{
	"id": "b7577318-7c49-42a3-b2a0-a36275bc4875",
	"created_at": "2026-04-06T00:17:33.035955Z",
	"updated_at": "2026-04-10T03:21:22.374941Z",
	"deleted_at": null,
	"sha1_hash": "290de53b007e32e60a7e8704bf374a014c1074fc",
	"title": "Detecting ZeuS | eternal-todo.com",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 240286,
	"plain_text": "Detecting ZeuS | eternal-todo.com\r\nArchived: 2026-04-05 18:56:10 UTC\r\nBotnet\r\nDetection\r\nMalware\r\nZeuS\r\nIn the S21sec blog we have been talking for some time about our dear friend, almost one more colleague: ZeuS. It is a piece of malware with more than 3 years of life which keeps changing and evolving to hide itself better and to make the fraud more efficient. But what we may not have mentioned yet is how to know whether our little friend is here, spying on all our movements and reporting them to its parents, because sometimes the AV software is not as effective as we expect.\r\nAcross its different versions there are several pieces of evidence that tell us we are infected with ZeuS:\r\nFilesystem\r\nZeuS leaves a trace in the filesystem when it is installed on the computer, but it hides and blocks all the files it creates, so that a normal user cannot see or delete them. The way to find these files is to use anti-rootkit software, which will show us the hidden files.\r\nNowadays the usual binary name is sdra64.exe and its configuration directory is c:\\windows\\system32\\lowsec, but this can change depending on the version. We already mentioned the various names for the configuration files, so now I will only list the different names used for the binary:\r\nntos.exe\r\noembios.exe\r\ntwext.exe\r\ntwex.exe\r\nsdra64.exe\r\nbootlist32.exe\r\nuserinit32.exe\r\nbootwindows.exe\r\nWindows registry\r\nSearching the Windows registry is another way to detect the infection. The trojan is able to execute itself after each reboot thanks to the inclusion of its binary path in the Userinit value of the following registry key:\r\nHKLM\\SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon (value: Userinit)\r\nThe clean value holds a single entry, C:\\Windows\\system32\\userinit.exe, and ZeuS appends the path of its own binary after it. Thus simply by opening the registry editor (regedit.exe) we can locate our ZeuS:\r\nHooks\r\nZeuS needs to put several hooks in different functions in order to do the code injection, intercept data, etc.
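The filesystem and registry indicators above, together with the mutex names listed at the end of this post, can be checked with a small triage script. The following is an added example, not code from the original post or from S21sec: the binary, directory and mutex names are the ones given on this page, the registry key path is the standard Winlogon key, and the sample Userinit value and file listing embedded in it are constructed for the demonstration. The OpenMutexW and registry calls run only on Windows; on other platforms the pure matching functions can still be run against an anti-rootkit listing or a registry export.

```python
"""Triage a host for the ZeuS indicators listed in this post (added example)."""
import sys
from pathlib import PureWindowsPath

# Binary and mutex names exactly as listed on this page. File names are
# compared case-insensitively because NTFS paths are case-insensitive.
KNOWN_BINARIES = {
    "ntos.exe", "oembios.exe", "twext.exe", "twex.exe", "sdra64.exe",
    "bootlist32.exe", "userinit32.exe", "bootwindows.exe",
}
CONFIG_DIR = "lowsec"
KNOWN_MUTEXES = [
    "__SYSTEM__64AD0625__", "_H_64AD0625_", "_AVIRA_2109",
    "_LILO_1909", "_SOSI_1909",
]
# Standard location of the Userinit value (relative to HKLM).
WINLOGON_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"


def parse_userinit(value):
    """Split the comma-separated Userinit value into its non-empty entries."""
    return [p.strip() for p in value.split(",") if p.strip()]


def suspicious_userinit_entries(value):
    """Return the Userinit entries that should not be there.

    A clean value holds exactly one program, userinit.exe; ZeuS appends its
    own binary after it. So every entry after the first is reported, and so
    is a first entry that is not userinit.exe.
    """
    flagged = []
    for index, entry in enumerate(parse_userinit(value)):
        leaf = PureWindowsPath(entry.strip('"')).name.lower()
        if index > 0 or leaf != "userinit.exe":
            flagged.append(entry)
    return flagged


def suspicious_files(names):
    """Keep the names (or paths) whose leaf is a known binary or the lowsec dir.

    Feed it a system32 listing or, better, the hidden-file list reported by
    an anti-rootkit tool, since ZeuS hides its files from normal listings.
    """
    hits = []
    for name in names:
        leaf = PureWindowsPath(name).name.lower()
        if leaf in KNOWN_BINARIES or leaf == CONFIG_DIR:
            hits.append(name)
    return hits


def mutex_exists(name):
    """Probe a named mutex with OpenMutexW.

    True: opened (exists). False: not found. None: not running on Windows.
    ERROR_ACCESS_DENIED (5) counts as existing: the object is there but this
    process may not open it.
    """
    if sys.platform != "win32":
        return None
    import ctypes
    from ctypes import wintypes
    SYNCHRONIZE = 0x00100000
    ERROR_ACCESS_DENIED = 5
    kernel32 = ctypes.WinDLL("kernel32", use_last_error=True)
    kernel32.OpenMutexW.argtypes = [wintypes.DWORD, wintypes.BOOL, wintypes.LPCWSTR]
    kernel32.OpenMutexW.restype = wintypes.HANDLE
    kernel32.CloseHandle.argtypes = [wintypes.HANDLE]
    handle = kernel32.OpenMutexW(SYNCHRONIZE, False, name)
    if handle:
        kernel32.CloseHandle(handle)
        return True
    return ctypes.get_last_error() == ERROR_ACCESS_DENIED


def live_triage():
    """Run all three checks against the local host (Windows only)."""
    report = {"userinit": [], "files": [], "mutexes": []}
    if sys.platform != "win32":
        return report
    import os
    import winreg
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, WINLOGON_KEY) as key:
        value, _ = winreg.QueryValueEx(key, "Userinit")
    report["userinit"] = suspicious_userinit_entries(value)
    system32 = os.path.join(os.environ.get("SystemRoot", r"C:\Windows"), "system32")
    report["files"] = suspicious_files(os.listdir(system32))
    report["mutexes"] = [m for m in KNOWN_MUTEXES if mutex_exists(m)]
    return report


# Constructed sample input, not taken from a real host: a Userinit value after
# ZeuS has appended sdra64.exe, and a partial system32 listing.
SAMPLE_USERINIT = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,"
SAMPLE_LISTING = ["userinit.exe", "lowsec", "SDRA64.EXE", "kernel32.dll"]

if __name__ == "__main__":
    print("Userinit extras:", suspicious_userinit_entries(SAMPLE_USERINIT))
    print("Known names:", suspicious_files(SAMPLE_LISTING))
    print("Live host:", live_triage())
```

Run it as Administrator on the suspect host. Because ZeuS hides its files from normal directory listings, the live os.listdir() pass will usually miss them, which is why suspicious_files() also accepts names copied from an anti-rootkit tool's output. An ERROR_ACCESS_DENIED from OpenMutexW is counted as a hit, since it means the object exists but could not be opened by this process.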
We can find these hooks in most of the running processes, and the most common ones are the following:\r\nntdll.dll\r\nNtCreateThread\r\nLdrLoadDll\r\nLdrGetProcedureAddress\r\nNtQueryDirectoryFile\r\nuser32.dll\r\nGetClipboardData\r\nTranslateMessage\r\nTo know whether we have these hooks in our system we must use an anti-rootkit program as well:\r\nOnline banking strange behaviour\r\nWe can expect that people who use online banking on a daily basis will notice some change in the application, like an extra field asking for the password needed to make transfers, or asking for all the positions of the coordinates card. This is what our trojan does. It will probably be harder to detect for people who use online banking occasionally, so the advice here is to pay attention while doing online banking and to talk to the bank if there is any suspicious behaviour. This is an example of a login page before and after the ZeuS injection:\r\nExtra parameters (server-side)\r\nUsually when ZeuS adds extra fields to the bank page through HTML injection, these additional parameters are submitted to the bank's server together with the legitimate ones. Depending on the injected code, the server can compare the field names it receives against the form it actually served, intercept the unexpected ones, and warn the user of a possible infection.\r\nTrojan mutexes\r\nFinally, we can detect the trojan in the system thanks to the mutexes that it creates. For example, with the OpenMutex function we can check whether the ZeuS mutexes exist or not, revealing the malware's trace in the system. The mutexes we have seen so far are:\r\n__SYSTEM__64AD0625__\r\n_H_64AD0625_\r\n_AVIRA_2109\r\n_LILO_1909\r\n_SOSI_1909\r\nSubmitted by jesparza on Thu, 2009/10/01 - 12:25\r\nSource: http://eternal-todo.com/blog/detecting-zeus",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"http://eternal-todo.com/blog/detecting-zeus"
	],
	"report_names": [
		"detecting-zeus"
	],
	"threat_actors": [],
	"ts_created_at": 1775434653,
	"ts_updated_at": 1775791282,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/290de53b007e32e60a7e8704bf374a014c1074fc.pdf",
		"text": "https://archive.orkl.eu/290de53b007e32e60a7e8704bf374a014c1074fc.txt",
		"img": "https://archive.orkl.eu/290de53b007e32e60a7e8704bf374a014c1074fc.jpg"
	}
}