Computing Reviews

Titans’ revenge: detecting Zeus via its own flaws
Riccardi M., Di Pietro R., Palanques M., Vila J. Computer Networks 57(2): 422-435, 2013. Type: Article
Date Reviewed: 07/30/13

Malware has become an underground industry, rapidly evolving in response to attempts by computer security experts and organizations to keep it in check. One of the most notorious examples of this pattern is Zeus malware, and specifically the Zeus crimeware toolkit, which allows individuals to create tailored Trojans that are used to establish botnets for stealing financial information. These networks have been linked to large financial losses, especially when stolen banking credentials are used to transfer large sums of money into offshore accounts [1].

The authors of this paper describe their novel approach to detecting Zeus: break its encrypted communications traffic. They have implemented this method in their own intrusion detection system (IDS), pithily named Cronus.

Given the rapidly evolving nature of malware in general, it might seem that a paper submitted in late 2011 and published in late 2012 would be outdated by late 2013. In fact, Zeus has recently resurfaced and is once more in the spotlight [2], so this research remains highly relevant for anyone interested in computer security and computer forensics. The level of technical detail in the paper will be of immense use to readers dealing directly with Zeus derivatives, as well as to anyone seeking a more detailed understanding of methods that can be applied to intrusion detection problems.


1) Coogan, P. Zeus, king of the underground crimeware toolkits. Symantec Security Response blog, Aug. 25, 2009, http://www.symantec.com/connect/blogs/zeus-king-underground-crimeware-toolkits.

2) Casey, K. ZeuS malware returns, targets SMBs. InformationWeek, June 5, 2013, http://www.informationweek.com/smb/security/zeus-malware-returns-targets-smbs/240156113.

Reviewer: Nathan Carlson. Review #: CR141407 (1310-0945)

Reproduction in whole or in part without permission is prohibited.   Copyright 2024 ComputingReviews.com™