Zeus Found Crawling through Salesforce.com

  • February 19, 2014


The infamous banking Trojan Zeus has been spotted on Salesforce.com.  This interesting discovery has just been made by SaaS security firm Adallom, which has since shared the information with Salesforce.  As yet, the investigation is ongoing.

What is known so far is that Zeus was used to target a single Windows PC.  Adallom provides security by monitoring cloud traffic, and the firm noticed the attack when it saw about 2 gigabytes of data being downloaded to the victim’s computer in less than 10 minutes.  Adallom has yet to publish a report, but in a brief interview with Techworld its spokesperson mentioned that the variant has web crawling capabilities.  It is believed the malware is being used to grab sensitive business data from the massive CRM.
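The kind of volume check that would surface a transfer like the one described above, as an added example (not Adallom's detection logic and not code from the original article): a per-user sliding window over download records, using the 2 GB and 10 minute figures from the article. The record format, user names and sample records are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

MB = 1024 ** 2
WINDOW = timedelta(minutes=10)   # time span reported in the article
THRESHOLD = 2 * 1024 ** 3        # about 2 GB, the volume reported in the article

# Constructed sample records (not real logs): (ISO timestamp, user, response bytes)
SAMPLE_LOG = (
    [("2014-02-19T09:00:00", "alice", 4 * MB),
     ("2014-02-19T09:03:00", "alice", 12 * MB)]
    # carol: 2.5 GB in total, but spread over an hour
    + [(f"2014-02-19T09:{m:02d}:00", "carol", 500 * MB) for m in (0, 15, 30, 45)]
    + [("2014-02-19T10:00:00", "carol", 500 * MB)]
    # bob: 300 MB per minute for eight minutes
    + [(f"2014-02-19T10:0{m}:00", "bob", 300 * MB) for m in range(8)]
)

def find_bulk_downloads(records, window=WINDOW, threshold=THRESHOLD):
    """Alert when a user's downloaded bytes inside `window` reach `threshold`."""
    recent = defaultdict(deque)   # user -> (timestamp, bytes) still inside the window
    totals = defaultdict(int)     # user -> byte sum of the entries in recent[user]
    in_alert = set()              # users currently over threshold (one alert per burst)
    alerts = []
    for ts_str, user, nbytes in sorted(records):
        ts = datetime.fromisoformat(ts_str)
        q = recent[user]
        q.append((ts, nbytes))
        totals[user] += nbytes
        while ts - q[0][0] > window:      # evict entries older than the window
            totals[user] -= q.popleft()[1]
        if totals[user] < threshold:
            in_alert.discard(user)        # burst ended, re-arm the alert
        elif user not in in_alert:
            in_alert.add(user)
            alerts.append({"user": user, "window_start": q[0][0],
                           "window_end": ts, "bytes": totals[user]})
    return alerts

if __name__ == "__main__":
    for a in find_bulk_downloads(SAMPLE_LOG):
        print(f"{a['user']}: {a['bytes'] / MB:.0f} MB between "
              f"{a['window_start']} and {a['window_end']}")
```

On the constructed records only bob is flagged; carol moves more data overall but never reaches the threshold inside a single 10 minute window.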

Zeus Evolving in 2014

This is the first time Zeus has been used to attack a CRM, but it is far from the Trojan’s Internet debut.  In 2013, Zeus’s Gameover variant was responsible for approximately one-third of all computerized attacks on financial institutions.  Early last year, Zeus was also found connecting to LinkedIn.

It would seem that 2014 is shaping up to be a year of transformation for the Trojan.  Late last week, reports emerged of yet another variant, ZeusVM, which is being steganographically concealed in .JPG image files.  Steganographic coding techniques allow hackers to append malicious code to an otherwise harmless file, without altering the file’s appearance.  .JPG files are therefore being used to hide ZeusVM’s configuration file, which sneaks in as users download what they think is just an image.

Over the last year, the Zeus Trojan has been so effective because it enables man-in-the-middle attacks.  Essentially, Zeus can recognize when users log on to major banking sites, and when they do, it ‘wakes up.’  Once it is awake, attackers can use Zeus to gain direct access to an account, since the user has already provided verification using their credentials.  Such access can be used to steal sensitive data, or even to schedule a wire transfer to the attacker’s bank account.

As Adallom’s discovery has shown, this same man-in-the-middle technique is now being leveraged to download data from CRMs.  In theory, the same technique could be used to harvest sensitive information from any SaaS website.

Exacerbating the situation is the fact that Zeus’s code is widely available on the dark web and is often modified into new variants.

Threat Mitigation

Have a Great (Malware-Free) Wednesday…and if you’re using Salesforce.com: Go Make Some Sales!

UPDATE 2/20/2014:

Adallom has published a report of their findings on their blog.



Freelance writer and security enthusiast based in the USA.
