The Zeus crimeware toolkit has been around now for some time and is well established in the underground economy as being an easy-to-use and powerful tool for stealing personal data from remote systems. Initially linked to a group of criminals known as the “Rock Phish” group and targeting worldwide financial institutions, the toolkit has since become widely available both for sale and for free on underground forums.
The following video provides insight into the Zeus crimeware toolkit, the underground economy, and the distribution methods used for the Trojan:
As seen in the video, the ease with which individuals can use the Zeus crimeware toolkit to create their own tailored Trojan botnets has made it a favored toolkit for entry-level criminals looking to get involved in the underground economy. The greater availability of this toolkit on underground forums of late has also led to an increase in its usage. In the last year, Symantec alone has detected over 154,000 computers infected with the Zeus Trojan and 70,330 unique variants of the Zeus Trojan binary. The true number of Zeus infections beyond Symantec’s count is bound to be a lot higher.
Sites such as the Abuse.ch Zeus tracker have for some time now been doing an excellent job of tracking Zeus command & control (C&C) servers and hosts serving Zeus files. The tracker also gives a good picture of how active the Zeus Trojan family is in the wild. Symantec’s own data shows the following breakdown of the top 10 countries reporting Zeus detections over the past twelve months:
Symantec detects the Zeus Trojan family variants as Trojan.Wsnpoem, Infostealer.Banker.C, and Packed.Generic.232.
*Note: Special thanks to Ben Nahorney for producing the video.