Comodo AV Labs Identifies Dangerous Zeus Banking Trojan Variant

April 3, 2014 | By Editor

Comodo Antivirus Labs has identified a new and extremely dangerous variant of the Zeus banking Trojan. Hackers use Zeus to launch attacks that obtain the login credentials of visitors to online banking sites and commit financial fraud. What makes this variant significant is the combination of a legitimate digital signature, a rootkit and a malware component. Malware carrying a valid digital signature is an extremely dangerous situation.

A digital signature assures browsers and antivirus systems, such as Antivirus for Windows 8, that a file is legitimate and not a threat. Versions of Zeus have been around for several years, but with a valid digital certificate antivirus systems are much less likely to take action, or will give lower levels of warning.

The Comodo team identified the Zeus variant because they continuously monitor and analyze scan data from the users of Comodo’s internet security systems. They have found over 200 unique hits for this Zeus variant from our users so far.

Zeus is distributed to a wide audience, primarily through infected web page components or through email phishing. The phishing emails appear to be from a trusted source, such as a major bank, but are actually from hackers.

A Typical Attack

The type of attack launched by Zeus is called a “Man-in-the-Browser” (MitB) attack. The hackers are sent the information required to create a remote session in which they can see exactly what the victim is doing and interfere with their actions without their knowledge.

For example, if the attack victim goes to an online banking site to perform a transaction, such as transferring funds, they see everything as occurring normally. The payment information they keyed will display as expected, but behind the scenes the hackers will alter the transaction and send it to another account with possibly a larger amount.

The hackers work with “Money Mules” who establish bank accounts using false credentials and receive a commission for handling ill-gotten gains.

Protecting from Zeus

To stay protected from such threats, install Comodo Internet Security and make sure to keep all of its real time shields enabled.

Technical Details

There are three components to an attack launched by Zeus:

  1. The Downloader: Delivered to the user system by an exploit or an attachment in a phishing email. It will download the rootkit and malware component of the attack.
  2. The Malware: In this case it is a data stealer, the program that will steal valuable user data, login credentials, credit card info, etc. that the user keys into a web form.
  3. A Rootkit: A rootkit hides the installed malware component, protecting it from detection and removal.

Comodo first learned of the variant from a sample submitted by a Comodo user. It attempts to trick the user into executing it by presenting itself as some type of Internet Explorer document, including an icon similar to the Windows browser. What is alarming about this is that the file is digitally signed with a valid certificate, making it appear trustworthy at first glance. The digital certificate is issued to “isonet ag”.

Upon running, the file copies itself into memory, appends the full path it was executed from to the end of the file, and then writes the result to %temp%\tahol.exe.

That file is then executed and the installer exits.

Next, the executed file tries to download the rootkit components from two web locations, and

After decrypting the downloaded payload, the rootkit is installed in the “Boot Bus Extender” driver load-order group to make sure it loads before other drivers. Its purpose is to protect the malicious files and autorun entries from being deleted by the user or by antivirus software, which makes the removal process more difficult.

The protected executable that is added to startup is a variant of the known Zbot banker trojan, designed to retrieve banking and other sensitive data from the user’s computer.
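The two defensive checks that follow from the details above are (a) whether anything unexpected is registered in the “Boot Bus Extender” load-order group, and (b) whether a file's Authenticode signature merely validates or actually chains to a publisher you trust, since this sample is validly signed yet issued to “isonet ag”. The PowerShell below is an added example written for this post; it is not Comodo's code or tooling. It assumes a Windows host with PowerShell 3 or later, and the allow-list of signer subject patterns is a constructed placeholder that has to be adapted to the environment.

```powershell
# Added example (not Comodo's code): review drivers in the "Boot Bus Extender"
# load-order group and check their Authenticode signers against an allow-list.
# Assumptions: Windows with PowerShell 3+; the patterns below are placeholders.

$TrustedSignerPatterns = @(
    'CN=Microsoft Windows*',          # constructed allow-list entry; adapt per environment
    'CN=Microsoft Windows Hardware*'  # constructed allow-list entry; adapt per environment
)
$ServicesKey = 'HKLM:\SYSTEM\CurrentControlSet\Services'
$SystemRoot  = $env:SystemRoot

function Resolve-DriverPath {
    param([string]$ImagePath, [string]$ServiceName)
    # ImagePath is usually relative ("system32\drivers\x.sys") or NT-style
    # ("\SystemRoot\system32\drivers\x.sys"); when absent, the driver lives at
    # the default location system32\drivers\<service>.sys.
    if ([string]::IsNullOrEmpty($ImagePath)) {
        return Join-Path $SystemRoot "system32\drivers\$ServiceName.sys"
    }
    $p = $ImagePath -replace '^\\\?\?\\', '' -replace '^\\SystemRoot\\', "$SystemRoot\"
    if (-not [System.IO.Path]::IsPathRooted($p)) { $p = Join-Path $SystemRoot $p }
    return $p
}

function Get-SignerVerdict {
    param([string]$Path)
    # A "Valid" status only proves the certificate chain verifies; the signer
    # subject must also be one we deliberately trust, otherwise flag for review.
    if (-not (Test-Path $Path)) {
        return [pscustomobject]@{ Status = 'Missing'; Signer = '<file not found>'; Flag = 'REVIEW' }
    }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    $trusted = $false
    foreach ($pattern in $TrustedSignerPatterns) {
        if ($subject -like $pattern) { $trusted = $true }
    }
    $flag = if ($trusted -and $sig.Status -eq 'Valid') { '' } else { 'REVIEW' }
    return [pscustomobject]@{ Status = $sig.Status; Signer = $subject; Flag = $flag }
}

# (a) Everything registered in the "Boot Bus Extender" group, with its signer.
$report = foreach ($svc in Get-ChildItem $ServicesKey) {
    $props = Get-ItemProperty -Path $svc.PSPath
    if ($props.Group -ne 'Boot Bus Extender') { continue }
    $path    = Resolve-DriverPath -ImagePath $props.ImagePath -ServiceName $svc.PSChildName
    $verdict = Get-SignerVerdict -Path $path
    [pscustomobject]@{
        Service = $svc.PSChildName
        Start   = $props.Start      # 0 = boot start
        Path    = $path
        Status  = $verdict.Status
        Signer  = $verdict.Signer
        Flag    = $verdict.Flag
    }
}
$report | Sort-Object Flag -Descending | Format-Table -AutoSize

# (b) The dropper location named in the post, checked the same way.
$dropper = Join-Path $env:TEMP 'tahol.exe'
if (Test-Path $dropper) {
    $v = Get-SignerVerdict -Path $dropper
    Write-Warning ("{0} present: signature {1}, signer {2} {3}" -f $dropper, $v.Status, $v.Signer, $v.Flag)
}
```

Run it from an elevated prompt so every driver file is readable. Lines marked REVIEW are not necessarily malicious; a legitimate third-party bus driver will show up too, which is exactly why the decision is made on the signer subject and not on whether the signature verifies.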



    Aggravatorx April 4, 2014 at 1:08 am

    AT-A-BOY Comodo that’s the way to stop the bad guys
    keep up the great work!!!!!!!!!!!!

      Kevin Judge April 4, 2014 at 1:36 pm

      Unfortunately, the bad guys keep coming at us.
      That is why we are stressing a containment approach, using sandboxing.
      You have to assume that some threats will get through, but you then isolate them where they can do no harm

    someone April 4, 2014 at 5:39 pm

    Can you post on how to block it explicitly?

      Kevin Judge April 4, 2014 at 8:55 pm

      You should be safe from any variant of Zeus with Comodo Internet Security.
      If the detection layers do not identify it, the worst that can happen is that it runs in the secure sandbox where it can do no harm.

      If you are really concerned about infection, you can run your browser in the sandbox or use the Virtual Desktop so you are always operating in a secure environment

    taranis April 5, 2014 at 11:12 am

    Having watched (from the sidelines) a recent compromise and cleanup of a system by a Zeus variant (protected, incidentally, by a vastly inferior AV product which didn’t prevent/detect the infection), could someone clear up a couple of points about Zeus I’ve been wondering about.

    rootkit: Am I correct in assuming for the malware to install this component, this requires that the compromised account on the infected system had admin privileges.

    disinfection: Assuming that the user-admin privilege separation works as advertised on Windows, can Zeus be safely removed from compromised user accounts by running the AV scanner as admin on the same infected system? (Not that this would be my normal practice – mine is the pocket with multiple bootable USB sticks c/w WinXP/7 PE AV & rescue software – and DVDs containing the same in the bag)

      Kim April 7, 2014 at 3:14 pm

      “rootkit: Am I correct in assuming for the malware to install this component, this requires that the compromised account on the infected system had admin privileges.”

      Taranis, if the victim doesn’t have administrative rights, the binary will attempt to exploit a vulnerability listed as CVE-2010-4398.

      Users who are patched against this already aging vulnerability will see a UAC (User Account Control) prompt.

      Windows XP users are a bit safer as the rootkit can’t prompt for permission to load itself.

      The exploit (CVE-2010-4398) relies on a specially crafted registry entry and the use of a system function associated with “End-User Defined Characters” (EUDCs).



    Starlight April 6, 2014 at 8:06 pm

    Solution is simple.

    Just run ‘mmc’, add the Certificate plug-in selecting the system account. Then track down the root that signs the miscreant intermediate: CN=“VeriSign Class 3 Public Primary Certification Authority – G3”.

    Then uncheck the “code signing” property of the root CA.

    I doubt any important drivers are signed via this path. Verisign is stupid, so just whack the origin of the stupidity.

    I killed this CA cert off for code awhile ago as several evil drivers are indirectly signed by it.

    Lezur April 6, 2014 at 10:14 pm

    Should I untick the “Trust applications signed by trusted vendors” from Advanced Settings > Security Settings > File Rating > File Rating Settings to mitigate this and any future malware using a similar technique?

    Leon April 7, 2014 at 5:40 am

    Awesome post, quick Q? Where is the most common place to pick this up?

    JokoYo April 7, 2014 at 11:59 am

    Your content has been jacked and plagiarised: The image is yours and there is no attribution

    ok April 7, 2014 at 1:07 pm

    Comodo thinking that digital signatures are some kind of magical protection is so cute.

    Bozo April 8, 2014 at 5:53 am

    Can you publish the sample/MD5 of the analyzed file?

    Rob April 8, 2014 at 12:55 pm

    I want to understand the details better. Here is a question.

    Is the malware an .exe file disguised with an IE look-alike icon?

    lans April 15, 2014 at 12:39 pm

    Please provide the full certificate subject – that way, those of us that use MS AppLocker can pre-emptively block it. E.g., like this for Flash.

    CN = Adobe Systems Incorporated
    OU = Digital ID Class 3 – Microsoft Software Validation v2
    OU = Flash Player – Fortnight
    O = Adobe Systems Incorporated
    L = San Jose
    S = California
    C = US

    (Would be so nice if all Malware authors were to do this.. how much easier it would make life)

    Rod Scott April 17, 2014 at 1:25 pm

    I just want to read stuff. Thanks Comodo

    Kevin Judge April 4, 2014 at 9:02 pm

    Thanks for your blog.
    Just to be clear, while over 200 users are known to be targeted by the Zeus variant none have actually been harmed.
    If the threat was not deleted or quarantined, the worst that happens is that it runs in a secure and isolated sandbox where it cannot do any harm

