ZeuS and his thunderbolts
By Cédric PERNET, Tuesday 11 March 2008 at 10:01 :: General :: #220

In Greek mythology, Zeus is the king of the gods: powerful, and able to strike at any time, anywhere, with his thunderbolts. In computer security, ZeuS is another kind of powerful malware, also known as PRG, ZBOT, or NTOS by some AV vendors.
At first, ZeuS was sold on the black market and could be configured to the buyer's needs. At that time it had mainly bot capabilities, and its popularity quickly grew in the underground community. But this fame was a bit too much for its author, who is believed to have stopped selling it.
Yet new variants still arrive daily, produced either by the original author or by other malware programmers. It has received many improvements and is now a very nasty and active banking trojan.
We have been watching it evolve for months, but recently we noticed a slight increase in the number of PRG samples in circulation.
Last night I collected 18 different variants of ZeuS downloaders. By variant I mean a binary that is not byte-for-byte identical to the others, so each one has a different MD5 (or SHA256) hash. I therefore decided it was high time to compare these variants. "grep" in one hand, "sort" and "uniq" in the other (after all, I'm a geek), I started digging through the configurations I had. My goal was to extract the command and control (C&C) servers used by these trojans.
At first glance it was obvious that the configuration files were not all the same, since they targeted different banking institutions. One specific bank might, for example, appear in a single file and in none of the others; some banks were targeted only by certain variants, and some were present in all of them.
The C&C server and the PHP script collecting the stolen data were also spread across different servers. Across the 18 downloaders, there were 8 distinct locations where the collection scripts could be found:
http://195.2.x.x/11/s.php
http://195.2.x.x/11/s.php/11/s.php
http://195.2.x.x/11/s.php5
http://195.93.x.x/~xxx/a5y5ju79h/s.php
http://195.93.x.x/xxx/a5y5ju79h/s.php
http://202.75.x.x/zeus/s.php
http://xxx.la/vvv/s.php
http://xxx.la/vvv/s.php/vvv/s.php3
Unsurprisingly, most of these scripts are hosted in Russia; some are in Malaysia.
As for the locations from which the downloaders retrieve the actual trojan, there were only 4:
http://195.2.x.x/hh/ldr.exe
http://195.2.x.x/11/ldr.exe
http://85.255.x.x/download/1013.exe
http://xxxxxxx-xxxxxxxx.com/images/m.exe
Russian, Ukrainian, and Turkish IPs are hosting these malicious binaries.
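The triage described above (pull every URL out of the configuration dumps, separate collection scripts from loader binaries, see which targets are common to every variant, and count variants by hash) written out as an added shell example. This is not the author's script and not any ZeuS tooling: the three *.cfg files are constructed sample data using documentation IP ranges and .example domains, and the field names url_loader, url_server and target are assumed for illustration only; they stand in for whatever strings you have already extracted from the samples.

```shell
#!/bin/sh
# Added example: grep/sort/uniq triage of several config dumps.
# All data below is CONSTRUCTED (RFC 5737 addresses, .example domains);
# the field names url_loader / url_server / target are assumptions.
set -eu

WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT

# Constructed variant 1
cat >"$WORK/v1.cfg" <<'EOF'
url_loader http://198.51.100.10/11/ldr.exe
url_server http://198.51.100.10/11/s.php
target https://*.bank-a.example/*
target https://*.bank-b.example/*
EOF

# Constructed variant 2: same loader, different collection script, one extra bank
cat >"$WORK/v2.cfg" <<'EOF'
url_loader http://198.51.100.10/11/ldr.exe
url_server http://203.0.113.7/zeus/s.php
target https://*.bank-a.example/*
target https://*.bank-c.example/*
EOF

# Constructed variant 3: different loader host, fewer targets
cat >"$WORK/v3.cfg" <<'EOF'
url_loader http://192.0.2.44/download/1013.exe
url_server http://198.51.100.10/11/s.php
target https://*.bank-a.example/*
EOF

# Every distinct http(s) URL across all dumps, one per line
# (target patterns are URLs too, so they show up here and are filtered below).
all_urls() {
    grep -ohE 'https?://[^[:space:]"]+' "$WORK"/*.cfg | sort -u
}

# Collection-script locations: a path segment ending in .php, .php3, .php5 ...
script_urls() {
    all_urls | grep -E '\.php[0-9]?(/|$)'
}

# Loader locations: URLs ending in an .exe
loader_urls() {
    all_urls | grep -E '\.exe$'
}

# Number of distinct variants: two dumps with the same SHA256 count as one.
variant_count() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$WORK"/*.cfg
    else
        shasum -a 256 "$WORK"/*.cfg
    fi | awk '{print $1}' | sort -u | awk 'END {print NR}'
}

# How many variants target each bank pattern, most common first.
target_coverage() {
    grep -h '^target ' "$WORK"/*.cfg | awk '{print $2}' | sort | uniq -c | sort -rn
}

# Only the target patterns present in every single variant.
targets_in_all_variants() {
    set -- "$WORK"/*.cfg
    n=$#
    grep -h '^target ' "$@" | awk '{print $2}' | sort | uniq -c \
        | awk -v n="$n" '$1 == n {print $2}'
}

echo "== collection scripts =="; script_urls
echo "== loader binaries =="; loader_urls
echo "== distinct variants by SHA256 =="; variant_count
echo "== target coverage (variants / pattern) =="; target_coverage
echo "== targets common to all variants =="; targets_in_all_variants
```

The same pipeline works on strings dumped from real samples once the config has been decoded; the only thing to adjust is the `grep '^target '` line, which assumes one target pattern per line. Note that `sort -u` on URLs treats `http://195.2.x.x/11/s.php` and `http://195.2.x.x/11/s.php/11/s.php` as two locations, exactly as the list above does, even though both most likely reach the same script.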
As for detection by AV products, it is fortunately quite high for the 18 downloaders: on average, 20 of the 32 AV engines on VirusTotal.com recognize these variants. But the trojan itself ("m.exe" and "ldr.exe") was detected by only three engines at the time of writing.
You can find more info about ZeuS on Kaspersky's Viruslist.com.