When ZeuS first appeared in 2007, few expected it to have such a brutal impact on the digital world. Two years later the Trojan, also known as Zbot, had become a milestone in the history of cybersecurity. With an estimated 3.6 million infected machines in the United States alone in 2009, ZeuS was found to have compromised more than 74,000 FTP accounts, including ones belonging to networks as prominent as those of NASA, ABC, Oracle, Cisco, Amazon, and Bank of America. It had also exfiltrated data from the United States Department of Transportation, among other government agencies. Its impact was extreme, and the measures needed to combat it were hard and complex. To this day, ZeuS and its descendants still pose a threat.
What is ZeuS and what does it do?
Zbot is a classic Trojan in many ways: its infection vector is usually phishing or a "drive-by download". In practice, the software, designed to infect Windows, reaches a device through a download the victim triggers without realising it, via a malicious pop-up or an email attachment. Once the machine is infected, the Trojan behaves differently depending on the variant. In general, ZeuS is famous for its use in the theft of credentials, passwords, and other sensitive information through several techniques: keylogging, form-grabbing (hooking the browser's networking functions so that submitted form data is captured before it is encrypted for transmission), and web injects that add fields to legitimate banking pages. Some variants went further: Gameover ZeuS, for example, also delivered ransomware (CryptoLocker) to the machines it controlled.
The drive-by installs relied on exploit kits abusing vulnerabilities such as flaws in Microsoft ATL, various problems in ActiveX controls, and bugs reachable from JavaScript, among many others. Antivirus vendors detected and signatured early variants quickly, but the malware itself was never stopped in its tracks. This Trojan, supposedly created by Evgeniy Mikhailovich Bogachev, better known as "Slavik", was sold on the black market as a crimeware kit: a builder for producing custom bot executables plus a web-based control panel, with add-on modules for designing new variants. In 2011 the kit's source code leaked publicly, which is a large part of why so many descendants exist today.
The “Sons” of ZeuS
There are thousands of variants of Zbot. Some, like Gameover ZeuS, or the slightly newer Atmos, have made their own place in the headlines. Sphinx, Floki Bot, and many more share the same core code and design as ZeuS, yet have managed to slip past many security measures. Gameover ZeuS, which replaced the original centralised command-and-control with a peer-to-peer network, put a large part of the financial sector at risk until it was disrupted by the Operation Tovar takedown in 2014; Atmos, identified in 2015, targeted banks and the transactions they processed. The warning from experts is clear: ZeuS is still here, just going by new names and honing new "skills".
How can we protect ourselves?
The disastrous consequences of an infection with this Trojan (or, more likely today, one of its variants) can be mitigated or avoided. To do this, several precautions should be taken immediately. In addition to using advanced security tools capable of preventing the Trojan from reaching the corporate network, it is advisable to take the following specific measures:
- Disable AutoPlay and AutoRun for removable media and multimedia files, mount shared resources read-only where possible, and block direct access between workstations on the network where it is not essential, so that one infected machine cannot easily reach the others.
- When the company network is used for collaborative work, apply strict access-control and password policies, limiting access and permissions to what each user actually needs.
- Get rid of unnecessary services, taking special care to remove ancillary services that nobody depends on.
- Keep all software up to date: the exploit kits that delivered ZeuS targeted known, patchable vulnerabilities, so patching is a sure way to reduce weaknesses.
- If an infection is detected, isolate the device from the network immediately.
- Remove other unnecessary connection paths, such as Bluetooth.
- Configure email to automatically block attachment types that are typically used to deliver executable payloads, such as .exe, .bat, .vbs, .pif or .scr, to close one more door to attacks.
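The last item above is easy to get subtly wrong: attackers hide executables behind mixed case, double extensions ("invoice.pdf.exe"), trailing dots or spaces that Windows ignores, and Unicode right-to-left override characters that make "invoice_<U+202E>fdp.exe" display as "invoice_exe.pdf". The following is an added example, not code from the original article or from any mail product, that implements the attachment-type check with those tricks handled. The blocked-extension set is the page's own list; the function names, the `Verdict` type, and the sample attachment names are all constructed for this example.

```python
"""Attachment extension policy check (added example, not from the original page).

BLOCKED_EXTENSIONS is the article's own list; everything else is an assumption
made for illustration and should be adapted to local policy.
"""
import unicodedata
from dataclasses import dataclass

# Extensions the article recommends blocking outright.
BLOCKED_EXTENSIONS = frozenset({".exe", ".bat", ".vbs", ".pif", ".scr"})

# Unicode bidirectional override/embedding/isolate characters. Any of these in a
# filename is a strong sign of an attempt to disguise the real extension.
BIDI_OVERRIDES = frozenset(
    "\u202a\u202b\u202c\u202d\u202e\u2066\u2067\u2068\u2069"
)


@dataclass(frozen=True)
class Verdict:
    blocked: bool
    reason: str


def normalize_filename(name: str) -> str:
    """NFKC-normalise (folds full-width dots/letters) and strip trailing dots and
    spaces, which Windows drops when resolving a name, so 'payload.scr .' is
    still executable on the endpoint."""
    return unicodedata.normalize("NFKC", name).rstrip(" .")


def real_extension(name: str) -> str:
    """Return the lowercased *final* extension of the base name.
    'invoice.pdf.exe' -> '.exe'; 'notes' -> ''."""
    base = name.replace("\\", "/").rsplit("/", 1)[-1]
    if "." not in base:
        return ""
    return "." + base.rsplit(".", 1)[1].lower()


def check_attachment(filename: str) -> Verdict:
    """Decide whether a single attachment name violates the policy."""
    # Check for bidi overrides on the raw name: normalisation keeps them, but a
    # mail client's display of the name is what the victim sees.
    if any(ch in BIDI_OVERRIDES for ch in filename):
        return Verdict(True, "bidi override character in filename")
    ext = real_extension(normalize_filename(filename))
    if ext in BLOCKED_EXTENSIONS:
        return Verdict(True, f"blocked extension {ext}")
    return Verdict(False, "allowed")


def filter_attachments(filenames):
    """Partition attachment names into allowed names and blocked (name, reason)
    pairs, as a gateway would before forwarding a message."""
    allowed, blocked = [], []
    for name in filenames:
        verdict = check_attachment(name)
        if verdict.blocked:
            blocked.append((name, verdict.reason))
        else:
            allowed.append(name)
    return allowed, blocked


# Constructed sample attachment names covering the evasion tricks above.
SAMPLE_ATTACHMENTS = [
    "report.exe",                 # plain executable
    "Report.EXE",                 # case variation
    "invoice.pdf.exe",            # double extension, real extension is .exe
    "invoice.exe.pdf",            # real extension is .pdf: allowed by this rule
    "payload.scr .",              # trailing dot/space stripped by Windows
    "invoice_\u202efdp.exe",      # RLO: displays as 'invoice_exe.pdf'
    "notes.txt",
]

if __name__ == "__main__":
    ok, bad = filter_attachments(SAMPLE_ATTACHMENTS)
    for name, reason in bad:
        print(f"BLOCK {name!r}: {reason}")
    for name in ok:
        print(f"ALLOW {name!r}")
```

Note what this rule does not cover: an archive such as .zip can carry any of the blocked types inside it, and a document with macros is not an executable extension at all. An extension filter is one door closed, as the list says, not a substitute for scanning content.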
With a little attention and training, ZeuS and its descendants can be reduced to a minor and well-controlled threat.