Despite high-profile busts in the U.S., U.K. and Ukraine of cybercriminals using ZeuS malware to steal from online accounts, ZeuS will evolve and remain an effective theft tool for a long time, security experts say.
"There's a community building it and supporting it," says Eric Skinner, CTO of Entrust. "There's no one person to take down. If one person stops updating, somebody else will pick up the task. It's not like when you shut down a software company and the product ceases to be developed."
That about sums up the main strength of ZeuS, which experts agree is the major malware framework available today. It's available; it's affordable; it works; its toolkit makes modifying it simple. And the core people who do the major development work have managed to elude capture, hiding behind layers of shifting command and control servers, ISPs, domain registrars and international borders.
"Even if we work with law enforcement, we're still not getting them," says Pedro Bueno, malware research scientist at McAfee Labs. "It takes several hops to get to them. We are real close to them but are never able to get to the final destination where they are."
The Zeus banking Trojan steals usernames and passwords from Windows machines so criminals can use them to illegally transfer money out of victims' accounts.
A relatively small group of eastern Europeans are considered to be the main developers responsible for creating new releases of the platform, which has been around since 2007.
For example, researchers recently discovered a ZeuS add-on that helps defeat a countermeasure banks use against thieves who have stolen online banking usernames and passwords with ZeuS. After users log in, the banks send SMS messages to their cell phones containing one-time codes that the customers must enter.
This two-factor authentication makes it more difficult for criminals to break into accounts, but the developers of ZeuS found a way. A mobile ZeuS Trojan grabs the one-time code and sends it to a ZeuS command and control server where criminals can use it to break into accounts, says Derek Manky, project manager for cyber-security and threat research at Fortinet. "That's an enhancement," he says.
Another recent development ties instances of the software to particular machines, so purchasers of ZeuS can't copy it endlessly or resell it. So far, there is no known way to break this licensing safeguard, Bueno says.
Developers also sell a ZeuS toolkit that lets purchasers customize it to their uses and modify its look so it can keep ahead of anti-virus vendors trying to identify signatures that can be used to block it, Skinner says. They can also tailor the Trojan to the requirements of breaking the security of specific banks, he says.
Plus it's easy to use, Manky says. "It's easy for anybody to pick this up without any sort of qualifications," he says. "There's no need to be very technically adept."