Zeus, also known as Zbot, is a Facebook-spread virus and, technically, a Trojan horse that can empty your bank accounts by stealing your internet banking password. Once your computer is infected with Zeus, it stays dormant until the victim logs into a bank site; it then steals the victim's credentials and drains the victim's accounts.
Zeus, aka Zbot, has infected millions of computers, mostly in the US, and in some cases it can even replace a bank's website with its own page in order to harvest even more information. It is actually a six-year-old virus that resurfaced in 2013; it was first detected in 2007. Incidents of Zeus have risen steadily this year and peaked in May, as reported by Trend Micro.
Zeus gained popularity among cyber-criminals in 2006, when the Zeus/Zbot malware toolkit could be bought on the black market; the kit even allows non-programmer criminals to carry out cyber crimes. According to a 2010 report from Dell SecureWorks, the basic Zeus package starts at about $3,000 to $4,000.
How to protect your computer & Facebook account
Besides keeping your antivirus, operating system and software patches up to date, there are prevention tips that reduce the threat from the Zeus virus:
- Be very careful about making online purchases from sketchy sites advertised on Facebook, especially on NFL fan pages and other Facebook groups/pages, as reported by facecrooks.com.
- Make your Facebook profile more secure by enabling HTTPS on your profile.
- Do not click on flashy links that say "Work at home", "Get rich quick", etc.
- Run your Facebook account through Facebook Checkpoint (screenshot below).
How to know if the Zeus Trojan is on your computer
Computers infected with this version of ZeuS will have the following files and folders installed. The location depends on whether the victim has Administrator rights. The files will most likely have the ‘hidden’ attribute set to hide them from casual inspection.
With Administrator rights:
- %systemroot%\system32\sdra64.exe (malware)
- %systemroot%\system32\lowsec
- %systemroot%\system32\lowsec\user.ds (encrypted stolen data file)
- %systemroot%\system32\lowsec\user.ds.lll (temporary file for stolen data)
- %systemroot%\system32\lowsec\local.ds (encrypted configuration file)
Without Administrator rights:
- %appdata%\sdra64.exe
- %appdata%\lowsec
- %appdata%\lowsec\user.ds
- %appdata%\lowsec\user.ds.lll
- %appdata%\lowsec\local.ds
ZeuS also makes registry changes to ensure that it starts up with Administrator privileges:
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
  From: "Userinit" = "C:\WINDOWS\system32\userinit.exe"
  To: "Userinit" = "C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe"
Without Administrator rights:
- HKCU\Software\Microsoft\Windows\CurrentVersion\Run
  Add: "Userinit" = "C:\Documents and Settings\<user>\Application Data\sdra64.exe"
The sdra64.exe program uses process injection to hide its presence in the list of running processes. Upon startup, it injects code into winlogon.exe (if Administrator rights are available) or explorer.exe (for non-Administrators) and exits. The injected code then infects other processes to carry out its data theft.
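The file and registry indicators listed above can be checked on a Windows host with a short PowerShell script. This is an added example, not code from the SecureWorks write-up; it assumes the paths and value names exactly as listed on this page, and it only inspects the profile of the user running it (HKCU and %appdata%).

```powershell
# Added example (not from the SecureWorks write-up): look for the ZeuS/sdra64
# indicators listed above. Run from an elevated PowerShell prompt.

# File and folder indicators, with and without Administrator rights
$fileIndicators = @(
    '%systemroot%\system32\sdra64.exe',
    '%systemroot%\system32\lowsec',
    '%systemroot%\system32\lowsec\user.ds',
    '%systemroot%\system32\lowsec\user.ds.lll',
    '%systemroot%\system32\lowsec\local.ds',
    '%appdata%\sdra64.exe',
    '%appdata%\lowsec',
    '%appdata%\lowsec\user.ds',
    '%appdata%\lowsec\user.ds.lll',
    '%appdata%\lowsec\local.ds'
)

$findings = @()
foreach ($raw in $fileIndicators) {
    $path = [Environment]::ExpandEnvironmentVariables($raw)
    # -Force returns hidden items too; the malware sets the hidden attribute
    $item = Get-Item -LiteralPath $path -Force -ErrorAction SilentlyContinue
    if ($item) { $findings += "File indicator present: $path" }
}

# Winlogon Userinit should reference userinit.exe only; sdra64.exe appended is the Admin-rights persistence
$winlogon = 'HKLM:\Software\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit -ErrorAction SilentlyContinue).Userinit
if ($userinit -and $userinit -match 'sdra64\.exe') {
    $findings += "Winlogon Userinit tampered: $userinit"
}

# A per-user Run value named Userinit is the non-Admin persistence
$runKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
$runVal = (Get-ItemProperty -Path $runKey -Name Userinit -ErrorAction SilentlyContinue).Userinit
if ($runVal -and $runVal -match 'sdra64\.exe') {
    $findings += "HKCU Run 'Userinit' entry present: $runVal"
}

if ($findings.Count -eq 0) {
    Write-Output 'No ZeuS (sdra64) indicators found for this user.'
} else {
    $findings | ForEach-Object { Write-Output $_ }
    Write-Output 'Indicators found: isolate the host and preserve the files for analysis.'
}
```

Because sdra64.exe injects into winlogon.exe or explorer.exe, an absent process named sdra64 proves nothing; the file and registry checks above are the reliable ones. To cover other accounts on the machine, repeat the %appdata% and Run-key checks against each user's profile and HKU hive.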
Detection tips via SecureWorks.