The Zeus malware R&D program
Trusteer captured and analyzed a new version (2.1) of the Zeus financial malware and found that it has added sophisticated new mechanisms to commit online fraud and remain the Trojan of choice for criminals.
Zeus has not only improved its business logic but also its ability to avoid detection and automatic analysis by antivirus vendors. Zeus is under the spotlight of security vendors, banks, and law enforcement, which forces its developers to continually improve it to avoid losing business to competing malware like Bugat, Clampi, and SpyEye.
Just like commercial application developers, the creators of Zeus run an R&D program to ensure it can avoid detection and side-step the growing number of IT security mechanisms designed to detect, block and eliminate it.
New capabilities in Zeus 2.1 include:
- URL matching based on a full implementation of the Perl Compatible Regular Expressions (PCRE) library. This allows much more flexibility for Zeus’s configuration to define targets. For example, Zeus can now target all URLs that start with “https” and then zero in on those that contain specific digits and keywords. Earlier Zeus versions had a primitive regular expression implementation which provided very little flexibility in specifying target URLs.
- The injection mechanism (Zeus’s main “work horse”) now uses sophisticated regular expressions based on PCRE as well, which helps avoid detection. It can target individual web pages with elaborate injections, while not injecting into other pages. This surgical injection method creates more convincing pages and can target more banks using a single attack.
- Zeus now has a fine-grained “grabbing” mechanism, again based on PCRE, which can extract very specific areas of the page (e.g. the account balance) and report them to the C&C host. The grab mechanism provides an efficient way of collecting user data (such as account balance), as opposed to the cumbersome and wasteful way (supported by earlier Zeus variants) of having to copy the full page.
- As other researchers have already pointed out, Zeus 2.1 completely changed the way it communicates with its Command & Control (C&C) servers: it now carries a daily list of hundreds of C&C hostnames, through which it cycles trying to find a live one. This is a considerable improvement over the previous scheme.
- Zeus has added a 1024-bit RSA public key, which will probably be used for one-way encryption of data and authenticating the C&C server to Zeus clients.
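The C&C change in the list above has a defensive corollary: a client that walks through a long hostname list looking for a live server produces a burst of distinct DNS lookups. The following is an added example, not code from the article or from Trusteer, that flags such clients over a constructed DNS query log; the log format, the hostnames, the five-minute window and the threshold of five distinct names are all assumptions for illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample DNS query log (not from the article), one "<ISO timestamp> <client IP> <name>" per line.
# Client 10.0.0.7 resolves many distinct names in under a minute: the pattern the article describes
# for a Zeus 2.1 client cycling through its daily C&C hostname list in search of a live server.
SAMPLE_DNS_LOG = """\
2010-09-14T09:00:01 10.0.0.5 www.example.com
2010-09-14T09:00:02 10.0.0.7 cc-a1.example.net
2010-09-14T09:00:05 10.0.0.7 cc-b2.example.org
2010-09-14T09:00:09 10.0.0.5 mail.example.com
2010-09-14T09:00:12 10.0.0.7 cc-c3.example.biz
2010-09-14T09:00:20 10.0.0.7 cc-d4.example.info
2010-09-14T09:00:31 10.0.0.5 www.example.com
2010-09-14T09:00:33 10.0.0.7 cc-e5.example.net
2010-09-14T09:00:41 10.0.0.7 cc-f6.example.org
2010-09-14T09:00:50 10.0.0.7 cc-a1.example.net
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")

def parse_dns_log(text):
    """Parse log text into (timestamp, client, hostname) tuples, skipping malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # blank or malformed line
        ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%S")
        events.append((ts, m.group(2), m.group(3).lower()))
    return events

def flag_hostname_cyclers(events, window=timedelta(minutes=5), threshold=5):
    """Return {client: peak distinct names} for clients resolving at least `threshold`
    distinct hostnames within any sliding `window`; the threshold is illustrative, tune it per site."""
    by_client = defaultdict(list)
    for ts, client, name in sorted(events):
        by_client[client].append((ts, name))
    flagged = {}
    for client, queries in by_client.items():
        peak, start = 0, 0
        for end in range(len(queries)):
            # Advance the window start until queries[start..end] fit inside `window`.
            while queries[end][0] - queries[start][0] > window:
                start += 1
            peak = max(peak, len({n for _, n in queries[start:end + 1]}))
        if peak >= threshold:
            flagged[client] = peak
    return flagged
```

Repeated lookups of the same name (the retry of cc-a1 above) are deduplicated, so ordinary clients that poll a few hosts often are not flagged; only the count of distinct names inside the window matters.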
Whereas previous malware has risen in popularity, been tweaked, and then faded away, the enhancements in Zeus show no signs of abating, largely because of its modular coding structure.
The modular approach, for example, means that exploit hacks can be used to enhance the ability of Zeus to stage a real-time bank access attack, and so greatly extend its useful lifetime to the cybercriminals.
As with any commercial application, software product maintenance and support are two of the more important reasons why users buy and use products, and Zeus has proven over the last three years that it does both very well for the cybercriminals.
The Zeus developers keep releasing new features – such as a highly granular browser injection facility – that allow them to stay one step ahead of the IT security community, as well as fixing bugs and other issues in previous versions.
This level of commitment attracts the fraudsters’ business and maintains interest in the Trojan amongst security vendors, banks and law enforcement officials. This in turn reinforces the security circle, with hacker coders constantly tweaking and improving the malware as time goes on.
IT security teams trying to defend against Zeus should:
1. Recognize that antivirus technology is only partially effective against modern malware such as Zeus, Bugat, and SpyEye. Many of these fly under the radar of antivirus solutions while targeting employees and stealing sensitive corporate information. This version of Zeus is extremely elusive and is virtually undetectable by antivirus products.
2. Recognize that the browser has emerged as the weakest link in the enterprise security infrastructure and is being exploited by malware authors and criminals to infect computers and steal sensitive information.
3. Protect employees, contractors, and unmanaged computers with secure browsing services, which can detect, block, and remove browser-borne malware from computers.
4. Put in place technology and processes that enable effective and instant investigation of malware-related fraud incidents.