
Zeus

Zeus. By Nick Bilogorskiy (@belogor, nick@cyphort.com), Director of Security Research. Agenda: What is Zeus; Dissecting the malware; Attribution; Zeus advanced tricks; Recommendations. Quick poll: Have you heard of Zeus? ZEUS: What is it.


Presentation Transcript


  1. Zeus By Nick Bilogorskiy @belogor nick@cyphort.com

  2. Nick Bilogorskiy Director of Security Research

  3. Agenda • What is Zeus • Dissecting the malware • Attribution • Zeus advanced tricks • Recommendations

  4. Quick poll Have you heard of Zeus?

  5. ZEUS What is it • Zeus is the most successful banking malware to date. • Trojan horse targeted at Windows operating systems • Tens of millions of computers worldwide infected

  6. ZEUS 7 years old

  7. ZEUS Prevalence

  8. ZEUS History • 2007 Zeus version 1.0 • 2008 • Apr 2010 Version 2.0 • April 2011 ZeuS source code of version 2.0.8.9 leaked • October 2011 Peer to Peer version – Zeus Gameover – removes the centralized CnC infrastructure • March 2012 Microsoft legal action through a civil lawsuit dubbed Operation b71 • December 2013 64-bit version of Zeus appears

  9. ZEUS how does it work • DROPPER random.exe: drops the Zbot files, then deletes the dropper • DELETE SCRIPT Random.bat • ZBOT Random2.exe • CONFIGURATION random.ofu • C&C SERVER: control, communication and updates

  10. ZEUS Architecture

  11. ZEUS Builder

  12. ZEUS Config • url_config • url_loader • url_server • AdvancedConfigs • webFilters • WebFakes

  13. ZEUS PHP backend • Google for inurl:"cp.php?m=login" Image: Aditya Sood

  14. ZEUS PHP backend Image: Aditya Sood

  15. ZEUS why is detection hard

  16. ZEUS why is detection hard

  17. Quick poll What is the name of the Zeus author?

  18. ZEUS Gameover Attribution Image source: FBI According to the FBI, losses are “more than $100 million.”

  19. ZEUS Gameover Attribution Evgeniy Mikhailovich Bogachev, 30, of Anapa, Russia, nickname “Slavik”, indicted for conspiracy, computer hacking, wire fraud, bank fraud, and money laundering. Bogachev is identified as a leader of a cyber gang of criminals based in Russia and Ukraine that is responsible for both GameOver Zeus and Cryptolocker.

  20. ZEUS JabberZeus

  21. ZEUS JabberZeus Attribution

  22. ZEUS JabberZeus Attribution Stole more than $70 million from banks worldwide • Ringleader: Yevhen Kulibaba, 32-year-old Ukrainian property developer • Kulibaba’s right-hand man: 28-year-old Yuriy Konovalenko • Karina Kostromina, wife of Kulibaba, 33-year-old Latvian woman jailed for money laundering Photos from krebsonsecurity.com

  23. ZEUS Business workflow Source: Brian Krebs

  24. ZEUS Advanced tricks • Steganography • Rootkit • Anti-Debugging • Digital signatures • New Hooking implementation

  25. ZEUS Steganographic config

  26. ZEUS Steganographic config

  27. ZEUS Necurs rootkit Access is denied when deleting the malware files.

  28. Zeus advanced tricks – Anti-Debugging • Fake Jumps

  29. Zeus Advanced Tricks – Digital Certificates

  30. Zeus Advanced Tricks - DGA It also employs DGA – Domain Generation Algorithm. DGA is a way for malware to prevent blacklisting of its CnC site: an infected machine creates thousands of domain names such as www.<gibberish>.com and attempts to contact a portion of them with the purpose of receiving an update or commands. The technique was popularized by the Conficker worm, which generated 50,000 domains a day.
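Because a DGA produces pseudo-random labels rather than words, a defender can flag likely generated domains in DNS logs with simple lexical checks. The following is an added example (not from the presentation) that scores the second-level label of each queried name by vowel ratio and longest consonant run; the log format, thresholds and sample lines are constructed for illustration.

```python
import re

# Constructed DNS query log lines (timestamp, client, record type, name); not real traffic.
SAMPLE_DNS_LOG = """\
2014-10-02T10:00:01 192.0.2.10 A www.example.com
2014-10-02T10:00:02 192.0.2.10 A www.xkqzpvlmtrwbgh.com
2014-10-02T10:00:03 192.0.2.10 A mail.google.com
2014-10-02T10:00:04 192.0.2.10 A www.trafficsecurity.com
2014-10-02T10:00:05 192.0.2.10 A www.mogubwerxoqpzyhtg.com
2014-10-02T10:00:06 192.0.2.10 A www.zqxvjnwlptbkfdsg.com
"""

VOWELS = set("aeiou")


def second_level_label(hostname):
    """Return the label left of the public suffix, e.g. 'example' for www.example.com.
    Assumes a single-label TLD; a real deployment would use a public suffix list."""
    parts = hostname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def dga_features(label):
    """Lexical features that tend to separate dictionary words from random labels."""
    vowel_ratio = sum(ch in VOWELS for ch in label) / len(label)
    runs = re.findall(r"[^aeiou]+", label)
    longest_consonant_run = max((len(r) for r in runs), default=0)
    return {"length": len(label),
            "vowel_ratio": vowel_ratio,
            "consonant_run": longest_consonant_run}


def looks_generated(label, min_len=10, max_vowel_ratio=0.2, min_consonant_run=5):
    """Heuristic (thresholds are illustrative): long label that is nearly vowel-free
    or contains an unpronounceable consonant run."""
    f = dga_features(label)
    return f["length"] >= min_len and (
        f["vowel_ratio"] <= max_vowel_ratio or f["consonant_run"] >= min_consonant_run)


def suspicious_domains(log_text):
    """Return the queried hostnames whose second-level label looks machine-generated."""
    flagged = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip malformed lines
        host = fields[3]
        if looks_generated(second_level_label(host)):
            flagged.append(host)
    return flagged
```

A high count of such names from one host in a short window, most of them returning NXDOMAIN, is the pattern worth alerting on; a single hit is weak evidence.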

  31. “Man-in-the-browser”

  32. ZEUS why so successful Modularity. Flexibility. Persistence.

  33. ZEUS why is removal hard Registry Key Infector Decrypt & load DLL Inject DLL

  34. ZEUS tell tale signs POST /grace/gate.php HTTP/1.1 GET /grace/cfg.bin HTTP/1.

  35. ZEUS tell tale signs • Zeus version 2 saves encrypted config in registry • HKCU\Software\Microsoft\{Random}
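The two request shapes on slide 34 (a POST to gate.php and a GET for cfg.bin) can be turned into a proxy-log check that reports only clients showing both, which is far less noisy than matching either path alone. This is an added example, not material from the presentation; the log layout and sample lines are constructed, and the directory name /grace/ is deliberately not hard-coded because it varies per campaign.

```python
import re

# Constructed proxy log lines (client, method, path, version, status); not real traffic.
SAMPLE_PROXY_LOG = """\
192.0.2.10 POST /grace/gate.php HTTP/1.1 200
192.0.2.10 GET /grace/cfg.bin HTTP/1.1 200
192.0.2.11 GET /images/logo.png HTTP/1.1 200
192.0.2.12 GET /news/cfg.bin HTTP/1.1 200
192.0.2.13 POST /login.php HTTP/1.1 302
"""

# Match the file names from the tell-tale-signs slide in any directory.
GATE_RE = re.compile(r"^POST\s+\S*/gate\.php(\?|$)")
CONFIG_RE = re.compile(r"^GET\s+\S*/cfg\.bin(\?|$)")


def zeus_indicators(log_text):
    """Map each client IP to the set of Zeus-style request indicators it produced."""
    hits = {}
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 3:
            continue  # skip malformed lines
        client, method, path = fields[0], fields[1], fields[2]
        request = f"{method} {path}"
        if GATE_RE.match(request):
            hits.setdefault(client, set()).add("gate.php POST")
        elif CONFIG_RE.match(request):
            hits.setdefault(client, set()).add("cfg.bin GET")
    return hits


def high_confidence_clients(hits):
    """Clients that both fetched a config (cfg.bin) and reported to a gate (gate.php)."""
    return sorted(client for client, inds in hits.items() if len(inds) == 2)


def weak_signal_clients(hits):
    """Clients with only one of the two indicators; worth a look, not an alert."""
    return sorted(client for client, inds in hits.items() if len(inds) == 1)
```

On a Windows host the registry location from slide 35 (a random subkey under HKCU\Software\Microsoft holding an encrypted blob) is the complementary endpoint-side check for the same infection.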

  36. ZEUS MALWARE KIT DEMO https://www.youtube.com/watch?v=E0TQW82o8cc Demo

  37. Every platform affected by malware • Windows : Zeus, Cryptolocker, 100+ million malware • Android : Code4HK • Linux: Shellshock • Mac: iWorm Reddit worm All platforms are at risk! http://www.securelist.com/en/analysis/204792318/Kaspersky_Security_Bulletin_2013_Overall_statistics_for_2013 http://www.sophos.com/en-us/medialibrary/PDFs/other/sophos-security-threat-report-2014.pdf

  38. Malware Kill Chain • Awareness • Behavior • Correlation • Encryption • Intelligence BREAK THE CHAIN

  39. October 30: info.cyphort.com/mmwoctober Anti-Sandbox Malware Techniques

  40. Thank You! nick@cyphort.com @belogor info.cyphort.com/mmwoctober
