Zeus - The Ultimate Malware Package
Zeus, sometimes known as Zbot, is a malware package that was originally sold and traded through underground forums. It is an executable file with a web-based front end that is used to control it. Zbot is a generic back door that allows full control by a remote user. The primary function of Zbot is financial gain and stealing credentials such as FTP, email, online banking, and other online passwords. Zeus has existed at least since 2007, but has been further enhanced and honed over time. It has been rumoured that Zeus originated in Russia or Russian-speaking countries, as the initial help files and other files in the package were written in Russian.
Circulation and Popularity
Zeus can be purchased for as low as 750 AUD and can also be found free if you know where to look. Zeus has an estimated infection count of less than 4,000 in Australia, but has seen rates a lot higher in other countries. The top infections per country are as follows:
- Japan - Over 45,000 Zeus Infections
- U.S.A - Estimated 25,000 Zeus Infections
- U.K - Estimated 11,000 Zeus Infections
- Australia - Less Than 4,000 Zeus Infections
How Zeus Infects You
You can be infected via various methods but the outcome is generally the same.
- It copies itself to %system32%\sdra64.exe.
- It adds that path to the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\winlogon\userinit registry value, so that winlogon.exe spawns the process at startup time.
- It looks for winlogon.exe, increases its privileges, injects its code and a string table into this process, and creates a thread to execute this code.
- The main bot executable terminates.
- The injected code in winlogon injects additional code into svchost.exe.
- It also creates a folder named %System%\lowsec and puts two files inside: local.ds and user.ds. Local.ds is the latest dynamic configuration file downloaded from the server. User.ds contains stolen credentials and other information to be transmitted to the server.
- The code inside svchost is responsible for network communication and for the third-party process injection required to hook Internet-related APIs in order to inject information into, or steal information from, banking sites.
- The communication between these various injected components is done with mutexes and pipes, maliciously named _AVIRA_x, where x is a number (e.g. x=2109 in winlogon.exe, x=2108 in svchost.exe).
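The artifacts listed above can be turned into a host triage check. The following is an added example, not part of the original page or of any Zeus analysis tool; the snapshot dictionary format, the function name `check_host` and the sample data are assumptions constructed for illustration.

```python
import re
import ntpath

# Indicators taken from the infection steps listed above.
DROPPED_EXE = "sdra64.exe"
LOWSEC_FILES = {"local.ds", "user.ds"}
IPC_NAME = re.compile(r"_AVIRA_\d+$", re.IGNORECASE)


def check_host(snapshot):
    """Return a sorted list of findings for one host snapshot.

    `snapshot` is a hypothetical triage format (an assumption of this example):
      userinit - string data of the winlogon userinit registry value
      files    - full file paths collected from the system directory
      objects  - mutex and named-pipe names seen on the host
    """
    findings = set()
    # userinit is a comma-separated list of programs run at logon;
    # look for the dropped executable among its entries.
    for entry in snapshot.get("userinit", "").split(","):
        name = ntpath.basename(entry.strip().strip('"')).lower()
        if name == DROPPED_EXE:
            findings.add("userinit-persistence: " + entry.strip())
    for path in snapshot.get("files", []):
        folder, name = ntpath.split(path.lower())
        if name == DROPPED_EXE:
            findings.add("dropped-executable: " + path)
        elif ntpath.basename(folder) == "lowsec" and name in LOWSEC_FILES:
            findings.add("lowsec-data-file: " + path)
    for obj in snapshot.get("objects", []):
        if IPC_NAME.search(obj):
            findings.add("ipc-object: " + obj)
    return sorted(findings)


# Constructed sample snapshots (not real telemetry).
INFECTED = {
    "userinit": r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,",
    "files": [r"C:\WINDOWS\system32\sdra64.exe",
              r"C:\WINDOWS\system32\lowsec\local.ds",
              r"C:\WINDOWS\system32\lowsec\user.ds",
              r"C:\WINDOWS\system32\notepad.exe"],
    "objects": [r"\BaseNamedObjects\_AVIRA_2109", r"\\.\pipe\_AVIRA_2108"],
}
CLEAN = {"userinit": r"C:\WINDOWS\system32\userinit.exe,", "files": [], "objects": []}
```

Calling `check_host(INFECTED)` reports each matching artifact with its category, while `check_host(CLEAN)` returns an empty list.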
Main Purpose Of Zeus
The main purpose of Zeus is to steal your credentials as specified by the unauthorized person. Zeus performs four main actions:
- Gathering system information.
- Stealing protected storage information, FTP passwords, and POP3 passwords.
- Stealing online credential information as specified by a configuration file.
- Contacting the command and control server for additional tasks to perform.
System Information Gathering
By default Zeus will automatically gather a variety of system information and send this information to the command and control server. This information includes:
- A unique bot identification string
- Name of the botnet
- Version of the bot
- Operating system version
- Operating system language
- Local time of the compromised computer
- Uptime of the bot
- Last report time
- Country of the compromised computer
- IP address of the compromised computer
- Process names
More information can be obtained by reading the following attached file. It includes comprehensive information as well as screenshots.
| Attachment | Size |
|---|---|
| Zeus Comprehensive Information (PDF File) | 2.34 MB |



