Dissecting ZeuS malware


Zeus, one of the stealthiest advanced malware families, has ruled the world of botnets and still poses a significant security risk. In the US alone, Zeus is estimated to control over 4 million devices. Banks, social networks and email accounts have all fallen prey to it and, despite its years in service, no anti-virus vendor can claim to detect it reliably. Join the Cyphort research team as we explain the inner workings of Zeus.
Target threats that target you.
Dissecting the Zeus Malware
Cyphort Labs, Malware's Most Wanted Series, April 2014
Agenda
o What is Zeus
o Major incidents involving Zeus
o Dissecting the malware
o Zeus advanced tricks
o Wrap-up and Q&A
  About  Cyphort  Labs  
What is Zeus?
o Zeus is the most successful banking malware to date.
o Trojan horse targeted at Windows operating systems
o Tens of millions of computers worldwide infected
o Capable of "form-grabbing" and "man in the middle" attacks to steal financial information
o Distributed as a toolkit
o Active since 2007, still used heavily
o Evasive and challenging for detection and mitigation
Zeus: Still causing havoc, several years after its birth
Zeus History (timeline from 2007 to December 2013)
2007: Zeus version 1.0
Apr 2010: Version 2.0
April 2011: ZeuS source code leaked
October 2011: Peer-to-peer version, Zeus Gameover, removes the centralized CnC infrastructure
March 2012: Microsoft legal action through a civil lawsuit dubbed Operation b71
December 2013: 64-bit version of Zeus appears
Zeus Stats
o Zeus is now being used not just to attack financial institutions but also stock trading, social-networking and e-mail services, plus portals for entertainment or dating, and even Salesforce.com
Zeus Hosting
Zeus Hosting Breakdown (pie chart; data from ZeuS Tracker). Categories: bulletproof hosted, hosted on a FastFlux botnet, free hosting service, hacked webserver; shares shown: 2%, 3%, 11%, 84%.
Zeus Author
ZeuS author — known variously as "Slavik" and "Monstr" on criminal forums — in 2010 gave the SpyEye author Harderman stewardship over the ZeuS code base, on the condition that Gribodemon agreed to provide ongoing support for existing ZeuS clients.
"Good day! I will service the Zeus product beginning today and from here on… All clients who bought the software from Slavik will be serviced from me on the same conditions as previously." Harderman
Jabber Zeus Crew
Nine people listed in the indictment that has been sealed since August of 2012, including Kulibaba, Konovalenko
Jabber Zeus Crew
Stole more than $70 million from banks worldwide
o Ringleader: 32-year-old Ukrainian property developer Yevhen Kulibaba
o Kulibaba's right-hand man: 28-year-old Yuriy Konovalenko
o Karina Kostromina, wife of Kulibaba: 33-year-old Latvian woman jailed for money laundering
Photos from krebsonsecurity.com
Zeus Operations (Source: Brian Krebs)
Zeus architecture
The Builder
• Used to build the exe file
• Unique to each owner
• URL and encryption key different for each owner
The Configuration File
• Entry, Static and Dynamic sections
• Download URL and exfiltration URL
The Exe File
• Unique executable file built by the bot owner
The Server
• PHP scripts for monitoring and managing bots
Zeus architecture: Builder
o With a little technical knowledge you can run your own botnet. (Screenshot of the Zeus builder)
Zeus architecture: Config file (screenshot of a Zeus config file)
Zeus architecture: Config file
Zeus config file contains the following:
• url_config - where the config is downloaded
• url_loader - where the new bot executable is downloaded
• url_server - where the stolen data is sent
• AdvancedConfigs - alternate locations for the config
• webFilters and WebDataFilters - list of websites monitored. When these sites are visited by the infected user, any data sent to the site is also sent to the url_server.
• WebFakes - list of websites to redirect to a fake site.
Functionality of the Zbot binary
• Copy, execute and delete itself
• Change browser settings
• Code injection
• Credential theft
• Data exfiltration
• Evasion
  - Rootkit
  - Digital certificate
  - DGA
  - Steganography
Zeus Advanced Tricks - Rootkit
Necurs Rootkit Component
When GameOver / Necurs is fully installed, it becomes difficult to remove the threat using traditional methods. It is impossible to access the process to retrieve information or to terminate the process. Access is denied when deleting the malware files.
Zeus Advanced Tricks - Digital Certificates
Signed malware is quite rare. Stuxnet rootkit components were digitally signed with certificates stolen from Realtek and JMicron. Flame used fraudulent certificates as well. Zeus used the same trick: the authors got access to a certificate of isonet ag, a Microsoft-registered third-party developer in Switzerland.
Zeus Advanced Tricks - DGA
It also employs DGA, a Domain Generation Algorithm. DGA is a way for malware to prevent blacklisting of its CnC site: an infected machine creates thousands of domain names such as www.<gibberish>.com and attempts to contact a portion of these with the purpose of receiving an update or commands. The technique was popularized by the Conficker worm, which generated 50,000 domains a day.
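As an added defender-side example (not from the deck), a Python heuristic that scans resolver logs for the www.<gibberish>.com lookups the slide describes and counts them per client; the log lines, field layout and thresholds are constructed assumptions, not Zeus's actual DGA output:

```python
import math
from collections import Counter

# Constructed DNS query log (not from the deck), one query per line:
# "<timestamp> <client> <qtype> <qname>". Client 10.1.2.9 plays the infected host.
SAMPLE_DNS_LOG = """\
2014-04-10T09:15:02Z 10.1.2.3 A www.example.com
2014-04-10T09:15:03Z 10.1.2.3 A mail.google.com
2014-04-10T09:15:05Z 10.1.2.9 A www.qzvkrmtxwplnbgd.com
2014-04-10T09:15:05Z 10.1.2.9 A www.tqzwxmvbrplkdfghs.net
2014-04-10T09:15:06Z 10.1.2.9 A k7x2q9zv4mwt.info
2014-04-10T09:15:07Z 10.1.2.3 A krebsonsecurity.com
"""
VOWELS = set("aeiou")


def entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0


def registrable_label(qname: str) -> str:
    """Second-level label, i.e. the <gibberish> part of www.<gibberish>.com
    (ignores multi-label public suffixes such as co.uk for brevity)."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def looks_generated(label: str) -> bool:
    """Heuristic: long, high-entropy labels with almost no vowels read like
    algorithm output rather than a name a person chose. Thresholds are
    assumptions for this sample; tune them against your own resolver logs."""
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    return len(label) >= 10 and vowel_ratio <= 0.2 and entropy(label) >= 3.3


def flag_dga_queries(log_text: str) -> list:
    """Return (client, qname) pairs whose registrable label looks generated."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) >= 4 and looks_generated(registrable_label(fields[3])):
            hits.append((fields[1], fields[3]))
    return hits


def noisy_clients(log_text: str, min_hits: int = 2) -> dict:
    """A bot cycling through its DGA output produces many such lookups from
    one host, so count hits per client and report the repeat offenders."""
    counts = Counter(client for client, _ in flag_dga_queries(log_text))
    return {client: n for client, n in counts.items() if n >= min_hits}
```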
Zeus advanced tricks - Steganography
o Steganography: concealing messages or images in other messages or images.
o Zeus hides its config file inside a JPEG image
Infection flow shown on the slide: victim opens a suspicious mail attachment -> executes the file in the attachment -> JPEG files downloaded (configuration file embedded) -> decrypted config file has bank sites to monitor for theft
Zeus advanced tricks - Steganography
o Image looks innocent
o But it has appended encrypted data: the Zeus config.
Zeus advanced tricks - Steganography
o This data is encoded with base64, RC4 and XOR. Decrypted, we see the URLs and banking sites it targeted.
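An added example, not Cyphort's own tooling, of the check a responder would run on downloaded images given the three steganography slides: walk the JPEG marker structure to the true EOI marker and report whatever is appended after it together with its byte entropy, since an encrypted or base64 blob stands out from image data (the sample JPEG bytes below are constructed):

```python
import math
import struct
from collections import Counter

SOI, EOI = b"\xff\xd8", b"\xff\xd9"
# Constructed samples (not from the deck): a minimal JFIF-only JPEG, and the same
# image with 256 bytes of "config" appended after EOI, as the Zeus images do.
APP0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
CLEAN_JPEG = SOI + APP0 + EOI
STEGO_JPEG = CLEAN_JPEG + bytes(range(256))


def jpeg_end_offset(data: bytes) -> int:
    """Walk the marker segments and return the offset just past the real EOI.
    Unlike data.rfind(EOI), an FF D9 inside an EXIF thumbnail or inside the
    appended payload cannot fool this."""
    if data[:2] != SOI:
        raise ValueError("not a JPEG: missing SOI")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                                 # fill byte
            pos += 1
            continue
        if marker == 0xD9:                                 # EOI: image ends here
            return pos + 2
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            pos += 2                                       # standalone markers
            continue
        pos += 2 + struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if marker == 0xDA:                                 # SOS: skip scan data
            while pos + 1 < len(data):
                if data[pos] == 0xFF and data[pos + 1] not in (0, *range(0xD0, 0xD8)):
                    break
                pos += 1
    raise ValueError("truncated JPEG: no EOI found")


def shannon_entropy(blob: bytes) -> float:
    n = len(blob)
    return -sum(c / n * math.log2(c / n) for c in Counter(blob).values()) if n else 0.0


def trailing_data(data: bytes) -> dict:
    """Report what follows EOI; encrypted or base64 payloads show high entropy."""
    end = jpeg_end_offset(data)
    tail = data[end:]
    return {"image_bytes": end, "trailing_bytes": len(tail),
            "entropy": round(shannon_entropy(tail), 2), "suspicious": len(tail) > 0}
```

Run `trailing_data(open(path, "rb").read())` over images fetched by a suspect host; any non-zero trailing size deserves a look, and a tail with entropy near 8 bits per byte is consistent with the encrypted config the slides describe.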
  Conclusions   
• Zeus has grown into one of the most popular and widespread crimeware kits on the market. Its ease of use and effectiveness make it an attractive choice for today's cyber criminals.
• Check for the presence of unfamiliar network callbacks
• Zeus malware is very complex and is written with extra care to avoid detection, so it is not trivial to tell if you are infected. You need to use a professional-grade APT solution to detect this.
