Avast Academy Security Malware The Zeus Trojan: What it is, How it Works, and How to Stay Safe

The Zeus Trojan — What It Is, and How to Remove and Prevent it

The Zeus Trojan is an insidious malware kit commonly used to steal banking information. With millions of Windows computers infected, it’s one of the most widespread and successful strains of malware in the history of the internet. Learn how Zeus works and how you can keep it off your PC with world-class antivirus software like Avast One.

Editors' choice
Top Rated
Written by Ivan Belcic
Published on February 7, 2022

What is the Zeus Trojan?

The Zeus Trojan, Zbot, or ZeuS: all these names refer to a devious collection of malware that can infect your computer, spy on you, and collect sensitive personal details. Zeus also conscripts your computer into a botnet, which is a massive network of enslaved computers that can be controlled remotely.

Hamburguer menu icon

This Article Contains :

    Though Zeus peaked in the early 2010s, its source code leaked in 2011, making Zeus available for anyone to use as a template for their own malware. Many Zeus-based malware strains have gone on to cause widespread damage and become notorious examples of malware in their own right.

    How does the Zeus Trojan work?

    The Zeus Trojan is a package that contains multiple elements of malicious code that work together to infect your computer. Like all Trojan malware, Zeus must trick you into installing it — mistakenly thinking the malware is helpful, you welcome it onto your device. Once it gets inside, it unleashes its malicious payload — just like the soldier-filled wooden horse of Greek legend.

    How does Zeus get on my computer?

    Zeus infects its victims through two primary vectors: phishing emails and malicious downloads. The phishing attacks fool people into downloading and opening malicious attachments. Once opened, the attachments install the Zeus malware package. Other phishing emails may contain links to infected websites.

    Zeus can also hide in malicious online ads, which when clicked download malware onto a victim’s computer. Infected websites can automatically download Zeus to your computer when you visit, and Zeus can also hide in otherwise legitimate product downloads.

    The Zeus Trojan infects victims through phishing emails or malicious online ads.The Zeus Trojan often infects victims through phishing emails or malicious online ads.

    What does Zeus do?

    Since Zeus is available as open-source malware, its effects can vary widely. Historically, it’s had two consistent roles:

    1. Steal sensitive information. Zeus is known as a banking Trojan, but it can steal anything its operator wants it to steal: system information, stored passwords, online account credentials, and more.

    2. Build a botnet. Zeus maintains contact with its operator through a command-and-control (C&C) server so that it can remotely receive additional instructions. The operator can hijack the victim’s computer and install more malware.

    Zeus originally stole passwords via Internet Explorer’s Password Store feature: Zeus simply helped itself to any passwords stored in the browser. If Zeus detected that the victim was visiting a banking site, it would use keylogging or form-grabbing methods from within the browser to capture usernames and passwords.

    Keylogging records your keystrokes as you type, while form-grabbing captures content you enter into website form fields before the info is sent to a website’s server. That way, Zeus’s creators never had to overcome the security features on the banking sites themselves.

    Zeus can also intercept legitimate websites and add additional forms to provide the operators with even more personal information.

    The Zeus Trojan can use keylogging methods to steal personal data like info entered into form fields.The Zeus Trojan can record keystrokes to steal data you enter into website form fields.

    What is Zeus used for?

    Zeus was originally designed to steal sensitive banking information. As early as 2009, Zeus had hit computers at Bank of America, NASA, Amazon, and many other organizations, infecting an estimated 3.6 million computers that year.

    The cybercriminals behind Zeus would transfer funds out of their victims’ accounts and funnel the money back to themselves via intermediaries known as money mules. These mules would receive the stolen funds and redirect them onward, obscuring the final destination of the money.

    Zeus would also give remote access to the machines it infected. This led to the creation of the Gameover ZeuS botnet, Zeus’s most infamous successor. Botnets are often used to send spam or phishing emails, or to conduct DDoS attacks.

    In 2010, the FBI successfully penetrated the Zeus cybercrime ring, arresting over 100 people in the US, the UK, and Ukraine. By that time, the group had managed to pilfer over $70 million from victims of Zeus attacks.

    What’s the difference between Zeus and Gameover ZeuS?

    Gameover ZeuS was one of the many pieces of malware built on the foundations of the original Zeus source code after it was made public in 2011. Unlike its predecessor, Gameover ZeuS featured an encrypted peer-to-peer botnet structure that made it much more difficult for law enforcement to parse.

    In addition to banking fraud, the new Zeus botnet was also used as a vector to spread the formidable CryptoLocker ransomware. As before, victims would inadvertently join the botnet after succumbing to phishing emails. Once their computers were connected, they were infected with ransomware.

    An international cybersecurity effort known as Operation Tovar finally cracked Gameover ZeuS in 2014, which also resulted in the CryptoLocker decryption keys being made available to the public for free. Still, the folks behind the ransomware were able to escape with approximately $3 million in ransom fees.

    Coincidentally, that’s the same amount currently offered by the FBI in return for information leading to the arrest of the person they believe is responsible for Gameover ZeuS.

    Zeus’s legacy

    Gameover ZeuS might be the most famous malware to use Zeus code, but it’s far from the only one. Here’s a quick look at other Zeus-inspired malware:

    • Cthonic can access a victim’s webcam and microphone in addition to their personal information.

    • Citadel targets a victim’s password manager by attempting to access its master password, and it can also block the websites of various antivirus providers.

    • Atmos emerged in 2015 and targeted banks directly, harvesting financial data and leaving ransomware in its wake.

    • Terdot hunts for social media and email credentials in addition to a victim’s banking information.

    How to remove Zeus Trojan malware

    If your computer becomes infected, the best way to remove Zeus Trojan malware is to use a Trojan removal tool. Download the anti-malware software, and then clear out the Trojan infection like you would remove a computer virus.

    1. Download strong antivirus software from a reputable provider.

    2. After installation, restart your computer in Safe Mode to prevent any malware from connecting to the internet.

    3. Scan your computer for malware with your newly installed antivirus software to detect Trojans or any other malware.

    4. If any malware is found, follow the instructions to remove it.

    How to prevent a Zeus infection?

    While you don’t have to worry about the original Zeus Trojan anymore, its lasting influence is still present in today’s malware landscape. Add the following tips into your digital lifestyle to prevent Zeus and its descendents from stealing your information.

    • Learn to recognize phishing attacks. Cyber attackers often masquerade as trusted contacts or institutions, like your bank, to fool you into downloading infected attachments or visiting unsafe websites. If you feel like something is off about a certain email, trust your gut and delete it.

    • Don’t download unknown attachments or click links you don’t trust. If you’re sent an attachment you’re not expecting, or if you receive a link out of the blue via email or on social media, don’t engage. Delete it and turn away.

    • Don’t click online ads. As mentioned above, online ads can give you malware in a practice known as malvertising. When you click the ad, it infects your device. Ignore online ads and consider using an adblocker or a secure browser if you aren’t already.

    • Always update your software. Outdated software is vulnerable to malware infection, whereas current software contains the most updated protections. Hackers can exploit vulnerabilities in old software to infect your device.

    • Don’t store passwords in your browser. It’s easy for malware with access to your browser to get inside and find all the passwords you’ve stored there.

    • Use a password manager, but don’t save your master password. A good password manager stores your passwords securely and helps you create hard-to-crack passwords. Your master password unlocks your stored passwords — if this gets stolen by malware like Citadel, all your passwords are vulnerable. Just memorize it.

    • Download licensed software only from official sources. You can greatly reduce your risk of getting a Trojan if you avoid unofficial or unlicensed software. Torrents are tempting, but you can’t be totally sure that what you’re getting doesn’t have any malware bundled with it.

    • Use antivirus software. Strong antivirus software will detect and block Zeus-based malware before it can infect your machine. And if you do get an infection, your antivirus will quarantine and remove the malware. Download free antivirus software for Windows 10 or Windows 11.

    Protect your personal info with award-winning antivirus

    Avast One will block infected downloads, prevent you from accessing infected websites, and detect malware on your machine. If you’re already infected, you’ll be able to scan your device from top to bottom and clear out the malware.

    When you choose an antivirus solution from a reliable industry leader, you’re getting a cutting-edge cybersecurity tool that’s continuously updated against the latest malware threats. Since anyone can use Zeus’s source code to build their own malware, your best defense is a cybersecurity tool that’s ready to fight back.

    Protect your iPhone against online threats with Avast One

    Free install

    Block the Zeus Trojan and other malware with Avast One

    Free install
    Ivan Belcic