What is Zeus Malware?


Zeus malware, a Trojan horse also known as the Zeus virus or Zbot, runs on many versions of Microsoft Windows and is designed to carry out malicious activities on the victim’s computer. The Zeus banking trojan was built to steal banking records through man-in-the-browser keystroke logging and form grabbing.

Zeus malware is also used to install CryptoLocker ransomware. The primary infection vectors are phishing schemes and drive-by downloads. The malware was first identified in 2007, when it was found stealing information from the United States Department of Transportation. By March 2009, it had become the most widespread malware on the internet.

According to the security company Prevx, the Zeus virus compromised over 74,000 FTP website accounts; this was brought to light in 2009. Zeus trojan attacks have hit companies including BusinessWeek, NASA, ABC, Play.com, Bank of America, Monster.com, Amazon, and Cisco.

Zeus malware is also used in tech support scams that trick users into paying the scammers. Pop-up messages claim to have found a virus on the computer when, in reality, there may be no virus at all. The scammers might use the Event Viewer or the Command Prompt to convince the user that the computer is compromised.

The threat posed by the Zeus Trojan decreased when its original creator retired in 2010. But once the source code became public, several variants appeared on the scene, making this malware persistent and dangerous once again.

What does Zeus Malware do to Computers?

Zeus malware can do a variety of things once it infects a system; however, it has two main areas of functionality.

First, it creates a botnet: a network of individual computers infected with malicious programs, managed as a group, without the owners’ knowledge, by a command and control server under the control of the malware’s operator. The botnet enables the operator to gather massive amounts of information or execute large-scale attacks.

Second, the malware is designed to recognize when the user is on a banking website and to record the keystrokes used to log in. Although the original Zeus trojan has now been largely neutralized, it lives on, as its components are used (and built upon) in a large number of new and emerging malware families.

How can Zeus Malware be detected?

The malware is really tough to detect, even with up-to-date antivirus, because it is built with stealth techniques to hide itself; this is another reason it has become one of the largest botnets on the Internet.

Who does the Zeus Malware Target?

According to Damballa, Zeus malware infected 3.6 million PCs in the U.S.A. in 2009. It is therefore vital to learn and share the knowledge needed to steer clear of such attacks. Avoid clicking on hostile or suspicious links in emails or on websites, and always keep antivirus protection up to date. Some antivirus software does not claim to reliably prevent infection, but it is capable of blocking some infection attempts.

The Unanticipated FBI Crackdown

In October 2010 the FBI officially confirmed that hackers in Eastern Europe had successfully infected computers across the globe using the Zeus virus. Initially, the botnet was distributed to victims through email. Once the user opened the email, the malicious program stealthily installed itself on the victim’s computer. After a successful infection, it secretly began capturing account numbers, passwords and other important data used to log into online banking accounts.

The information harvested from the victim’s computer helped the hackers take over the victims’ bank accounts and make unauthorized transfers of thousands of dollars. The misappropriated funds were sent to other accounts controlled by a network of money mules who received a commission for their assistance. The hackers recruited money mules from overseas to play it safe.

The money mule account operators created bank accounts using fake documents and false names. As soon as the money was transferred to their accounts, they cashed it out and smuggled it to the hackers or wired it to them. The FBI arrested over 90 people in the US, and 10 in the UK and Ukraine, on charges of conspiracy to commit bank fraud and money laundering. The gang swindled approximately $70 million.

Hamza Bendelladj, a Thailand national, was arrested in 2013 and deported to Atlanta, Georgia, USA. Known online as Bx1, he was the mastermind behind Zeus malware attacks. He was held responsible for operating SpyEye, a bot functionally similar to ZeuS, and was also suspected of operating Zeus botnets.

The online fraudster was charged with several counts of wire fraud and computer fraud and abuse. Court papers stated that between 2009 and 2011 Bendelladj and others developed, marketed, and sold various versions of the SpyEye virus.

They also sold component parts online, which helped other online criminals customize their versions and add methods of collecting victims’ personal and financial information. He was also accused of advertising SpyEye on online forums devoted to cyber and other crimes. The SpyEye botnet control server was based in Atlanta, and the charges in Georgia relate only to SpyEye.



How to Prevent Zeus Malware Attack?

As the old saying goes, “prevention is better than cure,” so it is best to stay protected through safe internet practices. Avoid visiting unknown or suspicious websites, and websites that deal in adult content, illegal downloads or illegally free software. The owners of such websites have no issues letting malware owners host their software on the site.

Likewise, by simply not clicking on social media messages or links in email, you can stay safe. Treat all messages with the same caution; if a message arrives from a source affiliated with Zeus Trojan malware, chances are that it poses a threat.

Make use of two-factor authentication, whereby the financial website sends a confirmation code to your mobile device to confirm that the login is legitimate. Recently, a few offshoots of Zeus malware have infected smart devices, too. Below are a few tips for individuals and businesses:

For Individual Users:

  • Never visit suspicious websites
  • Be careful when opening e-mails or attachments from unknown sources
  • Back up your files regularly
  • Always keep pop-up blockers enabled
  • Keep your computer’s OS and antivirus software up to date

For Businesses (Corporates):

  • Implement stringent controls on privileged accounts
  • Have a proper data backup and recovery plan
  • Make sure all the corporate-connected devices are up to date
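The two-factor confirmation code recommended above has a server side that the article does not show. The following is an added example, not code from the article, from Comodo or from any bank’s real implementation: it issues a one-time code that the site would send out of band and then verifies it as single-use, time-limited and attempt-limited. The five-minute lifetime, the three-attempt limit, the `ConfirmationCodes` class name and the server key are assumptions.

```python
"""Server-side handling of a login confirmation code sent to a second device.
Added example; assumptions are marked in comments."""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass

CODE_TTL_SECONDS = 300      # assumption: a code is valid for five minutes
MAX_ATTEMPTS = 3            # assumption: three wrong guesses burn the code
CODE_DIGITS = 6


@dataclass
class PendingCode:
    digest: bytes           # HMAC of the code; the plaintext is never stored
    issued_at: float
    attempts: int = 0


class ConfirmationCodes:
    """Issue and verify out-of-band confirmation codes, one per user at a time."""

    def __init__(self, server_key: bytes):
        self._key = server_key
        self._pending: dict = {}

    def _digest(self, user: str, code: str) -> bytes:
        # Bind the code to the user so a code issued to A cannot be replayed for B.
        return hmac.new(self._key, f"{user}:{code}".encode(), hashlib.sha256).digest()

    def issue(self, user: str, now: float = None, rng=secrets) -> str:
        """Generate a fresh code for `user`; the caller delivers it out of band."""
        now = time.time() if now is None else now
        code = f"{rng.randbelow(10 ** CODE_DIGITS):0{CODE_DIGITS}d}"
        self._pending[user] = PendingCode(self._digest(user, code), now)
        return code

    def verify(self, user: str, code: str, now: float = None) -> bool:
        """Single-use, time-limited, attempt-limited check with a constant-time compare."""
        now = time.time() if now is None else now
        pending = self._pending.get(user)
        if pending is None:
            return False
        if now - pending.issued_at > CODE_TTL_SECONDS:
            del self._pending[user]          # expired; the user must request a new code
            return False
        pending.attempts += 1
        ok = hmac.compare_digest(pending.digest, self._digest(user, code))
        if ok or pending.attempts >= MAX_ATTEMPTS:
            del self._pending[user]          # consumed on success, burned after too many tries
        return ok


if __name__ == "__main__":
    store = ConfirmationCodes(b"constructed-server-key")   # constructed key
    code = store.issue("alice", now=1000.0)
    print("first use:", store.verify("alice", code, now=1010.0))
    print("replay:", store.verify("alice", code, now=1011.0))
```

Storing only an HMAC of the code means a leaked table does not reveal usable codes, binding the user name into the HMAC stops a code issued to one account from being replayed against another, and `hmac.compare_digest` avoids leaking the correct digits through response timing.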

Since the advent of BYOD, users have been accessing corporate data from outside the office and over networks of their own choosing. This makes it easier for hackers to get through the defenses and steal banking details from websites that handle many online fund transactions, e.g., e-commerce sites, banking sites, online ticket booking sites and so on. A powerful, updated antivirus solution is a must to stay clear of such vulnerabilities.

When it comes to business safety, antivirus products are not a viable option. The ideal way to disarm Zeus malware is to have an advanced endpoint protection system in place. Comodo Advanced Endpoint Protection (AEP) is one such solution; it provides real-time protection for all of your endpoints.

Comodo AEP stops malware (including ransomware) from penetrating your company’s local area network at the device layer by executing unknown files in an isolated, restricted environment. It is the most intelligent endpoint protection solution, offering multiple layers of protection against both known and unknown threats. The Advanced Endpoint Protection can also scan endpoints and remove malware that already exists on a device.

Comodo AEP offers complete 360-degree protection for the endpoints connected to the corporate network, both locally and virtually. It combines numerous security techniques to defend the corporate network and its endpoints. Some of its robust features include:

Host Intrusion Prevention System (HIPS) – blocks malicious activity by monitoring the behavior of code.

Containment Technology – uses artificial intelligence to move unknown files into an isolated virtual container. The file is later analyzed and its intent determined. Users can still run programs and applications on their enterprise endpoints; known-good applications run as usual, while unknown, suspicious files run in the virtual environment.

IT and Security Manager – a single console for efficient IT security and device management. It provides a complete report on the status of each device and its level of security.

The Zeus Trojan has infected millions of computers across the globe in a relatively short time. The original creator is no longer running Zeus malware; however, the code is still very much available online for hackers to customize to their needs. To prevent corporate networks and endpoints from falling victim to financial data theft, we recommend choosing Comodo AEP.

For further details on Comodo Advanced Endpoint Protection, contact us at EnterpriseSolutions@comodo.com or +1 888-256-2608.


What is Locky Ransomware?

Locky is a type of ransomware released in 2016. Security experts found that the malware authors delivered it via email, asking for payment through an attached invoice: a malicious Microsoft Word document that runs infectious macros.

How does Locky Ransomware work?

The document, when opened by the user, is not in a readable format, and a dialog box opens with the phrase “Enable macro if data encoding is incorrect.” This is a simple social engineering technique used as bait to trick the user into passing on the infection.

When the user enables the macros, the malware author’s code runs a binary file which installs the encryption trojan; this locks all files with specific extensions. The filenames are then changed to a combination of letters and numbers.

Once the files are encrypted, the Locky ransomware instructs the victim to download the Tor browser and visit a specific website, which is itself malicious. It also demands a ransom to unlock the encrypted files.

Who is a target for Locky Ransomware?

Locky is a very dangerous threat capable of infecting a variety of file formats, including the files created by designers, developers, engineers and testers. Locky ransomware attacks mainly target small businesses.

The top countries hit by the Locky virus are Spain, Germany, the USA, France, Italy, Great Britain, the Czech Republic, Canada, and Poland.

What is the method of infection for Locky ransomware?

Malware authors pass on the infection through spam emails that come with malicious attachments, including .doc, .xls, or .zip files.

Where does Locky Ransomware come from?

Security experts found evidence that the Locky ransomware was developed by the hackers who developed Dridex. It is also understood that Locky comes from Russia, as it targets PCs around the globe except in Russia.

Locky Ransomware Detection

Locky-infected emails look genuine, which makes it difficult for users to identify them as malicious. Warning signs include an email with a subject line that reads “Upcoming Payment – 1 month notice.” or one that comes with a Microsoft Word document containing malicious macros.

If the Locky ransomware runs and infects the files, they will be difficult to recover. The user will be notified to pay a ransom to unlock the files.
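Both the infection method described earlier (macro-bearing .doc/.xls attachments, sometimes wrapped in a .zip) and the detection hints just above (the quoted subject line, a Word document carrying macros) can be turned into a mail-gateway check. The following is an added example, not code from the article or from Comodo: it builds a constructed message that carries a zipped, macro-enabled .docm and scans it for those indicators. The subject pattern list, the `scan_message` function and the sample sender and file names are assumptions; only the “Upcoming Payment” subject phrase comes from the article.

```python
"""Flag Locky-style lures: a suspicious subject plus a macro-bearing Office
attachment, possibly wrapped in a zip. Added example with constructed input."""
import email
import io
import re
import zipfile
from email import policy
from email.message import EmailMessage

# The "upcoming payment" phrase is from the article; the invoice pattern is an assumption.
SUSPICIOUS_SUBJECTS = [
    re.compile(r"upcoming payment", re.I),
    re.compile(r"\binvoice\b", re.I),
]
OFFICE_EXTENSIONS = (".doc", ".docm", ".dot", ".dotm", ".xls", ".xlsm", ".docx", ".xlsx")
OLE2_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # legacy binary Office container
MAX_NESTING = 3                                     # assumption: stop unpacking nested zips here


def has_vba_project(blob: bytes) -> bool:
    """OOXML files are zip archives; a macro-enabled one carries a vbaProject.bin part."""
    try:
        with zipfile.ZipFile(io.BytesIO(blob)) as zf:
            return any(name.lower().endswith("vbaproject.bin") for name in zf.namelist())
    except zipfile.BadZipFile:
        return False


def inspect_attachment(filename: str, blob: bytes, depth: int = 0) -> list:
    """Return human-readable findings for one attachment, unpacking zips recursively."""
    findings = []
    lower = filename.lower()
    if lower.endswith(".zip"):
        if depth >= MAX_NESTING:
            return [f"{filename}: zip nested too deeply, not inspected"]
        try:
            with zipfile.ZipFile(io.BytesIO(blob)) as zf:
                for inner in zf.namelist():
                    findings += inspect_attachment(inner, zf.read(inner), depth + 1)
        except zipfile.BadZipFile:
            findings.append(f"{filename}: corrupt zip attachment")
    elif lower.endswith(OFFICE_EXTENSIONS):
        if has_vba_project(blob):
            findings.append(f"{filename}: Office document with VBA macro project")
        elif blob.startswith(OLE2_MAGIC):
            # Legacy .doc/.xls need a dedicated parser (e.g. oletools) to confirm macros.
            findings.append(f"{filename}: legacy OLE2 document, macros not ruled out")
    return findings


def scan_message(raw: bytes) -> dict:
    """Parse a raw RFC 822 message and report why (if at all) it looks like a Locky lure."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    reasons = []
    subject = str(msg["subject"] or "")
    if any(p.search(subject) for p in SUSPICIOUS_SUBJECTS):
        reasons.append(f"subject matches lure pattern: {subject!r}")
    for part in msg.iter_attachments():
        name = part.get_filename() or "unnamed"
        reasons += inspect_attachment(name, part.get_payload(decode=True) or b"")
    return {"suspicious": bool(reasons), "reasons": reasons}


def build_sample_message(with_macro: bool = True) -> bytes:
    """Constructed sample: a minimal .docm (with or without a VBA part) inside a zip."""
    doc = io.BytesIO()
    with zipfile.ZipFile(doc, "w") as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document/>")
        if with_macro:
            zf.writestr("word/vbaProject.bin", b"\x00constructed-vba-stub\x00")
    wrapper = io.BytesIO()
    with zipfile.ZipFile(wrapper, "w") as zf:
        zf.writestr("invoice_J-98223.docm", doc.getvalue())   # constructed file name
    msg = EmailMessage()
    msg["From"] = "accounts@example.invalid"                   # constructed sender
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Upcoming Payment - 1 month notice."
    msg.set_content("Please see the attached invoice.")
    msg.add_attachment(wrapper.getvalue(), maintype="application",
                       subtype="zip", filename="invoice.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for reason in scan_message(build_sample_message())["reasons"]:
        print("-", reason)
```

Modern Office formats are zip archives, so the presence of a `word/vbaProject.bin` part is a reliable sign of an embedded VBA project. Legacy binary .doc/.xls files are OLE2 containers that need a dedicated parser (oletools’ olevba, for instance) to inspect properly, so this check only flags them as unverified rather than claiming they are clean.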

How to remove Locky?

While your computer is starting, press the F8 key on your keyboard repeatedly until the Windows Advanced Options menu appears, then:

  • Select Safe Mode with Command Prompt from the menu list and press ENTER.
  • When the Command Prompt loads, type “cd restore” and press ENTER.
  • Then type rstrui.exe and press ENTER.
  • Click NEXT in the window that opens.
  • Select a Restore Point and click NEXT (this restores your system to a state from before the Locky ransomware infiltrated the PC).
  • Then click “YES” in the next window.

Once the PC is restored, scan the system with effective, recommended antivirus software and delete any remaining Locky virus files.

How to prevent Locky ransomware?

Ransomware trojans are built to spread through phishing or spam emails. Below are ways to prevent Locky ransomware:

  • Deploy an updated antivirus.
  • Install an internet security suite with an email security system to eliminate spam and phishing emails.
  • Avoid opening suspicious links and attachments from unauthorized sources.
  • Disable macros from running by default in Microsoft Office.
  • Back up vital files on external drives or in the cloud.
  • Ensure the operating system and any third-party software on the system are patched and up to date.

Why Comodo Advanced Endpoint Protection?

Comodo Advanced Endpoint Protection (AEP) is an ideal security solution that equips any business network with the right measure of security features. Case studies have shown that Comodo AEP completely denies targeted attacks and APTs (advanced persistent threats), which a single standalone antivirus cannot do.

Endpoint protection solutions give enterprises a centrally managed security solution to help secure workstations, servers and the other endpoint devices connected to the network.

It is considered the best because it integrates antivirus, anti-spyware, firewall, and application control with HIPS (host intrusion prevention) techniques, all in one single console.

It combines patch management, configuration capability, and vulnerability assessment to enable proactive protection of data files and disk encryption.
