Latest Zeus Trojan Supersedes Antivirus, Undetectable

Dennis Faas's picture

Just when security companies have developed new ways of dealing with the infamous Zeus Trojan, a variant characterized as the "Son of Zeus" has arisen. Worse yet, the variant has the trait of being virtually undetectable by conventional antivirus applications.

About the Zeus Trojan and MS Windows

The Zeus Trojan made headlines back in 2009 as a "highly customizable" tool for hackers. It's main mission is to sniff out financial information and break into online bank accounts. Security experts estimate that the Zeus Trojan has been used to infiltrate tens of thousands of PCs around the world. Owners of infected PCs are unaware their computers are even infected, with the majority (if not all) of infections targeting MS Windows PCs. (Source:

Zeus a Persistent Threat, Continues to Morph

The Zeus Trojan continues to be a persistent threat and was responsible for stealing 3 Million US Dollars (as of October 1st, 2010) and a reported 6 Million British Sterling from UK bank accounts (Source:

The latest revision of the Trojan ("Son of Zeus") Trojan is codenamed "TSPY_ZBOT.BYZ," according to security experts. The reason why it is able to slip by conventional antivirus programs is because it imports a large number of application programming interfaces (API's), making it difficult to know (or even predict) where it will strike next. (Source:

New Variant More Efficient Than Original

As is the case with most types of malware variants, the newer version is somewhat different (and much more efficient) than its predecessor. It is also different in its compression and can foil a detection system based on calculable entropy. In a nutshell, calculable entropy pertains to finding where in the viral code certain trigger routines might be hidden and gives TSPY_ZBOT.BYZ its "undetectable" status.

With most forms of malware, security companies are able to isolate the virus in a virtual "sandbox" and track how the code was executed, what system changes it made and any network traffic it generated. Thus, Zeus (in all of its forms) refuses to "play in the sandbox". (Source:

Conventional Antivirus Not Sufficient

This spells disaster for most security companies whose primary focus is to keep their customers safe. As Trend Micro research engineer Julius Dizon expressed, "To properly guard against this threat, conventional antivirus is not sufficient. Only improved detection techniques and proactive blocking of the websites, working together, can protect users."

Last Tuesday, Microsoft's Malicious Software Removal Tool (MSRT) was able to detect the original Zeus Trojan and has since removed 281,491 infections as of yesterday. (Source:

Rate this article: 
Average: 5 (1 vote)