How Zeus3 targets financial services giants

Jason Pearce of M86 Security explains how the Zeus Trojan has been used to steal money from customers of a UK-based financial institution.

M86 Security has discovered and exposed a sophisticated attack targeting the UK customers of an international financial institution using the Zeus v3 Trojan. At least 3000 UK customers have been compromised, and around GBP675,000 has been stolen from those customers’ online banking accounts.

The Trojan used in this attack is Zeus v3 – the latest, most advanced and sophisticated iteration of the successful and dangerous Zeus family of banking malware. Customers of the financial institution concerned were infected when visiting legitimate websites that had been compromised by the criminals. Code injected into these sites redirected visitors to the malicious Eleonore Exploit Kit 1.4.1, which ultimately led to the users being infected with Zeus 3.

Zeus, or ZBOT, bots are part of a crimeware toolkit that is available for cybercrime operations and designed to steal information and banking credentials from unsuspecting Internet users. Zeus’ malicious behavior is defined by its server-side configuration file, which contains a list of targeted financial institutions and online services.

In earlier versions, Zeus handled this configuration file in a way that let security researchers easily reverse engineer it and capture the full configuration content. This is no longer the case with Zeus v3. It employs layers of protection by applying the principle of least privilege. This means that it accesses only the remote commands, information and resources that are necessary for a specific function and purpose.

The latest Zeus v3 configuration contains a list of targeted financial institutions from Spain, Germany, the United Kingdom and the USA. Previous versions contained a list of financial institutions from different countries around the world. The rationale behind the more specific targeting in the newest version is to reduce the risk of detection. What is different with Zeus v3 is that it now has the capability to hijack customers’ online banking sessions. In this recent attack, if the customer’s bank account balance was greater than GBP800, it issued a money transfer transaction. Zeus v3 works by modifying target Web pages in the user’s browser so that they ask the user to provide additional information at the login prompts. In earlier versions this was done only in Internet Explorer (IE); in this version it is also done in Mozilla Firefox.

The new Zeus includes support for both Windows Vista and Windows 7. Taskeng.exe and Taskhost.exe are processes that this version targets; both are found in Windows Vista and Windows 7, though neither was found in older versions such as Windows XP. Instead of using pre-specified names, the Trojan uses random names for the files and directories it creates. In addition, Zeus now injects its code into the Explorer process, something that previous variants did not do.
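A behaviour-based triage check for the indicators described above, written as an added example (not code from M86 or from the original article): because the file and directory names are random, it ignores names and keys on injection into Explorer, Taskeng.exe or Taskhost.exe from a source outside trusted directories. The event field names, the trusted-root list and the sample events are assumptions constructed for illustration.

```python
import ntpath

# Processes the article names as injection targets of Zeus v3.
TARGETS = {"explorer.exe", "taskeng.exe", "taskhost.exe"}
# Assumption: images under these roots are treated as trusted sources.
TRUSTED_ROOTS = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")

def is_suspicious(event):
    """Flag injection into a targeted process from an untrusted location.

    File names are ignored on purpose: the Trojan randomises them, so only
    the target process and the source's directory are used.
    """
    target = ntpath.basename(event["target_image"]).lower()
    source = ntpath.normpath(event["source_image"]).lower()
    if target not in TARGETS:
        return False
    return not source.startswith(TRUSTED_ROOTS)

def triage(events):
    """Return the source image paths of suspicious events, de-duplicated in order."""
    seen, hits = set(), []
    for ev in events:
        if is_suspicious(ev):
            src = ev["source_image"]
            if src.lower() not in seen:
                seen.add(src.lower())
                hits.append(src)
    return hits

# Constructed sample events (not taken from the article or from real telemetry).
SAMPLE_EVENTS = [
    {"source_image": r"C:\Windows\System32\csrss.exe",
     "target_image": r"C:\Windows\explorer.exe"},
    {"source_image": r"C:\Users\alice\AppData\Roaming\Uxqoz\ybkae.exe",
     "target_image": r"C:\Windows\explorer.exe"},
    {"source_image": r"C:\Users\alice\AppData\Roaming\Uxqoz\ybkae.exe",
     "target_image": r"C:\Windows\System32\taskhost.exe"},
    {"source_image": r"C:\Users\bob\AppData\Local\Temp\setup.exe",
     "target_image": r"C:\Windows\System32\notepad.exe"},
    # Path traversal that tries to look as if it starts in a trusted root.
    {"source_image": r"C:\Windows\..\Users\bob\AppData\Roaming\Kiva\otpu.exe",
     "target_image": r"C:\Windows\System32\taskeng.exe"},
]

if __name__ == "__main__":
    for path in triage(SAMPLE_EVENTS):
        print("suspicious injector:", path)
```

Security products and some system components also touch these processes legitimately, so hits from a check like this are leads for review and the trusted-root list needs tuning per environment.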

Zeus has been entrenched in the cybercrime business for a long time now and has continuously evolved and improved. The changes in terms of using random file and directory names, providing support for Windows Vista and Windows 7 and being able to now hijack banking sessions highlight the fact that Zeus developers are closely monitoring the countermeasures being developed by security vendors and are resorting to new tactics to not only avoid detection, but also increase the bang for buck of the toolkit.

These changes show that cybercriminals are continuously finding new ways to not only perpetrate the attack, but also make sure they do not go out of business due to detection. There are a number of ways for organizations to ensure they are protected from these types of attack:

  • Educating staff on current IT security threats and teaching them what to look for in order to avoid infection.
  • Making sure that systems and applications are patched and up-to-date.
  • Deploying active real-time content inspection technology to inspect inbound and outbound communication over FTP, HTTP, and HTTPS looking for malicious code.

Further information on the attack and the methodology employed can be found at

About the Author

Jason Pearce is the Director, Sales Engineering Asia-Pacific for M86 Security based out of Singapore. In this role he is responsible for driving the pre-sales, systems engineering and technical architecture capabilities of M86 Security throughout the Asia-Pacific region.
