Will the real Zeus botnet please stand up?

30 Apr 2010

minute read

Authors

Roel Schouwenberg

Amongst some others the Zeus bot is one of the most prolific bots in the wild and in the media. Lately there has been quite a few reports on the aspects surrounding Zeus, such as new research and the Troyak takedown.

Naturally, this is great news. However, awareness is still lacking and the heavy reporting around Zeus is making more people aware of the sophistication of the cyber criminal underground. Unfortunately, In many of the reports there is a recurring incorrectness. These reports talk about “the Zeus botnet”, which is an inaccurate reflection of reality.

The reality is that there are many, many different Zeus botnets all maintained by different cyber criminals. The amount of unique Zeus botnets is likely to be in the hundreds. The cyber criminals behind the Zeus bot will sell it to anyone who can then start their own unique botnet. Going even further there are some side-branches of Zeus maintained by other cyber criminals.

Given this situation it’s not unlikely that in a large enterprise machines may be infected with Zeus bot variants which are controlled by different cyber criminals and therefore belong to different Zeus botnets.

In order to create greater distinction we’ve seen a security company give a particular Zeus botnet another name when talking about it in the media. From my own perspective this novel idea didn’t quite work as it seemed to cause more confusion rather than less.

Sadly, I’m not convinced that a botnet naming convention for variants of a particular bot will help the public have a better understanding in the short term. So where does that leave us? Well, I think there is an easy guideline.

If the security community is reasonably sure that a certain bot is controlled by one cyber criminal group we can refer to the threat as a botnet. Examples of this rule are Conficker, Storm and Mebroot. If the bot is available in the underground we should refer to the threat as bot or botnets created by the following bot. Examples of this rule are Zeus, SpyEye and Poison Ivy.

Authors

Roel Schouwenberg

Will the real Zeus botnet please stand up?

Latest Posts

Latest Webinars

Reports

In this report Kaspersky researchers provide an analysis of the previously unknown HrServ web shell, which exhibits both APT and crimeware features and has likely been active since 2021.

Asian APT groups target various organizations from a multitude of regions and industries. We created this report to provide the cybersecurity community with the best-prepared intelligence data to effectively counteract Asian APT groups.

We unveil a Lazarus campaign exploiting security company products and examine its intricate connections with other campaigns

How Kaspersky researchers obtained all stages of the Operation Triangulation campaign targeting iPhones and iPads, including zero-day exploits, validators, TriangleDB implant and additional modules.

Will the real Zeus botnet please stand up?

GReAT Ideas. Balalaika Edition

GReAT Ideas. Green Tea Edition

GReAT Ideas. Powered by SAS: malware attribution and next-gen IoT honeypots

GReAT Ideas. Powered by SAS: threat actors advance on new fronts

GReAT Ideas. Powered by SAS: threat hunting and new techniques

ZeroLocker won’t come to your rescue

A Post-PC BlackHat?

Adobe Updates April 2014

Trust. Trust. Trust

Adobe’s First Patch Tuesday of 2014

How much security is enough?

TOP 10 unattributed APT mysteries

The future of cyberconflicts

Researchers call for a determined path to cybersecurity

What does it take to become a good reverse engineer?

Latest Posts

Using the LockBit builder to generate targeted ransomware

Android malware, Android malware and more Android malware

Threat landscape for industrial automation systems. H2 2023

A patched Windows attack surface is still exploitable

Latest Webinars

The Future of AI in cybersecurity: what to expect in 2024

Responding to a data breach: a step-by-step guide

2024 Advanced persistent threat predictions

Overview of modern car compromise techniques and methods of protection

Reports

HrServ – Previously unknown web shell used in APT attack

Modern Asian APT groups’ tactics, techniques and procedures (TTPs)

A cascade of compromise: unveiling Lazarus’ new campaign

How to catch a wild triangle

Subscribe to our weekly e-mails