Zeus. By Nick Bilogorskiy, @belogor, nick@cyphort.com
Nick Bilogorskiy, Director of Security Research
Agenda • What is Zeus • Dissecting the malware • Attribution • Zeus advanced tricks • Recommendations
Quick poll Have you heard of Zeus?
ZEUS What is it • Zeus is the most successful banking malware to date. • Trojan horse targeted at Windows operating systems • Tens of millions of computers worldwide infected
ZEUS History (timeline)
• 2007: Zeus version 1.0
• 2008 – Apr 2010: Version 2.0
• April 2011: ZeuS source code of version 2.0.8.9 leaked
• October 2011: Peer to Peer version – Zeus Gameover – removes the centralized CnC infrastructure
• March 2012: Microsoft legal action through a civil lawsuit dubbed Operation b71
• December 2013: 64-bit version of Zeus appears
ZEUS how does it work
• DROPPER (random.exe): drops the Zbot files
• ZBOT (Random2.exe) with CONFIGURATION (random.ofu)
• DELETE SCRIPT (Random.bat): deletes the dropper
• C&C SERVER: control communication and updates
ZEUS Config • url_config • url_loader • url_server • AdvancedConfigs • webFilters • WebFakes
ZEUS PHP backend • Google for "inurl: "cp.php?m=login"" Image: Aditya Sood
ZEUS PHP backend Image: Aditya Sood
Quick poll What is the name of Zeus author?
ZEUS Gameover Attribution Image source: FBI According to the FBI, losses are "more than $100 million."
ZEUS Gameover Attribution Evgeniy Mikhailovich Bogachev, 30, of Anapa, Russia, nickname "Slavik", indicted for conspiracy, computer hacking, wire fraud, bank fraud, and money laundering. Bogachev is identified as a leader of a cyber gang of criminals based in Russia and Ukraine that is responsible for both GameOver Zeus and Cryptolocker.
ZEUS JabberZeus Attribution Stole more than $70 million from banks worldwide.
• Ringleader: 32-year-old Ukrainian property developer Yevhen Kulibaba
• Kulibaba's right-hand man: 28-year-old Yuriy Konovalenko
• Karina Kostromina, wife of Kulibaba, 33-year-old Latvian woman jailed for money laundering
Photos from krebsonsecurity.com
ZEUS Business workflow Source: Brian Krebs
ZEUS Advanced tricks • Steganography • Rootkit • Anti-Debugging • Digital signatures • New Hooking implementation
ZEUS Necurs rootkit Access is denied when deleting the malware files.
Zeus advanced tricks – Anti-Debugging • Fake Jumps
Zeus Advanced Tricks - DGA It also employs a DGA – Domain Generation Algorithm. A DGA is a way for malware to prevent blacklisting of its CnC site: an infected machine creates thousands of domain names such as www.<gibberish>.com and attempts to contact a portion of these with the purpose of receiving an update or commands. The technique was popularized by the Conficker worm, which generated 50,000 domains a day.
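Added example (not from the talk): a defender-side heuristic that flags clients in a DNS log that query many long, high-entropy, vowel-poor domains that mostly return NXDOMAIN, the footprint a DGA as described above leaves on a resolver. The log format, the sample lines and the thresholds are assumptions.

```python
import math
from collections import defaultdict

# Constructed resolver log: "<client ip> <queried name> <response code>" (sample data, not real traffic).
SAMPLE_DNS_LOG = """\
10.0.0.5 www.google.com NOERROR
10.0.0.5 mail.example.org NOERROR
10.0.0.9 www.kqzvtrpxmlwb.com NXDOMAIN
10.0.0.9 www.hjfdsuqotewmz.com NXDOMAIN
10.0.0.9 www.zxcvqwrtyplmn.com NXDOMAIN
10.0.0.9 www.pouytrewqlkjh.com NXDOMAIN
10.0.0.9 www.mnbvcxzasdfgh.com NOERROR
10.0.0.5 cdn.example.net NOERROR
"""

def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def registrable_label(fqdn):
    """Second-level label: 'www.abc.com' -> 'abc' (naive split, adequate for the sample)."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def looks_generated(fqdn, min_len=10, entropy_threshold=3.2, max_vowel_ratio=0.35):
    """Heuristic: long label, near-uniform character mix, few vowels. Thresholds are assumed."""
    label = registrable_label(fqdn)
    if len(label) < min_len:
        return False
    vowel_ratio = sum(ch in "aeiou" for ch in label) / len(label)
    return shannon_entropy(label) >= entropy_threshold and vowel_ratio < max_vowel_ratio

def find_dga_clients(log_text, min_suspect=3):
    """Return {client: (distinct suspect domains, NXDOMAIN count)} for clients over min_suspect."""
    per_client = defaultdict(lambda: {"suspect": set(), "nx": 0})
    for line in log_text.splitlines():
        client, fqdn, rcode = line.split()
        if looks_generated(fqdn):
            per_client[client]["suspect"].add(fqdn)
            if rcode == "NXDOMAIN":
                per_client[client]["nx"] += 1
    return {c: (len(s["suspect"]), s["nx"])
            for c, s in per_client.items() if len(s["suspect"]) >= min_suspect}

if __name__ == "__main__":
    print(find_dga_clients(SAMPLE_DNS_LOG))  # prints {'10.0.0.9': (5, 4)}
```

A sharp rise in NXDOMAIN responses from one host is the cheapest signal to alert on; the entropy score then separates generated labels from legitimate long names.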
ZEUS why so successful Modularity. Flexibility. Persistence.
ZEUS why is removal hard Registry Key → Infector → Decrypt & load DLL → Inject DLL
ZEUS tell tale signs
POST /grace/gate.php HTTP/1.1
GET /grace/cfg.bin HTTP/1.
ZEUS tell tale signs • Zeus version 2 saves encrypted config in registry • HKCU\Software\Microsoft\{Random}
ZEUS MALWARE KIT DEMO https://www.youtube.com/watch?v=E0TQW82o8cc Demo
Every platform affected by malware
• Windows: Zeus, Cryptolocker, 100+ million malware
• Android: Code4HK
• Linux: Shellshock
• Mac: iWorm Reddit worm
All platforms are at risk!
http://www.securelist.com/en/analysis/204792318/Kaspersky_Security_Bulletin_2013_Overall_statistics_for_2013
http://www.sophos.com/en-us/medialibrary/PDFs/other/sophos-security-threat-report-2014.pdf
Malware Kill Chain • Awareness • Behavior • Correlation • Encryption • Intelligence BREAK THE CHAIN
October 30: info.cyphort.com/mmwoctober Anti-Sandbox Malware Techniques
Thank You! nick@cyphort.com @belogor info.cyphort.com/mmwoctober