My first encounter with Zeus

Opinion by Dan Raywood

A lot of headlines have been written about Zeus since it was first identified in July 2007, but until now I have not had much insight into how it operates or looks.

A lot of headlines have been written about Zeus since it was first identified in July 2007 but until now I have not had much insight into how it operates or looks.

While over in the US for the RSA Conference, I travelled to Sunnyvale, California to meet with IronKey and its employee 'Ryan' (he asked me not to reveal the rest of his identity) who gave me a demonstration on how the 'king of the bots' actually works.

He told me that the version he had downloaded, version 1.3.11, set up in under an hour. As it works, Zeus captures details and allows the user to add scripts to capture more information, such as a social security number, or select credentials from a banking page. Ryan called it a ‘man-in-the-browser attack that encrypts its own data' and said that once a computer is pwned, the malware can reboot.

He said: “Zeus is a format for running commands on HTTP and HTTPS, it will look at port 666 but not 80 or 443. It is not good enough to have a username or password and it needs to have more and needs a social security number or your mother's maiden name and it will track you for a long time and drain your account.

“This is a long time growth plan rather than a small score. The targets do not know that they are part of a criminal enterprise, as it wants to be stealthy. It is a very easy attack that fools the user and with more time, they can get it just right so that it has more Java so more data can be put in.”

Ryan showed me that if a Java window is open an alert can be made to the ‘owner' when a target is online and even if they use a one-time password it can be captured by the cyber criminal. “Then in real-time they can login when you do payroll, for example, and login using the same one-time code. It is good protection unless you are being cyber stalked,” he said.

In regard to the weaknesses, Ryan said that the screen scraping and keylogging in Zeus are pretty weak, but it has the ability to download software that will bypass security software.

I also asked him how he came about it and how easy it was to locate and download. Ryan said that to buy it is pretty difficult, but he searched for two to three hours trying to find it and downloaded it offline.

“It is an example of the new age and with the skills, you need people with the right skill set, it is easy to do a lot of damage. It is no work for an unemployed guy to spend time setting it up. It took me one hour to set up and I can see people spending time on it and working on it,” he said.

Of all of the headlines I have written about Zeus and the threat it poses and its capabilities, it was unremarkable in its appearance on a screen and there was nothing to give me a sensation that I was viewing one of the greatest malicious threats in action.

It was not really ‘in action', as no banking customers were harmed in the demonstration, but using another sandboxed computer it was demonstrated how simply it can change an infected user's website with little effort.


Find this article useful?

Get more great articles like this in your inbox every lunchtime

Upcoming Events