Part of the difficulty in unraveling ZeuS botnet infrastructure is mapping it out. Attackers usually plant a generic dropper within an emailed file, disguised to look like a document or via web sites by using popular exploit kits such as Blackhole that can identify vulnerable software on each visitor and deliver the right exploit.
That initial dropper wouldn’t be classified as ZeuS. Instead, it has a list of hard coded addresses to download ZeuS from. After it downloads and executes, a new variant is created on the fly for each infection, then the original dropped ZeuS is deleted. This makes it difficult for antivirus vendors to identify all compromised systems since each infected system has its own unique copy.
A little over a month ago, I analyzed a Gameover sample. Manual analysis uncovered that while installing ZeuS, the dropper quickly ran a special purpose password stealer, designed to grab saved passwords from popular software such as web browsers, then deleted it. That very important detail wasn’t evident in reports generated by automated malware analysis engines.
I shared my analysis in the comments section in this VirusTotal report. Additionally, you can see in this report that as of four weeks ago when the dropped ZeuS sample was last submitted, only 6 of 52 antivirus engines detected it. I submitted all samples to the Antivirus vendors and the detection rate is probably much better now.
ZueS/Zbot botnets are extremely common and simple to operate with minimal investment. Criminals pay for a custom variation of the ZeuS builder which is guaranteed to create new variants undetectable by antivirus software. They then go on their phishing campaigns, which costs them nothing or they pay for an exploit kit so that they don’t have to worry about email attachments getting blocked.
Most security software that detects botnet droppers only has information on one or two servers hosting the botnet executable. It takes manual analysis to uncover all the indicators produced by any given ZeuS campaign. You can see the manual analysis I did on a fresh sample unrelated to Gameover that arrived in my home email on June 1st. See the comments section of this VirusTotal entry for my manual analysis results, then compare to this automated threat report. The automated report identified one domain that the dropper downloads ZeuS from. Manual analysis uncovered all ten and a narrative sequence of events.
People and organizations worried about botnet infections could avoid a lot of hassle by following these recommendations:
1. Block email attachments containing executable files or zip files with executable files like exe and scr.
2. Use vulnerability mitigation software to make up for unpatched software to avoid getting hit by exploit kits. The Microsoft Enhanced Mitigation Experience Toolkit (EMET) has a proven track record of protecting from attacks including rare 0days before software patches are even available. Also, EMET can be managed in corporate environments using group policies.
3. Install antivirus software. Although not perfect, antivirus software can still catch a large percentage of malware and reduce noise.
4. For organizations with in-house security staff, I recommend learning how to do manual analysis so that incidents can be fully investigated to uncover what their existing security products aren’t telling them. Stolen passwords can result in dire consequences such as wire fraud or data theft as we saw in the recent eBay incident where attackers used employee credentials to login and make their way to the database.