An Internet Security Blog

  • Advertisements

The “Zeus” Botnet / Trojan

Posted by Bob Zenith on August 10, 2010

The “Zeus” Botnet / Trojan Horse (Also called “Zbot”) has been making a lot of new recently, and none of it is good.

Just some background, first:

A “Zeus” or “Zbot” is a type of Trojan Horse and Botnet that steals personal information by using a technique called Keystroke Logging, similar to a Keylogger. It was first identified in July 2007 when it was being used to steal information from the U.S. Department of Transportation.

Since then, the use of the Zeus Trojan has exploded – mostly due to the availability of malicious toolkits. Recently, Zeus has been making headlines in the U.K. by secretly compromising thousands of computers and transferring $1 million dollars from bank accounts.

The scary thing about a Zeus is that once it gets on your computer (usually by clicking a phishing link or a scripting exploit), it can even get the information you type on a secured network with encryption (like SSL). A Zeus can do this by grabbing the information right before it is encrypted, or right after it is decrypted.

Worse, up-to-date anti virus software rarely detect Zeus trojans (about 23% of the time), let alone remove them completely.

So… How do you protect yourself?
Well, here are some obvious answers:
* Keep your anti-virus up-to-date. Even though anti-viruses rarely catch Zeus trojans, letting them fall behind in their definitions will not help.
* Beware of phishing or other malicious links / scripts. Beware of the links with WOT, beware of the scripts with NoScript

Here’s some answers for tech-savy users:
* A Zeus trojan will commonly use names like NTOS.EXE, LD08.EXE, LD12.EXE, PP06.EXE, PP08.EXE, LDnn.EXE and PPnn.EXE etc, so search your PCs for files with names like this. The Zeus Trojan will typically be between 40KBytes and 150K bytes in size.
* Also look for a folder with the name WSNPOEM, this is also a common sign of infection for the Zeus Trojan.
* Finally, check the Registry looking for RUN keys referencing any of these names.

Here are the places known variants of the Zeus trojan are installed:

Variant 1

* C:\WINDOWS\system32\ntos.exe
* C:\WINDOWS\system32\wsnpoem\audio.dll
* C:\WINDOWS\system32\wsnpoem\video.dll

Variant 2

* C:\WINDOWS\system32\oembios.exe
* C:\WINDOWS\system32\sysproc64\sysproc86.sys
* C:\WINDOWS\system32\sysproc64\sysproc32.sys

Variant 3

* C:\WINDOWS\system32\twext.exe
* C:\WINDOWS\system32\twain_32\local.ds
* C:\WINDOWS\system32\twain_32\user.ds

Variant 4

* C:\WINDOWS\system32\sdra64.exe
* C:\WINDOWS\system32\lowsec\local.ds
* C:\WINDOWS\system32\lowsec\user.ds

For more help removing a Zeus, go here:


One Response to “The “Zeus” Botnet / Trojan”

  1. We all hate adware and everyone very well know it’s a big industry for the cyber criminals, very few know there is different part to the story too. Millions are wasted every year for virus removal and repairing for notebook. Many spywares out smart anti-virus softwares too. Interesting view mate.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s