In this last post of the series dedicated to the timeline ZeuS trojan (and its leaks) [1][2], we are going to show some numbers that S21sec have being collecting regarding them.
The number of botnets detected in past few years has raised up to 2.300, most of them being ZeuS ones. In order to show this in a visual form, we have created a chart that groups them by version. As you can see, the two main ZeuS versions ( and account for almost 50% of the attacks.
As can be observed in the following chart, the prime target of the attacks is financial sector, specifically online banking, that pose 87.5% of the total targeted entities.
Though historically online banking affectation has been really high, we have seen a drop lately mainly due to the flourish of new variants which target other sectors in order to attain their goal. Regarding this, online banking security is getting better every year, and hence, thef by means of banking transactions has dropped significally. Following chart shows how online banking affectation has dropped from an historic average of 88% to a 86.8% in 2013.
Data collected by S21sec supports this theory and we can see it just by comparing ZeuS and Citadel development over time. In 2012 (year in which Citadel was released) it accounted roughly for 24% of the samples vs. 76% of ZeuS ones (please, don’t forget that we set aside all other malware families for the comparison). Nowadays, the tide has turned and ZeuS samples dropped to 41% while Citadel accounts for 59% ot the total which is even more impressive if we consider the global Citadel botnet take down action carried out by Microsoft in mid-year. Regarding this, ZeuS versions have been targeting online banking entities more then other variants, including Citadel.
The following chart shows the affectation of countries (that is, the country of the entity being targeted, as long as it still has a login form). In order to understand this chart, you must know that each sample uses to attack more than one entity at the same time, so, the higher the number of entities targeted by one trojan for a country the higher it accounts on the chart.
In this way, spanish entities are the third most targeted, with a 16% of total attacks (mainly online banking entities, but remember banking malware is targeting other sectors too). This affectation to spanish entities is bigger when talking about ZeuS, more than any other variants. Any way, spanish entities targeting has dropped from 18% in previous years to 14% in 2013.

Finally, we will like to remark that new ZeuS variants have not only managed to target new sectors, but they are also targeting entities of countries which had not appeared in the configs until now. The number of different countries whose entities were affected in 2013 has raised to 71.
As you can see, ZeuS and its variants are causing security companies and entities lots of trouble. They still dominate the scene, although with the new famlies of banking trojans that are emerging, and above all, the leak of Carberp’s code, we can not make any predictions in the foreseable future.
Advanced Cyber Security Services