
Zeus malware: its history and how it works

Zeus is a type of malware that can infect your devices, use them as part of a botnet, and spy on your data. This malicious software often targets Windows users, but new variants are emerging which can also infect mobile operating systems.

Malcolm Higgins


What is Zeus malware?

Zeus, also known as Zbot, is a kind of malware, referred to as a trojan, which can secretly install itself on your device. Like most of the worst computer viruses, it can steal your data, empty your bank account, and launch more attacks. Once the infection has occurred and it's active on your computer, it will usually do one of two things.

It can add your device to a Zeus botnet: a network of infected devices that all answer to one command center. You might never realize that your device is being used in Zeus botnets, but hackers can leverage this army of compromised computers and smartphones to launch DDoS attacks on other targets.

Alternatively, the Zeus trojan can spy on you directly, stealing sensitive information from your device and feeding it back to a cybercriminal. Again, its presence on your device may be almost unnoticeable, so you might not realize you’re being targeted until it’s too late.

Zeus first appeared around 2007. Like many forms of malware, the Zbot was initially used to steal banking information. However, in 2011, the source code was released to the public, allowing multiple new variants to be created. The original code has apparently been retired, but new generations of Zeus trojans are still active today.

Technical details

ZeuS 2.0.8.9 (as it was originally known) comes in many forms. In fact, there are hundreds of documented versions of the ZeuS trojan, although most of them serve a similar function: a Zbot is meant to steal data and money, or build a botnet.

If it’s targeting your data, a Zeus trojan will usually attempt to gather the following:

  • Keystroke data
  • POP and FTP account credentials
  • Cookies and tracker information
  • Login credentials
  • HTTP form data

In the case of botnet builders, the process will be less focused on stealing the specific data of a user. Instead, the device will be installed with hidden software, allowing it to be controlled remotely by the hacker.

At a later date, it can then be used, along with the rest of the botnet, to flood servers and online systems with artificially inflated traffic. This can force websites offline and make networks inaccessible, in what’s known as a distributed denial of service (DDoS) attack.

Types of Zeus malware

While the original Zeus malware is no longer active, there are numerous copycats that use the same or similar code. Here are just a few Zeus malware examples.

SpyEye. This is a particularly nasty malware that is thought to use code from the original Zeus virus. It usually targets your browser, recording your keystrokes until it manages to get the login credentials for your accounts. It can even initiate transactions while you’re logged into an online banking portal, sending funds directly to the hacker.

Gameover ZeuS. Originally created by Russian hackers, Gameover ZeuS focuses on conscripting devices into a botnet. What sets it apart from similar variants is its use of an encrypted peer-to-peer communication system, making it much harder for the authorities to track down whoever is operating it.

Ice IX. Another descendant of Zeus is Ice IX, a botnet system partially built on the code of the original malware. It’s a multifunctional tool, and can be used both to manipulate online financial transactions and to launch botnet-driven attacks.

The history of Zeus

So what do we know about the history of Zeus? And where did it originate?

Where did Zeus come from?

It was first identified in 2007, when it was used by hackers to target the United States Department of Transformation.

Who created the Zeus virus? Like all malware, it’s impossible to say for sure where it originated, but some law enforcement agencies have claimed that it was created in Eastern Europe.

What we know for certain is that in 2011, the creator of the original Zbot made the malware code public — or had it leaked unintentionally — allowing it to spread faster than ever.

The creator may also have sold his original code to the criminals who invented SpyEye, although in 2013 the creator of SpyEye was arrested, and subsequently pleaded guilty to conspiracy to commit wire and bank fraud.

The biggest attacks

Zeus and its variants have been successfully used to target huge organizations like Amazon, Bank of America, and even NASA. At its height, the original Zeus virus was infecting several million devices a year.

While it’s been used very effectively against larger corporations and government bodies, it has also been deployed against individuals, roping the devices of unsuspecting internet users into botnets.

How does Zeus malware work?

So how does the Zeus virus work? First, it needs to get onto your device, which it can do using one of two main tactics.

The malware can be installed through phishing emails. In this case, the hacker sends an email containing a link that will trigger the malware infection. They will try to convince the receiver to click the link, possibly by pretending to be a recognised sender like a bank or even a coworker.

Alternatively, the malware can be delivered through the code in a website, a method known as a drive-by download. The hacker might set up a fake website to do this, but they can also try to infiltrate real websites, turning them into malware distributors.

Once the infection has occurred, the malware can be operated remotely from the hacker’s command and control center.

How to tell if your computer is infected with Zeus malware

One thing that makes the Zeus virus effective is how hard it is to tell if your device is infected. However, there are several indicators that you might be dealing with malware.

  • Your device slows down suddenly. A noticeable drop in operating speed may occur when malware is at work behind the scenes.
  • You notice unusual banking activity. If you regularly use an online banking portal on your computer, and you notice unusual transactions on your account, that could be a sign that you’re dealing with a Zeus virus.
  • An unknown program appears on your system. If you see a program running on your system, and you don’t remember downloading it, it could be malware. This is even more true if it’s continually using a lot of processing power.
  • Your device is overheating. Because the malware may be carrying out extensive activity while you’re using your device, you may notice the hardware overheating. If this starts to happen suddenly, it could be a red flag.

How to prevent Zeus attacks

The best way to prevent Zeus attacks is to avoid malware infection. Here are three ways to do that.

    1. Be extra vigilant around unexpected emails. If you receive a message urging you to click a link, think twice before doing so. Do you know the sender well? Does anything else about the email look unusual? Look out for spelling errors or strange sender email addresses. Phishing attacks are one of the easiest ways for hackers to spread Zeus malware.
    2. Don’t click on internet ads. While most online ads are just annoying, some can be dangerous. Malicious advertising, or malvertising, is another way to spread malware. Hackers create adverts that look genuine, and then infect anyone who clicks on them. Some can even trigger a virus download the moment you load a page on which they appear. That’s why using an ad blocker is also a good idea; if your browser doesn't show you ads, you're less likely to see a Zeus virus pop up.
    3. Use Threat Protection. To improve your defenses against malware, start using NordVPN’s Threat Protection feature. This will help you avoid websites that are known to be linked to malware, and will make it less likely that you’ll stumble onto a hacker’s page. It will also help you to identify malware-ridden files.
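
The checks from the first tip (unusual sender details, links that do not lead where they claim) can be partly automated. The following is an added example, not part of the original article; the sample message, its domains and all function names are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real message); every name, domain and address is a placeholder.
SAMPLE = """\
From: "Example Bank Support" <alerts@example-bank.test>
Reply-To: collect@mailbox.test
Content-Type: text/html

<p>Please <a href="http://198.51.100.7/login">https://www.example-bank.test/login</a> now.</p>
"""

class LinkCollector(HTMLParser):  # collects (href, visible text) for every <a> element
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host(url):  # lower-cased hostname; also accepts bare text like "www.site.test/x"
    return (urlparse(url if "://" in url else "//" + url).hostname or "").lower()

def domain_of(header_value):  # domain part of a From / Reply-To header
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def phishing_flags(raw):  # returns the warning signs found in one raw e-mail message
    msg, flags = message_from_string(raw), []
    reply = domain_of(msg["Reply-To"])
    if reply and reply != domain_of(msg["From"]):
        flags.append("reply-to domain differs from sender domain")
    parser = LinkCollector()
    parser.feed(msg.get_payload())
    for href, text in parser.links:
        shown = host(text) if text.lower().startswith(("http://", "https://", "www.")) else ""
        if host(href).replace(".", "").isdigit():
            flags.append("link target is a raw IP address")
        if shown and shown != host(href):
            flags.append("link text shows a different host than its target")
    return flags
```

A message that raises none of these flags can still be malicious; the checks only catch the mismatches described in the tip above.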


Malcolm Higgins
Malcolm is a content writer specializing in cybersecurity and tech news. With a background in journalism and a passion for digital privacy, he hopes his work will empower people to control their own data.