ZeusVM is a relatively new addition to the Zeus family of malware. Like the other Zeus variants, it is a banking trojan (“banker”) that focuses on stealing user credentials from financial institutions. Although recent attention has been on non-Zeus based bankers such as Neverquest and Dyreza, ZeusVM is still a formidable threat. At the time of this writing, it is actively being developed and has implemented some interesting features such as a custom virtual machine and basic steganography. In addition, due to a recent leak of a builder program, the ability to create new ZeusVM campaigns is now in the hands of many more miscreants.
To foster a better understanding of ZeusVM, the attached paper examines some of the internals of the malware from a reverse engineer’s perspective. While it doesn’t cover every component, the visibility provided can help organizations better detect and protect from this threat.
ZeusVM: Bits and Pieces (PDF)