Posted By John Reed

Remember Zeus? No, not the ancient god. We're talking about the nasty little bit of malware that can trick you into believing that you're logged onto your bank's website when you're really on a fake one designed to give criminals your online banking username and password. Earlier this year, the European Network and Information Security Agency told banks to "assume all PCs are infected." One of the worst things about Zeus is that it's an easily purchased piece of software that can be customized, yielding a variety of different sub-bugs that have proven very difficult to eradicate. Zeus may be old (around since at least 2007), but it ain't dead yet -- by a long shot. So here's an edited Q-and-A update on the threat we conducted yesterday with Meaghan Molloy, an analyst with the IT security firm Mandiant:

Killer Apps: How extensive is the problem today?

Molloy: Earlier this year, in response to a Zeus campaign, "High Roller," that was targeted at high-balance accounts, the European Network and Information Security Agency (ENISA) advised that banks should assume that all PCs are infected. In 2011, a variant of Zeus [Zitmo, aimed at breaking into bank customers' mobile banking apps] was behind the theft of an estimated $47 million from 30,000 European individuals and corporate customers. This is by no means the total sum of money lost through Zeus. It has been spotted in nearly every country and caused untold hundreds of millions of dollars in damage.

  • There have been numerous other instances of widespread losses due to Zeus over the past several years. For example, in 2010, M86 Security reported that Zeus was responsible for the loss of $1 million from 3,000 compromised accounts in the UK. In the same year, Trusteer reported that a different Zeus botnet had infected over 100,000 systems.
  • Zeus is not a single botnet but rather it is a type of malicious software that encompasses hundreds or thousands of different command and control infrastructures. A criminal is much better able to remain nimble when he can simply set up multiple small infrastructures that are less likely to be exposed and suffer only small losses if they are.
  • While Zeus makes up only a fraction of the millions of compromised computers that Mandiant Cloud Alert tracks on a daily basis, it is massive and standard security measures such as antivirus aren't containing it.

Killer Apps: Is it still making inroads into the U.S.?

Molloy: Yes, absolutely. Here is just one example: Operation Trident Breach in 2010 exposed the theft of $70 million from hundreds of small and medium businesses in the U.S. In an attack lasting 18 months, a Ukrainian gang used Zeus to break into 390 bank accounts belonging to American companies.

Killer Apps: How advanced is the threat? How could it evolve?

Molloy: Zeus is an information-stealing trojan primarily designed to harvest banking credentials using keystroke logging and form grabbing. It can be purchased for the low price of just a few hundred dollars and is highly customizable beyond its basic functionality. Because Zeus is readily available for purchase on many black markets, there is no single Zeus botnet but rather thousands of smaller botnets run by individuals and criminal organizations.

  • In May 2011, the Zeus source code was leaked on underground forums. This has since resulted in several new versions of Zeus appearing in the wild, such as ICE IX, Citadel, Zitmo, and GameOver, which uses peer-to-peer command and control infrastructure. Some versions of Zeus use sophisticated techniques to avoid detection and takedown, such as domain generation algorithms (DGA) and fast-flux IP. Citadel offers the botmaster more comprehensive information [about victims] than is typically offered with Zeus, harvesting information on database servers and network configuration. Zitmo, which targets mobile users, is capable of defeating two-factor authentication, a common technique in bank account security.
  • Ongoing development of the Zeus kit that is available for sale and individual customization of the 'open source' versions mean that criminals can and will continue to use Zeus and improve its functionality. As long as it continues to be effective, Zeus will remain in use.

Killer Apps: Is there a security solution to Zeus?

Molloy: Unfortunately, there is no single security solution to combat the threat of Zeus. Most Zeus variants communicate with their command and control infrastructure just like regular web traffic. In particular, small and medium-sized companies should ensure that they have strict security procedures in place for any unusual activity on their accounts. They are at the highest risk since financial institutions do not provide companies with the same money-back guarantee in case of fraud as they do with individuals. Additionally, companies of that size are the least likely to maintain an in-house security team. Maintain up-to-date software, only bank within a virtual machine, and change your passwords frequently, though none of those techniques guarantee your security. Most importantly, individuals and companies should monitor their network traffic for communication with command and control servers.
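One way to act on that last point, as an added example that is not from the article or from Mandiant: a small Python script that scans web-proxy log lines for two of the traits Molloy mentions, clockwork check-ins to a single host and DGA-style hostnames. The log format, the thresholds, and the hostnames in the sample are assumptions constructed for the example.

```python
import math
import statistics
from collections import defaultdict
# Constructed sample web-proxy log, one "<epoch_seconds> <client_ip> <host> <bytes>" per line.
# Lines 2-6 model a bot checking in every 120 s to a DGA-style hostname (made up, not real).
SAMPLE_LOG = """\
1000 10.0.0.5 www.example.com 5120
1060 10.0.0.5 xk3q9v7zp1mwb.info 412
1180 10.0.0.5 xk3q9v7zp1mwb.info 410
1300 10.0.0.5 xk3q9v7zp1mwb.info 415
1420 10.0.0.5 xk3q9v7zp1mwb.info 409
1540 10.0.0.5 xk3q9v7zp1mwb.info 411
"""
def parse_log(text):
    # Parse lines into (timestamp, client, host) tuples; malformed lines are skipped.
    rows = [line.split() for line in text.splitlines()]
    return [(int(p[0]), p[1], p[2].lower()) for p in rows if len(p) == 4 and p[0].isdigit()]

def shannon_entropy(s):
    # Bits of entropy per character of s.
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def looks_dga(host, min_entropy=3.3, max_vowel_ratio=0.2):
    # Heuristic: the registrable label is long, high-entropy and nearly vowel-free.
    label = host.split(".")[-2] if "." in host else host
    return (len(label) >= 10 and shannon_entropy(label) >= min_entropy
            and sum(label.count(v) for v in "aeiou") / len(label) <= max_vowel_ratio)

def interval_cv(timestamps):
    # Coefficient of variation of the gaps between contacts; 0.0 means perfectly regular.
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    if len(gaps) < 2:
        return float("inf")  # too few contacts to judge regularity
    mean = statistics.mean(gaps)
    return statistics.pstdev(gaps) / mean if mean else 0.0

def find_suspects(log_text, min_hits=5, max_cv=0.2):
    # Flag (client, host) pairs that check in on a fixed period or use DGA-like names.
    seen = defaultdict(list)
    for ts, client, host in parse_log(log_text):
        seen[(client, host)].append(ts)
    suspects = []
    for (client, host), ts in seen.items():
        periodic = len(ts) >= min_hits and interval_cv(ts) <= max_cv
        reasons = ["periodic"] * periodic + ["dga-like"] * looks_dga(host)
        if reasons:
            suspects.append({"client": client, "host": host, "hits": len(ts), "reasons": reasons})
    return suspects
```

Both checks are heuristics: a legitimate CDN or update service can also poll on a schedule, so a hit is a lead for analysts to confirm against known-good hosts, not a verdict.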

Killer Apps: Are there similar threats?

Molloy: SpyEye is another information-stealing trojan focused primarily on banking credentials. In 2011, there were reports of a potential merger between the creators behind both trojans. Regardless, development of both types and subsequent variants is ongoing.


John Reed reports on the frontiers of cyber war and the latest in military technology for Killer Apps.
