ZeuS Malware Has Retired, Worse Than Before

by Neil Schwartzman
Director, Certification Security & Standards

I was wrong. In my last article I wrote (actually my editor added the line) “it sounds like ZeuS will be around for a while.” Apparently it won’t be. Following a development as unprecedented as AOL buying Yahoo!, ZeuS’ reign is now at an end.

ZeuS, aka Zbot, has for some time been the world’s premier malware for stealing banking credentials from account-holders. Like any other commercial software, purchasers of ZeuS pay for a license and then benefit from constant R&D cycles, Quality Assurance processes, customer support sites including FAQs for new users, a raft of plug-ins to provide additional functionality — all the aspects expected of a good software company. A series of YouTube videos lays out the specifics of the software’s development evolution up to July 2009.

Purchasers — oh heck, let’s go ahead and call them bank robbers — set up their own ZeuS botnet nodes, infect end-users, steal money from bank accounts, and then launder that money to make it untraceable with the help of a network of ‘money mules’.

Then, just recently, that has all changed.

As I reported earlier this month, there was a spate of arrests in America and Europe related to a ZeuS node.

Microsoft finally launched measures to remove the ZeuS Trojan from end-user systems; their Malicious Software Removal Tool now has the facility to disinfect users’ computers from ZeuS. Upon release, the MSRT reportedly cleaned nearly 275,000 machines in under a week. That figure was from early days; it can be safely assumed this will continue to increase, rapidly.

I spoke with some folks at Microsoft who explained the delay in deployment: the rapid-fire development cycles by ZeuS developers, and encryption of key elements of the software, made disinfection a moving target. Somehow that didn’t stop the publishers of Spyeye, a competing botnet, from launching a ZeuS remover — which helpfully also installed their Spyeye malware.

Soon after the arrests, another botnet called Cutwail was used to infect (or re-infect) user machines via a series of counterfeit emails allegedly from LinkedIn, Netflix, Groupon, the U.S. Electronic Federal Tax Payment System, and others. The payload here was generally the ZeuS malware, but whoever was behind the campaign was doing a compare-and-contrast test, as the new stealth botnet Bugat was also found in the stream of spoofed LinkedIn messages.

The people behind Avalanche, the previous nec plus ultra botnet of the phishing world, are now reportedly using ZeuS in droves. That probably won’t last long, however, because it seems the rivalry between ZeuS and Spyeye is now at an end. The people behind ZeuS have decided to close up shop for the moment, and have transferred the ZeuS code over to the Spyeye team.

What does this mean for the future of phishing? Probably nothing more than more of the same. Avalanche begat ZeuS that begat Spyeye, which will beget…something else, likely harder to remove from infected computers than before.

With botnets and malware in general, and phishing in particular, things are going to continue to get worse before they get better. The Dutch Banking Association recently published statistics noting that phishing is up 450% over last year.

Spam content and approaches have evolved over time – bad guys were initially willing to sell fake body-enlargement pills to con you out of your money; now, rather than wait for sales to occur, they just dip directly into your bank account.

Previously most botnets had a single, central control system, and thus could be decapitated; now they too have evolved to follow the distributed model of ZeuS. In essence, there is no single ZeuS botnet; there are a few hundred independent ZeuS botnets. Spyeye is similar.

The phishers are no longer entirely interested in stealing small amounts of money from individuals; now they have set their sights on the far more lucrative business account market. Happily some of them are getting arrested, but that merely means one gang down, 209 (at time of publication) to go.

The criminals aren’t showing allegiance to any particular botnet; they’ll use whatever gets the job done, which creates incentives for malware authors to keep working on new exploits as quickly as defenses can be found against them.

So, what do you do? One take-away here for most readers is that if you have a brand, it will be abused. Phishers and malware distributors will invariably steal your good name to add a layer of validity to their spam. This isn’t limited to banks and major e-commerce sites anymore. If it hasn’t happened to you yet, it will. Fortunately, there are some emerging solutions to brand theft and purloined reputation.

The criminals also want your computers, and your customers’ computers, and computers from random passers-by to help them distribute their malware. To stay protected: lock your domain registrations, and ensure your authoritative name-server isn’t answering recursive look-ups for the public (an “open resolver”). You can check this at http://recursive.iana.org/. (We’ll discuss this in more detail in a future article.)
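The open-resolver check referred to above can also be done by hand. The following is an added example written for this article, not code from the author or from IANA’s checker: it sends a standard DNS query with the “recursion desired” bit set for a name the server is not authoritative for, and reads the “recursion available” flag and response code in the reply. An authoritative-only server should answer REFUSED (or at least return no answer); a server that resolves the name is acting as an open resolver. The server address and the probe name are placeholders to be replaced with your own name server and a name outside its zones; the sample packets at the bottom are constructed for offline testing and were not captured from any real server.

```python
import random
import socket
import struct

# DNS header flag bits (RFC 1035, section 4.1.1)
FLAG_QR = 0x8000      # set on responses
FLAG_RD = 0x0100      # recursion desired (we set this on the query)
FLAG_RA = 0x0080      # recursion available (server says it will recurse)
RCODE_MASK = 0x000F
RCODE_REFUSED = 5


def encode_name(qname):
    """Encode "example.com" as length-prefixed labels terminated by a zero byte."""
    labels = [part for part in qname.rstrip(".").split(".") if part]
    return b"".join(bytes([len(p)]) + p.encode("ascii") for p in labels) + b"\x00"


def build_query(qname, txid=None, qtype=1):
    """Build a UDP DNS query (type A, class IN by default) with RD set."""
    txid = random.randrange(0, 0x10000) if txid is None else txid
    header = struct.pack("!HHHHHH", txid, FLAG_RD, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_header(packet):
    """Extract the fields of the 12-byte DNS header we need for the verdict."""
    if len(packet) < 12:
        raise ValueError("truncated DNS packet")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", packet[:12])
    return {
        "id": txid,
        "qr": bool(flags & FLAG_QR),
        "ra": bool(flags & FLAG_RA),
        "rcode": flags & RCODE_MASK,
        "ancount": ancount,
    }


def classify(hdr):
    """Turn a parsed response header into a verdict on recursion."""
    if not hdr["qr"]:
        return "not-a-response"
    if hdr["rcode"] == RCODE_REFUSED:
        return "refused"            # the desired behaviour for an authoritative-only server
    if hdr["ra"] and hdr["ancount"] > 0:
        return "open-resolver"      # it resolved a name it is not authoritative for
    if hdr["ra"]:
        return "ra-advertised"      # claims recursion but returned no answer; inspect further
    return "no-recursion"


def check_server(server_ip, probe_name="example.com", port=53, timeout=3.0):
    """Send one probe to server_ip and classify the reply (network call; not run by tests)."""
    query = build_query(probe_name)
    sent_id = struct.unpack("!H", query[:2])[0]
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(query, (server_ip, port))
        data, _ = sock.recvfrom(4096)
    hdr = parse_header(data)
    if hdr["id"] != sent_id:
        raise ValueError("transaction id mismatch; reply does not match our query")
    return classify(hdr)


# Constructed sample replies (header only, no question/answer sections) for offline use.
SAMPLE_OPEN = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | FLAG_RA, 1, 1, 0, 0)
SAMPLE_REFUSED = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD | RCODE_REFUSED, 1, 0, 0, 0)
SAMPLE_CLOSED = struct.pack("!HHHHHH", 0x1234, FLAG_QR | FLAG_RD, 1, 0, 0, 0)

if __name__ == "__main__":
    for label, pkt in (("open", SAMPLE_OPEN), ("refused", SAMPLE_REFUSED), ("closed", SAMPLE_CLOSED)):
        print(label, "->", classify(parse_header(pkt)))
    # Live check against your own name server (placeholder address; replace before use):
    # print(check_server("203.0.113.1", probe_name="example.com"))
```

Point `check_server` at each of your own authoritative name servers with a probe name outside your zones; anything other than `refused` or `no-recursion` deserves a look at the server’s recursion settings. Note that the RA flag alone is a weak signal, since some servers advertise recursion while still refusing off-zone names, which is why the verdict also requires an actual answer before reporting an open resolver.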

But your brand and your hardware are just means to an end for these criminals; what they really want is your money, and your customers’ money, and money from random passers-by. To keep your own finances safe, make certain that any financial computers you have are well-firewalled, hard drives encrypted, and the software and operating system kept religiously up-to-date on a daily basis. Run the latest anti-virus software, including Microsoft’s Malicious Software Removal Tool. Consider running a virtual machine on any hardware which connects to your bank, so as to help prevent persistent malware infections. As well, ensure you have (and use!) multi-factor authentication for any ACH transfers you do.

If your bank doesn’t have this available, start a conversation with them as to best steps you can take to prevent account take-over — and document every conversation, so that if your money gets stolen they can’t blame you for their own lack of security options.

Staff with the keys to the vault (literally and figuratively) should be trained to spot the latest phishing methods (PhishMe.com is one such service), to keep a constant eye on the account bottom lines, and report any suspicious or unauthorized transactions to the bank, and local & federal police, immediately.

I’ve been attending a lot of security conferences recently, talking with the world’s experts on botnets and malware, and it’s clear that some bad guys have already found ways to beat most of these measures if they think you’re a juicy enough target. Even so, most of the criminals out there are only looking for low-hanging fruit — the easy stuff. Rather than giving up in despair, the smart thing to do is to make yourself as difficult a target as possible — before it’s too late.
