This version of the Zeus infection has an interesting persistence mechanism: it spreads via USB.
Every time a USB stick is connected to an infected computer, Zeus checks whether a “seed” is already present on the stick. If so, nothing happens; if the stick is clean, Zeus places the “seed” on it. Once this stick is connected to another machine, the seed checks whether that machine already has the latest version of the Zeus infection. If not, it infects the PC, and thus the circle is closed.
It had a high rate of re-infection after the host was restaged (re-imaged). This was caused by the fact that users usually share USB sticks in the office. Also, once a user knows his/her machine is about to be restaged, he puts a backup on a USB stick, so the machine is re-infected immediately.
Once infected, a host communicates with the C&C server. It is then capable of loading further modules, such as a backdoor.
The picture below shows the relation between hostname and site name.
- The bigger the node, the more hosts were infected at that particular site. This can spot patterns in users' habits: we can see that one site, marked in violet, needs to pay more attention to the education of its employees.
- The bigger the node, the more times that particular machine was reinfected. This can spot issues with a particular user: the guy marked by the yellow node might keep some dark secrets on his laptop:
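The two node sizes above (infected hosts per site, reinfections per machine) can be computed from an incident tracker before drawing the graph. The script below is an added example, not code from the original post; the log format, the event names "infected"/"restaged" and the sample entries are all constructed assumptions.

```python
from collections import Counter, defaultdict

# Constructed sample incident-tracker entries (not from the original post):
# "timestamp,hostname,site,event", where event is "infected" (AV/IDS alert
# fired) or "restaged" (host re-imaged). ISO timestamps sort chronologically.
SAMPLE_LOG = """\
2013-03-01T09:00,ws-017,london,infected
2013-03-01T10:00,ws-017,london,restaged
2013-03-01T11:30,ws-017,london,infected
2013-03-01T12:00,ws-017,london,restaged
2013-03-02T08:15,ws-017,london,infected
2013-03-01T09:10,ws-042,london,infected
2013-03-01T09:20,ws-103,paris,infected
2013-03-01T15:00,ws-103,paris,restaged
2013-03-03T09:00,ws-210,berlin,infected
"""

def parse_events(text):
    """Parse the CSV-like text into (ts, host, site, event) tuples, sorted by time."""
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, host, site, event = line.split(",")
            events.append((ts, host, site, event))
    return sorted(events)

def infection_stats(events):
    """Return (hosts_per_site, reinfections_per_host).
    hosts_per_site: distinct infected hosts per site (site node size).
    reinfections_per_host: 'infected' events that followed a 'restaged'
    event for the same host (machine node size)."""
    infected_hosts = defaultdict(set)
    reinfections = Counter()
    awaiting = set()  # hosts restaged and not yet seen infected again
    for _ts, host, site, event in events:
        if event == "infected":
            infected_hosts[site].add(host)
            if host in awaiting:  # infected again after a restage
                reinfections[host] += 1
                awaiting.discard(host)
        elif event == "restaged":
            awaiting.add(host)
    return {s: len(h) for s, h in infected_hosts.items()}, dict(reinfections)

def outliers(counts, threshold):
    """Names whose count reaches the threshold: the 'big nodes' in the graph."""
    return sorted(n for n, c in counts.items() if c >= threshold)
```

With the sample data, `outliers(sites, 2)` yields the site to target with user education and `outliers(hosts, 2)` the machine whose owner keeps re-plugging an infected stick.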