SlideShare a Scribd company logo

Zeus

Download as DOCX, PDF
M
MaGn3t0

Zeus is a Trojan horse that steals banking information by keystroke logging and Form Grabbing.

Technology
1 of 7
Virus Programming – Zeus Trojan Introduction Zeus is a Trojan horse that steals banking information by keystroke logging and Form Grabbing. Zeus is spread mainly through drive-by downloads and phishing schemes. Zeus, also known as Zbot, is a malware package that is readily available for sale and also traded in underground forums. The package contains a builder that can generate a bot executable and Web server files (PHP, images, SQL templates) for use as the command and control server. While Zbot is a generic back door that allows full control by an unauthorized remote user, the primary function of Zbot is financial gain—stealing online credentials such as FTP, email, online banking, and other online passwords. Zeus is primarily a crimeware kit designed to steal users‟ online banking login credentials, among other things. It is the handiwork of Eastern European organized criminals that has now entered the underground cybercriminal market as a commodity. Zeus is a botnet package that can be purchased for as low as 700 USD and up to 15,000 USD for the newest version with all available features and can also be found freely traded as well. The bot can be found worldwide and thus remains consistently prevalent in compromising unprotected computers. In short, Zeus is two things: • From a technical perspective, it is a crimeware tool primarily used to steal money. • From another perspective, it signals a new wave in online criminal business enterprise wherein many different organizations cooperate with one another to perpetrate outright online theft and fraud. 1
Virus Programming – Zeus Trojan Technical Facts The technical aspect of Zeus is really not that complicated, at least from a functional perspective. It does use a complex encryption technique but explaining its functionality is pretty simple. It has the three components: 1. Zeus Trojan 2. Zeus configuration file (config) 3. Zeus drop zone where stolen credentials are sent The Zeus botnet uses several delivery methods in the first stage—the Trojan. Once the Zeus Trojan is executed, it downloads its configuration file from a predetermined location then waits for the victim to log in to a particular target that its configfile has defined, which usually comprises a selection of banks, their login URLs, and the like. Unlike traditional keyloggers, Zeus Trojans are “men-in-the-browser” agents that grab variables from a browser session such as an online banking session. This makes Zeus especially dangerous because it also has the ability to inject additional form fields into a legitimate Web session. Injecting these additional fields can fraudulently urge victims to surrender more information than they would normally be required to in a session, for instance, with their banks. Some Zeus variants also contain a nasty feature called “JabberZeuS,” which immediately relays victims‟ login credentials to cybercriminals in real-time via an instant messenger (IM). This allows cybercriminals to bypass multifactor authentication schemes to log in to victims‟ accounts and to wire money to third parties, virtually piggybacking on the victims‟ sessions. This is where the Zeus botnet‟s real power lays, the core nature of which is wholesale theft. 2
Virus Programming – Zeus Trojan How it works? Because Zbot is a package that is readily available, vectors of infection vary widely, with popular methods including drive-by download and SPAM. SPAM runs of Zbot are a regular occurrence using social engineering tactics, impersonating organizations such as the FDIC, IRS, MySpace, Facebook, and Microsoft, as shown in figure 3 on the next page. Once the bot is executed, the following actions take place: It copies itself to %system32%sdra64.exe. It sets the previous path to HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTwinlogonuserinit, so that winlogon.exe spawns the process at startup time. It looks for winlogon.exe, increases its privileges, injects its code and a string table into this process, and creates a thread to execute this code. The main bot executable terminates The injected code in winlogon injects additional code into svchost.exe. It also creates a folder named %System%lowsec and puts two files inside: local.ds and user.ds. Local.ds is the latest dynamic configuration file downloaded from the server. User.ds contains stolen credentials and other information to be transmitted to the server. The code inside svchost is responsible for network communication and third-party process injection required to hook Internet-related APIs in order to inject or steal information to/from banking sites The communication between these various injected components is done with mutexes and pipes, maliciously named _AVIRA_x, where x is a number (eg: x=2109 in winlogon.exe, x=2108 in svchost.exe). If Zeus is run using an account that does not have Administrator privileges, code will not be injected into winlogon.exe, but instead into explorer.exe. Also, instead of copying itself to the %System% folder, the bot will copy itself to %UserProfile%Application Datasdra64.exe, and create the folder %UserProfile%Application Datalowsec. Finally, the bot will create a load point under the registry key HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun”userinit”=” %UserProfile%Application Datasdra64.exe”. 3
Virus Programming – Zeus Trojan Functionality The main purpose of Zeus is to steal online credentials as specified by the hacker. Zeus performs four main actions: Gathering system information. Stealing protected storage information, FTP passwords, and POP3 passwords. Stealing online credential information as specified by a configuration file. Contacting the command and control server for additional tasks to perform. System Information Gathering By default Zeus will automatically gather a variety of system information and send this information to the command and control server. This information includes: A unique bot identification string Name of the botnet Version of the bot Operating system version Operating system language Local time of the compromised computer Uptime of the bot Last report time Country of the compromised computer IP address of the compromised computer Process names Credential Stealing Zeus‟ main purpose is to steal online credentials and does so in two manners—by automatic actions hardcoded in the binary and also using configuration files that are included in the Zeus binary, but also downloadable from the command and control server. After Zeus is executed, it will automatically steal information stored in the PSTORE (Protected Storage), which usually contains saved Internet Explorer passwords and also automatically captures any FTP or POP3 (email) passwords that are sent across the network in the clear. However, Zeus‟ most effective means of financial gain is controlled via a configuration file modified by the distributor of the Trojan. This configuration file specifies actions to perform once Zeus is installed and is updatable via the command and control server. Web Page Injection Many online banking and other Web sites that require credentials have evolved to evade standard keystroke logging or network-sniffing attacks. Thus, many credential-stealing threats now utilize HTML injection techniques to obtain credential information. In particular, these threats inject additional HTML into legitimate pages that cause the user to input credential information not actually required by the financial Web site or HTML content that 4
Virus Programming – Zeus Trojan defeats client-side security techniques, such as hashing credentials before they are sent over the wire. Sample Web injections are provided in the Zeus package and are defined in the configuration file. Below is an example of injection configuration block: set_urlhttp://www.[REMOVED].com/contact.php data_before name=‟email‟*</tr> data_end data_inject <tr><td>PIN:</td><td><input type=”text” name=”pinnumber” id=”pinnumber” /></td></tr> data_end data_after data_end On any Web page matching the URL http://www.[REMOVED].com/content.php, the HTML defined by „data_inject‟ is added after the string “email*</tr>” in the existing page. Before the injection, the targeted form on the Web page looks like figure1. After the injection, looks like figure2. When the form is sent, the Zeus will intercept the content of the form including the PIN number and send this information to the command and control server, as shown in figure. The syntax also allows for HTML to be replaced rather than just added by also specifying the „data_after‟ field. When this field is specified, then the HTML specified by data_inject will replace the HTML content between „data_before‟ and „data_after‟. Replacement HTML is usually used to modify or hijack JavaScript that is used for client side security purposes. For example, many online banking sites with increased security will hash the credentials before sending the credentials over the wire. This JavaScript routine used for hashing will be hijacked to also preserve the plaintext credentials and send them using non-visible form fields, which will then be intercepted and sent to the command and control servers. Web page before injection :- 5
Virus Programming – Zeus Trojan Web page after injection :- Zeus Infection Chain The following figure shows how a typical Zeus infection takes place. 6
Virus Programming – Zeus Trojan Conclusion Zeus provides a ready-to-deploy package for hackers to distribute their own botnet. The botnet is easily purchased and also freely traded online and continues to be updated to provide new features and functionality. The ease-of-use of Zeus means the Zeus bot is used widely and is highly prevalent, allowing the most novice hackers to easily steal online banking credentials and other online credentials for financial gain. 7

Recommended

Cybercriminals target online banking
Cybercriminals target online bankingCybercriminals target online banking
Cybercriminals target online banking
Scientia Groups
 
System hacking
System hackingSystem hacking
System hacking
CAS
 
Anatomy of an Advanced Retail Breach
Anatomy of an Advanced Retail BreachAnatomy of an Advanced Retail Breach
Anatomy of an Advanced Retail Breach
IBM Security
 
Software security
Software securitySoftware security
Software security
jes_d
 
2 secure systems design
2 secure systems design2 secure systems design
2 secure systems design
drewz lin
 
Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7
Teymur Kheirkhabarov
 
Windows 8. important considerations for computer forensics and electronic dis...
Windows 8. important considerations for computer forensics and electronic dis...Windows 8. important considerations for computer forensics and electronic dis...
Windows 8. important considerations for computer forensics and electronic dis...
Yury Chemerkin
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows Infrastructure
Sergey Soldatov
 

Recommended

Cybercriminals target online banking
Cybercriminals target online bankingCybercriminals target online banking
Cybercriminals target online banking
Scientia Groups
 
System hacking
System hackingSystem hacking
System hacking
CAS
 
Anatomy of an Advanced Retail Breach
Anatomy of an Advanced Retail BreachAnatomy of an Advanced Retail Breach
Anatomy of an Advanced Retail Breach
IBM Security
 
Software security
Software securitySoftware security
Software security
jes_d
 
2 secure systems design
2 secure systems design2 secure systems design
2 secure systems design
drewz lin
 
Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7Kheirkhabarov24052017_phdays7
Kheirkhabarov24052017_phdays7
Teymur Kheirkhabarov
 
Windows 8. important considerations for computer forensics and electronic dis...
Windows 8. important considerations for computer forensics and electronic dis...Windows 8. important considerations for computer forensics and electronic dis...
Windows 8. important considerations for computer forensics and electronic dis...
Yury Chemerkin
 
Hunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows InfrastructureHunting Lateral Movement in Windows Infrastructure
Hunting Lateral Movement in Windows Infrastructure
Sergey Soldatov
 
Горизонтальные перемещения в инфраструктуре Windows
Горизонтальные перемещения в инфраструктуре WindowsГоризонтальные перемещения в инфраструктуре Windows
Горизонтальные перемещения в инфраструктуре Windows
Positive Hack Days
 
Surat peringatan kilat kepada Kelompok Ransomware Kuba
Surat peringatan kilat kepada Kelompok Ransomware KubaSurat peringatan kilat kepada Kelompok Ransomware Kuba
Surat peringatan kilat kepada Kelompok Ransomware Kuba
System 021
 
Getting Bear-y Cozy with PowerShell
Getting Bear-y Cozy with PowerShellGetting Bear-y Cozy with PowerShell
Getting Bear-y Cozy with PowerShell
JamieWilliams130
 
Hackers dictionary
Hackers dictionaryHackers dictionary
Hackers dictionary
Tabraiz Bukhari
 
091209 Mc Afee Roundtable
091209 Mc Afee Roundtable091209 Mc Afee Roundtable
091209 Mc Afee Roundtable
Harvard PR
 
Атаки на платформу Java Card с использованием вредоносных апплетов
Атаки на платформу Java Card с использованием вредоносных апплетовАтаки на платформу Java Card с использованием вредоносных апплетов
Атаки на платформу Java Card с использованием вредоносных апплетов
Positive Hack Days
 
Program and System Threats
Program and System ThreatsProgram and System Threats
Program and System Threats
Reddhi Basu
 
Operating system security
Operating system securityOperating system security
Operating system security
Rachel Jeewa
 
Operations security (OPSEC)
Operations security (OPSEC)Operations security (OPSEC)
Operations security (OPSEC)
Mikko Ohtamaa
 
Operations Security - SF Bitcoin Hackday March 2015
Operations Security - SF Bitcoin Hackday March 2015Operations Security - SF Bitcoin Hackday March 2015
Operations Security - SF Bitcoin Hackday March 2015
Mikko Ohtamaa
 
(Pdf) yury chemerkin def_con_2013
(Pdf) yury chemerkin def_con_2013(Pdf) yury chemerkin def_con_2013
(Pdf) yury chemerkin def_con_2013
STO STRATEGY
 
Krzysztof kotowicz. something wicked this way comes
Krzysztof kotowicz. something wicked this way comesKrzysztof kotowicz. something wicked this way comes
Krzysztof kotowicz. something wicked this way comes
Yury Chemerkin
 
Adding Identity Management and Access Control to your Application, Authorization
Adding Identity Management and Access Control to your Application, AuthorizationAdding Identity Management and Access Control to your Application, Authorization
Adding Identity Management and Access Control to your Application, Authorization
Fernando Lopez Aguilar
 
Understanding Windows Lateral Movements
Understanding Windows Lateral MovementsUnderstanding Windows Lateral Movements
Understanding Windows Lateral Movements
Daniel López Jiménez
 
Operations security - SyPy Dec 2014 (Sydney Python users)
Operations security - SyPy Dec 2014 (Sydney Python users)Operations security - SyPy Dec 2014 (Sydney Python users)
Operations security - SyPy Dec 2014 (Sydney Python users)
Mikko Ohtamaa
 
Hawkeye the Credential Theft Maalware
Hawkeye the Credential Theft MaalwareHawkeye the Credential Theft Maalware
Hawkeye the Credential Theft Maalware
Vishal Kumar
 
Jesse Burke RDPwned HackMiami7
Jesse Burke RDPwned HackMiami7Jesse Burke RDPwned HackMiami7
Jesse Burke RDPwned HackMiami7
Jesse Burke
 
Attacking Session Management
Attacking Session ManagementAttacking Session Management
Attacking Session Management
Sehan Lee
 
Web Application Security 101 - 07 Session Management
Web Application Security 101 - 07 Session ManagementWeb Application Security 101 - 07 Session Management
Web Application Security 101 - 07 Session Management
Websecurify
 
DNS Rebinding Attack
DNS Rebinding AttackDNS Rebinding Attack
DNS Rebinding Attack
Felipe Japm
 
Botnets 101
Botnets 101Botnets 101
Botnets 101
Aung Thu Rha Hein
 
Computer virus
Computer virusComputer virus
Computer virus
kiran_a_c
 

More Related Content

What's hot

Горизонтальные перемещения в инфраструктуре Windows
Горизонтальные перемещения в инфраструктуре WindowsГоризонтальные перемещения в инфраструктуре Windows
Горизонтальные перемещения в инфраструктуре Windows
Positive Hack Days
 
Getting Bear-y Cozy with PowerShell
Getting Bear-y Cozy with PowerShellGetting Bear-y Cozy with PowerShell
Getting Bear-y Cozy with PowerShell
JamieWilliams130
 
091209 Mc Afee Roundtable
091209 Mc Afee Roundtable091209 Mc Afee Roundtable
091209 Mc Afee Roundtable
Harvard PR
 
Program and System Threats
Program and System ThreatsProgram and System Threats
Program and System Threats
Reddhi Basu
 
Operating system security
Operating system securityOperating system security
Operating system security
Rachel Jeewa
 
Operations Security - SF Bitcoin Hackday March 2015
Operations Security - SF Bitcoin Hackday March 2015Operations Security - SF Bitcoin Hackday March 2015
Operations Security - SF Bitcoin Hackday March 2015
Mikko Ohtamaa
 
(Pdf) yury chemerkin def_con_2013
(Pdf) yury chemerkin def_con_2013(Pdf) yury chemerkin def_con_2013
(Pdf) yury chemerkin def_con_2013
STO STRATEGY
 
Krzysztof kotowicz. something wicked this way comes
Krzysztof kotowicz. something wicked this way comesKrzysztof kotowicz. something wicked this way comes
Krzysztof kotowicz. something wicked this way comes
Yury Chemerkin
 

What's hot (20)

Горизонтальные перемещения в инфраструктуре Windows
Горизонтальные перемещения в инфраструктуре WindowsГоризонтальные перемещения в инфраструктуре Windows
Горизонтальные перемещения в инфраструктуре Windows
 
Surat peringatan kilat kepada Kelompok Ransomware Kuba
Surat peringatan kilat kepada Kelompok Ransomware KubaSurat peringatan kilat kepada Kelompok Ransomware Kuba
Surat peringatan kilat kepada Kelompok Ransomware Kuba
 
Getting Bear-y Cozy with PowerShell
Getting Bear-y Cozy with PowerShellGetting Bear-y Cozy with PowerShell
Getting Bear-y Cozy with PowerShell
 
Hackers dictionary
Hackers dictionaryHackers dictionary
Hackers dictionary
 
091209 Mc Afee Roundtable
091209 Mc Afee Roundtable091209 Mc Afee Roundtable
091209 Mc Afee Roundtable
 
Атаки на платформу Java Card с использованием вредоносных апплетов
Атаки на платформу Java Card с использованием вредоносных апплетовАтаки на платформу Java Card с использованием вредоносных апплетов
Атаки на платформу Java Card с использованием вредоносных апплетов
 
Program and System Threats
Program and System ThreatsProgram and System Threats
Program and System Threats
 
Operating system security
Operating system securityOperating system security
Operating system security
 
Operations security (OPSEC)
Operations security (OPSEC)Operations security (OPSEC)
Operations security (OPSEC)
 
Operations Security - SF Bitcoin Hackday March 2015
Operations Security - SF Bitcoin Hackday March 2015Operations Security - SF Bitcoin Hackday March 2015
Operations Security - SF Bitcoin Hackday March 2015
 
(Pdf) yury chemerkin def_con_2013
(Pdf) yury chemerkin def_con_2013(Pdf) yury chemerkin def_con_2013
(Pdf) yury chemerkin def_con_2013
 
Krzysztof kotowicz. something wicked this way comes
Krzysztof kotowicz. something wicked this way comesKrzysztof kotowicz. something wicked this way comes
Krzysztof kotowicz. something wicked this way comes
 
Adding Identity Management and Access Control to your Application, Authorization
Adding Identity Management and Access Control to your Application, AuthorizationAdding Identity Management and Access Control to your Application, Authorization
Adding Identity Management and Access Control to your Application, Authorization
 
Understanding Windows Lateral Movements
Understanding Windows Lateral MovementsUnderstanding Windows Lateral Movements
Understanding Windows Lateral Movements
 
Operations security - SyPy Dec 2014 (Sydney Python users)
Operations security - SyPy Dec 2014 (Sydney Python users)Operations security - SyPy Dec 2014 (Sydney Python users)
Operations security - SyPy Dec 2014 (Sydney Python users)
 
Hawkeye the Credential Theft Maalware
Hawkeye the Credential Theft MaalwareHawkeye the Credential Theft Maalware
Hawkeye the Credential Theft Maalware
 
Jesse Burke RDPwned HackMiami7
Jesse Burke RDPwned HackMiami7Jesse Burke RDPwned HackMiami7
Jesse Burke RDPwned HackMiami7
 
Attacking Session Management
Attacking Session ManagementAttacking Session Management
Attacking Session Management
 
Web Application Security 101 - 07 Session Management
Web Application Security 101 - 07 Session ManagementWeb Application Security 101 - 07 Session Management
Web Application Security 101 - 07 Session Management
 
DNS Rebinding Attack
DNS Rebinding AttackDNS Rebinding Attack
DNS Rebinding Attack
 

Viewers also liked

virus programming using batch file
virus programming using batch filevirus programming using batch file
virus programming using batch file
Aris Suryadi
 
Batch file programming
Batch file programmingBatch file programming
Batch file programming
swapnil kapate
 
What is strategic fit
What is strategic fitWhat is strategic fit
What is strategic fit
Anu Vanu
 
ePub 3, HTML 5 & CSS 3 (+ Fixed-Layout)
ePub 3, HTML 5 & CSS 3 (+ Fixed-Layout)ePub 3, HTML 5 & CSS 3 (+ Fixed-Layout)
ePub 3, HTML 5 & CSS 3 (+ Fixed-Layout)
Clément Wehrung
 

Viewers also liked (20)

Botnets 101
Botnets 101Botnets 101
Botnets 101
 
Computer virus
Computer virusComputer virus
Computer virus
 
Security
SecuritySecurity
Security
 
Html5 with SharePoint 2010
Html5 with SharePoint 2010Html5 with SharePoint 2010
Html5 with SharePoint 2010
 
HTML 5 Step By Step - Ebook
HTML 5 Step By Step - EbookHTML 5 Step By Step - Ebook
HTML 5 Step By Step - Ebook
 
Game Development Using HTML 5
Game Development Using HTML 5Game Development Using HTML 5
Game Development Using HTML 5
 
virus programming using batch file
virus programming using batch filevirus programming using batch file
virus programming using batch file
 
Hello world program
Hello world programHello world program
Hello world program
 
Jsf2 html5-jazoon
Jsf2 html5-jazoonJsf2 html5-jazoon
Jsf2 html5-jazoon
 
Batch file programming
Batch file programmingBatch file programming
Batch file programming
 
Botnets
BotnetsBotnets
Botnets
 
HTML 5 & CSS 3
HTML 5 & CSS 3HTML 5 & CSS 3
HTML 5 & CSS 3
 
Gears and HTML 5 @media Ajax London 2008
Gears and HTML 5 @media Ajax London 2008Gears and HTML 5 @media Ajax London 2008
Gears and HTML 5 @media Ajax London 2008
 
HTML5 & Friends
HTML5 & FriendsHTML5 & Friends
HTML5 & Friends
 
The Future of the Web: HTML5
The Future of the Web: HTML5The Future of the Web: HTML5
The Future of the Web: HTML5
 
Html 5 in a big nutshell
Html 5 in a big nutshellHtml 5 in a big nutshell
Html 5 in a big nutshell
 
What is strategic fit
What is strategic fitWhat is strategic fit
What is strategic fit
 
The 5 Senses Learning Game
The 5 Senses Learning GameThe 5 Senses Learning Game
The 5 Senses Learning Game
 
Up to Speed on HTML 5 and CSS 3
Up to Speed on HTML 5 and CSS 3Up to Speed on HTML 5 and CSS 3
Up to Speed on HTML 5 and CSS 3
 
ePub 3, HTML 5 & CSS 3 (+ Fixed-Layout)
ePub 3, HTML 5 & CSS 3 (+ Fixed-Layout)ePub 3, HTML 5 & CSS 3 (+ Fixed-Layout)
ePub 3, HTML 5 & CSS 3 (+ Fixed-Layout)
 

Similar to Zeus

Sophos what-is-zeus-tp
Sophos what-is-zeus-tpSophos what-is-zeus-tp
Sophos what-is-zeus-tp
Onet Paradis
 
Ransomware Trends 2017 & Mitigation Techniques
Ransomware Trends 2017 & Mitigation TechniquesRansomware Trends 2017 & Mitigation Techniques
Ransomware Trends 2017 & Mitigation Techniques
Avinash Sinha
 
A SECURITY STRATEGY AGAINST STEAL-AND-PASS CREDENTIAL ATTACKS
A SECURITY STRATEGY AGAINST STEAL-AND-PASS CREDENTIAL ATTACKSA SECURITY STRATEGY AGAINST STEAL-AND-PASS CREDENTIAL ATTACKS
A SECURITY STRATEGY AGAINST STEAL-AND-PASS CREDENTIAL ATTACKS
IJNSA Journal
 
A SECURITY STRATEGY AGAINST STEAL-AND-PASS CREDENTIAL ATTACKS
A SECURITY STRATEGY AGAINST STEAL-AND-PASS CREDENTIAL ATTACKSA SECURITY STRATEGY AGAINST STEAL-AND-PASS CREDENTIAL ATTACKS
A SECURITY STRATEGY AGAINST STEAL-AND-PASS CREDENTIAL ATTACKS
IJNSA Journal
 
A security strategy against steal and pass
A security strategy against steal and passA security strategy against steal and pass
A security strategy against steal and pass
IJNSA Journal
 
When developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part iiWhen developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part ii
STO STRATEGY
 

Similar to Zeus (20)

Module 5 (system hacking)
Module 5 (system hacking)Module 5 (system hacking)
Module 5 (system hacking)
 
Sophos what-is-zeus-tp
Sophos what-is-zeus-tpSophos what-is-zeus-tp
Sophos what-is-zeus-tp
 
When developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part iiWhen developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part ii
 
Ransomware Trends 2017 & Mitigation Techniques
Ransomware Trends 2017 & Mitigation TechniquesRansomware Trends 2017 & Mitigation Techniques
Ransomware Trends 2017 & Mitigation Techniques
 
Study on Zeus Banking Malware
Study on Zeus Banking MalwareStudy on Zeus Banking Malware
Study on Zeus Banking Malware
 
Information security & EthicalHacking
Information security & EthicalHackingInformation security & EthicalHacking
Information security & EthicalHacking
 
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App Drive By Downloads: How To Avoid Getting a Cap Popped in Your App
Drive By Downloads: How To Avoid Getting a Cap Popped in Your App
 
Mitigating Malware Presentation Jkd 11 10 08 Aitp
Mitigating Malware Presentation Jkd 11 10 08 AitpMitigating Malware Presentation Jkd 11 10 08 Aitp
Mitigating Malware Presentation Jkd 11 10 08 Aitp
 
Computer Security
Computer SecurityComputer Security
Computer Security
 
Computer crimes
Computer crimesComputer crimes
Computer crimes
 
A SECURITY STRATEGY AGAINST STEAL-AND-PASS CREDENTIAL ATTACKS
A SECURITY STRATEGY AGAINST STEAL-AND-PASS CREDENTIAL ATTACKSA SECURITY STRATEGY AGAINST STEAL-AND-PASS CREDENTIAL ATTACKS
A SECURITY STRATEGY AGAINST STEAL-AND-PASS CREDENTIAL ATTACKS
 
A SECURITY STRATEGY AGAINST STEAL-AND-PASS CREDENTIAL ATTACKS
A SECURITY STRATEGY AGAINST STEAL-AND-PASS CREDENTIAL ATTACKSA SECURITY STRATEGY AGAINST STEAL-AND-PASS CREDENTIAL ATTACKS
A SECURITY STRATEGY AGAINST STEAL-AND-PASS CREDENTIAL ATTACKS
 
A security strategy against steal and pass
A security strategy against steal and passA security strategy against steal and pass
A security strategy against steal and pass
 
When developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part iiWhen developers api simplify user mode rootkits development – part ii
When developers api simplify user mode rootkits development – part ii
 
Introduction To Information Security
Introduction To Information SecurityIntroduction To Information Security
Introduction To Information Security
 
Type of Malware and its different analysis and its types !
Type of Malware and its different analysis and its types !Type of Malware and its different analysis and its types !
Type of Malware and its different analysis and its types !
 
FBI Game over Zeus (GOZ) Botnet poster
FBI Game over Zeus (GOZ) Botnet posterFBI Game over Zeus (GOZ) Botnet poster
FBI Game over Zeus (GOZ) Botnet poster
 
INTERNET SECURITY.pptx
INTERNET SECURITY.pptxINTERNET SECURITY.pptx
INTERNET SECURITY.pptx
 
Computer security and privacy
Computer security and privacyComputer security and privacy
Computer security and privacy
 
RRB JE Stage 2 Computer and Applications Questions Part 5
RRB JE Stage 2 Computer and Applications Questions Part 5RRB JE Stage 2 Computer and Applications Questions Part 5
RRB JE Stage 2 Computer and Applications Questions Part 5
 

Recently uploaded

TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Victor Rentea
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Orbitshub
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
WSO2
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Jeffrey Haguewood
 

Recently uploaded (20)

How to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected WorkerHow to Troubleshoot Apps for the Modern Connected Worker
How to Troubleshoot Apps for the Modern Connected Worker
 
Introduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDMIntroduction to use of FHIR Documents in ABDM
Introduction to use of FHIR Documents in ABDM
 
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUKSpring Boot vs Quarkus the ultimate battle - DevoxxUK
Spring Boot vs Quarkus the ultimate battle - DevoxxUK
 
Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)Introduction to Multilingual Retrieval Augmented Generation (RAG)
Introduction to Multilingual Retrieval Augmented Generation (RAG)
 
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
Apidays New York 2024 - APIs in 2030: The Risk of Technological Sleepwalk by ...
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..Understanding the FAA Part 107 License ..
Understanding the FAA Part 107 License ..
 
ICT role in 21st century education and its challenges
ICT role in 21st century education and its challengesICT role in 21st century education and its challenges
ICT role in 21st century education and its challenges
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024Finding Java's Hidden Performance Traps @ DevoxxUK 2024
Finding Java's Hidden Performance Traps @ DevoxxUK 2024
 
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
Apidays New York 2024 - Passkeys: Developing APIs to enable passwordless auth...
 
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
Navigating the Deluge_ Dubai Floods and the Resilience of Dubai International...
 
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin WoodPolkadot JAM Slides - Token2049 - By Dr. Gavin Wood
Polkadot JAM Slides - Token2049 - By Dr. Gavin Wood
 
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot ModelMcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
Mcleodganj Call Girls 🥰 8617370543 Service Offer VIP Hot Model
 
Six Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal OntologySix Myths about Ontologies: The Basics of Formal Ontology
Six Myths about Ontologies: The Basics of Formal Ontology
 
Architecting Cloud Native Applications
Architecting Cloud Native ApplicationsArchitecting Cloud Native Applications
Architecting Cloud Native Applications
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
AI+A11Y 11MAY2024 HYDERBAD GAAD 2024 - HelloA11Y (11 May 2024)
 
FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024FWD Group - Insurer Innovation Award 2024
FWD Group - Insurer Innovation Award 2024
 

Zeus

  • 1. Virus Programming – Zeus Trojan Introduction Zeus is a Trojan horse that steals banking information by keystroke logging and Form Grabbing. Zeus is spread mainly through drive-by downloads and phishing schemes. Zeus, also known as Zbot, is a malware package that is readily available for sale and also traded in underground forums. The package contains a builder that can generate a bot executable and Web server files (PHP, images, SQL templates) for use as the command and control server. While Zbot is a generic back door that allows full control by an unauthorized remote user, the primary function of Zbot is financial gain—stealing online credentials such as FTP, email, online banking, and other online passwords. Zeus is primarily a crimeware kit designed to steal users‟ online banking login credentials, among other things. It is the handiwork of Eastern European organized criminals that has now entered the underground cybercriminal market as a commodity. Zeus is a botnet package that can be purchased for as low as 700 USD and up to 15,000 USD for the newest version with all available features and can also be found freely traded as well. The bot can be found worldwide and thus remains consistently prevalent in compromising unprotected computers. In short, Zeus is two things: • From a technical perspective, it is a crimeware tool primarily used to steal money. • From another perspective, it signals a new wave in online criminal business enterprise wherein many different organizations cooperate with one another to perpetrate outright online theft and fraud. 1
  • 2. Virus Programming – Zeus Trojan Technical Facts The technical aspect of Zeus is really not that complicated, at least from a functional perspective. It does use a complex encryption technique but explaining its functionality is pretty simple. It has the three components: 1. Zeus Trojan 2. Zeus configuration file (config) 3. Zeus drop zone where stolen credentials are sent The Zeus botnet uses several delivery methods in the first stage—the Trojan. Once the Zeus Trojan is executed, it downloads its configuration file from a predetermined location then waits for the victim to log in to a particular target that its configfile has defined, which usually comprises a selection of banks, their login URLs, and the like. Unlike traditional keyloggers, Zeus Trojans are “men-in-the-browser” agents that grab variables from a browser session such as an online banking session. This makes Zeus especially dangerous because it also has the ability to inject additional form fields into a legitimate Web session. Injecting these additional fields can fraudulently urge victims to surrender more information than they would normally be required to in a session, for instance, with their banks. Some Zeus variants also contain a nasty feature called “JabberZeuS,” which immediately relays victims‟ login credentials to cybercriminals in real-time via an instant messenger (IM). This allows cybercriminals to bypass multifactor authentication schemes to log in to victims‟ accounts and to wire money to third parties, virtually piggybacking on the victims‟ sessions. This is where the Zeus botnet‟s real power lays, the core nature of which is wholesale theft. 2
  • 3. Virus Programming – Zeus Trojan How it works? Because Zbot is a package that is readily available, vectors of infection vary widely, with popular methods including drive-by download and SPAM. SPAM runs of Zbot are a regular occurrence using social engineering tactics, impersonating organizations such as the FDIC, IRS, MySpace, Facebook, and Microsoft, as shown in figure 3 on the next page. Once the bot is executed, the following actions take place: It copies itself to %system32%sdra64.exe. It sets the previous path to HKEY_LOCAL_MACHINESoftwareMicrosoftWindows NTwinlogonuserinit, so that winlogon.exe spawns the process at startup time. It looks for winlogon.exe, increases its privileges, injects its code and a string table into this process, and creates a thread to execute this code. The main bot executable terminates The injected code in winlogon injects additional code into svchost.exe. It also creates a folder named %System%lowsec and puts two files inside: local.ds and user.ds. Local.ds is the latest dynamic configuration file downloaded from the server. User.ds contains stolen credentials and other information to be transmitted to the server. The code inside svchost is responsible for network communication and third-party process injection required to hook Internet-related APIs in order to inject or steal information to/from banking sites The communication between these various injected components is done with mutexes and pipes, maliciously named _AVIRA_x, where x is a number (eg: x=2109 in winlogon.exe, x=2108 in svchost.exe). If Zeus is run using an account that does not have Administrator privileges, code will not be injected into winlogon.exe, but instead into explorer.exe. Also, instead of copying itself to the %System% folder, the bot will copy itself to %UserProfile%Application Datasdra64.exe, and create the folder %UserProfile%Application Datalowsec. Finally, the bot will create a load point under the registry key HKEY_CURRENT_USERSoftwareMicrosoftWindowsCurrentVersionRun”userinit”=” %UserProfile%Application Datasdra64.exe”. 3
  • 4. Virus Programming – Zeus Trojan Functionality The main purpose of Zeus is to steal online credentials as specified by the hacker. Zeus performs four main actions: Gathering system information. Stealing protected storage information, FTP passwords, and POP3 passwords. Stealing online credential information as specified by a configuration file. Contacting the command and control server for additional tasks to perform. System Information Gathering By default Zeus will automatically gather a variety of system information and send this information to the command and control server. This information includes: A unique bot identification string Name of the botnet Version of the bot Operating system version Operating system language Local time of the compromised computer Uptime of the bot Last report time Country of the compromised computer IP address of the compromised computer Process names Credential Stealing Zeus‟ main purpose is to steal online credentials and does so in two manners—by automatic actions hardcoded in the binary and also using configuration files that are included in the Zeus binary, but also downloadable from the command and control server. After Zeus is executed, it will automatically steal information stored in the PSTORE (Protected Storage), which usually contains saved Internet Explorer passwords and also automatically captures any FTP or POP3 (email) passwords that are sent across the network in the clear. However, Zeus‟ most effective means of financial gain is controlled via a configuration file modified by the distributor of the Trojan. This configuration file specifies actions to perform once Zeus is installed and is updatable via the command and control server. Web Page Injection Many online banking and other Web sites that require credentials have evolved to evade standard keystroke logging or network-sniffing attacks. Thus, many credential-stealing threats now utilize HTML injection techniques to obtain credential information. In particular, these threats inject additional HTML into legitimate pages that cause the user to input credential information not actually required by the financial Web site or HTML content that 4
  • 5. Virus Programming – Zeus Trojan defeats client-side security techniques, such as hashing credentials before they are sent over the wire. Sample Web injections are provided in the Zeus package and are defined in the configuration file. Below is an example of injection configuration block: set_urlhttp://www.[REMOVED].com/contact.php data_before name=‟email‟*</tr> data_end data_inject <tr><td>PIN:</td><td><input type=”text” name=”pinnumber” id=”pinnumber” /></td></tr> data_end data_after data_end On any Web page matching the URL http://www.[REMOVED].com/content.php, the HTML defined by „data_inject‟ is added after the string “email*</tr>” in the existing page. Before the injection, the targeted form on the Web page looks like figure1. After the injection, looks like figure2. When the form is sent, the Zeus will intercept the content of the form including the PIN number and send this information to the command and control server, as shown in figure. The syntax also allows for HTML to be replaced rather than just added by also specifying the „data_after‟ field. When this field is specified, then the HTML specified by data_inject will replace the HTML content between „data_before‟ and „data_after‟. Replacement HTML is usually used to modify or hijack JavaScript that is used for client side security purposes. For example, many online banking sites with increased security will hash the credentials before sending the credentials over the wire. This JavaScript routine used for hashing will be hijacked to also preserve the plaintext credentials and send them using non-visible form fields, which will then be intercepted and sent to the command and control servers. Web page before injection :- 5
  • 6. Virus Programming – Zeus Trojan Web page after injection :- Zeus Infection Chain The following figure shows how a typical Zeus infection takes place. 6
  • 7. Virus Programming – Zeus Trojan Conclusion Zeus provides a ready-to-deploy package for hackers to distribute their own botnet. The botnet is easily purchased and also freely traded online and continues to be updated to provide new features and functionality. The ease-of-use of Zeus means the Zeus bot is used widely and is highly prevalent, allowing the most novice hackers to easily steal online banking credentials and other online credentials for financial gain. 7