Zeus Banking Trojan Turns Its Attention To Japan


The notorious Zeus banking Trojan has been detected in a wave of attacks targeting new online banking customers in a campaign being driven by the Black Hole automated attack toolkit.

The malware, which has caused serious problems to banking customers in Europe and the U.S., has been detected in Japan, according to the National Police Agency. Until now Japanese banking customers have been relatively immune to Zeus, according to Symantec, which analyzed the latest attacks and reported on them in a recent blog.

Symantec said that Japan may have posed a serious challenge for the malware writers, keeping the Trojan out of that country for so long. Zeus was first detected in 2009 and attacks began to increase in 2010. The latest Zeus variant is targeting five major banks in Japan, according to Symantec. The attacks appear to be similar to earlier variants.

[Related: Malware Rising: Trojans Dominate Rankings, Study Finds]

"Once infected, Zeus monitors the Web browser visiting the targeted banks and injects HTML code that displays a message in Japanese," Symantec said in its report.

The message, in English, prompts users to update their personal information, including account passwords and other data needed to access the bank account. "The log-in credentials are recorded using Zeus' built-in key logging functionality," Symantec said.

Attacks using variants of the Zeus Trojan are still targeting customers in the U.S. and Europe. In June, a McAfee report outlined Operation High Roller, which used customized versions of Zeus and SpyEye.

The attacks inject code into the browser to masquerade as the victim's bank. Banking customers with a high balance and businesses conducting high-value transactions appear to be the biggest targets, security researchers say.

Microsoft tangled with a Zeus botnet owner last year, using a court order to seize servers in the U.S. that controlled about 13 million computers infected with Zeus, including 3 million PCs in the U.S. During the seizure, Microsoft kept the botnet running to gather evidence on the cybercriminals behind the attacks.

The Microsoft Zeus botnet disruption was one of several it conducted against botnet operators. It disrupted the Kelihos botnet as well as Rustock in 2011 and Waledac in 2010.

PUBLISHED FEB. 12, 2013