Zeus, King of the Underground Crimeware Toolkits

Post date: Mar 7, 2010 5:10:10 PM

Zeus (also known as Zbot, PRG, Wsnpoem, Gorhax and Kneber) is a Trojan horse that steals banking information, primarily by logging keystrokes and grabbing form data submitted from the infected machine's browser. Zeus spreads mainly through drive-by downloads and phishing. Its current botnet is estimated to include millions of compromised computers, around 3.6 million of them in the United States.

The Zeus botnet targets login credentials for online social networks, e-mail accounts and online financial services. According to NetWitness' report, the sites with the most stolen login credentials are Facebook, Yahoo, Hi5, Metroflog and Sonico. While the focus so far has been on e-mail and social networks, the Kneber botnet is now targeting banking sites as well.

Zeus is readily available for purchase on underground forums for as little as 700 USD. The package contains a builder that generates the bot executable and the Web server files (PHP scripts, images, SQL templates) used to run the command and control server. Although Zbot is a generic back door that gives an unauthorized remote user full control of the machine, its primary purpose is financial gain: stealing online credentials such as FTP, e-mail and online banking passwords.

Zeus is very difficult to detect, even with up-to-date antivirus software, which is a major reason its malware family has grown into what is considered the largest botnet on the Internet. Many security programs can detect and remove the bot once it is installed, but it remains unclear whether modern antivirus software can prevent all of its variants from taking root in the first place.
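Because host-side antivirus detection is unreliable, a defender can also look at the network side: every bot has to report back to the PHP control panel that the builder's Web server files set up, and it does so on a schedule. The script below is an added example, not code from the original post or from the Zeus kit. It scans constructed proxy-log lines (not real traffic) for hosts that POST to a .php endpoint at a near-constant interval. The log format, the endpoint name gate.php, the 203.0.113.9 server address and the thresholds are all assumptions made for the illustration; real Zeus configurations vary and the script flags regular beaconing in general, not Zeus specifically.

```python
"""Flag hosts that POST to a PHP endpoint at a near-constant interval.

Added example for the post above; not part of the original page or of any
Zeus kit. Log format, endpoint names, addresses and thresholds are assumptions.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed proxy-log sample (not captured traffic). Fields:
# timestamp client method url status bytes
# 10.0.0.5 checks in with a hypothetical C2 panel every ~10 minutes;
# 10.0.0.9 posts to a forum login script at irregular, human-like times.
SAMPLE_LOG = """\
2010-03-07T12:00:00 10.0.0.5 POST http://203.0.113.9/bot/gate.php 200 1403
2010-03-07T12:00:41 10.0.0.9 POST http://forum.example.net/login.php 302 512
2010-03-07T12:00:03 10.0.0.7 GET http://example.org/index.html 200 5120
2010-03-07T12:10:02 10.0.0.5 POST http://203.0.113.9/bot/gate.php 200 1398
2010-03-07T12:19:58 10.0.0.5 POST http://203.0.113.9/bot/gate.php 200 1405
2010-03-07T12:25:30 10.0.0.9 POST http://forum.example.net/login.php 302 509
2010-03-07T12:30:01 10.0.0.5 POST http://203.0.113.9/bot/gate.php 200 1401
2010-03-07T12:31:12 10.0.0.9 POST http://forum.example.net/login.php 200 2048
2010-03-07T12:40:00 10.0.0.5 POST http://203.0.113.9/bot/gate.php 200 1402
2010-03-07T13:05:44 10.0.0.9 POST http://forum.example.net/login.php 302 511
"""


def parse_log(text):
    """Parse the assumed whitespace-separated log format into tuples.

    Returns (timestamp, client, method, url-without-query) per line; the
    query string is dropped so that varying parameters still group together.
    """
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, _status, _size = line.split()
        entries.append((datetime.fromisoformat(ts), client, method, url.split("?", 1)[0]))
    return entries


def find_beacons(entries, min_hits=4, min_interval=60, max_cv=0.05):
    """Return {(client, url): stats} for POSTs to .php URLs that recur regularly.

    A (client, url) pair is flagged when it has at least min_hits requests,
    the mean gap between requests is at least min_interval seconds, and the
    coefficient of variation (stdev / mean) of the gaps is at most max_cv.
    Human traffic to a login script is bursty and fails the cv test; a bot
    polling its panel on a timer passes it.
    """
    by_pair = defaultdict(list)
    for ts, client, method, url in entries:
        if method == "POST" and url.lower().endswith(".php"):
            by_pair[(client, url)].append(ts)

    findings = {}
    for (client, url), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()  # log lines are not guaranteed to be in time order
        gaps = [(later - earlier).total_seconds() for earlier, later in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if avg >= min_interval and cv <= max_cv:
            findings[(client, url)] = {
                "hits": len(stamps),
                "interval_s": round(avg),
                "cv": round(cv, 3),
            }
    return findings


if __name__ == "__main__":
    for (client, url), stats in find_beacons(parse_log(SAMPLE_LOG)).items():
        print(f"{client} -> {url}: {stats['hits']} POSTs every ~{stats['interval_s']}s (cv={stats['cv']})")
```

On the sample, only 10.0.0.5 is reported (five POSTs roughly 600 seconds apart); the forum host makes just as many PHP POSTs but at gaps of 1489, 342 and 2072 seconds, so its coefficient of variation is far above the threshold. In practice a bot author can add jitter to the check-in timer, so raise max_cv with care and corroborate with the destination's reputation and the size of the uploaded bodies rather than relying on timing alone.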

Screenshots (images not reproduced here): Zeus Builder; Zeus Control Panel.