For criminals, the Zeus (ZeuS) botnet is becoming ever more convenient

Original author: Ellen Messmer
Yes, I know there was recently a post about it, and there will soon be more. But this is how the bourgeois see it.

Some botnet

Quick reference
  • Infected computers: 3.6 million
  • Criminal use: theft of user-entered information (keylogger), insertion of fake HTML forms into online banking systems
For $10,000, you can purchase the Zeus module that gives full control over infected computers.

New features strengthen the Zeus botnet, which criminals use to steal financial information and move money through online banking, clearing houses and payroll systems. The price of its latest version starts at $3,000; a version that allows full control over infected computers costs $10,000.

The author and owner is reportedly a single person who, also reportedly, is now located in Eastern Europe and continues to work on the botnet. Zeus version 1.3.4.x has thus gained a built-in remote-control function. With it, the attacker can “gain full control over the infected computer,” says Don Jackson, head of SecureWorks' threat detection department, who released a detailed report on Zeus this week.

The new remote-control option, taken from the old free AT&T Bell Labs project “Virtual Network Computing”, works much like programs such as GoToMyPC, Jackson says. SecureWorks calls the option “full presence”. It is so useful to criminals that it sells for $10,000.

The Zeus Trojan infects computers running Windows and is about 50,000 bytes in size. It steals online banking credentials from the user's computer, targeting banks in North America and the UK. The crime can be committed from another continent, with funds moved to other accounts through an expertly crafted control system.

Zeus, which appeared in 2007 (and possibly earlier) as a “successfully marketed spyware trojan”, has grown in popularity along with the spread of botnets.

Initially, UpLevel worked on writing Zeus. Today, however, researchers believe that Zeus has a single author, who is currently working to keep full control over Zeus (versions 1.3 and later). To that end, he has introduced a copy-protection mechanism that ties each copy of the botnet client to a particular computer.

SecureWorks researcher Kevin Stevens points out the similarity between Zeus's copy protection and WinLicense (both use the hardware-token method): the mechanism checks information about the computer's hardware before unlocking access to the ZeuS Builder toolkit code.

Earlier versions of Zeus are available for free, but the new ones (released since the beginning of the year) are quite expensive. According to SecureWorks, in the online criminal community scammers often pay for the programs they use to commit crimes through Western Union or WebMoney.

According to the SecureWorks report published last week, the basic ZeuS Builder toolkit costs between $3,000 and $4,000, and the Backconnect module costs another $1,500. That module lets the criminal make transfers through the infected machine, so if the bank tries to trace where the transfer originated, it sees the account holder's own computer. Pricing also depends on the target operating system: the ability to compromise Windows 7 or Vista machines costs another $2,000; without it, only Windows XP computers can be compromised.

A few more of the available options: the “Firefox form grabber” ($2,000) sends the criminal the contents of forms the user fills in Firefox. The “Jabber (IM) chat notifier” ($500) alerts the attacker the moment stolen data arrives; caught in time, it allows access to the victim's account using the code from the bank's random-number token. The VNC module, which allows bypassing the smart cards required for large transfers, costs $10,000.

The latest version of Zeus can circumvent most two-factor and other banking protections and is aimed at large transfers starting at $100,000, Jackson notes.

There are many accounts of companies complaining about unauthorized transfers or non-existent employees fraudulently added to the payroll system. In such cases, banks are unable to reverse sufficiently large transfers.

So the latest version of Zeus bypasses most of the advanced online authentication protections used by banks, possibly with the exception of a manual transaction-approval system in which at least two randomly selected people from a list of specially trained staff must approve the transfer. “It's an arms race,” says Jackson.
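As an added defender-side illustration (this is not code from the article or from SecureWorks' report), the constructed Python example below shows why a bank control that trusts a familiar source IP alone is defeated once a transfer is relayed through the account holder's own machine, as described for the Backconnect module above, and how a score that also weighs the beneficiary, the amount and transfer velocity still routes the transfer to the kind of manual approval Jackson mentions. The account profile, the weights and thresholds, and the sample transfers are assumptions invented for the example.

```python
"""Added example (not from the article or SecureWorks): a bank-side fraud
check that trusts a "known" source IP alone versus a score that does not
hinge on the IP. Profiles, weights and transfers below are constructed."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class Transfer:
    account: str
    source_ip: str
    payee: str
    amount: float
    when: datetime


# Constructed baseline the bank is assumed to hold for each account.
PROFILE = {
    "acct-001": {
        "known_ips": {"203.0.113.10"},          # RFC 5737 documentation range
        "known_payees": {"payroll-vendor", "landlord"},
        "typical_max_amount": 15_000.0,
    },
}


def ip_only_check(t: Transfer) -> bool:
    """Naive control: approve when the session comes from a known IP.
    A transfer relayed through the victim's own PC passes this every time."""
    return t.source_ip in PROFILE[t.account]["known_ips"]


def risk_score(t: Transfer, history: list[Transfer]) -> int:
    """Score that does not depend on the source IP alone; higher is more suspicious."""
    p = PROFILE[t.account]
    score = 0
    if t.source_ip not in p["known_ips"]:
        score += 1          # unknown IP: weak signal, never decisive by itself
    if t.payee not in p["known_payees"]:
        score += 3          # first-ever beneficiary for this account
    if t.amount > p["typical_max_amount"]:
        score += 3          # far above the account's usual ceiling
    # Velocity: count earlier transfers within the last hour.
    recent = [h for h in history
              if timedelta(0) <= t.when - h.when <= timedelta(hours=1)]
    if len(recent) >= 2:
        score += 2
    return score


def requires_manual_approval(t: Transfer, history: list[Transfer],
                             threshold: int = 5) -> bool:
    """Route to out-of-band human approval once the score crosses the threshold."""
    return risk_score(t, history) >= threshold


# Constructed sample traffic.
T0 = datetime(2010, 3, 1, 10, 0)
LEGIT = Transfer("acct-001", "203.0.113.10", "landlord", 5_000.0, T0)
# Same source IP as the legitimate user, because the transfer is relayed
# through the infected machine; everything else about it is anomalous.
PROXIED = Transfer("acct-001", "203.0.113.10", "unknown-payee-7", 120_000.0,
                   T0 + timedelta(minutes=30))
HISTORY = [LEGIT]

if __name__ == "__main__":
    for name, t in (("legit", LEGIT), ("proxied", PROXIED)):
        print(name, "ip_only_ok:", ip_only_check(t),
              "score:", risk_score(t, HISTORY),
              "manual_approval:", requires_manual_approval(t, HISTORY))
```

The point of the example is that `ip_only_check` returns the same answer for both transfers, while `risk_score` separates them on signals the attacker cannot borrow from the victim's machine: who is being paid, how much, and how often.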

The forthcoming Zeus 1.4 (still in beta) will add more options. For example, “Web Injects for Firefox” will let an attacker display a fake page with a bank form in Firefox at any moment, for instance under the pretext that the bank is requesting additional information during a transfer.

To evade detection and make identification by antivirus products harder, Zeus uses polymorphic encryption.

You can judge for yourself how effective this polymorphic encryption actually is.

