In July 2007, the United States Department of Transportation was reported to have been compromised by a new type of Trojan named Zeus, also known as ZBot. The Trojan's main goal is to steal banking information using keystroke logging and form grabbing techniques. To propagate, Zeus makes use of drive-by downloads and phishing schemes. Prevx, a security company, revealed in June 2009 that Zeus had by then compromised over 74,000 accounts on the websites of companies such as Bank of America, NASA, Monster, ABC, Oracle, Play.com, Cisco, Amazon, and BusinessWeek. An FBI report on Zeus revealed that hackers from Eastern Europe steal confidential data from individuals at businesses and municipalities by sending the virus through e-mails, and then transfer millions of dollars to their own accounts.
Zeus uses different techniques to spread on the Internet: on October 28, 2009, around 1.5 million phishing messages were sent on Facebook, and on November 14, 2009, 9 million phishing e-mails were sent with the purpose of spreading the Zeus Trojan. Similarly, the security company Trusteer mentioned in its report of July 14, 2010 that 14 more US banks had been compromised by Zeus. The destruction does not stop here: on October 1, 2010, the FBI reported that it had discovered a major international cyber crime network which had used Zeus to hack into US computers and steal $70m. In May 2011, the source code of Zeus was published. Reports state that Zeus machines are running in 196 countries, infecting 2,411 companies and organizations altogether. The FBI has been active since 2009 in arresting the people involved in using Zeus.
Technically speaking, Zeus's main target is Microsoft Windows machines, including Windows Vista SP1.
Once a machine is compromised, the attacker can fine-tune Zeus to steal any kind of data from the computer, e.g. login credentials, e-mail accounts, etc. Zeus also uses copy protection mechanisms to reduce the distribution of pirated copies: the Zeus server works with a system-specific key. The malware sits silently in the background, and when a banking site is accessed, Zeus is able to gain access as well and initiate a transfer of funds to bank accounts set up by “mules” for the malware operation.
Zeus is considered to be the largest botnet on the Internet because it is very difficult to detect, even with up-to-date antivirus software. Security professionals and trainers are advising employees of organizations not to click any suspicious links in web sites and e-mails. Symantec updated its Symantec Browser Protection, which can protect a user's computer from infection attempts, but it still cannot be said with certainty that modern anti-virus software prevents computers from infection by Zeus.
Different versions of Zeus are available on underground forums. The Zeus sales package contains the bot executable and the web server files for the Command and Control (C&C) server. Different security vendors claimed that the Zeus creator had retired and had given the source code to his competitor SpyEye, but this seems to be a trick by the hackers to return with new destruction in the technology world. Many botnets use the Zeus and SpyEye code; the latest one, with improvements, is dubbed “Ice IX.”
According to security researchers, after the leak of the Zeus source code this malware is now being updated with new functions. This time it is taking the shape of SpyEye, which has merged many of Zeus's functions into itself. Aviv Raff, CTO and cofounder of Seculert, says that so far the improvements in SpyEye are minor, such as tricks to ensure that the malware is not detected by security software, and C&C servers hosting the malware configuration files that are harder to detect. These improvements make it harder for the trackers of Zeus and SpyEye to monitor and analyze the presence of the malware on a system. Security researchers are now analyzing and studying this new variant of Zeus to protect the world from the cybercrime war.
Mieres wrote on the Kaspersky blog that from now on more of cybercrime will be based on Zeus and its different versions. Raff's prediction is that, with the public availability of the Zeus source code, cyber criminals can now add more harmful features to this code to hack organizations' accounts internationally. According to Kevin McNamee, security architect at the identity theft protection firm Kindsight, making improvements in the source code will allow hackers to attack other platforms, such as e-commerce websites, as well.
Kelly Jackson Higgins of Dark Reading reported on the 15th of this month that, according to newly released data, software giant Microsoft detects and removes Zeus from 60,000 to 100,000 computers every month. Microsoft detected 103,391 Zeus-infected machines in March; 113,814 in April; 60,385 in May; 83,555 in June; 61,323 in July; and 89,994 in August. From these results it can be seen that Zeus is still alive. Microsoft is updating its Malicious Software Removal Tool (MSRT) to fight against Zeus.
How to stay safe
McNamee suggests that all banks should review the ins and outs of their online systems, as Zeus is designed particularly to steal bank credentials. McNamee said: “Be familiar with the way your bank website appears. Read the security page of your bank. If you're doing online banking, you owe it to yourself to become familiar with the way your online banking works.”
To stay safe, McNamee advises customers and bank authorities:
1. If a bank website does not show the browser address bar in green with a padlock image next to it, the user must not enter personal information on that page.
2. Online banking sites will never ask for the PIN used at an ATM, but sites infected with Zeus ask you to enter your PIN number.
3. Install and continuously update anti-virus software and firewalls on computers.
By: Rahat Masood
Ref:
[1] http://en.wikipedia.org/wiki/Zeus_%28trojan_horse%29
[2] http://www.infoworld.com/d/security/researchers-see-improvements-in-breakaway-zeus-malware-170814
[3] http://www.darkreading.com/vulnerability-management/167901026/security/attacks-breaches/231601507/microsoft-still-spots-lots-of-zeus-infections.html
[4] http://www.msnbc.msn.com/id/43015477/ns/technology_and_science-security/t/zeus-trojans-source-code-leaked-masses/
[5] http://www.pcworld.com/businesscenter/article/206726/zeus_botnet_bust_shows_malware_is_all_about_money.html