3. Contents of presentation
✘ Introduction
✘ Case study
✘ What does Zeus Malware do to Computers?
✘ How does it work?
✘ Types of data targeted by Zeus
✘ Impact of Zeus
✘ Detection of ZeuS
✘ Protection
✘ Conclusion
✘ References
4. Introduction
✘ With the rise of widespread broadband Internet access, malware has emerged as the primary vehicle for organized cybercrime.
✘ Most malware is now geared towards making a profit and enabling financial gain, which has led to increased attacks on banking and financial systems.
✘ Zeus (also known as Zbot, Kneber, PRG, NTOS, Wsnpoem and Gorhax) is a crimeware kit designed to steal banking information and credentials.
✘ It is used by cyber criminals across the globe and is designed to steal users’ online banking details as well as other important credentials. Today, Zeus is estimated to account for some 44% of banking malware infections.
5. “I didn’t invent forensic science and medicine. I just was one of the people to recognize how interesting it is.”
- Patricia Cornwell
7. Overview of the case
✘ County treasurer had ZeuS malware on his PC
✘ Criminals stole credentials and logged in to bank accounts from the treasurer’s PC.
• Reconnaissance used to plan the theft
• Mule recruitment via Careerbuilder.com
• Mules set up as fictitious employees
• Mules received $9,700 each and sent $8,700 to Ukraine via Western Union
✘ Transactions were wire transfers
✘ Total of $415k stolen
8. Background story
Two features of the Zeus variant used in this case stand out:
1. The first is that stolen credentials are sent immediately via instant message to the attackers.
2. The second, more interesting, feature is that it creates a direct connection between the infected Microsoft Windows system and the attackers, allowing the bad guys to log in to the victim's bank account using the victim's own Internet connection.
3. By connecting through the victim's PC or Internet connection, the bad guys avoid raising suspicion.
9. Forensic Investigation Report
✘ The attackers somehow got the Zeus Trojan onto the county treasurer's PC and used it to steal the username and password the treasurer needed to access e-mail and the county's bank account.
✘ Once logged in, the criminals changed the judge's password, as well as the e-mail address tied to the judge's account.
✘ They then created several fictitious employees of the county and created a batch of wire transfers to those individuals to be approved.
✘ The attackers then retrieved the passphrase from the e-mail and logged in again with the judge's new credentials and the one-time passphrase.
10. The Role of the Money Mules - Scammed Into Serving
✘ Both were females under the age of 35 who were initially contacted after placing their resumes on Careerbuilder.com. Each received e-mails from a company calling itself Fairlove Delivery Service. Both women agreed to speak with Security Fix on the condition of anonymity.
✘ They were hired by Fairlove to edit documents for grammar and flow, and were promised $8 for each kilobyte of data they processed (see the initial Careerbuilder scam e-mail here). The documents they were hired to edit were often full of grammatical errors and faulty or missing punctuation. Both money mules said it appeared that whoever wrote the letters was not a native English speaker.
11. Zeus
✘ Zeus was first used in 2007 to steal information from the United States Department of Transportation, but has evolved over time. The ease of use of Zeus has made it an ideal tool for even novice hackers to steal banking-related information from an individual or customer-related data from a server. Being freely traded in underground forums, it has become widely prevalent and is now distributed by multiple, unrelated parties.
✘ Zeus had compromised over 74,000 FTP accounts on the websites of such companies as the Bank of America, NASA, Monster, ABC, Oracle, Cisco, Amazon, and BusinessWeek.
12. What does Zeus Malware do to Computers?
Zeus malware can do a variety of things once it infects a system; however, its functionality has two main parts.
• Primarily, it creates a botnet: the infected machines are managed as a group, without their owners’ knowledge, by a command and control server under the control of the malware’s owner. The botnet enables the owner to gather massive amounts of information or execute large-scale attacks.
• The malware is designed to recognize when the user is on a banking website and records the keystrokes used to log in. Although Zeus itself has now been largely neutralized, the Trojan lives on, as its components are used in a large number of new and emerging malware.
15. How does it spread?
✘ Drive-By Downloads
• A drive-by download happens when the user visits a website or clicks a misleading pop-up window.
• It usually exploits outdated systems with security flaws.
✘ Spam campaigns
• The user receives an e-mail message that appears to come from a well-known organization, with some false banking information attached or with a link included in the e-mail.
• Once the user clicks the link or downloads the attached file, the system is infected.
17. Types of data being targeted by ZeuS
Fig: Sample of banking information collected from an infected system.
18. Fig: Sample of banking transaction information collected from an infected system.
19. The screenshot shows the same user posting account usernames and passwords to try to prove that there is valuable data in the stolen ZeuS database file.
20. Impact of Zeus
✘ Financial Damage
• According to security company Trusteer, Zeus alone accounts for 44% of all banking malware infections. Many cases involve SMBs who have had huge amounts transferred out of their accounts without their knowledge.
✘ Damage to Goodwill
• Such incidents also cause a huge loss of reputation and bad publicity for the bank, in addition to a loss of confidence among customers, who transfer their accounts to other banks. Since trust is fundamental to banking institutions, such incidents lead to decreased growth.
21. Zeus has been the reason for millions of infected PCs
A criminal gang wielding a new version of Zeus malware that's designed for mobile devices has stolen an estimated 36 million euros, or $47 million, from more than 30,000 corporate and private banking customers.
22. Top 10 Most Dangerous Malware That Can Empty Your Bank Account
https://heimdalsecurity.com/blog/top-financial-malware/
23. Detection of ZeuS
✘ With Administrator rights:
%systemroot%\system32\sdra64.exe (malware)
%systemroot%\system32\lowsec (directory)
%systemroot%\system32\lowsec\user.ds (encrypted stolen data file)
%systemroot%\system32\lowsec\user.ds.lll (temporary file for stolen data)
%systemroot%\system32\lowsec\local.ds (encrypted configuration file)
✘ Without Administrator rights:
%appdata%\sdra64.exe
%appdata%\lowsec (directory)
%appdata%\lowsec\user.ds
%appdata%\lowsec\user.ds.lll
%appdata%\lowsec\local.ds
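As an added example that is not part of the presentation, the following PowerShell sweep checks a Windows host for the artifact paths listed above (the path separators are assumed from the slide's %systemroot% and %appdata% prefixes); it is read-only, reporting and hashing what it finds without deleting anything.

```powershell
# Added example, not from the presentation: read-only sweep of a Windows host
# for the ZeuS file artifacts listed on this slide. Run elevated so the
# system32 locations are readable; it reports and hashes, it removes nothing.

$systemPaths = 'system32\sdra64.exe',
               'system32\lowsec',
               'system32\lowsec\user.ds',
               'system32\lowsec\user.ds.lll',
               'system32\lowsec\local.ds' |
    ForEach-Object { Join-Path $env:SystemRoot $_ }

$userPaths = 'sdra64.exe',
             'lowsec',
             'lowsec\user.ds',
             'lowsec\user.ds.lll',
             'lowsec\local.ds' |
    ForEach-Object { Join-Path $env:APPDATA $_ }

$hits = foreach ($path in @($systemPaths) + @($userPaths)) {
    # Test-Path sees hidden files; -Force is needed to read their attributes
    if (Test-Path -LiteralPath $path) {
        $item = Get-Item -LiteralPath $path -Force
        [pscustomobject]@{
            Path   = $path
            Hidden = ($item.Attributes -band [IO.FileAttributes]::Hidden) -ne 0
            Size   = if ($item.PSIsContainer) { $null } else { $item.Length }
            SHA256 = if ($item.PSIsContainer) { $null } else {
                         (Get-FileHash -LiteralPath $path -Algorithm SHA256).Hash }
        }
    }
}

if ($hits) {
    Write-Warning "ZeuS file artifacts present on $env:COMPUTERNAME; isolate the host and preserve the files for analysis."
    $hits | Format-Table -AutoSize
} else {
    "No ZeuS file artifacts found under SystemRoot or APPDATA on $env:COMPUTERNAME."
}
```

$env:APPDATA only covers the profile of the user running the script, so on a shared machine the same relative paths should also be checked under each profile in C:\Users.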
24. Protection of endpoints
✘ For Individual Users:
• Never visit suspicious websites
• Be careful when opening e-mails or attachments from unknown sources
• Back up your files regularly
• Always keep pop-up blockers enabled
• Keep your computer's OS and antivirus software up to date
✘ For Businesses (Corporates):
• Implement stringent controls on privileged accounts
• Have a proper data backup and recovery plan
• Make sure all corporate-connected devices are up to date
25. Top 5 victim countries affected by Zeus
✘ Mexico
✘ Egypt
✘ Saudi Arabia
✘ Turkey
✘ USA
26. Conclusion
ZeuS is the most significant banking malware currently in existence. The
scope of threat from ZeuS and its derivatives has been growing as the
functionality of its toolkit expands. Mobile malware is a new frontier and
the rise in mobile devices means a rise in mobile botnets. All internet and
mobile device users are potential targets and the threat will increase as
malware continues to extend in functionality, availability and ease of use.
Organizations need to understand that the Zeus virus is still out there and
take steps to protect their finances and sensitive information.
27. References
✘ “2009 Internet Crime Report” released by the Internet Crime Complaint Center (IC3)
✘ https://www.networkworld.com/article/2226723/us-takes-out-gang-that-used-zeus-malware-to-steal-millions.html
✘ www.unisys.com
✘ https://enterprise.comodo.com/blog/what-is-zeus-malware/
✘ Adham, Manal, Azodi, Amir, Desmedt, Yvo, & Karaolis, Ioannis. (2013). How to Attack Two-Factor Authentication Internet Banking. In A.-R. Sadeghi (Ed.), Financial Cryptography and Data Security (pp. 322-328). Springer Berlin Heidelberg.
✘ https://econinfosec.org/archive/weis2014/papers/Tajalizadehkhoob-WEIS2014.pdf
✘ https://ieeexplore.ieee.org/abstract/document/7345443