After tapering off, the Zeus Trojan has been staging a comeback over the last few months, possibly using a new infection routine that leverages Windows’ autorun feature even after a company update to limit infections that use it, according to research by Microsoft.
Microsoft’s Malicious Software Removal Tool (MSRT) removed the common banking Trojan horse program from 185,000 computers in September and the company expects more than 100,000 removals in October, according to a post on Microsoft’s Threat Research and Response blog. The growth spurt reflects Zbot’s growing use of Windows autorun functionality, says Matt McCormack, Senior Anti Virus Research lead at Microsoft.
Autorun is a standard Windows feature that allows applications on external media like DVDs and USB thumb drives to launch automatically when that media is inserted into a machine running Windows. Attackers have long used autorun to spread their malware, but this is the first time that Zeus has used the technique to broaden its already extensive distribution methods.
Autorun infection numbers initially tumbled in February after Microsoft pushed a Windows update that changed the function’s behavior. But that reduction appears to have been short-lived. Still, the company claims that more infections are being caught by MSRT, despite the new reliance on autorun features to spread.
It was roughly a month ago that Microsoft pushed out an update to its Security Essentials software that marked Google’s Chrome web browser as a variant of Zeus, PWS:Win32/Zbot. Microsoft released an emergency update later that day, addressing the issue and reversing the detection.