Guide to Zeus Infections

Description of Issue

Zeus, ZeuS, or Zbot is a trojan horse worm that runs on versions of Microsoft Windows, and can involved infected websites as part of the Command&Control (regardless if the websites are hosted on Linux or windows servers).  While it is capable of being used to carry out many malicious and criminal tasks, it is often used to steal banking information by man-in-the-browser keystroke logging and form grabbing. It is also used to install the CryptoLocker ransomware.  Zeus is spread mainly through drive-by downloads and phishing schemes. Zeus controllers can fine tune the copy of Zeus they are using to steal only information they are interested in such as login credentials for online social networks, e-mail accounts, online banking or other online financial services.

Several variant of Zeus have been released like 'Game Over Zeus', 'Citadel' or 'KINS' Banking Trojans.


Background of Issue

First identified in July 2007 when it was used to steal information from the United States Department of Transportation, it became more widespread in March 2009. In June 2009 security company Prevx discovered that Zeus had compromised over 74,000 FTP accounts on websites of such companies as the Bank of America, NASA,, ABC, Oracle,, Cisco, Amazon, and BusinessWeek.

Platforms Affected

  • Websites

Zeus banking trojan can use infected websites as part of the Command&Control platform. In such case, the infected websites are used to distribute configuration files, perform exfiltration of data that has been stolen, or host the botnet administration panel. Compromised accounts databases could also be modified to inject Zeus trojan data.

ZeuS Tracker usually monitors these websites:

Zeus related malicious files are usually named config.bin , bot.exe , gate.php and cp.php

  • Workstations

On the infected workstations, the banking trojan will steal information such as login credentials or online banking data. All known versions of the Windows operating system are affected.

  • VPN services

Servers and workstations behind a VPN may be infected and therefor a report of infection may be sent about the machine providing Internet connectivity when the infection is actually on a computer using the VPN.

Suggestions for Resolution

If your website is compromised: We suggest that you use the Malicious URL Troubleshooting and Guidelines to investigate, clean, and secure the compromised account.

If your workstation is compromised: We suggest that you remove the malware (several anti-viruses can be used). However, as there are many variant of Zeus malware and no utility can effectively detect and remove all versions of this software from all operating systems with a 100% success at this time, you should consider re-installing your operating system, and change all credentials used on the compromised machine.

If you are running a VPN service used to transmit Zeus traffic: We suggest that you identify the related account, close it, and warn it that it has been identified as part or a Zeus banking trojan botnet.


Recommendation for Resolution

  1. Remove Zeus Trojan Master Boot Record infection with Kaspersky TDSSKiller
  2. Run RKill to terminate Zeus Trojan malicious processes
  3. Remove Zeus Trojan virus with Malwarebytes Anti-Malware Free
  4. Remove Zeus Trojan infection with HitmanPro
  5. Double check for any left over infections with Emsisoft Emergency Kit
  6. Remove Zeus Trojan adware with AdwCleaner
  7. Remove Zeus Trojan browser hijacker with Junkware Removal Tool


Article is closed for comments.
Powered by Zendesk