installed itself on the victim's computer and secretly captured passwords, account numbers, and other data used to log into online banking accounts.
The hackers then used this information to take over the victims' bank accounts and make unauthorized transfers of thousands of dollars at a time, often routing the funds to other accounts controlled by a network of money mules who were paid a commission. Many of the U.S. money mules were recruited from overseas. They created bank accounts using fake documents and false names. Once the money was in those accounts, the mules would either wire it back to their bosses in Eastern Europe or withdraw it in cash and smuggle it out of the country.
More than 100 people were arrested on charges of conspiracy to commit bank fraud and money laundering: over 90 in the US and the others in the UK and Ukraine. Members of the ring had stolen $70 million.
In 2013 Hamza Bendelladj, known as Bx1 online, was arrested and deported to Atlanta, Georgia, USA. Early reports said that he was the mastermind behind ZeuS. He was accused of operating SpyEye (a bot functionally similar to ZeuS) botnets, and suspected of also operating ZeuS botnets. He was charged with several counts of wire fraud and computer fraud and abuse. Court papers allege that from 2009 to 2011 Bendelladj and others "developed, marketed and sold various versions of the SpyEye virus and component parts on the Internet and allowed cybercriminals to customize their purchases to include tailor-made methods of obtaining victims’ personal and financial information". It was also alleged that Bendelladj advertised SpyEye on Internet forums devoted to cyber- and other crimes and operated Command and Control servers. The charges in Georgia relate only to SpyEye, as a SpyEye botnet control server was based in Atlanta.
Possible retirement of creator
In late 2010, a number of Internet security vendors including McAfee and Internet Identity claimed that the creator of Zeus had said that he was retiring and had given the source code and the rights to sell Zeus to his biggest competitor, the creator of the SpyEye trojan. However, those same experts warned that the retirement was a ruse and expected the developer to return with new tricks.