Zeus Trojan Research Links

Links to good ZeuS Trojan research papers (in no particular order). See update changes in Green

Malware Intelligence blog

1. Nov. 7 2009  Special!!! ZeuS Botnet for Dummies - Jorge Mieres (Malware Intelligence blog)
2. Jan 25, 2010  Leveraging ZeuS to send spam through social networks - Jorge Mieres (Malware Intelligence blog)
3. Feb. 20, 2010  Facebook & VISA phishing campaign proposed by ZeuS - Jorge Mieres (Malware Intelligence blog)
4. March 15, 2010 New phishing campaign against Facebook led by Zeus - Jorge Mieres (Malware Intelligence blog)
5. Apr. 19, 2010 / 31.03.2010 ZeuS on IRS Scam remains actively exploited - Jorge Mieres (Malware Intelligence blog)

Abuse.ch

1. Zeus Tracker
2. April 3, 2010 ZeuS: Cybercriminals moving over to FastFlux Hosting
3. March 10, 2010 -- Massive Drop in Number of Active Zeus C&C Servers
4. March 18, 2010 -- And another Bulletproof Hoster goes Offline…

mdl4 by Mark

1. May 3, 2010 Decrypting a ZeuS (ZBot) config
2. Feb. 28, 2010 Reverse engineering a Facebook ZeuS infection

 Trusteer

1. Sept 14, 2009 Measuring the in-the-wild effectiveness of Antivirus against Zeus 
2. April 21, 2010 Trusteer Detects Rapid Spread of New Polymorphic Version of Zeus Online Banking Trojan (v.1.4)

SecureWorks

1. March 11, 2010 ZeuS Banking Trojan Report  (v. 1.3.4.x and v. 1.4)

PaulDotCom - Security Weekly  

1. June 23, 2010 Dennis Brown - Zeus/FreeZeus setup, technical details, etc   -- very interesting podcast with the most recent info

 Symantec

1. May 3rd, 2010  A Brief Look at Zeus/Zbot 2 by Karthik Selvaraj
2. Feb . 2010 Clash of the Titans: ZeuS v SpyEye   - 72 page analysis  - added Aug 1, 2010
   
   

Sophos

1. Why won’t my sample run?  James Wyke

S21Sec

1.  July 5, 2010 New features of ZeuS   Mikel Gastesi
2. Apr 28, 2010 Killing the enemy  Mikel Gastes
3. Apr 07, 2009 when a bot master goes mad - kill the os  Jozsef Gegeny

Eternal to-do.com  Jose Miguel Esparza

1. Feb 2,2010 ZeuS spreading via Facebook Jose Miguel Esparza
2. Nov 6, 2009 New ZeuS binary
3. Oct 11, 2009 Detecting ZeuS

National Cyber Forensics and Training Alliance Canada / Computer Security Laboratory, Concordia University - added Aug 1, 2010

1. On the Analysis of the Zeus Botnet Crimeware Toolkit by H. Binsalleeh,T. Ormerod, A. Boukhtouta, P. Sinha, A. Youssef, M. Debbabi, and L. Wang - Overview, functionality and RE of v.1.2.4.2

Secure Science Corporation and Michael Ligh - added Aug 1, 2010

1. Nov. 13  2006[Prg] Malware Case Study 

TrustDefender Labs - added Aug 1, 2010

1. May 6, 2010 Zeus 2.0 – Zeus trojan at its best – extending its reach to Windows Vista, 7 and Mozilla Firefox

From TrustDefender:
"How to detect that a system is compromised
Since the new variant of Zeus doesn’t use complex rootkit techniques, detection is relatively easy. Simply start the registry editor (regedit.exe) and check for an entry in the Run section of HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run.

The things to look out for are:

• Name looks like a GUID (such as {26014332-876A-668A-546A-2A9930E39482})
• Value is a filename in %USERDIR%\Application Data\\    (such as “C:\Documents and Settings\support\Application Data\Kyniin\yqypy.exe”)

How to remove Zeus v2

Removal of the Zeus v2 Trojan is also much easier since no complex rootkit techniques are used.

Simply locate the file that is being run from the above registry entry and delete the registry entry and the file. After a restart, your computer is clean.

These are just a few links, please send me links to more good ZeuS research, I will include them. Thank you