Zeus Trojan And Password Stealer Detection And Removal

Zeus Trojan has been around for a few years now. It is one of the most active trojans and is in a constant state of further development. The last variant of Zeus (ZBot) was found a few months back and was named version 2. Zeus Trojan steals personal information from the infected PC/system. Now a new version of Zeus Trojan (version 3) has just been found which is inflicting major damage in the United Kingdom (UK). While the previous versions of Zeus Trojan were caught by most antivirus companies, this new version is very hard to catch.
Zeus Trojan is delivered with an exploit toolkit named the Eleonore exploit toolkit. An exploit toolkit serves multiple exploits through a web browser: a single landing page tries one exploit after another against the browser and the applications it hands content to (Adobe Reader, Java) until one of them succeeds in dropping the trojan. The Eleonore exploit toolkit uses the following exploits:

  • IE MDAC Vulnerability
  • Adobe Reader Collab GetIcon Vulnerability
  • Adobe Reader CollectEmailInfo Vulnerability
  • Adobe Reader newPlayer Vulnerability
  • Java Development Kit Vulnerability
  • Java Web Start Vulnerability
  • Social Engineering Attack – Requires the user to download and execute the payload
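The list above describes the shape of a drive-by download: one HTML landing page, followed by PDF, JAR/JNLP and raw executable payloads from the same host within seconds. That pattern is visible in ordinary web-proxy logs even when no antivirus engine recognises the payload itself. The following script is an added example, written for this page and not taken from the original post or from any vendor report; the log format, host names and timestamps are constructed for illustration and are not real traffic.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Content types a kit like Eleonore has to hand the browser to reach the
# components listed on the page: PDF for the three Adobe Reader bugs,
# JAR/JNLP for the JDK and Java Web Start bugs, and a raw executable for the
# social-engineering path. The IE MDAC exploit rides inside the HTML page itself.
CARRIER_TYPES = {
    "application/pdf",
    "application/java-archive",
    "application/x-java-jnlp-file",
    "application/octet-stream",
}

# Constructed sample proxy log (not real traffic).
# Fields: time client host path content-type
SAMPLE_LOG = """\
2010-08-11T10:00:01 10.0.0.5 news.example.org /index.html text/html
2010-08-11T10:00:02 10.0.0.5 ads.example.net /banner.js application/javascript
2010-08-11T10:00:03 10.0.0.5 landing.example.com /in.php text/html
2010-08-11T10:00:04 10.0.0.5 landing.example.com /pdf.php application/pdf
2010-08-11T10:00:05 10.0.0.5 landing.example.com /java.php application/java-archive
2010-08-11T10:00:06 10.0.0.5 landing.example.com /load.php application/octet-stream
2010-08-11T10:05:00 10.0.0.7 docs.example.org /manual.pdf application/pdf
2010-08-11T10:05:30 10.0.0.7 docs.example.org /index.html text/html
"""


def parse_line(line):
    """Split one log line into (time, client, host, content_type).

    Returns None for malformed lines so a bad record cannot abort the scan."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, host, _path, ctype = parts
    try:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%S")
    except ValueError:
        return None
    return when, client, host, ctype


def find_landing_pages(log_text, window=timedelta(seconds=60), min_carriers=2):
    """Flag (client, host) pairs where an HTML page is followed within `window`
    by at least `min_carriers` distinct exploit-carrier content types from the
    same host. Returns a sorted list of (client, host, sorted carrier types)."""
    per_pair = defaultdict(list)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec:
            when, client, host, ctype = rec
            per_pair[(client, host)].append((when, ctype))

    hits = []
    for (client, host), reqs in per_pair.items():
        reqs.sort()  # chronological order per client/host pair
        for i, (when, ctype) in enumerate(reqs):
            if ctype != "text/html":
                continue
            # Only carriers fetched AFTER the HTML page and inside the window count;
            # a PDF downloaded before a page (10.0.0.7 below) is ordinary browsing.
            carriers = {
                t for later, t in reqs[i + 1:]
                if t in CARRIER_TYPES and later - when <= window
            }
            if len(carriers) >= min_carriers:
                hits.append((client, host, sorted(carriers)))
                break  # one report per client/host pair is enough
    return sorted(hits)


if __name__ == "__main__":
    for client, host, carriers in find_landing_pages(SAMPLE_LOG):
        print(f"{client} -> {host}: landing page followed by {', '.join(carriers)}")
```

Run against the sample, only the `landing.example.com` sequence is reported; the client that opened a manual PDF and then a page on `docs.example.org` is not, because the carrier came before the HTML and alone. Raising `min_carriers` trades missed kits for fewer false positives on legitimate sites that serve both PDFs and applets.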

CNET reports that about $1 million has been stolen from United Kingdom bank accounts by using the Zeus Trojan. The interesting thing is that most antivirus products have not been able to detect this Zeus variant. Here’s a report from VirusTotal which shows the detections from known antivirus engines:

The report shows that only 4 antivirus engines were able to detect Zeus Trojan version 3. Let’s take a look at how this trojan works. The picture below shows the whole process of how the Zeus Trojan operates.
[Figure: how the Zeus Trojan works]
For those who want to go through this process in depth, here’s the PDF file that explains the whole process of this trojan. Till now there is no fix for this trojan (at least I have not been able to find one). Most antivirus companies are also not able to detect this trojan. So what can we do to minimize the damage done by this trojan?
If you’re in the UK, you should take special measures to avoid this trojan. First of all, make sure that the software on your computer is up to date with the latest security updates installed. In particular, the following software must be updated, since these are the programs the exploit toolkit targets:

  • Internet Explorer
  • Adobe Reader
  • Java Development Kit, including Java Web Start

Also make sure that you don’t download anything from unknown websites.
One technique used by the Zeus Trojan is getting the infected file downloaded through advertisements. Make sure that you don’t click on advertisements unless you’re sure they are legitimate. I have already written about how to block advertisements in Internet Explorer. If you’re using Firefox, you can use the Adblock Plus extension. I will post about a permanent fix for this trojan as soon as I get one. If anyone has a fix or some advice for the infected users, kindly share through the comments below.

3 responses to “Zeus Trojan And Password Stealer Detection And Removal”

  1. Kathy Feringa

    We are conducting a training class for our member credit unions on how to protect themselves from fraud and to let them know of the latest schemes so they can be aware. May we use your graph above of how the Zeus process works in our power point?

  2. Sanix

    Sure you can use the graph above. It’s taken from the report I’ve mentioned.

  3. amerkiller1995

    Symantec Security Response has really nice vids about viruses
    here about zeus