Zeus/Zbot Information and Tracking the Banking Trojan

Zeus is a crimeware kit that steals credentials for various online services such as social networks, online banking accounts, FTP accounts, email accounts and others (via phishing). The web admin panel can be bought for $700 and the exe builder for $4000.

The dangerous thing is that anyone with the resources can use the Zbot builder to package new variants, which makes writing a single antivirus definition difficult.

Once Zeus is on a system it covertly injects additional fields into online banking websites, asking users to answer questions that the authentic website would not ask. The collected details are then silently delivered to remote websites and added to remote databases. The databases are then sold to other criminal elements down the chain who specialize in withdrawing the funds. The money laundering groups anonymously hire physical people to withdraw money from their personal accounts – in the criminal world these people are called “drops”, and their accounts are called “drop accounts”.

The purchased builder is very granular. Imagine logging in to your online banking website and seeing additional fields that seem to blend into the page:

  • Due to security measures, please provide the answers to all the security questions listed below:
  • Your first school
  • Your mother’s maiden name
  • What is the first letter of the name of your high school?
  • What is the first letter of the name of your pet?
  • etc…
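The defender-side counterpart to the injected questions above is a check that compares the form a user's browser actually rendered against the fields the genuine login page is known to serve. The following is an added example, not code from the original post or from any Zeus analysis; the expected field names, the suspicious phrases and both sample pages are constructed for the demonstration.

```python
from html.parser import HTMLParser

# Constructed baseline: the input names the genuine login form is known to render.
EXPECTED_FIELDS = {"username", "password", "remember_me"}

# Constructed phrases typical of injected "security question" prompts
# (matched as whole phrases so short words like "pet" do not hit inside other words).
SUSPICIOUS_PHRASES = ("security question", "maiden name", "first school",
                      "high school", "your pet")


class FormFieldCollector(HTMLParser):
    """Collects names of <input>/<select>/<textarea> elements and all visible text."""

    def __init__(self):
        super().__init__()
        self.fields = []   # (tag, name) in document order
        self.text = []     # visible text fragments

    def handle_starttag(self, tag, attrs):
        if tag in ("input", "select", "textarea"):
            self.fields.append((tag, dict(attrs).get("name", "")))

    def handle_data(self, data):
        stripped = data.strip()
        if stripped:
            self.text.append(stripped)


def audit_login_page(html, expected=EXPECTED_FIELDS):
    """Return which fields/phrases deviate from the known-good form and whether to flag it."""
    parser = FormFieldCollector()
    parser.feed(html)
    # Any named field the real page never serves is a deviation worth investigating.
    unexpected = [name for _, name in parser.fields if name not in expected]
    visible = " ".join(parser.text).lower()
    phrases = [p for p in SUSPICIOUS_PHRASES if p in visible]
    return {
        "unexpected_fields": unexpected,
        "suspicious_phrases": phrases,
        "flagged": bool(unexpected or phrases),
    }


# Constructed sample: the genuine form.
CLEAN_PAGE = """<form action="/login" method="post">
<label for="u">Username</label><input id="u" name="username">
<label for="p">Password</label><input id="p" name="password" type="password">
<input name="remember_me" type="checkbox"> Remember me
<button type="submit">Sign in</button>
</form>"""

# Constructed sample: the same form with extra questions spliced in before the button.
INJECTED_PAGE = CLEAN_PAGE.replace("<button", """<p>Due to security measures, please provide the answers to all the security questions listed below:</p>
<label>Your first school</label><input name="q_school">
<label>Your mother's maiden name</label><input name="q_maiden">
<button""")


if __name__ == "__main__":
    for label, page in (("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE)):
        print(label, audit_login_page(page))
```

Because the injection happens inside the infected browser rather than on the bank's server, the HTML handed to `audit_login_page` has to come from the rendered DOM (for instance a client-side integrity script that reports the form's field manifest back to the bank), not from fetching the page with a crawler, which would always see the clean version.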

Zeus Tracking Project (C&C servers overlayed w/ Google Maps)

Detailed Zeus reverse engineering

Webinar about the bot
