Zeus the sky and thunder god of malware

August 30, 2016
Zeus the sky and thunder god of malware

Zeus malware is a financial Trojan targeting online banking. Zeus malware steals banking information by man-in-the-browser attacks, keystroke logging and form grabbing methods. Zeus was developed to target the Windows OS and has been around for almost 10 years now. Zeus is spread mainly through drive-by downloads and phishing schemes.

Why are we talking about an older generation of malware? Two main reasons. First the Zeus source code is now widely available allowing the criminal to build and develop enhancements to update the malware code. Second is that we still see Zeus families responsible for fraud losses across the global banking market place.

ZeusVM is a newer addition to the Zeus family of malware. Like the other Zeus variants, it is a banking Trojan that focuses on stealing user credentials from financial institutions. Although recent attention has been on non-Zeus based bankers such as Neverquest and Dyreza, ZeusVM is still a formidable threat.

ZeusVM is based on the infamous Zeus Trojan, whose own source code is now in the public domain, hence, we are having seen recent functionality enhancements and still forms an important tool in the cybercriminals arsenal.

ZeusVM, also known as KINS, is a computer Trojan that hijacks the browser process in order to modify or steal information from websites opened by victims on their computers. It’s primarily used to steal online banking credentials, but other types of websites can also be targeted as long as attackers list them in the configuration file downloaded by the Trojan from the Internet.

ZeusVM comes with it’s own User Interface (UI) a program that allows attackers to create and customized ZeusVM binary files, which can then be used to infect computers. The control panel is the Web application that runs on the command-and-control server and is used to receive and send data to ZeusVM-infected computers. The customization involves modifying things like the URL of the command-and-control server where the Trojan will connect or the key used to encrypt its configuration files. The UI also allows the novice cybercriminal to easily manage and launch attacks against intended banking domain listed in the configuration file.

The above now allows the novice cybercriminal to launch sophisticated attacks against the online banking channel.

About the author

Leave a Reply