exe file. But, the configuration file differs from one botnet to the other.
Server
The server component of the toolkit is basically a set of PHP scripts that monitor, command, and collect information from the infected computers.
Steps of Infection
Zeus malware typically follows the steps mentioned below to infect a computer :
- Firstly, the attackers use social engineering techniques to trick the victims into downloading the malware. They may send phishing emails with malicious links or use other methods to convince the victims to click on the malicious links. The malware can even be downloaded by exploiting security vulnerabilities of commonly used software on the victim’s computer.
- The malware copies itself to a location, executes the copy, and then deletes it to avoid detection.
- After the installation, the malware changes the browser settings of the victim’s computer. Zeus typically uses a Man-In-The-Browser attack (What is a Man-In-The-Browser Attack?) to steal the sensitive credentials of the victims.
- The malware then injects code into other processes in the victim’s computer.
- The injected code hooks APIs in each process.
- Next, the configuration file gets downloaded from the server controlled by the attackers.
- The malware then uses API hooks to steal sensitive data, especially the banking credentials of the victims.
How does the Zeus malware steal the sensitive data of victims?
As mentioned earlier, Zeus uses the Man-In-The-Browser attack to steal the banking credentials of the victims. It typically follows the steps mentioned below to steal the sensitive data of the victims:
- After infecting a computer, the trojan installs a malicious extension on the victim’s browser. When the user restarts the browser, the extension is loaded automatically.
- The extension registers a handler for every page load, which tracks all the pages loaded by the browser and matches them with a list of known websites.
- Whenever the user loads a page of a banking website, the extension registers a button event handler.
- The user authenticates to the banking website by providing his credentials. When the user fills out a form for financial transactions, the extension intercepts the communication. It notes down the data entered by the user but modifies it and sends the modified data to the banking web application.
- The web application performs the transaction as per the modified data and sends the receipt.
- The extension again intercepts the communication. It modifies the data in the receipt with the data entered by the user originally.
- The user gets the modified receipt filled up with the data he provided.
0 Comments