Zeus malware is considered the most popular and prolific malicious code for banking, it is one of the privilege agent by cybercrime the use to sell various customized version in the underground to conduct sophisticated frauds.
Security community has found it in different occasion and anyway it was a surprice, the malware has evolved in time exploiting various platforms and technologies from mobile to social networks, from P2P protocols to Deep Web.
Cyber criminals continue to use Zeus, it is considered one of the most dynamic cyber threats due the numerous variants and customizations detected.
The Symantec post describes with following statements the operation of the malware:
“The functionality is the same as that of other Zeus variants. Once infected, Zeus monitors the Web browser visiting the targeted banks and injects HTML code that displays a message in Japanese that states in English:
"In order to provide a better service to our customers, we are updating our personal internet banking system. Please re-enter the information that you provided when you first registered."
The user is asked to enter personal information including passwords and any other information the attacker can use access the account. The log in credentials are recorded using Zeus’s built-in key logging functionality.”
Zeus is typically delivered through exploit kits, for this reason it is fundamental to keep defense systems and any other installed software updated, there are also few best practices to follow such as never open attachments, or click on link related to email from dubious origin and be suspicious if your online banking service requests further information on your account.
In the past months cyber criminals implemented an efficient commercial model for the distribution of the famous Zeus Trojan, the malware that is designed as an open project that can be customized with new features to meet customer demands. Zeus botnets are estimated to include millions of compromised computers, in October 28, 2009 over 1.5 million phishing messages were sent on Facebook with the purpose of spreading the Zeus’ Trojan. An interesting collection of information on ZeuS diffusion is available on the web site https://zeustracker.abuse.ch/ that provide updated statistics on the localization of the Command&Control servers of the botnets based on the agent.
To all victims of Zeus it is suggested to change the passwords for online banking accounts and if user has carried bought using credit card while his machine was infected by Zeus Trojan it is necessary to inform the bank.