Posted: 15-Jan-2015 | Category: Technology | Uploaded by: cyphort
Target threats that target you.
Dissecting the Zeus Malware
Cyphort Labs Malware's Most Wanted Series
April 2014
Your speakers today
Nick Bilogorskiy, Director of Security Research
Anthony James, VP of Marketing and Products
Agenda
o What is Zeus
o Major incidents involving Zeus
o Dissecting the malware
o Zeus advanced tricks
o Wrap-up and Q&A
About Cyphort Labs
We work with the security ecosystem
• Contribute to and learn from malware KB
• Best of 3rd-party threat data
We enhance malware detection accuracy
• False positives/negatives
• Deep-dive research
Global malware research team
• 24x7 monitoring for malware events
Poll #1
What is the most prevalent use of Zeus malware?
o Espionage
o Stealing banking credentials and information
o Impacting industrial control systems
What is Zeus?
o Zeus is the most successful banking malware to date.
o Trojan horse targeting Windows operating systems
o Tens of millions of computers worldwide infected
o Capable of "form-grabbing" and man-in-the-browser attacks (hooking the browser to act as a "man in the middle") to steal financial information
o Distributed as a toolkit
o Active since 2007, still used heavily
o Evasive and challenging to detect and mitigate
Zeus: still causing havoc, several years after its birth
Zeus History
o 2007: Zeus version 1.0
o 2008: (event label missing from the extracted slide timeline)
o April 2010: Version 2.0
o April 2011: ZeuS source code of version 2.0.8.9 leaked
o October 2011: Peer-to-peer version, Zeus Gameover, removes the centralized CnC infrastructure
o March 2012: Microsoft legal action through a civil lawsuit dubbed Operation b71
o December 2013: 64-bit version of Zeus appears
Zeus Stats
o Zeus is now used not just to attack financial institutions but also stock trading, social-networking and e-mail services, portals for entertainment or dating, and even Salesforce.com.
Zeus Hosting
[Pie chart: Zeus Hosting Breakdown, data from ZeuS Tracker. Reading the legend in the order extracted: bulletproof hosted 2%, hosted on a fast-flux botnet 3%, free hosting service 11%, hacked webserver 84%. The large majority of Zeus CnC panels sit on compromised legitimate web servers rather than on dedicated criminal infrastructure.]
Zeus Author
The ZeuS author, known variously as "Slavik" and "Monstr" on criminal forums, in 2010 gave the SpyEye author (who used the handles "Harderman" and "Gribodemon") stewardship over the ZeuS code base, on the condition that he agreed to provide ongoing support for existing ZeuS clients.
"Good day! I will service the Zeus product beginning today and from here on... All clients who bought the software from Slavik will be serviced from me on the same conditions as previously."
Harderman
Jabber Zeus Crew
o Nine people listed in the indictment, which had been sealed since August 2012, including Kulibaba and Konovalenko
o Stole more than $70 million from banks worldwide
o Ringleader: 32-year-old Ukrainian property developer Yevhen Kulibaba
o Kulibaba's right-hand man: 28-year-old Yuriy Konovalenko
o Karina Kostromina, wife of Kulibaba, 33-year-old Latvian woman jailed for money laundering
Photos from krebsonsecurity.com
Zeus Operations
[Diagram of Zeus operations; source: Brian Krebs]
Zeus architecture
The Builder
• Used to build the exe file
• Unique to each owner
• URL and encryption key differ for each owner
The Configuration File
• Entry, Static and Dynamic sections
• Download URL and exfiltration URL
The Exe File
• Unique executable file built by the bot owner
The Server
• PHP scripts for monitoring and managing bots
Zeus architecture: Builder
o With a little technical knowledge you can run your own botnet.
[Screenshot of the Zeus builder]
Zeus architecture: Config file
[Screenshot of a Zeus config file]
The Zeus config file contains the following:
• url_config: where the config is downloaded from
• url_loader: where a new bot executable is downloaded from
• url_server: where the stolen data is sent (the exfiltration URL)
• AdvancedConfigs: alternate locations for the config
• WebFilters and WebDataFilters: list of websites monitored. When the infected user visits these sites, any data sent to the site is also sent to url_server.
• WebFakes: list of websites to redirect to a fake site
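Worked example, added here and not code from the Cyphort deck or from the Zeus kit: a Python parser for a config written in the plain-text `entry "Name" ... end` syntax of the config.txt that the leaked 2.0.8.9 builder compiles into config.bin, followed by the lookups an analyst wants from it: the three URLs above, the AdvancedConfigs fallbacks, the WebFakes redirect map, and whether a given visited URL falls under a WebFilters mask. The sample config, every hostname in it, and the mask prefix semantics ('!' = do not log, '@' = take screenshots) are constructed or assumed for illustration.

```python
import re

# Constructed sample in the entry "Name" ... end syntax of the leaked kit's
# config.txt (the builder compiles this into the encrypted config.bin).
# All URLs are placeholders, not real Zeus infrastructure.
SAMPLE_CONFIG = '''
entry "StaticConfig"
  ;botnet "default"
  timer_config 60 1
  url_config "http://cfg.example.test/config.bin"
  encryption_key "secret key"
end

entry "DynamicConfig"
  url_loader "http://cfg.example.test/bot.exe"
  url_server "http://drop.example.test/gate.php"
  entry "AdvancedConfigs"
    "http://alt1.example.test/cfg1.bin"
  end
  entry "WebFilters"
    "!*.microsoft.com/*"
    "https://online.bank.example.test/*"
    "@*/login.example.test/*"
  end
  entry "WebDataFilters"
    "http://mail.example.test/*" "passw;login"
  end
  entry "WebFakes"
    "http://www.bank.example.test" "http://fake.example.test" "GP" "" ""
  end
end
'''

_TOKEN = re.compile(r'"((?:[^"\\]|\\.)*)"|(\S+)')


def tokenize(line):
    """Split a config line into tokens; quoted strings keep their inner spaces."""
    return [m.group(1) if m.group(1) is not None else m.group(2)
            for m in _TOKEN.finditer(line)]


def parse_config(text):
    """Parse nested entry/end blocks into dicts.

    'key value ...' lines map key -> list of values; bare quoted lines
    (URL masks, fake-site tuples) are collected under the 'items' key.
    Lines starting with ';' are comments.
    """
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(';'):
            continue
        toks = tokenize(line)
        if toks[0] == 'entry' and len(toks) == 2:
            block = {}
            stack[-1][toks[1]] = block
            stack.append(block)
        elif toks[0] == 'end':
            if len(stack) == 1:
                raise ValueError('unexpected end')
            stack.pop()
        elif line.startswith('"'):
            stack[-1].setdefault('items', []).append(toks)
        else:
            stack[-1][toks[0]] = toks[1:]
    if len(stack) != 1:
        raise ValueError('unterminated entry block')
    return root


def infrastructure(cfg):
    """The URLs an analyst blocks first, plus the config fallback locations."""
    static, dyn = cfg['StaticConfig'], cfg['DynamicConfig']
    return {
        'url_config': static['url_config'][0],
        'url_loader': dyn['url_loader'][0],
        'url_server': dyn['url_server'][0],
        'advanced_configs': [i[0] for i in dyn.get('AdvancedConfigs', {}).get('items', [])],
    }


def mask_matches(mask, url):
    """Zeus URL masks use '*' as the only wildcard; everything else is literal."""
    regex = '.*'.join(re.escape(part) for part in mask.split('*'))
    return re.fullmatch(regex, url) is not None


def web_filter_action(cfg, url):
    """What the bot does with traffic to `url` under the first matching
    WebFilters mask: 'ignore' ('!' prefix), 'screenshot' ('@' prefix),
    'log' (plain mask) or None when nothing matches. The prefix meanings
    are an assumption taken from the kit's documentation, not the slides."""
    for (mask,) in cfg['DynamicConfig'].get('WebFilters', {}).get('items', []):
        action, pattern = 'log', mask
        if mask[:1] == '!':
            action, pattern = 'ignore', mask[1:]
        elif mask[:1] == '@':
            action, pattern = 'screenshot', mask[1:]
        if mask_matches(pattern, url):
            return action
    return None


def web_fakes(cfg):
    """Map each targeted site to the fake it is redirected to."""
    return {i[0]: i[1] for i in cfg['DynamicConfig'].get('WebFakes', {}).get('items', [])}


def data_filter_hits(cfg, url, post_body):
    """Substrings a WebDataFilters rule tells the bot to look for in a POST
    to `url`; the second column is ';'-separated (assumed format)."""
    hits = []
    for mask, words in cfg['DynamicConfig'].get('WebDataFilters', {}).get('items', []):
        if mask_matches(mask, url):
            hits += [w for w in words.split(';') if w and w in post_body]
    return hits


if __name__ == '__main__':
    cfg = parse_config(SAMPLE_CONFIG)
    print(infrastructure(cfg))
    for u in ('http://www.microsoft.com/update', 'https://online.bank.example.test/login',
              'https://login.example.test/auth', 'http://news.example.test/'):
        print(u, '->', web_filter_action(cfg, u))
```

Running the block prints the CnC URLs and, for each sample URL, whether the bot would ignore it, log the form data, or take screenshots. The same `infrastructure()` output is what goes into an egress blocklist once a config has been decrypted from a sample.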
Functionality of the Zbot binary
• Copy, execute and delete itself
• Change browser settings
• Code injection
• Credential theft
• Data exfiltration
• Evasion: rootkit, digital certificate, DGA, steganography
Poll #2
Question 2: Do you think you (or your organization) have been impacted by Zeus?
o Yes
o No
Zeus Advanced Tricks – Rootkit
Necurs rootkit component: once GameOver/Necurs is fully installed, it becomes difficult to remove the threat using traditional methods. The process cannot be opened to retrieve information or to terminate it, and access is denied when deleting the malware files.
Zeus Advanced Tricks – Digital Certificates
Signed malware is quite rare. Stuxnet's rootkit components were digitally signed with certificates stolen from Realtek and JMicron, and Flame used fraudulent certificates as well. Zeus used the same trick: its authors obtained a certificate belonging to isonet ag, a Microsoft-registered third-party developer in Switzerland.
Zeus Advanced Tricks – DGA
It also employs a DGA (Domain Generation Algorithm). A DGA is a way for malware to defeat blocklisting of its CnC site: from a seed such as the current date, the infected machine computes thousands of domain names of the form www.<gibberish>.com and attempts to contact a portion of them to receive an update or commands, so the operator only has to register one of that day's names. The technique was popularized by the Conficker worm, which generated 50,000 domains a day.
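To make the reasoning above concrete, here is an added example (mine, not Cyphort's, and not the Gameover Zeus algorithm) of a date-seeded DGA in Python together with the two checks a defender gets from it: reproducing the day's candidate set ahead of time, which is why DGA reversing matters, and scoring failed lookups for gibberish labels, which catches variants whose algorithm is not yet known. The generator, the TLD list, the 1,000-per-day count and the DNS log lines are all constructed for illustration.

```python
import hashlib
import math
from collections import Counter
from datetime import date, timedelta

# Illustrative generator, NOT the Gameover Zeus DGA (the real one hashes a
# year/week/index tuple over several TLDs). Only the shape matters here:
# a public seed (the date) plus a counter gives every bot the same list.
TLDS = ('com', 'net', 'org', 'biz', 'ru')


def generate_domains(day, count=1000, tlds=TLDS):
    """Deterministic candidate set for `day`; the operator registers just
    one of these names and every bot eventually tries it."""
    domains = []
    for i in range(count):
        digest = hashlib.md5(f'{day.isoformat()}:{i}'.encode()).digest()
        label = ''.join(chr(ord('a') + b % 26) for b in digest)  # 16 lowercase letters
        domains.append(f'{label}.{tlds[i % len(tlds)]}')
    return domains


def label_entropy(label):
    """Shannon entropy in bits per character: random-looking labels score
    near 4 bits, while brand names and dictionary words sit well below."""
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())


def flag_dga_lookups(log_lines, day, window=1):
    """Two detections over 'time client qname rcode' DNS log lines:
    exact hits on the precomputed set for day +/- window (catches the
    algorithm we know), and long high-entropy NXDOMAIN labels (catches
    variants we do not). Returns (client, qname, reason) tuples."""
    candidates = set()
    for delta in range(-window, window + 1):
        candidates.update(generate_domains(day + timedelta(days=delta)))
    flagged = []
    for line in log_lines:
        _ts, client, qname, rcode = line.split()
        label = qname.split('.')[0]
        if qname in candidates:
            flagged.append((client, qname, 'in-generated-set'))
        elif rcode == 'NXDOMAIN' and len(label) >= 12 and label_entropy(label) > 3.5:
            flagged.append((client, qname, 'high-entropy-nxdomain'))
    return flagged


# Constructed DNS log lines in a made-up 'time client qname rcode' format.
DAY = date(2014, 4, 15)
SAMPLE_LOG = [
    f'10:00:01 10.0.0.5 {generate_domains(DAY)[7]} NXDOMAIN',  # bot probing today's list
    '10:00:02 10.0.0.5 www.example.com NOERROR',
    '10:00:03 10.0.0.9 xkqwvjzhtrlpmbna.com NXDOMAIN',         # unknown DGA, caught by entropy
    '10:00:04 10.0.0.9 mail.example.org NOERROR',
]

if __name__ == '__main__':
    for hit in flag_dga_lookups(SAMPLE_LOG, DAY):
        print(hit)
```

The window of plus or minus one day absorbs clock skew between bots and the resolver logs. The entropy rule is deliberately conservative (long label, NXDOMAIN, high entropy all required) because CDN and cloud hostnames also look random; it is a triage signal, not a verdict.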
Zeus advanced tricks – Steganography
o Steganography: concealing messages or images in other messages or images.
o Zeus hides its config file inside a JPEG image.
Infection flow shown on the slide:
1. Victim opens a suspicious mail attachment
2. Executes the file in the attachment
3. JPEG files are downloaded (configuration file embedded)
4. Decrypted config file has bank sites to monitor for theft
o The image looks innocent
o But it has encrypted data appended after the image: the Zeus config
o The appended data is base64-encoded, RC4-encrypted and XORed. Decoded and decrypted, it reveals the URLs and banking sites targeted.
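The carve-and-decrypt step described on these slides, as an added Python example (not Cyphort's code and not taken from a Zeus sample): a config is chained-XORed, RC4-encrypted and base64-encoded, appended after the JPEG's EOI marker, and then recovered by an extractor that reverses the layers. The order of the three layers, the chained-XOR variant (the `visualEncrypt` pass from the leaked Zeus source), the minimal JPEG skeleton, the key and the sample config are assumptions or constructed data, since the slide names only the three operations.

```python
import base64


def rc4(key, data):
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def visual_encrypt(data):
    """Chained XOR as in the leaked Zeus source (visualEncrypt): each byte is
    XORed with the previous output byte, forward pass."""
    buf = bytearray(data)
    for i in range(1, len(buf)):
        buf[i] ^= buf[i - 1]
    return bytes(buf)


def visual_decrypt(data):
    """Inverse pass, walking backwards so each step still sees the
    encrypted previous byte."""
    buf = bytearray(data)
    for i in range(len(buf) - 1, 0, -1):
        buf[i] ^= buf[i - 1]
    return bytes(buf)


SOI, EOI = b'\xff\xd8', b'\xff\xd9'


def embed_config(jpeg, config, key):
    """Append the layered config after the image's EOI marker. Layer order
    (chained XOR, then RC4, then base64) is an assumption for this example."""
    if not jpeg.startswith(SOI) or EOI not in jpeg:
        raise ValueError('not a JPEG (missing SOI/EOI)')
    return jpeg + base64.b64encode(rc4(key, visual_encrypt(config)))


def carve_trailer(blob):
    """Bytes after the last EOI marker; empty for a clean image. The base64
    trailer is ASCII, so it can never contain FF D9 itself."""
    idx = blob.rfind(EOI)
    if idx < 0:
        raise ValueError('no EOI marker')
    return blob[idx + len(EOI):]


def extract_config(blob, key):
    """Reverse the layers; None when the image carries no trailer."""
    trailer = carve_trailer(blob)
    if not trailer:
        return None
    return visual_decrypt(rc4(key, base64.b64decode(trailer, validate=True)))


# Constructed minimal JPEG skeleton: SOI, a JFIF APP0 segment, EOI. Not a
# decodable picture, just enough structure for the carving logic.
TINY_JPEG = (SOI
             + b'\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00'
             + EOI)

# Constructed config fragment and key (the real key is baked in by the builder).
SAMPLE_CONFIG = (b'url_server "http://drop.example.test/gate.php"\n'
                 b'entry "WebFilters"\n  "https://online.bank.example.test/*"\nend\n')
KEY = b'example-bot-key'

if __name__ == '__main__':
    blob = embed_config(TINY_JPEG, SAMPLE_CONFIG, KEY)
    print(f'image {len(TINY_JPEG)} bytes, trailer {len(carve_trailer(blob))} bytes')
    print(extract_config(blob, KEY).decode())
```

For triage, `carve_trailer()` alone is the useful check: any non-empty data after the final EOI marker in a "picture" fetched by a process is worth a second look, whether or not the key is known yet.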
Conclusions
• Zeus has grown into one of the most popular and widespread crimeware kits on the market. Its ease of use and effectiveness make it an attractive choice for today's cyber criminals.
• Check for the presence of unfamiliar network callbacks: periodic config downloads, POSTs to an unfamiliar server, or bursts of failed DNS lookups for gibberish domains.
• Zeus malware is very complex and is written with extra care to avoid detection, so it is not trivial to tell if you are infected. You need a professional-grade APT solution to detect it.
Q and A
o Information sharing and advanced threats resources
o Blogs on latest threats and findings
o Tools for identifying malware