The ZeuS malware incident

This report was written in 2014, latest update 2017-10-22. Summary in Finnish.

My Windows 7 desktop computer was hit by ZeuS malware or some variant of it. It wasn't detected by virus scanners and so it lived on the computer at least over a month, maybe much longer. Here is the full story.

My Windows 7 desktop computer is equipped with three antivirus/spyware scanners: Norton 360, SUPERAntiSpyware and Trend Micro HouseCall. The former two are also set for real time protection while the last is just a scanner that I sometimes run manually to get a third opinion. In addition to these I've set up my computer so that I have a separate browser for general net surfing and this browser is running with all plug-ins disabled. I don't do online gambling or visit sites on purpose that have a high malware risk. I don't download and install suspicious software. All these precautions didn't prevent ZeuS from getting injected into my computer, and it was also able to live there undetected.

I started to have occasional issues with my internet connection. It appeared that the connection sometimes dropped for a while and then started to work again. Resetting the 4G modem or cable modem didn't help and rebooting the computer seemed to help only for a while. I then used tools like ping and it appeared that the network wasn't really down since ping packets traveled fine without issues. I then downloaded TCPView to monitor network connections and noticed that the Opera browser was behaving badly. Opera was listening on TCP port 9050, which is the Tor port, there were some active Tor network connections and Opera was causing a massive flood of TCP connections. So presumably TCP sockets ran out and that caused the network issues.

As explained in my earlier text, running the virus scanners revealed nothing. I was also unable to find anything written about Opera browser attacks using the Tor network. I uninstalled Opera and the issue went away. Reinstalling Opera caused the issue to come back. So I didn't know what it was but I decided not to install and use the Opera browser anymore.

It was several weeks later when the internet connection issues returned. I tried reboots and modem resets without much help. Then I was back with TCPView and this time it was the Windows core process svchost.exe that was listening on port 9050 and TCP flooding my computer. This time I got really alarmed. I was lucky: while Opera + Tor had given no hits, svchost + Tor gave some. I was facing an attack by ZeuS malware or some variant of it. The Opera browser was fine and so was svchost.exe. It was ZeuS that was dynamically injecting its code into these processes, monitoring data going through the processes and setting them to run as a Tor network node.

My first action was to stop all activity on the infected computer. I logged out from social network services, email service etc. Then I cleared all browser caches. I then set the internet connection so that I could keep the computer disconnected and only connected it back up when needed.

I ran complete scans with Norton 360, SUPERAntiSpyware and Trend Micro HouseCall but nothing was found. I also ran Norton scan in Windows Safe Mode (that should be able to detect malware better) but with no results. I noticed that svchost.exe behaved normally in Safe Mode so I assumed that the malware was not active while in Safe Mode. It was time for some manual investigation.

I started regedit and checked the locations HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce. These set the programs that start on boot and ZeuS is one of them. All the other entries in the registry looked normal but there was a mysterious C:\Users\username\AppData\Roaming\Exed\xayq.exe starting on boot that looked very suspicious. I searched for “tor” files or folders on my computer and found a directory C:\Users\username\AppData\Roaming\tor containing plenty of Tor related state files. So my computer was clearly running Tor and all findings matched the ZeuS malware.

I did some searches and decided to test what Norton Power Eraser does. I ran it while in Safe Mode and it detected the mentioned C:\Users\username\AppData\Roaming\Exed\xayq.exe and suggested removing it. I allowed the removal. I then removed the directory C:\Users\username\AppData\Roaming\tor manually. I read that ZeuS is often seen on a computer with a rootkit installed. I downloaded the TDSSKiller Rootkit Removal Utility by Kaspersky Lab and ran it in Safe Mode. No rootkits were found. I then ran it again :-) but nothing was found.

I then booted the computer back up to normal mode and checked that C:\Users\username\AppData\Roaming\Exed\xayq.exe and C:\Users\username\AppData\Roaming\tor were gone for good. I also watched TCPView to see that svchost.exe behaved normally. Yes, it appeared that ZeuS was successfully removed.

After the incident was over I changed all my major passwords and I'm also monitoring my credit card and bank account activity on a daily basis. I'm also reviewing the registry, listing TCP connections and checking for tor directories to see if ZeuS still lives on my computer or makes a return.
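The three checks this post relies on (a process listening on the Tor port 9050 and flooding TCP connections, an autorun entry under AppData\Roaming in the Run/RunOnce keys, and a tor directory in the roaming profile) can be scripted so that the follow-up monitoring is repeatable. The script below is an added example, not part of the original post or any tool named in it. The parsing and flagging logic runs anywhere on constructed `netstat -ano` output; the live collection helpers at the bottom only run on Windows, and the sample data (PIDs, the 203.0.113.7 address, the value name "Xayq") is constructed.

```python
"""Triage checks for the ZeuS indicators described above: a process
listening on TCP 9050 (the Tor SOCKS port), a process opening an unusual
number of TCP connections, autorun entries under AppData\\Roaming, and a
"tor" directory in the roaming profile. Heuristics only: every hit is a
candidate to review, not a verdict (legitimate software also autoruns
from AppData\\Roaming)."""
import os
import subprocess
import sys

TOR_PORT = 9050
RUN_KEYS = [  # the two locations checked with regedit in the post
    r"Software\Microsoft\Windows\CurrentVersion\Run",
    r"Software\Microsoft\Windows\CurrentVersion\RunOnce",
]

# Constructed sample of `netstat -ano` output (PIDs and addresses invented).
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       812
  TCP    127.0.0.1:9050         0.0.0.0:0              LISTENING       1460
  TCP    192.168.1.10:49200     203.0.113.7:443        ESTABLISHED     1460
  TCP    192.168.1.10:49201     203.0.113.7:443        SYN_SENT        1460
  UDP    0.0.0.0:5353           *:*                                    3020
"""

# Constructed autorun entries as (value name, command); the second mirrors
# the path found in the post, the value name "Xayq" is an assumption.
SAMPLE_AUTORUNS = [
    ("OneDrive", r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'),
    ("Xayq", r"C:\Users\username\AppData\Roaming\Exed\xayq.exe"),
]


def parse_netstat(text):
    """Parse `netstat -ano` lines into (proto, host, port, state, pid) tuples."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4 or parts[0] not in ("TCP", "UDP"):
            continue  # header, blank or "Active Connections" line
        proto, local = parts[0], parts[1]
        # UDP rows have no State column: PROTO LOCAL FOREIGN PID
        state, pid = (parts[3], parts[4]) if proto == "TCP" else ("", parts[3])
        host, _, port = local.rpartition(":")  # handles [::]:port as well
        rows.append((proto, host, int(port), state, int(pid)))
    return rows


def tor_port_listeners(rows):
    """PIDs with a TCP socket in LISTENING state on the Tor port."""
    return sorted({pid for proto, _, port, state, pid in rows
                   if proto == "TCP" and port == TOR_PORT and state == "LISTENING"})


def connections_per_pid(rows):
    """Count TCP rows per PID; a flood like the one in the post shows up here."""
    counts = {}
    for proto, _, _, _, pid in rows:
        if proto == "TCP":
            counts[pid] = counts.get(pid, 0) + 1
    return counts


def flooding_pids(rows, threshold=200):
    """PIDs holding at least `threshold` TCP sockets (threshold is a chosen assumption)."""
    return sorted(pid for pid, n in connections_per_pid(rows).items() if n >= threshold)


def suspicious_autoruns(entries):
    """Autorun commands whose path lies under AppData\\Roaming, for manual review."""
    return [(name, cmd) for name, cmd in entries
            if "\\appdata\\roaming\\" in cmd.lower()]


def find_tor_dirs(roaming_root):
    """Directories literally named 'tor' directly under the roaming profile."""
    try:
        return sorted(e.path for e in os.scandir(roaming_root)
                      if e.is_dir() and e.name.lower() == "tor")
    except OSError:
        return []


def read_autoruns_windows():
    """Live HKCU Run/RunOnce values (Windows only; uses the stdlib winreg module)."""
    import winreg
    entries = []
    for sub in RUN_KEYS:
        try:
            key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, sub)
        except OSError:
            continue
        with key:
            i = 0
            while True:
                try:
                    name, value, _ = winreg.EnumValue(key, i)
                except OSError:
                    break  # no more values
                entries.append((name, str(value)))
                i += 1
    return entries


if __name__ == "__main__":
    if sys.platform == "win32":
        netstat = subprocess.run(["netstat", "-ano"], capture_output=True, text=True).stdout
        autoruns, roaming = read_autoruns_windows(), os.environ.get("APPDATA", "")
    else:  # demonstrate on the constructed sample elsewhere
        netstat, autoruns, roaming = SAMPLE_NETSTAT, SAMPLE_AUTORUNS, ""
    rows = parse_netstat(netstat)
    print("listening on Tor port:", tor_port_listeners(rows))
    print("TCP flooding PIDs:    ", flooding_pids(rows))
    print("autoruns to review:   ", suspicious_autoruns(autoruns))
    print("tor directories:      ", find_tor_dirs(roaming) if roaming else [])
```

Run it from a normal user account; the HKCU keys and the roaming profile it inspects are the same ones the post checked by hand, so the output is a short list of items to look at rather than a cleaning step. Raising or lowering the flooding threshold is a judgement call for the machine in question.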

  • Where did the malware come from? I have no idea. I'm trying to be careful, use a separate browser with plug-ins disabled for general surfing and use three virus scanners (two of them offer real time protection). These precautions didn't help.
  • Did the malware steal or break anything? I have no idea. So far I have not noticed any suspicious transactions on my credit cards or bank accounts. ZeuS and its variants are potentially capable of stealing anything you have on your computer or type with your keyboard, like files, usernames and passwords, credit card numbers etc. By using Tor they can also use your computer as a node on a network carrying out illegal activities like sending spam, drug business or distributing illegal porn.
  • Is the computer now 100 percent clean? I can't tell. It appears that there are no longer suspicious programs starting on Windows boot and there are no Tor related files on my computer. But it is impossible to say if the computer is really clean or not.
  • Why did ZeuS cause the TCP socket flooding that finally made you detect it? I assume that this happened because of some sort of malfunction in ZeuS or because I had an active firewall that blocked the sockets, causing ZeuS to open more and more sockets. But all this is purely speculation. I was lucky to have that TCP socket flooding happening. Without it I might have been running ZeuS like forever. It is also possible that this ZeuS variant was just acting annoying on purpose. But I think this is unlikely: nowadays malware is mostly meant to do something beneficial without getting noticed by the user, not to act annoying and drop network connections.