


Zeus is a Trojan horse that steals banking information by keystroke logging and Form Grabbing.



Virus Programming – Zeus Trojan

Introduction

Zeus is a Trojan horse that steals banking information by keystroke logging and Form Grabbing. Zeus is spread mainly through drive-by downloads and phishing schemes.

Zeus, also known as Zbot, is a malware package that is readily available for sale and also traded in underground forums. The package contains a builder that can generate a bot executable and Web server files (PHP, images, SQL templates) for use as the command and control server. While Zbot is a generic back door that allows full control by an unauthorized remote user, the primary function of Zbot is financial gain—stealing online credentials such as FTP, email, online banking, and other online passwords.

Zeus is primarily a crimeware kit designed to steal users' online banking login credentials, among other things. It is the handiwork of Eastern European organized criminals that has now entered the underground cybercriminal market as a commodity.

Zeus is a botnet package that can be purchased for as low as 700 USD and up to 15,000 USD for the newest version with all available features, and can also be found freely traded. The bot can be found worldwide and thus remains consistently prevalent in compromising unprotected computers.

In short, Zeus is two things:
• From a technical perspective, it is a crimeware tool primarily used to steal money.
• From another perspective, it signals a new wave in online criminal business enterprise wherein many different organizations cooperate with one another to perpetrate outright online theft and fraud.
Technical Facts

The technical aspect of Zeus is really not that complicated, at least from a functional perspective. It does use a complex encryption technique, but explaining its functionality is pretty simple. It has three components:
1. Zeus Trojan
2. Zeus configuration file (config)
3. Zeus drop zone where stolen credentials are sent

The Zeus botnet uses several delivery methods in the first stage—the Trojan. Once the Zeus Trojan is executed, it downloads its configuration file from a predetermined location, then waits for the victim to log in to a particular target that its config file has defined, which usually comprises a selection of banks, their login URLs, and the like.

Unlike traditional keyloggers, Zeus Trojans are "men-in-the-browser" agents that grab variables from a browser session such as an online banking session. This makes Zeus especially dangerous because it also has the ability to inject additional form fields into a legitimate Web session. Injecting these additional fields can fraudulently urge victims to surrender more information than they would normally be required to in a session, for instance, with their banks.

Some Zeus variants also contain a nasty feature called "JabberZeuS," which immediately relays victims' login credentials to cybercriminals in real time via an instant messenger (IM). This allows cybercriminals to bypass multifactor authentication schemes to log in to victims' accounts and to wire money to third parties, virtually piggybacking on the victims' sessions. This is where the Zeus botnet's real power lies, the core nature of which is wholesale theft.
How it works

Because Zbot is a package that is readily available, vectors of infection vary widely, with popular methods including drive-by download and SPAM. SPAM runs of Zbot are a regular occurrence using social engineering tactics, impersonating organizations such as the FDIC, IRS, MySpace, Facebook, and Microsoft, as shown in figure 3 on the next page.

Once the bot is executed, the following actions take place:
• It copies itself to %system32%\sdra64.exe.
• It sets the previous path in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\winlogon\userinit, so that winlogon.exe spawns the process at startup time.
• It looks for winlogon.exe, increases its privileges, injects its code and a string table into this process, and creates a thread to execute this code.
• The main bot executable terminates.
• The injected code in winlogon injects additional code into svchost.exe.
• It also creates a folder named %System%\lowsec and puts two files inside: local.ds and user.ds. Local.ds is the latest dynamic configuration file downloaded from the server. User.ds contains stolen credentials and other information to be transmitted to the server.
• The code inside svchost is responsible for network communication and third-party process injection required to hook Internet-related APIs in order to inject or steal information to/from banking sites.
• The communication between these various injected components is done with mutexes and pipes, maliciously named _AVIRA_x, where x is a number (e.g. x=2109 in winlogon.exe, x=2108 in svchost.exe).

If Zeus is run using an account that does not have Administrator privileges, code will not be injected into winlogon.exe, but instead into explorer.exe. Also, instead of copying itself to the %System% folder, the bot will copy itself to %UserProfile%\Application Data\sdra64.exe, and create the folder %UserProfile%\Application Data\lowsec. Finally, the bot will create a load point under the registry key HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run: "userinit"="%UserProfile%\Application Data\sdra64.exe".
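The load points, drop folder and IPC object names listed above are exactly what a responder looks for when triaging a suspected Zbot host. The following is an added example (not code from the slide deck or from any Zeus analysis tool) that runs those checks over a host snapshot. The snapshot layout (a dict of registry values, file paths and mutex names) is an assumption made so the check runs offline; on a live host the same data would come from a registry export, a directory listing and a handle enumeration. It generalizes the slide slightly: any extra entry in the Winlogon Userinit value is reported, not only sdra64.exe, because the bot keeps the legitimate entry and appends its own.

```python
"""Triage a host snapshot for the Zeus/Zbot persistence and IPC artifacts named on the slide."""
import re
from typing import Dict, List, Tuple

BOT_FILENAME = "sdra64.exe"                    # dropper filename from the slide
LOWSEC_DIR = "lowsec"                          # folder holding local.ds / user.ds
LOWSEC_ROLE = {"local.ds": "dynamic config", "user.ds": "stolen credentials"}
MUTEX_RE = re.compile(r"^_AVIRA_(\d+)$")       # IPC mutex/pipe pattern _AVIRA_x

Finding = Tuple[str, str]  # (artifact class, description)

# Constructed snapshots (not real data). Key paths are written out in full here; the
# slide abbreviates the Winlogon path.
SAMPLE_ADMIN = {  # bot ran with admin rights: system folder + machine-wide Userinit
    "registry": {
        r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit":
            r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,",
        r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ctfmon":
            r"C:\WINDOWS\system32\ctfmon.exe",
    },
    "files": [r"C:\WINDOWS\system32\sdra64.exe", r"C:\WINDOWS\system32\lowsec\local.ds",
              r"C:\WINDOWS\system32\lowsec\user.ds", r"C:\WINDOWS\system32\notepad.exe"],
    "mutexes": ["_AVIRA_2109", "_AVIRA_2108", "ShimCacheMutex"],
}
SAMPLE_USER = {  # non-admin branch: Application Data + per-user Run value "userinit"
    "registry": {
        r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit":
            r"C:\WINDOWS\system32\userinit.exe,",
        r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\userinit":
            r"C:\Documents and Settings\alice\Application Data\sdra64.exe",
    },
    "files": [r"C:\Documents and Settings\alice\Application Data\sdra64.exe",
              r"C:\Documents and Settings\alice\Application Data\lowsec\local.ds"],
    "mutexes": [],
}
SAMPLE_CLEAN = {
    "registry": {
        r"HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit":
            r"C:\WINDOWS\system32\userinit.exe,",
    },
    "files": [r"C:\WINDOWS\system32\notepad.exe"],
    "mutexes": ["ShimCacheMutex"],
}


def extra_userinit_entries(data: str) -> List[str]:
    """Entries in the comma-separated Userinit value other than userinit.exe itself."""
    entries = [e.strip() for e in data.split(",") if e.strip()]
    return [e for e in entries if e.lower().split("\\")[-1] != "userinit.exe"]


def triage_zeus_persistence(snapshot: Dict) -> List[Finding]:
    findings: List[Finding] = []
    for key, data in snapshot.get("registry", {}).items():
        k = key.lower()
        if k.endswith("\\winlogon\\userinit"):
            for extra in extra_userinit_entries(data):
                findings.append(("registry", f"Userinit spawns extra program: {extra}"))
        elif "\\currentversion\\run\\" in k:
            # Non-admin install: Run value named "userinit" or any value pointing at the dropper
            if k.endswith("\\userinit") or BOT_FILENAME in data.lower():
                findings.append(("registry", f"Run load point: {key} = {data}"))

    lowsec_dirs: Dict[str, set] = {}
    for path in snapshot.get("files", []):
        parts = path.lower().split("\\")
        name = parts[-1]
        if name == BOT_FILENAME:
            findings.append(("file", f"bot executable present: {path}"))
        if len(parts) >= 2 and parts[-2] == LOWSEC_DIR and name in LOWSEC_ROLE:
            lowsec_dirs.setdefault("\\".join(parts[:-1]), set()).add(name)
    for directory, names in sorted(lowsec_dirs.items()):
        desc = ", ".join(f"{n} ({LOWSEC_ROLE[n]})" for n in sorted(names))
        findings.append(("file", f"lowsec store {directory}: {desc}"))

    # The name imitates an AV vendor, so a mutex hit alone is weak; corroborate with the above.
    for mutex in snapshot.get("mutexes", []):
        m = MUTEX_RE.match(mutex)
        if m:
            findings.append(("mutex", f"Zbot IPC object {mutex} (x={m.group(1)})"))
    return findings


def install_context(snapshot: Dict) -> str:
    """'admin' if the dropper sits under system32, 'user' if under Application Data, else 'none'."""
    for path in snapshot.get("files", []):
        p = path.lower()
        if p.endswith("\\" + BOT_FILENAME):
            if "\\application data\\" in p:
                return "user"
            if "\\system32\\" in p:
                return "admin"
    return "none"


if __name__ == "__main__":
    for label, snap in (("admin", SAMPLE_ADMIN), ("user", SAMPLE_USER), ("clean", SAMPLE_CLEAN)):
        print(label, install_context(snap))
        for cls, desc in triage_zeus_persistence(snap):
            print("  ", cls, desc)
```

The Userinit check is the one worth keeping in a baseline: the value should list only userinit.exe, so any appended program is a finding whatever it is called.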
Functionality

The main purpose of Zeus is to steal online credentials as specified by the hacker. Zeus performs four main actions:
• Gathering system information.
• Stealing protected storage information, FTP passwords, and POP3 passwords.
• Stealing online credential information as specified by a configuration file.
• Contacting the command and control server for additional tasks to perform.

System Information Gathering

By default Zeus will automatically gather a variety of system information and send this information to the command and control server. This information includes:
• A unique bot identification string
• Name of the botnet
• Version of the bot
• Operating system version
• Operating system language
• Local time of the compromised computer
• Uptime of the bot
• Last report time
• Country of the compromised computer
• IP address of the compromised computer
• Process names

Credential Stealing

Zeus' main purpose is to steal online credentials and does so in two manners—by automatic actions hardcoded in the binary and also using configuration files that are included in the Zeus binary, but also downloadable from the command and control server.

After Zeus is executed, it will automatically steal information stored in the PSTORE (Protected Storage), which usually contains saved Internet Explorer passwords, and also automatically captures any FTP or POP3 (email) passwords that are sent across the network in the clear.

However, Zeus' most effective means of financial gain is controlled via a configuration file modified by the distributor of the Trojan. This configuration file specifies actions to perform once Zeus is installed and is updatable via the command and control server.

Web Page Injection

Many online banking and other Web sites that require credentials have evolved to evade standard keystroke logging or network-sniffing attacks. Thus, many credential-stealing threats now utilize HTML injection techniques to obtain credential information. In particular, these threats inject additional HTML into legitimate pages that cause the user to input credential information not actually required by the financial Web site, or HTML content that defeats client-side security techniques, such as hashing credentials before they are sent over the wire.

Sample Web injections are provided in the Zeus package and are defined in the configuration file. Below is an example of an injection configuration block:

set_url http://www.[REMOVED].com/contact.php
data_before
name='email'*</tr>
data_end
data_inject
<tr><td>PIN:</td><td><input type="text" name="pinnumber" id="pinnumber" /></td></tr>
data_end
data_after
data_end

On any Web page matching the URL http://www.[REMOVED].com/content.php, the HTML defined by 'data_inject' is added after the string "email*</tr>" in the existing page. Before the injection, the targeted form on the Web page looks like figure 1. After the injection, it looks like figure 2. When the form is sent, Zeus will intercept the content of the form including the PIN number and send this information to the command and control server, as shown in the figure.

The syntax also allows for HTML to be replaced rather than just added by also specifying the 'data_after' field. When this field is specified, the HTML specified by data_inject will replace the HTML content between 'data_before' and 'data_after'. Replacement HTML is usually used to modify or hijack JavaScript that is used for client side security purposes. For example, many online banking sites with increased security will hash the credentials before sending the credentials over the wire. This JavaScript routine used for hashing will be hijacked to also preserve the plaintext credentials and send them using non-visible form fields, which will then be intercepted and sent to the command and control servers.

Web page before injection:
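An analyst who has decrypted a bot's local.ds usually wants two things from blocks like the one above: the list of targeted URLs, and a preview of what each entry would do to a captured copy of the legitimate page (the "before" and "after" the figures show). The following is an added example, not the Zeus builder's own parser or any vendor's tool, covering both the insert case in the block above and the replace case (non-empty data_after) described in the last paragraph. Assumptions made here: '*' in set_url, data_before and data_after is a wildcard for any run of characters; extra tokens after the URL on set_url are ignored; and in replace mode both anchors are kept and only the HTML between them is swapped out. The sample config and page are constructed; the domain is the slide's placeholder.

```python
"""Parse the web-inject block syntax shown on the slide and preview an entry's effect on a page."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: the slide's insert-mode block followed by a replace-mode block.
SAMPLE_CONFIG = """\
set_url http://www.[REMOVED].com/contact.php
data_before
name='email'*</tr>
data_end
data_inject
<tr><td>PIN:</td><td><input type="text" name="pinnumber" id="pinnumber" /></td></tr>
data_end
data_after
data_end
set_url http://www.[REMOVED].com/*
data_before
<span id="notice">
data_end
data_inject
Please also enter your PIN below.
data_end
data_after
</span>
data_end
"""

# Constructed stand-in for the legitimate page a victim's browser would have received.
SAMPLE_PAGE = """<form action="/login" method="post"><table>
<tr><td>Email:</td><td><input type="text" name='email' id='email' /></td></tr>
<tr><td>Password:</td><td><input type="password" name='password' /></td></tr>
</table></form><span id="notice">Welcome back</span>"""


@dataclass
class WebInject:
    url: str
    before: str = ""
    inject: str = ""
    after: str = ""

    @property
    def mode(self) -> str:
        # Per the slide: data_after present -> replacement, otherwise plain insertion.
        return "replace" if self.after else "insert"


def parse_webinjects(text: str) -> List[WebInject]:
    entries: List[WebInject] = []
    section: Optional[str] = None   # "before" / "inject" / "after" while inside a block
    buf: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if section is not None:
            if line == "data_end":
                setattr(entries[-1], section, "\n".join(buf))
                section, buf = None, []
            else:
                buf.append(raw)       # keep the HTML exactly as written
            continue
        if line.startswith("set_url"):
            tokens = line.split()
            if len(tokens) < 2:
                raise ValueError("set_url without a URL")
            entries.append(WebInject(url=tokens[1]))   # trailing flags ignored (assumption)
        elif line in ("data_before", "data_inject", "data_after"):
            if not entries:
                raise ValueError(f"{line} before any set_url")
            section = line[len("data_"):]
        elif line:
            raise ValueError(f"unrecognised line: {line!r}")
    if section is not None:
        raise ValueError(f"unterminated data_{section} block")
    return entries


def _wild(pattern: str) -> re.Pattern:
    """Translate the config's '*' wildcard into a lazy regex; everything else is literal."""
    return re.compile(".*?".join(re.escape(p) for p in pattern.split("*")), re.DOTALL)


def url_matches(inj: WebInject, url: str) -> bool:
    return _wild(inj.url).fullmatch(url) is not None


def targets(entries: List[WebInject]) -> List[Tuple[str, str]]:
    """(url pattern, mode) pairs: the list worth handing to the affected site's owners."""
    return [(e.url, e.mode) for e in entries]


def apply_inject(html: str, inj: WebInject) -> str:
    """Preview the modified page; an absent anchor leaves the page untouched."""
    m_before = _wild(inj.before).search(html)
    if not m_before:
        return html
    if inj.mode == "insert":
        return html[:m_before.end()] + inj.inject + html[m_before.end():]
    m_after = _wild(inj.after).search(html, m_before.end())
    if not m_after:
        return html
    return html[:m_before.end()] + inj.inject + html[m_after.start():]


if __name__ == "__main__":
    entries = parse_webinjects(SAMPLE_CONFIG)
    print(targets(entries))
    page = SAMPLE_PAGE
    for e in entries:
        if url_matches(e, "http://www.[REMOVED].com/contact.php"):
            page = apply_inject(page, e)
    print(page)
```

Run against a decrypted config, targets() gives the URL list to notify; apply_inject() on a saved copy of the real page reproduces the before/after pair without touching a live session.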
Web page after injection:

Zeus Infection Chain

The following figure shows how a typical Zeus infection takes place.
Conclusion

Zeus provides a ready-to-deploy package for hackers to distribute their own botnet. The botnet is easily purchased and also freely traded online, and continues to be updated to provide new features and functionality. The ease of use of Zeus means the Zeus bot is used widely and is highly prevalent, allowing the most novice hackers to easily steal online banking credentials and other online credentials for financial gain.