The evolution of Zeus. Part I
Intro
The Zeus bot is perhaps one of the most famous representatives of malicious software. Zeus dates back to 2007 (or even 2006). Many mistakenly believe that Zeus is just another trojan, but this is not so. In fact, Zeus is an example of so-called crimeware: software designed to commit unlawful acts. In this case, the main purpose of the Zeus crimeware is to steal the credentials used to conduct financial transactions. According to analysts, it is responsible for 90% of banking fraud cases in the world.
Another misconception is the claim that there is one huge Zeus botnet. In fact, Zeus is the basis of a very large number (probably several hundred) of different botnets, all of them controlled by different groups of cybercriminals. The Zeus creators simply sell it to interested parties, who then use it to create their own botnets. Thus, it is correct to speak not of the Zeus botnet, but of botnets created using Zeus. In February 2009, Roman Hussy, a Swiss computer security specialist, created the ZeusTracker website to track information about Zeus command servers.
Zeus, version 1
The Zeus developer is known under the nicknames Slavik and Monstr; until 2010 he alone sold and supported his product.
Structurally, Zeus consists of several parts: the bot builder and the administrative panel.
The main module of the Zeus bot and the builder are written in Visual Studio in C and partly C++. The final executable code of the Zeus bot was created by the builder and contained the main module itself and the configuration file. The configuration file contains the address of the control center, paths to scripts and other data needed for operation. The builder was bound to the buyer's hardware, that is, it could only be launched on a machine with a specific hardware configuration.
Researchers note that the Zeus family does not use any rootkit or exploit techniques to escalate its privileges on the system. The main emphasis was placed on stability of operation, including when running with limited user rights.
Features of first-generation Zeus, taking version 1.3.4.x (March 2010) as an example (source):
- theft of credentials entered in the browser;
- theft of credentials stored in Windows Protected Storage;
- theft of X.509 client certificates;
- theft of FTP and POP credentials;
- theft and removal of HTTP and Flash cookies;
- modification of requested HTML pages for subsequent credential theft (Web Injects);
- redirecting user requests to other sites;
- taking screenshots;
- searching for files and uploading them to a remote server;
- modifying the hosts file;
- downloading a file from a remote server and then launching it;
- deleting critical registry branches so that the operating system can no longer boot.
Starting with version 1.4, functionality for Web Injects in Firefox appeared. Web Injects are a set of HTML and JavaScript code that displays input forms for remote banking credentials which imitate the real ones. When the user tries to visit the site of any remote banking system through the browser, the trojan intercepts the request and displays a fake form. Credentials stolen in this way are sent to the attackers' command center. To make detection by antivirus software more difficult, Zeus began using polymorphic encryption and a mechanism for resizing its file. At the same time, the Zeus file re-encrypted itself with new parameters on each infected system, so that the same build looked completely different on different computers.
Pricing for the components of Zeus version 1.3.4.x:
- builder and admin panel: from $3,000 to $4,000;
- Back Connect module (any port; for example, allows connecting via RDP): $1,500;
- Firefox credential theft module (form grabber): $2,000;
- module for notification and sending stolen information through Jabber: $500;
- private (custom-made) VNC module (remote control, an RDP analog): $10,000;
- support for Windows Vista / 7: $2,000.
Zeus bots were distributed in various ways. For example, in the fall of 2009 it was distributed in spam messages sent on behalf of the US tax service. In another case, the letter stated that universal vaccination against H1N1 swine flu was being carried out. The links in the letters led to fake sites created by the cybercriminals. The sites offered to download and run an .exe executable file, supposedly containing certain instructions. In reality the file was a Zeus bot. The spammers used the "power" of the Cutwail botnet (also known as Pushdo and Oficla) to send the spam. Later the tactic changed, and the letters began to carry links to sites containing an iframe or JavaScript leading to an exploit pack. This allowed infection without any further user action: all that was needed was to click the link, and Zeus was installed automatically, provided of course that the browser was vulnerable (lacked the corresponding security update). Social engineering methods were widely used in composing the letters.
Some Zeus admin panels could check FTP accounts "on the fly": as soon as a new batch of stolen credentials arrived, any FTP accounts among them were checked immediately. If the check showed that access was possible, a separate script searched the remote FTP server for files with the extensions .htm, .html and .php (since FTP is often used to upload site content) and inserted an iframe or JavaScript leading to an exploit pack into these files. Thus sites were infected automatically.
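The FTP-side injection described above leaves traces a site owner can look for: hidden or one-pixel iframes and off-site scripts inside the site's .htm/.html/.php files. The following is an added example (not code from the article or from any of the tools it describes) that scans page text for such tags; the sample pages, hostnames and the OWN_HOSTS allow-list are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample pages (not from any real site): one as it would look after the
# FTP-account abuse above, one clean. Hosts outside OWN_HOSTS count as off-site.
OWN_HOSTS = {"shop.example", "cdn.shop.example"}
INJECTED_PAGE = """<html><body><h1>Shop</h1>
<script src="/js/app.js"></script>
<iframe src="http://evil.example/in.php" width="1" height="1"
        style="visibility:hidden"></iframe>
</body></html>"""
CLEAN_PAGE = """<html><body><h1>Shop</h1>
<script src="https://cdn.shop.example/app.js"></script>
<iframe src="https://maps.example.org/embed" width="600" height="400"></iframe>
</body></html>"""

def _tiny(value):  # 0/1-pixel sizes are typically used to hide an injected frame
    try:
        return int(str(value).rstrip("px")) <= 1
    except ValueError:
        return False

class InjectFinder(HTMLParser):
    def __init__(self, own_hosts):
        super().__init__()
        self.own_hosts = own_hosts
        self.findings = []          # (tag, src, [reasons])

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src")
        if tag not in ("iframe", "script") or not src:
            return
        host = urlparse(src).hostname
        off_site = bool(host) and host.lower() not in self.own_hosts
        style = (a.get("style") or "").replace(" ", "").lower()
        hidden = "display:none" in style or "visibility:hidden" in style
        tiny = _tiny(a.get("width")) or _tiny(a.get("height"))
        reasons = [r for r, hit in (("off-site src", off_site),
                   ("hidden by style", hidden), ("near-zero size", tiny)) if hit]
        # A visible, normal-sized off-site iframe (e.g. a map embed) is not by
        # itself evidence; a hidden or tiny iframe, or any off-site script, is.
        if (tag == "iframe" and (hidden or tiny)) or (tag == "script" and off_site):
            self.findings.append((tag, src, reasons))

def scan_html(text, own_hosts=OWN_HOSTS):
    parser = InjectFinder(own_hosts)   # returns suspicious (tag, src, reasons)
    parser.feed(text)
    return parser.findings
```

Running scan_html over every .htm/.html/.php file pulled from the web root gives a quick first pass; a diff against a known-good copy of the site remains the more reliable check.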
In April 2010, Zeus received additional functionality for inserting its dropper into executable files (source); the 512 bytes of embedded code performed the following actions:
- downloading a remote file whose URL was embedded in the code;
- launching the downloaded file;
- running the original code of the infected program.
This functionality is somewhat reminiscent of a virus. However, if the antivirus disinfected the infected file, the virus was no longer able to start. At the same time, there was a chance that the antivirus would remove the main Zeus module and leave the dropper untouched, which would allow the computer to be infected again, possibly with a new version of Zeus.
Competitor
Around December 2009, the Zeus rival SpyEye appeared on the "black market". Its functionality and composition (builder and admin panel) were very similar to Zeus, but the price was lower: about $500 for the basic modules. Subsequently, the competition led to the appearance in SpyEye version 1.0.7 (February 2010) of a "Zeus Killer" function designed to remove Zeus. To shut down all copies of Zeus, SpyEye sent a command through a named pipe that each Zeus copy opens for its own needs. SpyEye detected Zeus by the specific mutex name that Zeus used to detect its own copy and prevent re-launch. In addition, SpyEye could intercept the reports sent by Zeus and thus avoid doing double work. Another novelty was a module created to bypass Trusteer's Rapport security system, which aims to block malware from being injected into the browser and was created, among other things, to counter Zeus. The SpyEye builder, like the Zeus builder, contained a licensing system based on binding to a given hardware configuration. It was implemented using the VMProtect add-on protection.
According to forum information, in October 2010 the Zeus creator Slavik handed over the source code to his competitor, the SpyEye developer, and stopped further development. The code was transferred to a person with the nickname Harderman, also known as Gribodemon. According to Harderman, he received the source code free of charge and took over all of Slavik's former customers; some kind of merger of the Zeus and SpyEye code bases was expected later. Indeed, since January 2011 researchers at antivirus companies have been detecting new hybrid versions of SpyEye, whose numbering began with version 1.3.
Pricing for components of SpyEye version 1.3.45, August 2011:
- builder and admin panel: $2,000;
- Web Injects module for the Firefox browser: $2,000;
- Rapport protection bypass module: $500;
- Socks5 proxy module: $1,000;
- RDP protocol access module: $3,000;
- FTP Back Connect module: $300;
- Mozilla Firefox browser certificate theft module: $300;
- credit card credential theft module: $200;
- Opera & Chrome credential theft module (form grabber): $1,000.
The user guide for this version is available on the XyliBox personal blog.
Zeus, version 2.1
At the same time, researchers at RSA discovered facts that cast doubt on Slavik's words about quitting the business. In August 2010, that is, two months before the "official" announcement of the end of work on Zeus, a botnet was discovered using a Zeus bot with version 2.1.0.10. The investigation showed that the kit of this version was not sold on the "black market". Subsequent discoveries of this type of bot convinced RSA experts that only one person (or group of persons) operated this modification: in contrast to past incidents, the configuration file of bot version 2.1.0.10 did not undergo significant changes for a long time (previously, each operator of a Zeus-based botnet used its own unique configuration file).
A key feature of Zeus 2.1.0.10 was the change in the communication scheme with the command servers. The server addresses were no longer hardcoded in the configuration file; instead, the list of addresses was generated using a DGA (Domain Generation Algorithm). A similar technique had previously been used repeatedly in malware samples such as Bobax, Kraken, Sinowal (aka Torpig), Srizbi and Conficker. Zeus looked for its command servers at the generated addresses. To protect against takeover of control, the digital signature of the downloaded file was verified during an update (also using the Windows Crypto API). For this purpose, the Zeus code contained a 1024-bit RSA public key.
In 2011, researchers from RSA were able to access one of the Zeus version 2.1.0.10 servers. They discovered that between August 2010 and August 2011 more than 210,000 computers had contacted this server, which received about 200 gigabytes of data from infected computers. About 42% of the infected computers were in the United States. It was also possible to find out that one of the logins authorizing access to this command server was "Slavik". RSA experts therefore suggest that Slavik had in fact set about creating his own botnet (perhaps more than one).
Continued here.