Zeus, one of the stealthiest advanced malware families, has ruled the world of botnets and still poses a significant security risk. In the US alone, Zeus is estimated to control over 4 million devices. Banks, social networks and email accounts have all fallen prey to it, and despite its years in service, no antivirus vendor can claim to detect it reliably. Join the Cyphort research team as we explain the inner workings of Zeus.
www.cyphort.com for more information
2. Target threats that target you.

Dissecting the Zeus Malware
Cyphort Labs Malware's Most Wanted Series
April 2014
3. Your speakers today

Nick Bilogorskiy, Director of Security Research
Anthony James, VP of Marketing and Products
4. Agenda

o What is Zeus
o Major incidents involving Zeus
o Dissecting the malware
o Zeus advanced tricks
o Wrap-up and Q&A

Cyphort Labs T-shirt
5. About Cyphort Labs

We work with the security ecosystem
• Contribute to and learn from malware KB
• Best of 3rd party threat data

We enhance malware detection accuracy
• False positives/negatives
• Deep-dive research

Global malware research team
• 24x7 monitoring for malware events
6. Poll #1

What is the most prevalent use of Zeus malware?
o Espionage
o Stealing banking credentials and information
o Impacting industrial control systems
7. What is Zeus?

o Zeus is the most successful banking malware to date.
o Trojan horse targeted at Windows operating systems
o Tens of millions of computers worldwide infected
o Capable of "form-grabbing" and "man in the middle" attacks to steal financial information
o Distributed as a toolkit
o Active since 2007, still used heavily
o Evasive and challenging for detection and mitigation
9. Zeus History

Timeline: 2007, 2008, Apr 2010, April 2011, October 2011, March 2012, December 2013

2007: Zeus version 1.0
Apr 2010: Version 2.0
April 2011: ZeuS source code of version 2.0.8.9 leaked
October 2011: Peer to Peer version – Zeus Gameover - removes the centralized CnC infrastructure
March 2012: Microsoft legal action through a civil lawsuit dubbed Operation b71
December 2013: 64-bit version of Zeus appears
10. Zeus Stats

o Zeus is now being used not just to attack financial institutions but also stock trading, social-networking and e-mail services, plus portals for entertainment or dating, and even Salesforce.com
11. Zeus Hosting

Zeus Hosting Breakdown (data from ZeuS Tracker):
• Bulletproof hosted: 2%
• Hosted on a FastFlux botnet: 3%
• Free hosting service: 11%
• Hacked webserver: 84%
12. Zeus Author

ZeuS author — known variously as "Slavik" and "Monstr" on criminal forums — in 2010 gave the SpyEye author Harderman stewardship over the ZeuS code base, on the condition that Gribodemon agreed to provide ongoing support for existing ZeuS clients.

"Good day! I will service the Zeus product beginning today and from here on… All clients who bought the software from Slavik will be serviced from me on the same conditions as previously." – Harderman
13. Jabber Zeus Crew

Nine people listed in the indictment that has been sealed since August of 2012, including Kulibaba, Konovalenko
14. Jabber Zeus Crew

Stole more than $70 million from banks worldwide
• Ringleader, 32-year-old Ukrainian property developer Yevhen Kulibaba
• Kulibaba's right-hand man, 28-year-old Yuriy Konovalenko
• Karina Kostromina, wife of Kulibaba, 33-year-old Latvian woman jailed for money laundering

Photos from krebsonsecurity.com
16. Zeus architecture

The Builder
• Used to build the exe file
• Unique to each owner
• URL and encryption key different for each owner

The Configuration File
• Entry, Static and Dynamic sections
• Download URL and exfiltration URL

The Exe File
• Unique executable file built by the bot owner

The Server
• PHP scripts for monitoring and managing bots
17. Zeus architecture: Builder

o With a little technical knowledge you can run your own botnet.

Screenshot of Zeus builder
19. Zeus architecture: Config file

Zeus config file contains the following:
• url_config - where the config is downloaded.
• url_loader - where the new bot executable is downloaded
• url_server - where the stolen data is sent
• AdvancedConfigs - alternate locations for config
• webFilters and WebDataFilters - list of websites monitored. When these sites are visited by the infected user, any data sent to the site is also sent to the url_server.
• WebFakes - list of websites to redirect to a fake site.
20. Functionality of the Zbot binary

• Copy, execute and delete itself
• Change browser settings
• Code injection
• Credential theft
• Data exfiltration
• Evasion
  v Rootkit
  v Digital certificate
  v DGA
  v Steganography
21. Poll #2

Question-2: Do you think you (or your organization) have been impacted by Zeus?
o Yes
o No
22. Zeus Advanced Tricks – Rootkit

Necurs Rootkit Component

When GameOver / Necurs is fully installed, it will become difficult to remove the threat using traditional methods. It's impossible to access the process to retrieve information or to terminate the process. Access is denied when deleting the malware files.
23. Zeus Advanced Tricks – Digital Certificates

Signed malware is quite rare. Stuxnet rootkit components were digitally signed with certificates stolen from Realtek and JMicron. Flame used fraudulent certificates as well. Zeus used the same trick: its authors got access to a certificate of isonet ag, a Microsoft-registered third-party developer in Switzerland.
24. Zeus Advanced Tricks - DGA

It also employs DGA – Domain Generation Algorithm. DGA is a way for malware to prevent blacklisting of its CnC site: an infected machine creates thousands of domain names such as www.<gibberish>.com and attempts to contact a portion of these with the purpose of receiving an update or commands. The technique was popularized by the Conficker worm, which generated 50,000 domains a day.
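From the defender's side, the practical question raised by this slide is how to spot DGA traffic in your own DNS logs. The following Python scorer is an added example, not code from the Cyphort deck: it takes the label left of the TLD and flags names that look machine-generated (very few vowels, long consonant runs, high character entropy, or many digits). The log line format, the thresholds and the sample log lines are all assumptions constructed for the example.

```python
import math
import re
from collections import Counter

VOWELS = set("aeiou")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character, computed from the string's own character frequencies."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def core_label(domain: str) -> str:
    """Label directly left of the TLD, e.g. 'google' for www.google.com.
    Assumption for this example: single-label TLDs only (no co.uk handling)."""
    labels = domain.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def longest_consonant_run(s: str) -> int:
    runs = re.findall(r"[b-df-hj-np-tv-z]+", s)
    return max((len(r) for r in runs), default=0)


def dga_signals(domain: str) -> list:
    """Return the list of reasons a name looks algorithmically generated (empty = looks normal).
    Thresholds are assumptions chosen for this example; tune them on your own traffic."""
    label = core_label(domain)
    alpha = [ch for ch in label if ch.isalpha()]
    reasons = []
    if not alpha:
        return reasons
    vowel_ratio = sum(ch in VOWELS for ch in alpha) / len(alpha)
    entropy = shannon_entropy(label)
    run = longest_consonant_run(label)
    digit_ratio = sum(ch.isdigit() for ch in label) / len(label)
    if vowel_ratio < 0.2:
        reasons.append(f"low vowel ratio {vowel_ratio:.2f}")
    if run >= 5:
        reasons.append(f"consonant run of {run}")
    # Long real words also have high entropy, so entropy alone is combined with vowel ratio.
    if entropy >= 3.5 and vowel_ratio < 0.3:
        reasons.append(f"high entropy {entropy:.2f}")
    if digit_ratio >= 0.3:
        reasons.append(f"digit ratio {digit_ratio:.2f}")
    return reasons


def is_dga_like(domain: str) -> bool:
    return bool(dga_signals(domain))


# Assumed log layout: "<timestamp> <client-ip> query: <name>"
LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query: (?P<name>\S+)")


def scan_dns_log(lines) -> list:
    """Return (client, name, reasons) for every query whose name looks generated."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the assumed layout
        reasons = dga_signals(m["name"])
        if reasons:
            hits.append((m["client"], m["name"], reasons))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2014-04-10T09:12:01Z 10.0.0.5 query: www.google.com",
    "2014-04-10T09:12:02Z 10.0.0.5 query: krebsonsecurity.com",
    "2014-04-10T09:12:03Z 10.0.0.7 query: www.xkqjzvbwprtnm.com",
    "2014-04-10T09:12:04Z 10.0.0.7 query: ftbhgqwnzmdkv.net",
    "2014-04-10T09:12:05Z 10.0.0.9 query: www.salesforce.com",
]

if __name__ == "__main__":
    for client, name, reasons in scan_dns_log(SAMPLE_LOG):
        print(f"{client} -> {name}: {', '.join(reasons)}")
```

Because a DGA bot only reaches a small portion of the names it generates, most of its lookups fail; grouping the hits by client and counting NXDOMAIN responses per host is the natural next filter on real resolver logs, and a single host producing many flagged names is a far stronger signal than any one name.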
25. Zeus advanced tricks - Steganography

o Steganography – concealing messages or images in other messages or images.
o Zeus hides its config file inside a jpeg image

Infection flow:
1. Victim opens up suspicious mail attachment
2. Executes file in attachment
3. JPEG files downloaded (configuration file embedded)
4. Decrypted config file has bank sites to monitor for theft
26. Zeus advanced tricks - Steganography

o Image looks innocent
o But it has appended encrypted data – Zeus config.
27. Zeus advanced tricks - Steganography

o This data is encrypted with base64, RC4 and XORed. Decrypted, we see URLs and banking sites it targeted.
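Slides 25 to 27 describe the trick as an ordinary-looking JPEG with the config appended after the image, layered with base64, RC4 and XOR. The Python below is an added analyst-side example, not code from the Cyphort deck or from Zeus: it walks the JPEG marker structure to find the real End-Of-Image marker (a plain search for the last FFD9 can be fooled, since appended ciphertext or an EXIF thumbnail may also contain those bytes), returns whatever follows it, and peels the three layers. The layer order (base64, then RC4, then XOR) and the keys are assumptions; the JPEG bytes and the config text are constructed.

```python
import base64
import re

SOI, EOI = b"\xff\xd8", b"\xff\xd9"


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(data: bytes, key: bytes) -> bytes:
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def jpeg_end_offset(image: bytes) -> int:
    """Offset just past the true EOI marker, found by walking the segment table."""
    if not image.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(image):
        if image[pos] != 0xFF:
            raise ValueError(f"expected marker at offset {pos}")
        marker = image[pos + 1]
        if marker == 0xFF:          # fill byte before a marker
            pos += 1
            continue
        pos += 2
        if marker == 0xD9:          # EOI: the image ends here
            return pos
        if marker == 0xD8 or 0xD0 <= marker <= 0xD7 or marker == 0x01:
            continue                # standalone markers carry no length field
        if pos + 2 > len(image):
            raise ValueError("truncated segment header")
        pos += int.from_bytes(image[pos:pos + 2], "big")   # length includes itself
        if marker == 0xDA:          # SOS: skip entropy-coded data (FF00 stuffing, RSTn) up to the next marker
            while pos + 1 < len(image) and not (
                image[pos] == 0xFF and image[pos + 1] != 0x00 and not 0xD0 <= image[pos + 1] <= 0xD7
            ):
                pos += 1
    raise ValueError("no EOI marker found")


def trailing_data_after_eoi(image: bytes) -> bytes:
    """Bytes appended after the image proper; empty for a clean JPEG."""
    return image[jpeg_end_offset(image):]


def encode_config(plain: bytes, rc4_key: bytes, xor_key: bytes) -> bytes:
    """Assumed layering for this example: base64, then RC4, then XOR."""
    return xor_bytes(rc4(rc4_key, base64.b64encode(plain)), xor_key)


def decode_config(blob: bytes, rc4_key: bytes, xor_key: bytes) -> bytes:
    return base64.b64decode(rc4(rc4_key, xor_bytes(blob, xor_key)))


def extract_hosts(config_text: bytes) -> list:
    """Hostnames of every http(s) URL in the decoded config, in order of appearance."""
    return re.findall(r"https?://([A-Za-z0-9.-]+)", config_text.decode("latin-1"))


# Constructed 40-byte JPEG: SOI, APP0/JFIF, SOS, scan data with FF00 stuffing and an RST0 marker, EOI.
FAKE_JPEG = (
    SOI
    + b"\xff\xe0" + (16).to_bytes(2, "big") + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    + b"\xff\xda" + (8).to_bytes(2, "big") + b"\x01\x01\x00\x00\x3f\x00"
    + b"\x12\x34\xff\x00\x56\xff\xd0\x78"
    + EOI
)
# Constructed config text with placeholder hosts (the .invalid TLD is reserved and never resolves).
CONSTRUCTED_CONFIG = (b"url_server=https://cnc.example.invalid/gate.php\n"
                      b"webfilter=https://bank.example.invalid/login*\n")
RC4_KEY, XOR_KEY = b"example-rc4-key", b"\x5a\xa5"   # assumed keys for the demo

if __name__ == "__main__":
    stego = FAKE_JPEG + encode_config(CONSTRUCTED_CONFIG, RC4_KEY, XOR_KEY)
    blob = trailing_data_after_eoi(stego)
    print(f"{len(blob)} bytes appended after EOI")
    print(extract_hosts(decode_config(blob, RC4_KEY, XOR_KEY)))
```

The structural walk is the part worth keeping in a triage toolkit: a non-empty result from trailing_data_after_eoi on an image fetched by a process that has no business fetching images is itself a detection, independent of whether the keys to decode the payload are known.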
28. Conclusions

• Zeus has grown into one of the most popular and widespread crimeware kits on the market. Its ease of use and effectiveness make it an attractive choice for today's cyber criminals.
• Check for presence of unfamiliar network callbacks
• Zeus malware is very complex and is written with extra care to avoid detection, so it is not trivial to tell if you are infected. You need to use a professional grade APT solution to detect this.
29. Q and A

o Information sharing and advanced threats resources
o Blogs on latest threats and findings
o Tools for identifying malware