A bit about Zeus

As I posted a couple of weeks ago, the Zeus botnet was partially taken down after researchers worked with ISPs to disconnect them.  Even though this victory was only temporarily short-lived, it’s still nice to know that botnets can be targeted for takedown if enough people get together and concentrate their efforts.

From the MMPC Encyclopedia, Zeus is also referred to as Zbot but also goes by a variety of other names including Kollah, the Avalanche botnet or Wsnpoem.  Win32/Zbot is a trojan password stealer that can may bypass installed firewall applications to send captured passwords to an attacker. It also contains limited backdoor functionality that allows unauthorized access and control of an affected machine.

In the wild, Win32/Zbot has been observed distributed as an attachment to spammed e-mail. The e-mail is disguised as a security alert from Microsoft and the attachment may have a file name such as "officexp-KB910721-FullFile-ENU.exe". This trojan may also be encountered and installed when visiting a malicious Web page.

Below and for example, PWS:Win32/Zbot.PM may be downloaded from a malicious Web site disguised as a security alert from Microsoft as in the following example from the domain 'update.microsoft.com.il1ifi.com.mix' :


Win32/Zbot attempts to steal the sensitive information including certificates, cached passwords and cookies (but not Ritz crackers).  Take the following steps to help prevent infection on your system:

  • Enable a firewall on your computer.

  • Get the latest computer updates for all your installed software.

  • Use up-to-date antivirus software.

  • Use caution when opening attachments and accepting file transfers.

  • Use caution when clicking on links to Web pages.

  • Avoid downloading pirated software.

  • Protect yourself against social engineering attacks.

  • Use strong passwords.

More information on the MMPC blog is available here.

Skip to main content