Zeus Trojan

First observed in 2007, Zeus (also known as Zbot) is a trojan that creates a botnet and steals confidential information such as online banking credentials.

Threat ID:: CC-1138
Category:: Spyware, Trojan
Threat Severity:: Medium
Threat Vector:
Published:: 2 February 2017 12:00 AM

Report a cyber attack: call 0300 303 5222 or email [email protected]

This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of this information contained in this page is at your own risk

Summary

First observed in 2007, Zeus (also known as Zbot) is a trojan that creates a botnet and steals confidential information such as online banking credentials.

Affected platforms

The following platforms are known to be affected:

Microsoft Windows

Microsoft Windows - All versions
Google Android - All versions
BlackBerry OS - All versions
Symbian - All versions

Threat details

Malicious files were originally created using an online toolkit, but the source code has since been leaked. This has resulted in further variants being developed such as Gameover ZeuS and Zeus Sphinx.

Attackers primarily spread Zeus via spam email messages and drive-by downloads. When executed, it automatically gathers stored passwords and then monitors visits to specific websites. It can insert extra fields into web pages to capture additional information from the user.

Zeus also contacts a command and control server which can instruct the infected device to shut down, delete system files and download additional malware.

Remediation advice

To prevent and detect a trojan infection, ensure that:

Remediation steps

Type	Step
	A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails. All operating systems, anti-virus and other security products are kept up-to-date. Regular anti-virus and security scans are performed on your organisation’s estate. All day-to-day computer activities such as email and internet are performed using non-administrative accounts. Strong password policies are in place. Network, proxy and firewall logs should be monitored for suspicious activity. User accounts accessed from affected devices should be reset on a clean computer. Your organisation adopts a holistic all-round approach to Cyber Security as advocated by the 10 Steps to Cyber Security.

Type

Step

A robust program of education and awareness training is delivered to users to ensure they don’t open attachments or follow links within unsolicited emails.
All operating systems, anti-virus and other security products are kept up-to-date.
Regular anti-virus and security scans are performed on your organisation’s estate.
All day-to-day computer activities such as email and internet are performed using non-administrative accounts.
Strong password policies are in place.
Network, proxy and firewall logs should be monitored for suspicious activity.
User accounts accessed from affected devices should be reset on a clean computer.
Your organisation adopts a holistic all-round approach to Cyber Security as advocated by the 10 Steps to Cyber Security.

Last edited: 17 February 2020 11:42 am