Zeus (Still) Wants Your Wallet

The Zeus Trojan, first identified in 2007 (almost prehistory in Internet time), may still be the most pernicious and costly malware out there.  In fact, your machine may be infected right now and “You would probably not know it,” said Brian Krebs, a onetime Washington Post reporter who now ranks as perhaps the most influential independent security blogger in the business. “Antivirus software is not doing a good job of detecting and removing Zeus.”

Two facts have made Zeus both persistent and pervasive.

Fact One: It is entirely about the money.  Zeus is a key logger that wakes up only when a user of an infected machine visits a financial site. It keeps its activity to a minimum and that makes it hard to notice.

Fact Two: “Every version of Zeus is different,” said Krebs, and this is because this malware is effectively open source.  Any bad guy can download it, and customization kits are for sale to up its larceny. The upshot is that Zeus’ digital fingerprints keep changing, making it difficult for antivirus (AV) software to recognize it.  It actually is “fairly easy to get rid of Zeus once it is detected,” said Kevin McNamee, security architect at network security firm Kindsight.

It is just terribly hard to identify it.

“Way over 20 million computers have been infected by Zeus,” said Lance James, an executive at security firm Vigilant and himself one of the first to detect Zeus.  “It is the king of malware.” 

Because antivirus tools generally don’t work against it, IT has to fight a different battle with Zeus. Probably the best starting place in this ongoing battle, suggested Krebs, is user education. That is because the primary means of infection is social engineering: an email from the “IRS” arrives, demanding the recipient immediately click through to verify some fact. Do that, or click on the link in the email about unpaid New York City parking tickets or student loans that have gone into default, and Zeus will download a small chunk of code that, and here’s the genius, does absolutely nothing.  It rings no warning bells, sets off no alarms, raises no AV eyebrows.

It just sits there, alertly monitoring every move, and when the user visits a website on Zeus’s target list (so far, always financially related) it wakes up.  And then all it does is log keystrokes and send them back to the Zeus owner, who then robs your accounts.

The primary targets, said Krebs, are small and mid-sized businesses, including professional services firms (lawyers, accountants, etc.).  Wherever there are big-money banking accounts, Zeus wants to be there, and small businesses, which typically have slim on-board security, have bank accounts big enough to capture Zeus’s interest.

Why not big business?  In part, say the experts, it’s because sophisticated tools that monitor network traffic are one effective way to detect Zeus, and those tools often are deployed in large businesses.  Another effective way to block Zeus is to scan all attachments in incoming email, because that remains a primary infection source, and many big businesses routinely do this.

Big business, even with slick network monitoring in place, still falls victim because, just as with antivirus software, network monitoring software only knows to look for what it is instructed to hunt, and Zeus, forever morphing, stays elusive.  This just is not reliable protection, say the experts. Krebs believes many big companies have been victimized by Zeus — they just haven’t reported it because the embarrassment of blowing this whistle might be as painful as the monetary losses.
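The monitoring the article describes is signature-driven, which is exactly what a constantly repacked Trojan defeats. As an added example (not from the article or any named vendor), the script below instead looks for the behaviour the article attributes to Zeus: a client visits a financial site and, shortly afterwards, POSTs data to a host that is neither the bank nor on an allowlist. The log format, domains and sample lines are all constructed for the demonstration.

```python
"""Behavioural heuristic for Zeus-style keystroke exfiltration in proxy logs.
Constructed example: log line format is "<iso-timestamp> <client> <method> <host>".
"""
from dataclasses import dataclass
from datetime import datetime, timedelta

FINANCIAL_DOMAINS = {"bank.example", "credit-union.example"}  # constructed watchlist
ALLOWED_HOSTS = {"cdn.example", "analytics.example"}          # constructed allowlist
WINDOW = timedelta(seconds=120)  # how long after a bank visit a POST is suspicious


@dataclass
class Event:
    ts: datetime
    client: str
    method: str
    host: str


def parse_line(line: str) -> Event:
    ts, client, method, host = line.split()
    return Event(datetime.fromisoformat(ts), client, method.upper(), host.lower())


def suspicious_exfil(lines):
    """Return (client, host) pairs for POSTs to unexpected hosts soon after a bank visit."""
    last_bank_visit = {}  # client -> timestamp of its most recent financial-site request
    flagged = []
    for ev in (parse_line(l) for l in lines if l.strip()):
        if ev.host in FINANCIAL_DOMAINS:
            last_bank_visit[ev.client] = ev.ts  # the bank itself is never the exfil host
            continue
        seen = last_bank_visit.get(ev.client)
        if (ev.method == "POST" and seen is not None
                and ev.ts - seen <= WINDOW and ev.host not in ALLOWED_HOSTS):
            flagged.append((ev.client, ev.host))
    return flagged


# Constructed sample: one client posts to an unknown IP 38 s after a bank visit,
# another posts to an allowed host with no bank visit, and a late POST falls outside WINDOW.
SAMPLE_LOG = """\
2013-05-01T09:15:02 10.0.0.5 GET bank.example
2013-05-01T09:15:03 10.0.0.5 GET cdn.example
2013-05-01T09:15:40 10.0.0.5 POST 198.51.100.7
2013-05-01T09:16:10 10.0.0.9 POST analytics.example
2013-05-01T09:30:00 10.0.0.5 POST 198.51.100.7
"""

if __name__ == "__main__":
    print(suspicious_exfil(SAMPLE_LOG.splitlines()))  # [('10.0.0.5', '198.51.100.7')]
```

Because the rule keys on timing and destination rather than on a file hash, it survives the repacking that defeats signature matching; tune WINDOW and the allowlist to the environment to keep false positives down.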

So the first line of defense is teaching users to ignore suspicious email.  Easy as that sounds, the bad news is that no security professional expresses optimism about the probability of educating users when it comes to Zeus.

Zeus appears to be malware we have to learn to live with. Security software can’t ID it and users keep getting infected, so Zeus’ future seems assured, so long as it keeps earning money for its masters.

The one sure way to protect against getting ripped off by Zeus is not to use Windows.  Right now, the only known versions of Zeus are Windows-based, said James, and until there are huge increases in the numbers of Apple users, Zeus is unlikely to morph over to a different OS.  It sticks to where the money is and the money follows numbers of users. 

Use an Apple device or Google ChromeBook and — probably —  that machine will stay Zeus free.

Which leads to the other preventative step: “Have one computer that is only used for banking,” said Lucas Zaichkowsky, an executive with security firm Mandiant.  This requires discipline – no IM, no email, no checking sports scores, nothing but banking can be done on the designated computer.  Do that and you will probably stay Zeus free … so long as your financial institutions do too.

As a busy freelance writer for more than 30 years, Rob McGarvey has written over 1500 articles for many of the nation’s leading publications — from Reader’s Digest to Playboy and from the NY Times to Harvard Business Review. McGarvey covers CEOs, business, high tech, human resources, real estate, and the energy sector. A particular specialty is advertorial sections for many top outlets including the New York Times, Crain’s New York, and Fortune Magazine.

Robert McGarvey is an eSecurity Planet contributor.