SlideShare a Scribd company logo

Zeus

Download as DOCX, PDF
M
MaGn3t0

Zeus is a Trojan horse that steals banking information by keystroke logging and Form Grabbing.

Technology
1 of 7
Virus Programming – Zeus Trojan Introduction Zeus is a Trojan horse that steals banking information by keystroke logging and Form Grabbing. Zeus is spread mainly through drive-by downloads and phishing schemes. Zeus, also known as Zbot, is a malware package that is readily available for sale and also traded in underground forums. The package contains a builder that can generate a bot executable and Web server files (PHP, images, SQL templates) for use as the command and control server. While Zbot is a generic back door that allows full control by an unauthorized remote user, the primary function of Zbot is financial gain—stealing online credentials such as FTP, email, online banking, and other online passwords. Zeus is primarily a crimeware kit designed to steal users‟ online banking login credentials, among other things. It is the handiwork of Eastern European organized criminals that has now entered the underground cybercriminal market as a commodity. Zeus is a botnet package that can be purchased for as low as 700 USD and up to 15,000 USD for the newest version with all available features and can also be found freely traded as well. The bot can be found worldwide and thus remains consistently prevalent in compromising unprotected computers. In short, Zeus is two things: • From a technical perspective, it is a crimeware tool primarily used to steal money. • From another perspective, it signals a new wave in online criminal business enterprise wherein many different organizations cooperate with one another to perpetrate outright online theft and fraud. 1
Virus Programming – Zeus Trojan Technical Facts The technical aspect of Zeus is really not that complicated, at least from a functional perspective. It does use a complex encryption technique but explaining its functionality is pretty simple. It has the three components: 1. Zeus Trojan 2. Zeus configuration file (config) 3. Zeus drop zone where stolen credentials are sent The Zeus botnet uses several delivery methods in the first stage—the Trojan. Once the Zeus Trojan is executed, it downloads its configuration file from a predetermined location then waits for the victim to log in to a particular target that its configfile has defined, which usually comprises a selection of banks, their login URLs, and the like. Unlike traditional keyloggers, Zeus Trojans are “men-in-the-browser” agents that grab variables from a browser session such as an online banking session. This makes Zeus especially dangerous because it also has the ability to inject additional form fields into a legitimate Web session. Injecting these additional fields can fraudulently urge victims to surrender more information than they would normally be required to in a session, for instance, with their banks. Some Zeus variants also contain a nasty feature called “JabberZeuS,” which immediately relays victims‟ login credentials to cybercriminals in real-time via an instant messenger (IM). This allows cybercriminals to bypass multifactor authentication schemes to log in to victims‟ accounts and to wire money to third parties, virtually piggybacking on the victims‟ sessions. This is where the Zeus botnet‟s real power lays, the core nature of which is wholesale theft. 2
Virus Programming – Zeus Trojan How it works? Because Zbot is a package that is readily available, vectors of infection vary widely, with popular methods including drive-by download and SPAM. SPAM runs of Zbot are a regular occurrence using social engineering tactics, impersonating organizations such as the FDIC, IRS, MySpace, Facebook, and Microsoft, as shown in figure 3 on the next page. Once the bot is executed, the following actions take place: It copies itself to %system32%sdra64.exe. It sets the previous path to HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTwinlogonuserinit, so that winlogon.exe spawns the process at startup time. It looks for winlogon.exe, increases its privileges, injects its code and a string table into this process, and creates a thread to execute this code. The main bot executable terminates The injected code in winlogon injects additional code into svchost.exe. It also creates a folder named %System%lowsec and puts two files inside: local.ds and user.ds. Local.ds is the latest dynamic configuration file downloaded from the server. User.ds contains stolen credentials and other information to be transmitted to the server. The code inside svchost is responsible for network communication and third-party process injection required to hook Internet-related APIs in order to inject or steal information to/from banking sites The communication between these various injected components is done with mutexes and pipes, maliciously named _AVIRA_x, where x is a number (eg: x=2109 in winlogon.exe, x=2108 in svchost.exe). If Zeus is run using an account that does not have Administrator privileges, code will not be injected into winlogon.exe, but instead into explorer.exe. Also, instead of copying itself to the %System% folder, the bot will copy itself to %UserProfile%Application Datasdra64.exe, and create the folder %UserProfile%Application Datalowsec. Finally, the bot will create a load point under the registry key HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun”userinit”=” %UserProfile%Application Datasdra64.exe”. 3
Virus Programming – Zeus Trojan Functionality The main purpose of Zeus is to steal online credentials as specified by the hacker. Zeus performs four main actions: Gathering system information. Stealing protected storage information, FTP passwords, and POP3 passwords. Stealing online credential information as specified by a configuration file. Contacting the command and control server for additional tasks to perform. System Information Gathering By default Zeus will automatically gather a variety of system information and send this information to the command and control server. This information includes: A unique bot identification string Name of the botnet Version of the bot Operating system version Operating system language Local time of the compromised computer Uptime of the bot Last report time Country of the compromised computer IP address of the compromised computer Process names Credential Stealing Zeus‟ main purpose is to steal online credentials and does so in two manners—by automatic actions hardcoded in the binary and also using configuration files that are included in the Zeus binary, but also downloadable from the command and control server. After Zeus is executed, it will automatically steal information stored in the PSTORE (Protected Storage), which usually contains saved Internet Explorer passwords and also automatically captures any FTP or POP3 (email) passwords that are sent across the network in the clear. However, Zeus‟ most effective means of financial gain is controlled via a configuration file modified by the distributor of the Trojan. This configuration file specifies actions to perform once Zeus is installed and is updatable via the command and control server. Web Page Injection Many online banking and other Web sites that require credentials have evolved to evade standard keystroke logging or network-sniffing attacks. Thus, many credential-stealing threats now utilize HTML injection techniques to obtain credential information. In particular, these threats inject additional HTML into legitimate pages that cause the user to input credential information not actually required by the financial Web site or HTML content that 4
Virus Programming – Zeus Trojan defeats client-side security techniques, such as hashing credentials before they are sent over the wire. Sample Web injections are provided in the Zeus package and are defined in the configuration file. Below is an example of injection configuration block: set_urlhttp://www.[REMOVED].com/contact.php data_before name=‟email‟*</tr> data_end data_inject <tr><td>PIN:</td><td><input type=”text” name=”pinnumber” id=”pinnumber” /></td></tr> data_end data_after data_end On any Web page matching the URL http://www.[REMOVED].com/content.php, the HTML defined by „data_inject‟ is added after the string “email*</tr>” in the existing page. Before the injection, the targeted form on the Web page looks like figure1. After the injection, looks like figure2. When the form is sent, the Zeus will intercept the content of the form including the PIN number and send this information to the command and control server, as shown in figure. The syntax also allows for HTML to be replaced rather than just added by also specifying the „data_after‟ field. When this field is specified, then the HTML specified by data_inject will replace the HTML content between „data_before‟ and „data_after‟. Replacement HTML is usually used to modify or hijack JavaScript that is used for client side security purposes. For example, many online banking sites with increased security will hash the credentials before sending the credentials over the wire. This JavaScript routine used for hashing will be hijacked to also preserve the plaintext credentials and send them using non-visible form fields, which will then be intercepted and sent to the command and control servers. Web page before injection :- 5
Virus Programming – Zeus Trojan Web page after injection :- Zeus Infection Chain The following figure shows how a typical Zeus infection takes place. 6
Virus Programming – Zeus Trojan Conclusion Zeus provides a ready-to-deploy package for hackers to distribute their own botnet. The botnet is easily purchased and also freely traded online and continues to be updated to provide new features and functionality. The ease-of-use of Zeus means the Zeus bot is used widely and is highly prevalent, allowing the most novice hackers to easily steal online banking credentials and other online credentials for financial gain. 7

Recommended

Cybercriminals target online banking
Cybercriminals target online bankingCybercriminals target online banking
Cybercriminals target online bankingScientia Groups
 
System hacking
System hackingSystem hacking
System hackingCAS
 
Anatomy of an Advanced Retail Breach
Anatomy of an Advanced Retail BreachAnatomy of an Advanced Retail Breach
Anatomy of an Advanced Retail BreachIBM Security
 
Software security
Software securitySoftware security
Software securityjes_d
 
2 secure systems design
2 secure systems design2 secure systems design
2 secure systems designdrewz lin
 
Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Teymur Kheirkhabarov
 
Windows 8. important considerations for computer forensics and electronic dis...
Windows 8. important considerations for computer forensics and electronic dis...Windows 8. important considerations for computer forensics and electronic dis...
Windows 8. important considerations for computer forensics and electronic dis...Yury Chemerkin
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureSergey Soldatov
 

Recommended

Cybercriminals target online banking
Cybercriminals target online bankingCybercriminals target online banking
Cybercriminals target online bankingScientia Groups
 
System hacking
System hackingSystem hacking
System hackingCAS
 
Anatomy of an Advanced Retail Breach
Anatomy of an Advanced Retail BreachAnatomy of an Advanced Retail Breach
Anatomy of an Advanced Retail BreachIBM Security
 
Software security
Software securitySoftware security
Software securityjes_d
 
2 secure systems design
2 secure systems design2 secure systems design
2 secure systems designdrewz lin
 
Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Teymur Kheirkhabarov
 
Windows 8. important considerations for computer forensics and electronic dis...
Windows 8. important considerations for computer forensics and electronic dis...Windows 8. important considerations for computer forensics and electronic dis...
Windows 8. important considerations for computer forensics and electronic dis...Yury Chemerkin
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureSergey Soldatov
 
Горизонтальные перемещения в инфраструктуре Windows
Горизонтальные перемещения в инфраструктуре WindowsГоризонтальные перемещения в инфраструктуре Windows
Горизонтальные перемещения в инфраструктуре WindowsPositive Hack Days
 
Surat peringatan kilat kepada Kelompok Ransomware Kuba
Surat peringatan kilat kepada Kelompok Ransomware KubaSurat peringatan kilat kepada Kelompok Ransomware Kuba
Surat peringatan kilat kepada Kelompok Ransomware KubaSystem 021
 
Getting Bear-y Cozy with PowerShell
Getting Bear-y Cozy with PowerShellGetting Bear-y Cozy with PowerShell
Getting Bear-y Cozy with PowerShellJamieWilliams130
 
Hackers dictionary
Hackers dictionaryHackers dictionary
Hackers dictionaryTabraiz Bukhari
 
091209 Mc Afee Roundtable
091209 Mc Afee Roundtable091209 Mc Afee Roundtable
091209 Mc Afee RoundtableHarvard PR
 
Атаки на платформу Java Card с использованием вредоносных апплетов
Атаки на платформу Java Card с использованием вредоносных апплетовАтаки на платформу Java Card с использованием вредоносных апплетов
Атаки на платформу Java Card с использованием вредоносных апплетовPositive Hack Days
 
Program and System Threats
Program and System ThreatsProgram and System Threats
Program and System ThreatsReddhi Basu
 
Operating system security
Operating system securityOperating system security
Operating system securityRachel Jeewa
 
Operations security (OPSEC)
Operations security (OPSEC)Operations security (OPSEC)
Operations security (OPSEC)Mikko Ohtamaa
 
Operations Security - SF Bitcoin Hackday March 2015
Operations Security - SF Bitcoin Hackday March 2015Operations Security - SF Bitcoin Hackday March 2015
Operations Security - SF Bitcoin Hackday March 2015Mikko Ohtamaa
 
(Pdf) yury chemerkin def_con_2013
(Pdf) yury chemerkin def_con_2013(Pdf) yury chemerkin def_con_2013
(Pdf) yury chemerkin def_con_2013STO STRATEGY
 
Krzysztof kotowicz. something wicked this way comes
Krzysztof kotowicz. something wicked this way comesKrzysztof kotowicz. something wicked this way comes
Krzysztof kotowicz. something wicked this way comesYury Chemerkin
 
Adding Identity Management and Access Control to your Application, Authorization
Adding Identity Management and Access Control to your Application, AuthorizationAdding Identity Management and Access Control to your Application, Authorization
Adding Identity Management and Access Control to your Application, AuthorizationFernando Lopez Aguilar
 
Understanding Windows Lateral Movements
Understanding Windows Lateral MovementsUnderstanding Windows Lateral Movements
Understanding Windows Lateral MovementsDaniel López Jiménez
 
Operations security - SyPy Dec 2014 (Sydney Python users)
Operations security - SyPy Dec 2014 (Sydney Python users)Operations security - SyPy Dec 2014 (Sydney Python users)
Operations security - SyPy Dec 2014 (Sydney Python users)Mikko Ohtamaa
 
Hawkeye the Credential Theft Maalware
Hawkeye the Credential Theft MaalwareHawkeye the Credential Theft Maalware
Hawkeye the Credential Theft MaalwareVishal Kumar
 
Jesse Burke RDPwned HackMiami7
Jesse Burke RDPwned HackMiami7Jesse Burke RDPwned HackMiami7
Jesse Burke RDPwned HackMiami7Jesse Burke
 
Attacking Session Management
Attacking Session ManagementAttacking Session Management
Attacking Session ManagementSehan Lee
 
Web Application Security 101 - 07 Session Management
Web Application Security 101 - 07 Session ManagementWeb Application Security 101 - 07 Session Management
Web Application Security 101 - 07 Session ManagementWebsecurify
 
DNS Rebinding Attack
DNS Rebinding AttackDNS Rebinding Attack
DNS Rebinding AttackFelipe Japm
 
Botnets 101
Botnets 101Botnets 101
Botnets 101Aung Thu Rha Hein
 
Computer virus
Computer virusComputer virus
Computer viruskiran_a_c
 

More Related Content

What's hot

Горизонтальные перемещения в инфраструктуре Windows
Горизонтальные перемещения в инфраструктуре WindowsГоризонтальные перемещения в инфраструктуре Windows
Горизонтальные перемещения в инфраструктуре WindowsPositive Hack Days
 
Surat peringatan kilat kepada Kelompok Ransomware Kuba
Surat peringatan kilat kepada Kelompok Ransomware KubaSurat peringatan kilat kepada Kelompok Ransomware Kuba
Surat peringatan kilat kepada Kelompok Ransomware KubaSystem 021
 
Getting Bear-y Cozy with PowerShell
Getting Bear-y Cozy with PowerShellGetting Bear-y Cozy with PowerShell
Getting Bear-y Cozy with PowerShellJamieWilliams130
 
091209 Mc Afee Roundtable
091209 Mc Afee Roundtable091209 Mc Afee Roundtable
091209 Mc Afee RoundtableHarvard PR
 
Атаки на платформу Java Card с использованием вредоносных апплетов
Атаки на платформу Java Card с использованием вредоносных апплетовАтаки на платформу Java Card с использованием вредоносных апплетов
Атаки на платформу Java Card с использованием вредоносных апплетовPositive Hack Days
 
Program and System Threats
Program and System ThreatsProgram and System Threats
Program and System ThreatsReddhi Basu
 
Operating system security
Operating system securityOperating system security
Operating system securityRachel Jeewa
 
Operations security (OPSEC)
Operations security (OPSEC)Operations security (OPSEC)
Operations security (OPSEC)Mikko Ohtamaa
 
Operations Security - SF Bitcoin Hackday March 2015
Operations Security - SF Bitcoin Hackday March 2015Operations Security - SF Bitcoin Hackday March 2015
Operations Security - SF Bitcoin Hackday March 2015Mikko Ohtamaa
 
(Pdf) yury chemerkin def_con_2013
(Pdf) yury chemerkin def_con_2013(Pdf) yury chemerkin def_con_2013
(Pdf) yury chemerkin def_con_2013STO STRATEGY
 
Krzysztof kotowicz. something wicked this way comes
Krzysztof kotowicz. something wicked this way comesKrzysztof kotowicz. something wicked this way comes
Krzysztof kotowicz. something wicked this way comesYury Chemerkin
 
Adding Identity Management and Access Control to your Application, Authorization
Adding Identity Management and Access Control to your Application, AuthorizationAdding Identity Management and Access Control to your Application, Authorization
Adding Identity Management and Access Control to your Application, AuthorizationFernando Lopez Aguilar
 
Understanding Windows Lateral Movements
Understanding Windows Lateral MovementsUnderstanding Windows Lateral Movements
Understanding Windows Lateral MovementsDaniel López Jiménez
 
Operations security - SyPy Dec 2014 (Sydney Python users)
Operations security - SyPy Dec 2014 (Sydney Python users)Operations security - SyPy Dec 2014 (Sydney Python users)
Operations security - SyPy Dec 2014 (Sydney Python users)Mikko Ohtamaa
 
Hawkeye the Credential Theft Maalware
Hawkeye the Credential Theft MaalwareHawkeye the Credential Theft Maalware
Hawkeye the Credential Theft MaalwareVishal Kumar
 
Jesse Burke RDPwned HackMiami7
Jesse Burke RDPwned HackMiami7Jesse Burke RDPwned HackMiami7
Jesse Burke RDPwned HackMiami7Jesse Burke
 
Attacking Session Management
Attacking Session ManagementAttacking Session Management
Attacking Session ManagementSehan Lee
 
Web Application Security 101 - 07 Session Management
Web Application Security 101 - 07 Session ManagementWeb Application Security 101 - 07 Session Management
Web Application Security 101 - 07 Session ManagementWebsecurify
 
DNS Rebinding Attack
DNS Rebinding AttackDNS Rebinding Attack
DNS Rebinding AttackFelipe Japm
 

What's hot (20)

Горизонтальные перемещения в инфраструктуре Windows
Горизонтальные перемещения в инфраструктуре WindowsГоризонтальные перемещения в инфраструктуре Windows
Горизонтальные перемещения в инфраструктуре Windows
 
Surat peringatan kilat kepada Kelompok Ransomware Kuba
Surat peringatan kilat kepada Kelompok Ransomware KubaSurat peringatan kilat kepada Kelompok Ransomware Kuba
Surat peringatan kilat kepada Kelompok Ransomware Kuba
 
Getting Bear-y Cozy with PowerShell
Getting Bear-y Cozy with PowerShellGetting Bear-y Cozy with PowerShell
Getting Bear-y Cozy with PowerShell
 
Hackers dictionary
Hackers dictionaryHackers dictionary
Hackers dictionary
 
091209 Mc Afee Roundtable
091209 Mc Afee Roundtable091209 Mc Afee Roundtable
091209 Mc Afee Roundtable
 
Атаки на платформу Java Card с использованием вредоносных апплетов
Атаки на платформу Java Card с использованием вредоносных апплетовАтаки на платформу Java Card с использованием вредоносных апплетов
Атаки на платформу Java Card с использованием вредоносных апплетов
 
Program and System Threats
Program and System ThreatsProgram and System Threats
Program and System Threats
 
Operating system security
Operating system securityOperating system security
Operating system security
 
Operations security (OPSEC)
Operations security (OPSEC)Operations security (OPSEC)
Operations security (OPSEC)
 
Operations Security - SF Bitcoin Hackday March 2015
Operations Security - SF Bitcoin Hackday March 2015Operations Security - SF Bitcoin Hackday March 2015
Operations Security - SF Bitcoin Hackday March 2015
 
(Pdf) yury chemerkin def_con_2013
(Pdf) yury chemerkin def_con_2013(Pdf) yury chemerkin def_con_2013
(Pdf) yury chemerkin def_con_2013
 
Krzysztof kotowicz. something wicked this way comes
Krzysztof kotowicz. something wicked this way comesKrzysztof kotowicz. something wicked this way comes
Krzysztof kotowicz. something wicked this way comes
 
Adding Identity Management and Access Control to your Application, Authorization
Adding Identity Management and Access Control to your Application, AuthorizationAdding Identity Management and Access Control to your Application, Authorization
Adding Identity Management and Access Control to your Application, Authorization
 
Understanding Windows Lateral Movements
Understanding Windows Lateral MovementsUnderstanding Windows Lateral Movements
Understanding Windows Lateral Movements
 
Operations security - SyPy Dec 2014 (Sydney Python users)
Operations security - SyPy Dec 2014 (Sydney Python users)Operations security - SyPy Dec 2014 (Sydney Python users)
Operations security - SyPy Dec 2014 (Sydney Python users)
 
Hawkeye the Credential Theft Maalware
Hawkeye the Credential Theft MaalwareHawkeye the Credential Theft Maalware
Hawkeye the Credential Theft Maalware
 
Jesse Burke RDPwned HackMiami7
Jesse Burke RDPwned HackMiami7Jesse Burke RDPwned HackMiami7
Jesse Burke RDPwned HackMiami7
 
Attacking Session Management
Attacking Session ManagementAttacking Session Management
Attacking Session Management
 
Web Application Security 101 - 07 Session Management
Web Application Security 101 - 07 Session ManagementWeb Application Security 101 - 07 Session Management
Web Application Security 101 - 07 Session Management
 
DNS Rebinding Attack
DNS Rebinding AttackDNS Rebinding Attack
DNS Rebinding Attack
 

Viewers also liked

Computer virus
Computer virusComputer virus
Computer viruskiran_a_c
 
Html5 with SharePoint 2010
Html5 with SharePoint 2010Html5 with SharePoint 2010
Html5 with SharePoint 2010Hemant Joshi
 
HTML 5 Step By Step - Ebook
HTML 5 Step By Step - EbookHTML 5 Step By Step - Ebook
HTML 5 Step By Step - EbookScottperrone
 
Game Development Using HTML 5
Game Development Using HTML 5Game Development Using HTML 5
Game Development Using HTML 5osa_ora
 
virus programming using batch file
virus programming using batch filevirus programming using batch file
virus programming using batch fileAris Suryadi
 
Hello world program
Hello world programHello world program
Hello world programSpy Seat
 
Batch file programming
Batch file programmingBatch file programming
Batch file programmingswapnil kapate
 
Gears and HTML 5 @media Ajax London 2008
Gears and HTML 5 @media Ajax London 2008Gears and HTML 5 @media Ajax London 2008
Gears and HTML 5 @media Ajax London 2008dion
 
HTML5 & Friends
HTML5 & FriendsHTML5 & Friends
HTML5 & FriendsRemy Sharp
 
The Future of the Web: HTML5
The Future of the Web: HTML5The Future of the Web: HTML5
The Future of the Web: HTML5Derek Bender
 
Html 5 in a big nutshell
Html 5 in a big nutshellHtml 5 in a big nutshell
Html 5 in a big nutshellLennart Schoors
 
What is strategic fit
What is strategic fitWhat is strategic fit
What is strategic fitAnu Vanu
 
The 5 Senses Learning Game
The 5 Senses Learning GameThe 5 Senses Learning Game
The 5 Senses Learning Gameguestc2c57b7
 
ePub 3, HTML 5 & CSS 3 (+ Fixed-Layout)
ePub 3, HTML 5 & CSS 3 (+ Fixed-Layout)ePub 3, HTML 5 & CSS 3 (+ Fixed-Layout)
ePub 3, HTML 5 & CSS 3 (+ Fixed-Layout)Clément Wehrung
 

Viewers also liked (20)

Botnets 101
Botnets 101Botnets 101
Botnets 101
 
Computer virus
Computer virusComputer virus
Computer virus
 
Security
SecuritySecurity
Security
 
Html5 with SharePoint 2010
Html5 with SharePoint 2010Html5 with SharePoint 2010
Html5 with SharePoint 2010
 
HTML 5 Step By Step - Ebook
HTML 5 Step By Step - EbookHTML 5 Step By Step - Ebook
HTML 5 Step By Step - Ebook
 
Game Development Using HTML 5
Game Development Using HTML 5Game Development Using HTML 5
Game Development Using HTML 5
 
virus programming using batch file
virus programming using batch filevirus programming using batch file
virus programming using batch file
 
Hello world program
Hello world programHello world program
Hello world program
 
Jsf2 html5-jazoon
Jsf2 html5-jazoonJsf2 html5-jazoon
Jsf2 html5-jazoon
 
Batch file programming
Batch file programmingBatch file programming
Batch file programming
 
Botnets
BotnetsBotnets
Botnets
 
HTML 5 & CSS 3
HTML 5 & CSS 3HTML 5 & CSS 3
HTML 5 & CSS 3
 
Gears and HTML 5 @media Ajax London 2008
Gears and HTML 5 @media Ajax London 2008Gears and HTML 5 @media Ajax London 2008
Gears and HTML 5 @media Ajax London 2008
 
HTML5 & Friends
HTML5 & FriendsHTML5 & Friends
HTML5 & Friends
 
The Future of the Web: HTML5
The Future of the Web: HTML5The Future of the Web: HTML5
The Future of the Web: HTML5
 
Html 5 in a big nutshell
Html 5 in a big nutshellHtml 5 in a big nutshell
Html 5 in a big nutshell
 
What is strategic fit
What is strategic fitWhat is strategic fit
What is strategic fit
 
The 5 Senses Learning Game
The 5 Senses Learning GameThe 5 Senses Learning Game
The 5 Senses Learning Game
 
Up to Speed on HTML 5 and CSS 3
Up to Speed on HTML 5 and CSS 3Up to Speed on HTML 5 and CSS 3
Up to Speed on HTML 5 and CSS 3
 
ePub 3, HTML 5 & CSS 3 (+ Fixed-Layout)
ePub 3, HTML 5 & CSS 3 (+ Fixed-Layout)ePub 3, HTML 5 & CSS 3 (+ Fixed-Layout)
ePub 3, HTML 5 & CSS 3 (+ Fixed-Layout)
 

Similar to Zeus

Module 5 (system hacking)
Module 5 (system hacking)Module 5 (system hacking)
Module 5 (system hacking)Wail Hassan
 
Sophos what-is-zeus-tp
Sophos what-is-zeus-tpSophos what-is-zeus-tp
Sophos what-is-zeus-tpOnet Paradis
 
When developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part iiWhen developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part iiYury Chemerkin
 
Ransomware Trends 2017 & Mitigation Techniques
Ransomware Trends 2017 & Mitigation TechniquesRansomware Trends 2017 & Mitigation Techniques
Ransomware Trends 2017 & Mitigation TechniquesAvinash Sinha
 
Study on Zeus Banking Malware
Study on Zeus Banking MalwareStudy on Zeus Banking Malware
Study on Zeus Banking MalwareShaik Anisa
 
Information security & EthicalHacking
Information security & EthicalHackingInformation security & EthicalHacking
Information security & EthicalHackingAve Nawsh
 
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App Drive By Downloads: How To Avoid Getting a Cap Popped in Your App
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App Cenzic
 
Mitigating Malware Presentation Jkd 11 10 08 Aitp
Mitigating Malware Presentation Jkd 11 10 08 AitpMitigating Malware Presentation Jkd 11 10 08 Aitp
Mitigating Malware Presentation Jkd 11 10 08 AitpJoann Davis
 
A security strategy against steal and pass
A security strategy against steal and passA security strategy against steal and pass
A security strategy against steal and passIJNSA Journal
 
A SECURITY STRATEGY AGAINST STEAL-AND-PASS CREDENTIAL ATTACKS
A SECURITY STRATEGY AGAINST STEAL-AND-PASS CREDENTIAL ATTACKSA SECURITY STRATEGY AGAINST STEAL-AND-PASS CREDENTIAL ATTACKS
A SECURITY STRATEGY AGAINST STEAL-AND-PASS CREDENTIAL ATTACKSIJNSA Journal
 
A SECURITY STRATEGY AGAINST STEAL-AND-PASS CREDENTIAL ATTACKS
A SECURITY STRATEGY AGAINST STEAL-AND-PASS CREDENTIAL ATTACKSA SECURITY STRATEGY AGAINST STEAL-AND-PASS CREDENTIAL ATTACKS
A SECURITY STRATEGY AGAINST STEAL-AND-PASS CREDENTIAL ATTACKSIJNSA Journal
 
When developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part iiWhen developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part iiSTO STRATEGY
 
Introduction To Information Security
Introduction To Information SecurityIntroduction To Information Security
Introduction To Information Securitybelsis
 
Type of Malware and its different analysis and its types !
Type of Malware and its different analysis and its types !Type of Malware and its different analysis and its types !
Type of Malware and its different analysis and its types !Mohammed Jaseem Tp
 
FBI Game over Zeus (GOZ) Botnet poster
FBI Game over Zeus (GOZ) Botnet posterFBI Game over Zeus (GOZ) Botnet poster
FBI Game over Zeus (GOZ) Botnet posterDavid Sweigert
 
INTERNET SECURITY.pptx
INTERNET SECURITY.pptxINTERNET SECURITY.pptx
INTERNET SECURITY.pptxbabepa2317
 
Computer security and privacy
Computer security and privacyComputer security and privacy
Computer security and privacyHaider Ali Malik
 
RRB JE Stage 2 Computer and Applications Questions Part 5
RRB JE Stage 2 Computer and Applications Questions Part 5RRB JE Stage 2 Computer and Applications Questions Part 5
RRB JE Stage 2 Computer and Applications Questions Part 5CAS
 

Similar to Zeus (20)

Module 5 (system hacking)
Module 5 (system hacking)Module 5 (system hacking)
Module 5 (system hacking)
 
Sophos what-is-zeus-tp
Sophos what-is-zeus-tpSophos what-is-zeus-tp
Sophos what-is-zeus-tp
 
When developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part iiWhen developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part ii
 
Ransomware Trends 2017 & Mitigation Techniques
Ransomware Trends 2017 & Mitigation TechniquesRansomware Trends 2017 & Mitigation Techniques
Ransomware Trends 2017 & Mitigation Techniques
 
Study on Zeus Banking Malware
Study on Zeus Banking MalwareStudy on Zeus Banking Malware
Study on Zeus Banking Malware
 
Information security & EthicalHacking
Information security & EthicalHackingInformation security & EthicalHacking
Information security & EthicalHacking
 
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App Drive By Downloads: How To Avoid Getting a Cap Popped in Your App
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App
 
Mitigating Malware Presentation Jkd 11 10 08 Aitp
Mitigating Malware Presentation Jkd 11 10 08 AitpMitigating Malware Presentation Jkd 11 10 08 Aitp
Mitigating Malware Presentation Jkd 11 10 08 Aitp
 
Computer Security
Computer SecurityComputer Security
Computer Security
 
Computer crimes
Computer crimesComputer crimes
Computer crimes
 
A security strategy against steal and pass
A security strategy against steal and passA security strategy against steal and pass
A security strategy against steal and pass
 
A SECURITY STRATEGY AGAINST STEAL-AND-PASS CREDENTIAL ATTACKS
A SECURITY STRATEGY AGAINST STEAL-AND-PASS CREDENTIAL ATTACKSA SECURITY STRATEGY AGAINST STEAL-AND-PASS CREDENTIAL ATTACKS
A SECURITY STRATEGY AGAINST STEAL-AND-PASS CREDENTIAL ATTACKS
 
A SECURITY STRATEGY AGAINST STEAL-AND-PASS CREDENTIAL ATTACKS
A SECURITY STRATEGY AGAINST STEAL-AND-PASS CREDENTIAL ATTACKSA SECURITY STRATEGY AGAINST STEAL-AND-PASS CREDENTIAL ATTACKS
A SECURITY STRATEGY AGAINST STEAL-AND-PASS CREDENTIAL ATTACKS
 
When developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part iiWhen developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part ii
 
Introduction To Information Security
Introduction To Information SecurityIntroduction To Information Security
Introduction To Information Security
 
Type of Malware and its different analysis and its types !
Type of Malware and its different analysis and its types !Type of Malware and its different analysis and its types !
Type of Malware and its different analysis and its types !
 
FBI Game over Zeus (GOZ) Botnet poster
FBI Game over Zeus (GOZ) Botnet posterFBI Game over Zeus (GOZ) Botnet poster
FBI Game over Zeus (GOZ) Botnet poster
 
INTERNET SECURITY.pptx
INTERNET SECURITY.pptxINTERNET SECURITY.pptx
INTERNET SECURITY.pptx
 
Computer security and privacy
Computer security and privacyComputer security and privacy
Computer security and privacy
 
RRB JE Stage 2 Computer and Applications Questions Part 5
RRB JE Stage 2 Computer and Applications Questions Part 5RRB JE Stage 2 Computer and Applications Questions Part 5
RRB JE Stage 2 Computer and Applications Questions Part 5
 

Recently uploaded

The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?Antenna Manufacturer Coco
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEarley Information Science
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024Results
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsEnterprise Knowledge
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreternaman860154
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Drew Madelung
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsMaria Levchenko
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationSafe Software
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountPuma Security, LLC
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 

Recently uploaded (20)

The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 
What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?What Are The Drone Anti-jamming Systems Technology?
What Are The Drone Anti-jamming Systems Technology?
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptxEIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
EIS-Webinar-Prompt-Knowledge-Eng-2024-04-08.pptx
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024A Call to Action for Generative AI in 2024
A Call to Action for Generative AI in 2024
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
IAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI SolutionsIAC 2024 - IA Fast Track to Search Focused AI Solutions
IAC 2024 - IA Fast Track to Search Focused AI Solutions
 
Presentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreterPresentation on how to chat with PDF using ChatGPT code interpreter
Presentation on how to chat with PDF using ChatGPT code interpreter
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
Strategies for Unlocking Knowledge Management in Microsoft 365 in the Copilot...
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
Handwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed textsHandwritten Text Recognition for manuscripts and early printed texts
Handwritten Text Recognition for manuscripts and early printed texts
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Breaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path MountBreaking the Kubernetes Kill Chain: Host Path Mount
Breaking the Kubernetes Kill Chain: Host Path Mount
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 

Zeus

  • 1. Virus Programming – Zeus Trojan Introduction Zeus is a Trojan horse that steals banking information by keystroke logging and Form Grabbing. Zeus is spread mainly through drive-by downloads and phishing schemes. Zeus, also known as Zbot, is a malware package that is readily available for sale and also traded in underground forums. The package contains a builder that can generate a bot executable and Web server files (PHP, images, SQL templates) for use as the command and control server. While Zbot is a generic back door that allows full control by an unauthorized remote user, the primary function of Zbot is financial gain—stealing online credentials such as FTP, email, online banking, and other online passwords. Zeus is primarily a crimeware kit designed to steal users‟ online banking login credentials, among other things. It is the handiwork of Eastern European organized criminals that has now entered the underground cybercriminal market as a commodity. Zeus is a botnet package that can be purchased for as low as 700 USD and up to 15,000 USD for the newest version with all available features and can also be found freely traded as well. The bot can be found worldwide and thus remains consistently prevalent in compromising unprotected computers. In short, Zeus is two things: • From a technical perspective, it is a crimeware tool primarily used to steal money. • From another perspective, it signals a new wave in online criminal business enterprise wherein many different organizations cooperate with one another to perpetrate outright online theft and fraud. 1
  • 2. Virus Programming – Zeus Trojan Technical Facts The technical aspect of Zeus is really not that complicated, at least from a functional perspective. It does use a complex encryption technique but explaining its functionality is pretty simple. It has the three components: 1. Zeus Trojan 2. Zeus configuration file (config) 3. Zeus drop zone where stolen credentials are sent The Zeus botnet uses several delivery methods in the first stage—the Trojan. Once the Zeus Trojan is executed, it downloads its configuration file from a predetermined location then waits for the victim to log in to a particular target that its configfile has defined, which usually comprises a selection of banks, their login URLs, and the like. Unlike traditional keyloggers, Zeus Trojans are “men-in-the-browser” agents that grab variables from a browser session such as an online banking session. This makes Zeus especially dangerous because it also has the ability to inject additional form fields into a legitimate Web session. Injecting these additional fields can fraudulently urge victims to surrender more information than they would normally be required to in a session, for instance, with their banks. Some Zeus variants also contain a nasty feature called “JabberZeuS,” which immediately relays victims‟ login credentials to cybercriminals in real-time via an instant messenger (IM). This allows cybercriminals to bypass multifactor authentication schemes to log in to victims‟ accounts and to wire money to third parties, virtually piggybacking on the victims‟ sessions. This is where the Zeus botnet‟s real power lays, the core nature of which is wholesale theft. 2
  • 3. Virus Programming – Zeus Trojan How it works? Because Zbot is a package that is readily available, vectors of infection vary widely, with popular methods including drive-by download and SPAM. SPAM runs of Zbot are a regular occurrence using social engineering tactics, impersonating organizations such as the FDIC, IRS, MySpace, Facebook, and Microsoft, as shown in figure 3 on the next page. Once the bot is executed, the following actions take place: It copies itself to %system32%sdra64.exe. It sets the previous path to HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTwinlogonuserinit, so that winlogon.exe spawns the process at startup time. It looks for winlogon.exe, increases its privileges, injects its code and a string table into this process, and creates a thread to execute this code. The main bot executable terminates The injected code in winlogon injects additional code into svchost.exe. It also creates a folder named %System%lowsec and puts two files inside: local.ds and user.ds. Local.ds is the latest dynamic configuration file downloaded from the server. User.ds contains stolen credentials and other information to be transmitted to the server. The code inside svchost is responsible for network communication and third-party process injection required to hook Internet-related APIs in order to inject or steal information to/from banking sites The communication between these various injected components is done with mutexes and pipes, maliciously named _AVIRA_x, where x is a number (eg: x=2109 in winlogon.exe, x=2108 in svchost.exe). If Zeus is run using an account that does not have Administrator privileges, code will not be injected into winlogon.exe, but instead into explorer.exe. Also, instead of copying itself to the %System% folder, the bot will copy itself to %UserProfile%Application Datasdra64.exe, and create the folder %UserProfile%Application Datalowsec. Finally, the bot will create a load point under the registry key HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun”userinit”=” %UserProfile%Application Datasdra64.exe”. 3
  • 4. Virus Programming – Zeus Trojan Functionality The main purpose of Zeus is to steal online credentials as specified by the hacker. Zeus performs four main actions: Gathering system information. Stealing protected storage information, FTP passwords, and POP3 passwords. Stealing online credential information as specified by a configuration file. Contacting the command and control server for additional tasks to perform. System Information Gathering By default Zeus will automatically gather a variety of system information and send this information to the command and control server. This information includes: A unique bot identification string Name of the botnet Version of the bot Operating system version Operating system language Local time of the compromised computer Uptime of the bot Last report time Country of the compromised computer IP address of the compromised computer Process names Credential Stealing Zeus‟ main purpose is to steal online credentials and does so in two manners—by automatic actions hardcoded in the binary and also using configuration files that are included in the Zeus binary, but also downloadable from the command and control server. After Zeus is executed, it will automatically steal information stored in the PSTORE (Protected Storage), which usually contains saved Internet Explorer passwords and also automatically captures any FTP or POP3 (email) passwords that are sent across the network in the clear. However, Zeus‟ most effective means of financial gain is controlled via a configuration file modified by the distributor of the Trojan. This configuration file specifies actions to perform once Zeus is installed and is updatable via the command and control server. Web Page Injection Many online banking and other Web sites that require credentials have evolved to evade standard keystroke logging or network-sniffing attacks. Thus, many credential-stealing threats now utilize HTML injection techniques to obtain credential information. In particular, these threats inject additional HTML into legitimate pages that cause the user to input credential information not actually required by the financial Web site or HTML content that 4
  • 5. Virus Programming – Zeus Trojan defeats client-side security techniques, such as hashing credentials before they are sent over the wire. Sample Web injections are provided in the Zeus package and are defined in the configuration file. Below is an example of injection configuration block: set_urlhttp://www.[REMOVED].com/contact.php data_before name=‟email‟*</tr> data_end data_inject <tr><td>PIN:</td><td><input type=”text” name=”pinnumber” id=”pinnumber” /></td></tr> data_end data_after data_end On any Web page matching the URL http://www.[REMOVED].com/content.php, the HTML defined by „data_inject‟ is added after the string “email*</tr>” in the existing page. Before the injection, the targeted form on the Web page looks like figure1. After the injection, looks like figure2. When the form is sent, the Zeus will intercept the content of the form including the PIN number and send this information to the command and control server, as shown in figure. The syntax also allows for HTML to be replaced rather than just added by also specifying the „data_after‟ field. When this field is specified, then the HTML specified by data_inject will replace the HTML content between „data_before‟ and „data_after‟. Replacement HTML is usually used to modify or hijack JavaScript that is used for client side security purposes. For example, many online banking sites with increased security will hash the credentials before sending the credentials over the wire. This JavaScript routine used for hashing will be hijacked to also preserve the plaintext credentials and send them using non-visible form fields, which will then be intercepted and sent to the command and control servers. Web page before injection :- 5
  • 6. Virus Programming – Zeus Trojan Web page after injection :- Zeus Infection Chain The following figure shows how a typical Zeus infection takes place. 6
  • 7. Virus Programming – Zeus Trojan Conclusion Zeus provides a ready-to-deploy package for hackers to distribute their own botnet. The botnet is easily purchased and also freely traded online and continues to be updated to provide new features and functionality. The ease-of-use of Zeus means the Zeus bot is used widely and is highly prevalent, allowing the most novice hackers to easily steal online banking credentials and other online credentials for financial gain. 7