Monday, May 3rd, 2010
AVG (AU/NZ) Pty Ltd (the distributor for Australia, New Zealand and the South Pacific of the award-winning AVG Anti-Virus and Internet Security software), thought you might find it interesting to see how one of the most successful pieces of malware out there, codenamed Zeus, has managed to stay alive for such a long time.

“Zeus is probably the malware most used by cyber criminals specialising in financial fraud,” said Lloyd Borrett, Marketing Manager at AVG (AU/NZ). “It’s a do-it-yourself crimeware kit responsible for millions of dollars in losses by consumers and businesses.

“Once your computer is infected by Zeus it becomes part of a criminal botnet,” Borrett continued. “It can steal information such as your banking details, credentials for social networking sites and e-mail accounts. It is truly a global threat.”

Although you may have read about Zeus (also known as Zbot) in the past, that was probably about Zeus 1.0 or its many sub-versions 1.2, 1.3, etc. that have spread all over the web for several years now. This article is about the latest Zeus version that hit ‘the market’ recently - Zeus 2.0.

The fact that Zeus keeps developing and new releases are still coming out from its developer/s indicates the amount of money involved. The provider of Zeus obviously makes enough money to keep funding ongoing development, otherwise this project would have been dead a long time ago, as has happened to other less successful malware threats.

The latest version of Zeus introduces new features and enhancements to make the work of security vendors even more challenging to detect it.

Here are some ‘improvements’ in the new Zeus 2.0 that AVG Technologies found in the samples they analysed:

• Zeus 2.0 incorporates new encryption layers to hide its data and communication. Those of you that found ways to break the 1.x encryption and get the keys may find v2.0 much more challenging.

• In v2.0 the binary is installed in "%APPDATA%\{random chars}\{random chars}.exe". Zeus 1.x was using a hardcoded filename and was usually installed under %WINDIR%\System32.

• While Zeus 1.x infected the whole PC if it had sufficient permissions, Zeus 2.0 by-design infects only the current user. That's also the reason why file paths and registry entries have changed. This new behaviour makes Zeus 2.0 less detectable but also limits the damage if several people are using the same PC.

• Zeus 2.0 registers itself in HKCU\..\Run key while Zeus 1.x normally registered itself in UserInit Key.

• Zeus 2.0 binaries and configuration files are no longer protected by ring-3 rootkit.

• Zeus 2.0 does not hook code in svchost.exe, lsass.exe, services.exe.

• Since v1.3, Zeus Builder is protected with "hardware-based licensing system", thus fighting "malware piracy" and preventing AV researchers from analysing the builder engine.

• In v2.0 Mutex and event names are now pseudo-random GUID strings. Zeus 1.x used hardcoded mutex names like _XXXX_2109, __SYSTEM__64AD0625__, etc.

This change is probably business-driven, as it allows several copies of Zeus from different "vendors" (infections) to co-exist on one PC. This maximizes the monetisation of a single infected PC by various hackers – each can steal the bank credentials of the same user and cash out.

These are not all the changes in Zeus 2.0; however, they ensure that even users with very limited rights on their computer will get infected.

Zeus 2.0 commands for botnet were completely changed. The new commands are much more descriptive:
user_flashplayer_remove; user_flashplayer_get; user_ftpclients_get; user_homepage_set; user_url_unblock; user_url_block; user_certs_remove; user_certs_get; user_cookies_remove;
user_cookies_get; user_execute; user_logoff; user_destroy; fs_search_remove; fs_search_add; fs_path_get; bot_httpinject_enable; bot_httpinject_disable; bot_bc_remove; bot_bc_add; bot_update; bot_uninstall; os_reboot; os_shutdown;

What should we expect to come on the next Zeus update? Here is our guess:

The following commands are present in the malware body but are not implemented yet: bot_httpinject_disable; bot_httpinject_enable; fs_path_get; fs_search_add; fs_search_remove; user_destroy.

As long as Zeus continues to make money for its developer/s, we will continue to find new releases and new features in the market.

Preventing the infection from such malware requires more than just one security technology. AVG uses multiple security layers: proactive, reactive, real-time and reputation-based technologies to provide its free and paid users with the most advanced protection against the most advanced malware threats out there, including Zeus 2.0.


Contact Profile


malware, Zeus, cybercrime



More Formats