General News
Antivirus Reviews
Network Defense
Phishing Scams
Virus Alerts
Security Forums
Desktop Security
Malware Removal Help
Spam Blocking
Patches and Hotfixes
Antivirus Support

Network Security
Firewalls and Routers
Intrusion Detection
Web Proxies
Quick Resources
About Antisource
Malware Threats Triangle
Free Virus Scan
Virus Map


Sunday, February 07, 2010
Author: Richard S. Westmoreland
Permalink: zeus-botnet-summary
Network Defense
Email Article to a Colleague Printer-Friendly Version Author's Profile

ZeuS is a nasty piece of malware to be compromised with.

This is a generic summary of ZeuS and its origins:

Zeus (also known as Zbot, Kneber, PRG, NTOS, Wsnpoem and Gorhax) is a crimeware kit designed to steal banking information and credentials through various means. The Zeus trojan is spread mainly through drive-by downloads and phishing schemes. First identified in July 2007 when it was used to steal information from the United States Department of Transportation, it became more widespread in March 2009. In June 2009, security company Prevx discovered that Zeus had compromised over 74,000 FTP accounts on websites of such companies as the Bank of America, NASA, Monster, ABC, Oracle, Cisco, Amazon, and BusinessWeek.

This trojan has many versions, botnets (each owned by different groups), and vectors of attack. It started out as a Do-It-Yourself kit, purchased and modified with its own features. Some of the more common variants are easier to recognize, but some compromises are very stealthy targeted attacks. The polymorphic nature of ZeuS can be seen over the years:

On April 22nd, 2008:

The phishing Web site tries to exploit any software vulnerabilities, and if it finds one, will then load the Zeus Trojan onto the PC. Zeus is particularly dangerous: it can collect data on forms, take screen shots, pilfer passwords from browsers and remotely control the computer, Maimon wrote.

Zeus also comes in at least 150 flavors. One of the phishing kits being sold now for US$700 masks how Zeus appears to security programs. That kit uses a binary generator, which creates a new binary file for Zeus for every kit.

Antivirus programs uses signatures, or data files, that describe what malicious programs "look" like in order to be detected. But creating new binaries can render security programs blind. Most of the popular antivirus programs can't detect the variants.

On May 15th, 2008:

Online fraudsters that aren't highly skilled in the arts of cyber crime can now rent a service that offers an all-in-one hosting server with a built-in Zeus trojan administration panel and infecting tools, allowing them to create their own botnet.

EMC's security division, the RSA Anti-Fraud Command Centre (AFCC), cited an increase in the use of the Zeus trojan in attacks against financial institutions in its April online fraud report, claiming the trojan is "extremely user friendly and easy to operate".

Over the years it has continued to show up in the news with additional twists and turns:

On May 8th, 2009:

Botnets aren't just dangerous because they can steal massive amounts of personal data and launch denial-of-service attacks�they can also self-destruct, leaving the owners of affected machines in the dust. The controllers of one such botnet recently hit the kill switch for one reason or another, taking down some 100,000 infected computers with it.

On September 12, 2009:

Researchers at the University of Alabama at Birmingham continue to study the Zeus Bot trojan this week as a new spam campaign seeks to extend this already prolific bank robbery malware. This is the fourth major Zeus-spreading spam campaign that we've seen hit the UAB Spam Data Mine in the past few months.

The email, which uses a subject line "Notice of Underreported Income" and claims to be sent from "Internal Revenue Service" claims that you need to visit a website to review an issue of "Unreported/Underreported Income" which seems to have been detected by the "Fraud Application" at the IRS.

On October 28th, 2009:

The new phishing email, which masquerades as a message from Facebook, promises to give users a new and easier login process. The "new login system" is thoughtfully sent with the user's username already filled in, researchers say. All the user has to do is "give your password to update your account."

According to a blog by researchers at security company AppRiver, the phishing attack has been spotted on smartphones using Facebook applications, where it carries the actual Facebook logo.

On November 12th, 2009:

Spam has been detected as being sent from the Zeus botnet that prompts users to update their MySpace account.

Trend Micro senior security advisor Rik Ferguson claimed that the spam is similar to the Facebook-related spam seen last week, with the user �required to update' their MySpace account with a link provided.

Ferguson said: �The link in the mail leads to a standard fake MySpace login page, so of course your account details are stolen. Once you have �logged in' though, the supposed �MySpace Update Tool' is waiting to trick the unwary into installing their very own variant of the Zeus agent.� Trend Micro detected this threat as TSPY_ZBOT.SMP.,zeus-botnet-pushes-fake-myspace-update.aspx

On November 18th, 2009:

Two suspected computer hackers have been arrested in Manchester in a major inquiry into a global internet scam designed to steal personal details.

The investigation focused on the ZeuS or Zbot trojan - "a sophisticated malicious computer program", said police.

The pair being questioned were arrested on 3 November under the 1990 Computer Misuse Act and the 2006 Fraud Act.

On December 9th, 2009:

A new wave of a Zeus bot (Zbot) variant was spotted taking advantage of Amazon EC2�s cloud-based services for its C&C (command and control) functionalities.

On January 11th, 2010:

Zeus fake OWA was already spotted last year, and its come back scene displays more custom targets.

Don�t be fooled by these compelling words, clicking URLs may lead your browser to drive-by known exploit attack, and/or installation of Zeus bot variant.

On January 22nd, 2010:

A new iteration of Zeus, a notorious password-stealing trojan, is victimizing users of AOL Instant Messenger (AIM), according to researchers at anti-virus vendor Webroot.

People using the popular instant messaging platform receive an email message announcing an update and are then prompted to click through to download what appears to be a legitimate file, aimupdate_7.1.6.475.exe. However, the so-called update is, in fact, the Zeus installer, which can then transfer itself onto the victim's machine, whether or not the AIM user clicks on the link to download the executable file.

This article highlights the ZeuS Tracker, a site successful at tracking command and control servers:

In the twelve months since the ZeuS Tracker was born, on 2 February 2009, the site has tracked more then 2,800 malicious botnet command and control servers associated with ZeuS. The site has logged around 360MB ZeuS config files and 330MB in binaries.

The ZeuS Tracker mentioned in the article is a publicly available and relatively up to date list of known C&C servers participating in a ZeuS botnet. Here are some quick stats from the site (as of 2/3/2010):

* ZeuS C&C servers tracked: 1196
* ZeuS C&C servers online: 606
* Average binary Antivirus detection rate: 51.29%

And a lookup tool:

To learn more about how ZeuS works, here are really good analyses that picks apart the bot:

Zeus: God of DIY Botnets

VRT Labs - Zeus Trojan Analysis

ZeuS Banking Trojan Report

- This article updated on 10/20/2010 to include additional information, more to come


Comment about ZeuS | 0 comments |

The following comments are owned by whomever posted them. This site is not responsible for what they say.