Jump to content

Zeus Botnet malware is improving for hackers tremendously , making it extremely hard for any antivirus to catch it easily ...


Recommended Posts

Zeus botnet malware is improving for hackers

New capabilities are strengthening the Zeus botnet, which criminals use to steal financial credentials and execute unauthorized transactions in online banking, automated clearing house (ACH) networks and payroll systems.

The latest version of this cybercrime toolkit, which starts at about $3,000, offers a $10,000 module that can let attackers completely take control of a compromised PC.

Zeus v.1.3.4.x (code changes are always underway by the author and owner, who is believed to be one individual in Eastern Europe) has integrated a powerful remote-control function into the botnet so that the attacker can now "take complete control of the person's PC," says Don Jackson, director of threat intelligence at SecureWorks, which released an in-depth report on Zeus this week.

Russian botnet takes on Zeus | FAQ: The Kneber botnet revealed | The botnet threat | How to avoid joining a botnet

This new Zeus feature, which was picked up from an older public-domain project from AT&T Bell Labs known as "Virtual Network Computing," gives Zeus the kind of remote-control capability that might be found in a legitimate product like GoToMyPC, Jackson says. SecureWorks calls this a "total presence proxy," and it's so useful to criminals, just this one VNC module for ZeuS costs $10,000.

The Windows-based Zeus Trojan software, which takes up about 50,000 bytes on a compromised Windows-based computer, is designed to plunder accounts in North American and United Kingdom banking systems via the victim's computer. The criminal might be located a continent away, directing unauthorised transfers of funds to accounts through elaborate command-and-control systems.

Zeus, around since at least 2007, "was originally a spyware Trojan and it had good marketing" and became popular as botnets of all sorts proliferated, Jackson says.

SecureWorks researcher Kevin Stevens says the Zeus hardware-based copyright mechanism is based on a hardware token method, similar to WinLicense, that takes into account a lot of hardware details about a computer before allowing the Zeus Builder toolkit code to be unlocked by an individual.

Older versions of Zeus are available for free, but the price for the current Zeus and its modules, out since the end of last year, is not cheap. In the online criminal underground, fraudsters often pay for crimeware through Western Union or Web Money, according to SecureWorks.

According to a report published by SecureWorks this week, the basic Zeus Builder kit runs $3,000 to $4,000, with another $1,500 for the "Backconnect" module to connect back to an infected machine to make financial transactions from it. This means banks that try to track money transfers will always trace it back to the computer of the account holder. To hack Windows 7 or Vista computers, criminals will have to ante up an extra $2,000 or be limited to Windows XP systems.

A "Firefox form grabber," costing another $2,000, lets a criminal grab data out of fields that are submitted using the Firefox Web browser, such as usernames and passwords for banks. A "Jabber (IM) chat notifier," costing another $500, will let the attacker get stolen data immediately in order to access the victim's account after the victim logs in using a token provided by the bank to randomly generate numbers. And the VNC module, which allows the attacker to get around any smartcard that's required for large-dollar transactions, is $10,000.

The latest version is also designed to blow through the most current defences in place regarding two-factor and other authentication in banking systems, and is especially oriented toward facilitating high-dollar transactions of $100,000 or more, Jackson notes.

"Zeus automatically detects top-tier, gold-level targets" associated with online banking services, Jackson says. A signal is given to the botnet controller, and a highly automated transfer can be made into accounts the attacker desires.

There are many stories starting to appear of companies complaining about unauthorized ACH transfers, or fake employees fraudulently added to automated payroll systems, when high-dollar amounts are transferred into accounts where banks either can't or won't retrieve these sums.

Jackson says the latest version of Zeus gets around most of the advanced online authentication mechanisms used by banks today, with perhaps the exception of a transaction approval process based on at least two people, often randomly selected from a pool of people trained for this purpose, who manually authorize a transfer. "It's an arms race," he says.

The upcoming version of Zeus, v.1.4, is still in beta but promises yet more deadly features. Its "Web Injects for Firefox" capability, for instance, would let the attacker present a screen on the fly in the Firefox browser in order to elicit more sensitive information during the banking transaction by pretending the bank needs the information. The Zeus Trojan is also getting polymorphic encryption to re-encrypt itself to appear unique each time, thus making it even more difficult for antivirus software to detect it.



Link to comment
Share on other sites

  • Replies 14
  • Views 2.4k
  • Created
  • Last Reply

Okay so who is going to pirate this thing.. Links anybody..:lmao:


God forbid if that happens .....!!!!!

Link to comment
Share on other sites

does the worlds AV companies updated there signatures for this Zeus trojan though it updates quite frequently AV companies must b on high alert :ph34r:

Link to comment
Share on other sites

The Zeus Trojan is also getting polymorphic encryption to re-encrypt itself to appear unique each time, thus making it even more difficult for antivirus software to detect it.----

this kind of explains why it is difficult for any anti virus to easily catch it .

but just imagine ,

you have to pay to get this malware !!!! :o

and that too big bucks according to the type of system you want to infect !!!!!!

it just relates to how much worth of damage is this malware capable of !! :o

God save the machine infested with this pest ....

even then the authorities can only speculate the developer to be " one individual in eastern europe . ! "


whosoever is developing this malware is a real smart [email protected]@ ....


Link to comment
Share on other sites

Captain Blood

Maybe another good reason to at least have one alternative OS installed (via multiboot, VM, or bootable CD/DVD for M$, Linux... ), and to use it ;) when needed.

"Who is believed to be one individual" :s :eek::frusty::chair::mad2:, just politics !

The "BIG state based cyberwar, LITTLE economic cybercriminal" underlying statement is :shit: ...

Who can seriously believe that :moon:?

Futhermore, portable apps should be a marvellous spreading vector for this stuff, if clever enough :fear:.

Link to comment
Share on other sites

I dont think this kind of trojan has anything to do with ppl like us.. Obviously is a targeted, highly capable and specific to one target and only, stealing lot of money. By the cost of it i would say only governments or big companies can get it for spying or controlling.

Link to comment
Share on other sites

  • Administrator

It can infect anyone and really badly. It's already spread to normal public if I'm not wrong.

This is what one of my friend says about polymorphic virus:

I would rate polymorphic viruses the most dangerous virus after Multipartite viruses. Most of the antiviruses fail to remove polymorphic viruses. These viruses change their signature everytime they infect other file in the system. Antivirus remove the virus by scanning its signature which is predefined in antivirus which helps it to understand that some file is virus. Since polymorphic virus keep changing and making new signature each time it spreads, becomes almost impossible for antiviruses to scan and remove it.

Credit: Brainst0rm from SecWorm.net

Link to comment
Share on other sites

Well, for viruses like this, I guess Norton SONAR, Threatfire should do the job...

Link to comment
Share on other sites


This topic is now archived and is closed to further replies.

  • Recently Browsing   0 members

    • No registered users viewing this page.
  • Create New...