ZeuS/ZBot Description

ZeuS/ZBot is an infamous family of malware composed of banking Trojans. These are designed to infiltrate a computer system, silently lurk in the victim's computer, detect any banking-related activity, and then relay this information to a remote server. The ZeuS/ZBot malware infection is also associated with a vast botnet, that is, a network of infected computer systems which a criminal can control in order to perform coordinated attacks using all the infected computers. Botnets such as these can be used to send out large quantities of spam email (which has often been used to spread malware in the ZeuS/ZBot family) or to perform distributed denial of service attacks on particular targets. The ZeuS/ZBot family of malware is often distributed through social engineering email attacks, usually phishing email scams spoofing email addresses belonging to courier companies, airlines, banking institutions, and many other sources. These emails will usually contain a link to an attack website or an attached file containing the ZeuS/ZBot infection itself.

The ZeuS/ZBot family has also been linked to the blackhole exploit kit, usually used to set up websites that attempt to exploit dozens of vulnerabilities at once in order to infect the victim's computer system with a ZeuS/ZBot infection. Since the ZeuS/ZBot infection is silent, it can be quite a problem for its victims. Often, the only symptom of a ZeuS/ZBot infection is in its detection by a reliable anti-malware scanner. Because of this, making sure that your security program is up-to-date and that you scan your system periodically should be a top priority.

A Recent Attack Involving the ZeuS/ZBot Trojan Family

ESG malware analysts detected a string of attacks involving the ZeuS/ZBot banking Trojan family. These attacks involved spam email messages claiming to contain details on the victim's flight reservations, usually spoofing the logos and email addresses of well-known airlines like US Airways or American Airlines. These emails claim to have the victim's confirmation code and flight, as well as a link that supposedly allows the victim to view their reservation online. However, clicking on this link takes the victim to an attack website using the BlackHole Exploit Kit in order to install the ZeuS/ZBot Trojan on the victim's computer system. This does not happen directly; first, an executable file is downloaded onto the victim's computer system. This executable, also known as a "downloader" Trojan, then connects to a remote server and downloads and installs the ZeuS/ZBot infection itself.