Zeus has been staging a comeback over the last few months, possibly using a new infection routine that leverages Windows’ autorun feature even after an update, according to research by Microsoft.
Microsoft’s Malicious Software Removal Tool (MSRT) removed the common banking Trojan program from 185,000 computers in September and the company expects more than 100,000 removals in October, according to a post on Microsoft’s Threat Research and Response blog.
The growth spurt reflects Zbot’s growing use of Windows autorun functionality, said Matt McCormack, senior antivirus research lead at Microsoft.
Autorun is a standard Windows feature that allows applications on external media like DVDs and USB thumb drives to launch automatically when that media is inserted into a machine running Windows.
Attackers have used autorun to spread their malware before, but this is the first time Zeus has used the technique to broaden its distribution method.
Autorun infection numbers initially tumbled in February after Microsoft pushed a Windows update that changed the function’s behavior. But that reduction appears to have been short-lived.
Microsoft said MSRT is catching more infections, despite the new reliance on autorun features to spread.
Roughly a month ago, Microsoft pushed out an update to its Security Essentials software that marked Google’s Chrome web browser as a variant of Zeus, PWS:Win32/Zbot. Microsoft released an emergency update later that day, addressing the issue and reversing the detection.