Zeus/Zbot Banking Trojan/Data Theft (credentialed check)

Severity: Critical | Nessus Plugin ID 45085

Synopsis

The remote Windows host has been infected with the Zeus/Zbot trojan.

Description

The remote Windows host has files that indicate that the Zeus (also known as Zbot) banking trojan has been installed, or that stolen data collected by this trojan remains on the system.

The Zeus trojan intercepts and logs activity related to online banking, as well as other logins (web, FTP, email, etc.), and reports these credentials to a third party. The set of targeted credentials is configured per Zeus infection, so any website can be affected.

Zeus also gives the attacker complete control over the system, allowing further malware to be installed, traffic to be proxied through the infected host, and other actions such as rendering the system unusable (killing it).

False positives may occur if files with names identical to those Zeus creates are found on the system. Because these file names mimic standard Windows files, their presence should be treated as suspicious under any circumstances and investigated.

Solution

Update the host's antivirus software, clean the host, and scan again to confirm removal. If symptoms persist, re-installing the infected host is recommended.

See Also

https://zeustracker.abuse.ch/faq.php

http://news.cnet.com/8301-27080_3-10455525-245.html

http://www.nessus.org/u?250c95b1

http://www.secureworks.com/research/threats/zeus/?threat=zeus

Plugin Details

Severity: Critical

ID: 45085

File Name: zeus_zbot_detect.nasl

Version: 1.14

Type: local

Agent: windows

Family: Backdoors

Published: 3/18/2010

Updated: 4/11/2022

Configuration: Enable thorough checks

Asset Inventory: true

Supported Sensors: Nessus Agent, Nessus

Risk Information

CVSS v2

Risk Factor: Critical

Base Score: 10

Vector: CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C

CVSS v3

Risk Factor: Critical

Base Score: 10

Vector: CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:H

Vulnerability Information

Required KB Items: SMB/Registry/Enumerated