Assignment-project 2


Page 1: Assignment-project 2

Project Report: Zeus Botnet

Abstract

Nowadays, computer networks and communication systems have become the backbone of all businesses and play a crucial role in fulfilling the necessities of daily life. Since we share cyberspace in our daily life, everyone, from business to personal use, needs a cyber environment that is flexible and easily accessible yet reliable and secure. Banking and e-commerce, online shopping and entertainment are some daily requirements that rely on shared cyberspace. Therefore, our personal data is scattered across different locations within the cyber environment, and there is always a risk that someone steals our confidential data by gaining unauthorized access to the system where our information is located. To prevent unauthorized access to our confidential data and ensure its integrity, we need a secure cyberspace.

Cybersecurity is not limited to an advanced understanding of computer systems, data and networking; it also involves understanding the mathematics of cryptography, and social philosophy in order to understand business processes and organization theory. According to experts, the security issues and threats we face in our cyber environment today will be drastically different from those we will face five years from now. Therefore, an effective learning approach, adaptability to new realities and a quick understanding of their impacts make a security expert more efficient. Attackers/hackers use different methods to gain unauthorized access to data and exploit systems.

This report is based on a project to set up a botnet environment using the Zeus botnet in a virtual network, in order to learn the procedures and methods used to gain unauthorized access to someone's confidential data or exploit their systems through someone else's computers while concealing the actual attacker's identity. By understanding these processes, we can develop effective methods and approaches to ensure the security of our systems. This report explains all the concepts and practical work involved in accomplishing this. To explain the concepts and further details, information has been gathered from books, internet resources and class lectures; wherever it draws on the work of others, such sources are clearly acknowledged.

1


Table of Contents

Abstract (p. 2)
1.0. Introduction (p. 5)
2.0. Cybersecurity (p. 6)
  2.1. Complexities in Defense against Attacks (p. 6)
3.0. Classes of Malicious Software (p. 7)
  3.1. Virus (p. 7)
  3.2. Worms (p. 7)
  3.3. Trojans (p. 7)
  3.4. Bots (p. 8)
4.0. Botnet (p. 9)
  4.1. Uses of Botnets (p. 9)
  4.2. Types of Bots (p. 10)
  4.3. Types of Botnets (p. 10)
5.0. Zeus Botnet (p. 11)
  5.1. Overview of Zeus CNC control panel (p. 11)
  5.2. Zeus bots activities (p. 12)
    5.2.1. Intercepting HTTP/HTTPS requests (p. 13)
    5.2.2. Webpage injections (p. 13)
    5.2.3. Gathering information from user's programs (p. 14)
    5.2.4. Control panel scripts command (p. 14)
6.0. Requirements to create Zeus botnet (p. 15)
  6.1. Zeus botnet files (p. 15)
7.0. Zeus botnet implementation (p. 16)
  7.1. Database configuration (p. 16)
  7.2. Configuration of Zeus builder (p. 17)
  7.3. Creating Trojan horse (p. 18)
  7.4. Gathering information from zombie machine (p. 18)
    7.4.1. Grabbing information from forms (p. 19)
    7.4.2. Executing scripts (p. 22)
8.0. Detecting and deleting Zeus bot (p. 23)
  8.1. Windows default programs behavior (p. 23)
  8.2. Malware detection software (p. 25)
9.0. Summary (p. 26)
References (p. 27)


1.0. Introduction:

The Internet has become an essential requirement of human life, and the shared cyberspace is used to interact with the rest of the world. Therefore, incidents like theft of confidential data, outages, virus/malware infection, hacking, etc. can gravely influence our lives. Opportunities to exploit systems increase with the advent of newer technologies. Moreover, processing and storing confidential data in many different locations and transmitting it across multiple networks require more security measures and safeguard policies to prevent potential cyber attacks.

There are different cybersecurity threats that need our attention on a daily basis. Some important threats include attacks launched with a botnet against other networks using your PC while you are unaware of it, viruses and malware that crash complete systems, illicit access to your resources and data modification, theft of your bank account and credit card information, and identity theft.

To secure cyberspace, we need to ensure that the security properties of the assets of both organizations and users are achieved and maintained in an appropriate fashion in order to minimize cybersecurity threats. No matter how effective the security measures you take, it is not viable to attain 100% security. However, several safeguard policies can be implemented to minimize the risk.

This report discusses some cybersecurity terms and key threats. In addition, the technical details of the Zeus botnet and its functionality, based on the implementation of a Zeus network in a lab environment, are discussed while explaining the systematic configuration process of implementing the Zeus botnet in a virtual lab environment. At the end, this report illustrates some methods to avoid the devastation caused by Zeus and gives a summary of the complete report.


2.0. Cybersecurity:

Security, in a general context, is the quality of being free from danger or the degree of resistance to threats. Cybersecurity, on the other hand, is a combination of processes and policies, risk management strategies, safeguard principles and best practices for designing and implementing modern tools and technologies to secure our cyberspace and assets. The integrity and protection of information/data can be achieved by detecting attacks as well as applying suitable prevention mechanisms to eliminate threats and minimize risk.

However, it is impossible to achieve perfection in security, because security is not an absolute but a process. There should be a reasonable balance between protection and availability, which can be achieved by allowing reasonable access to resources with a defined level of security while minimizing the risk from potential threats.

Cyberspace is comprised of user and organizational assets including, but not limited to, telecommunications infrastructure, applications and services, connected systems and devices, and data stored or transmitted in cyberspace.

2.1. Complexities in Defense against Attacks:

One of the major causes behind the increase in cybersecurity breaches is the growth in computing power and in vulnerabilities in software systems. Further, the simplicity and ease of access of exploitation tools permit hackers to launch attacks on cyberspace assets and exploit systems without even having enough knowledge and skill. In contrast, security professionals must be skilled enough and aware of all kinds of potential hacks and attacks in order to prevent any malicious activity on their networks/systems. However, there are some complexities in defending against attacks, which are enumerated below.

- While not being very skilled, hackers can still create enough trouble because of the simplicity and ease of access of exploitation tools.
- The flexibility of exploitation tools permits the same attack to be carried out in different ways, making attacks more sophisticated.
- Since devices are connected universally, an attack can be launched by anyone from anywhere in the world.
- Enhanced attack speed, i.e. targeting many computers at the same time.
- Distributed attacks, i.e. one network or system is attacked by multiple infected machines at once.
- Quicker discovery of security holes and vulnerabilities in both hardware and software systems.
- Delayed and incompetent release of products' security patches makes security weaker.
- Users need to take crucial steps with minimal instructions, which often creates confusion.


3.0. Classes of Malicious Software:

Trojans, worms, viruses and bots are part of the software class known as malware or malicious code (malcode); "malware" is short for malicious software. Malware is designed to disrupt, harm, steal, or perform illegal actions on data, nodes, or networks. There are many classes of malware, which infect systems in different ways and propagate themselves. The majority of malware involves user action for installation, such as downloading files from the internet or clicking an email attachment. There are different methods by which malware can infect a system, including:

- Attached as macros to files
- Bundled with other programs
- Installed by exploiting different hardware and software vulnerabilities

Damage caused by malware can vary from minor irritation to destroying data, disabling systems and stealing confidential information. However, malware can only damage the software and data residing on systems/equipment, not the physical hardware.

Some common types of malware include viruses, Trojans, worms, back doors, spyware, bots, and adware. Some major classes of malware are described below.

3.1. Virus:

A virus is a type of malicious software that propagates by becoming part of another program, inserting a copy of itself into that program. Usually viruses are attached to executable files and are not active until the user runs that program. A virus spreads from computer to computer, leaving infections behind, when the infected program is transferred via any communication channel. The severity of a virus can range from causing mild annoyance to data loss or creating denial-of-service conditions.

3.2. Worms:

Similar to viruses, worms replicate themselves and cause the same kind of harm as viruses do. However, worms are standalone and do not require human interaction or a host program for propagation. Worms spread either by social engineering to trick users or by exploiting a vulnerability on the target system, and then travel using file or information transport features.

3.3. Trojans:

A Trojan is malware that looks legitimate but is very harmful. Users are tricked into loading and executing it on their systems. It then starts attacking the infected host, damaging data, stealing information, and/or activating or spreading other viruses. Trojans are usually used to create back doors in a system to give malicious users access. Instead of reproducing by infecting other files or by self-replication, Trojans spread through some user interaction, i.e. opening an email attachment or downloading programs from the internet.


3.4. Bots:

"Bot" refers to an automated process adopted to interact with other network services. Information gathering, dynamic website interaction and automatic interaction with Internet Relay Chat (IRC) or Instant Messaging (IM) are some common uses of bots. A malicious bot is self-propagating software that infects a host and connects it back to a command and control (C&C) server, creating a network of compromised devices commonly known as a "botnet".

Attackers can launch remotely controlled, broad-based flood-type attacks against their target systems. Bots have the ability to capture and analyze packets, gather credentials and log keystrokes, collect financial information, relay spam, open back doors on infected systems and launch denial-of-service attacks.


4.0. Botnet:

A botnet is a network of malicious/infected computers (also known as zombies) under the control of a botmaster (a human operator). Malicious software distributed by criminals turns your computer into a bot, which then performs automated tasks over the internet without your knowledge. Botnets are used to spread viruses, attack networked devices, send spam emails, steal identities and commit other crimes.

Because of their huge size, botnets pose severe threats even if we only consider DoS attacks. Due to the combined bandwidth effect, even a small botnet of 1000 bots can create a big mess. The calculation below shows that the combined average bandwidth of 1000 bots is approximately 128 Mbps, which is more than the internet connection of most organizations' systems.

Average upstream of 1 home PC = 128 kbps
Average upstream of 1000 PCs = 1000 x 128 kbps = 128 Mbps

Furthermore, it is difficult to construct, deploy, and maintain filters because the bots are distributed across many IP addresses.

Bots cause background noise on the internet, particularly on TCP ports 445 and 135, because of their propagation method. TCP port 445 is used for resource sharing (Microsoft-DS service), whereas the Microsoft Remote Procedure Call service uses port 135.
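The port 445/135 noise described above is something a network defender can look for in their own flow or firewall logs. The following Python script is an added example, not part of the original report: it scans constructed flow records (timestamp, source, destination, destination port, protocol) and flags any internal host that contacts many distinct peers on TCP 445 or 135 within a short window, which is the spreading pattern this section describes, while leaving alone a host that talks repeatedly to a single file server. The record format, the five-minute window and the threshold of 20 distinct peers are assumptions.

```python
"""Flag hosts that fan out to TCP 445/135 across many peers.

Added example for the report's section on botnet background noise; the flow
records, window and threshold are constructed assumptions, not real data.
"""
from collections import defaultdict
from datetime import datetime, timedelta

SCAN_PORTS = {445, 135}          # Microsoft-DS and MS-RPC, the ports named above
WINDOW = timedelta(minutes=5)    # assumption: look-back window per source host
THRESHOLD = 20                   # assumption: distinct peers before we alert


def parse_flow(line):
    """Parse one constructed record: '<iso-timestamp> <src> <dst> <dport> <proto>'."""
    ts, src, dst, dport, proto = line.split()
    return datetime.fromisoformat(ts), src, dst, int(dport), proto.lower()


def find_spreaders(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {src: peer_count} for sources that hit >= threshold distinct
    destinations on a scan port inside any window-sized interval."""
    events = defaultdict(list)                       # src -> [(ts, dst), ...]
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, proto = parse_flow(line)
        if proto == "tcp" and dport in SCAN_PORTS:
            events[src].append((ts, dst))

    alerts = {}
    for src, evs in events.items():
        evs.sort()                                   # chronological order
        for i, (t0, _) in enumerate(evs):
            # distinct peers contacted from this event until the window closes
            peers = {dst for t, dst in evs[i:] if t - t0 <= window}
            if len(peers) >= threshold:
                alerts[src] = len(peers)
                break                                # one alert per source
    return alerts


def constructed_sample():
    """Constructed flow records for the demo, not captured traffic."""
    base = datetime(2013, 11, 2, 10, 0, 0)
    lines = []
    # 10.0.0.7 touches 30 distinct hosts on 445 within two minutes: spreader
    for i in range(30):
        t = base + timedelta(seconds=4 * i)
        lines.append(f"{t.isoformat()} 10.0.0.7 10.0.1.{i + 1} 445 tcp")
    # 10.0.0.9 talks to one file server on 445 many times: ordinary SMB use
    for i in range(40):
        t = base + timedelta(seconds=3 * i)
        lines.append(f"{t.isoformat()} 10.0.0.9 10.0.0.20 445 tcp")
    # 10.0.0.11 reaches 30 hosts on 135 but spread over 90 minutes: too slow
    for i in range(30):
        t = base + timedelta(minutes=3 * i)
        lines.append(f"{t.isoformat()} 10.0.0.11 10.0.2.{i + 1} 135 tcp")
    return lines


if __name__ == "__main__":
    for host, count in find_spreaders(constructed_sample()).items():
        print(f"ALERT {host} contacted {count} distinct peers on 445/135")
```

The check counts distinct destinations rather than connection attempts, which is what separates a worm-like sweep from a busy but legitimate SMB client; lowering the threshold trades missed slow scans for more false positives, so the values should be tuned against a baseline of the network's normal fan-out.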

4.1. Uses of Botnets:

A botnet is used as a tool with different motives behind it. The most common use of a botnet is either monetary gain or destruction. Some common uses of botnets are enumerated below.

- Spreading malware
- Distributed denial-of-service attacks
- Sniffing traffic
- Mass identity theft
- Spamming
- Keylogging
- Google AdSense abuse
- Installing advertisement add-ons and browser helper objects
- Attacking IRC chat networks
- Manipulating online polls/games

The enumeration above shows that botnets can be employed to cause large-scale destruction and criminal acts while making it difficult to prevent threats to target systems.


4.2. Types of Bots:

There are different types of bots based on functionality and concept. Some well-known and widespread bots are listed below.

- Forbot/Agobot/XtremBot/Phatbot (best-known bot, written in C++ with cross-platform capabilities)
- RBot/UrXBot/SDBot/UrBot (written in C but not designed/written well; very often used and the most active family of malware)
- GT-Bots (mIRC-based bot)
- Perl-based bots (very small and most often used for DDoS attacks)
- Kaiten (written for Unix/Linux systems)
- DSNX Bots (Dataspy Network X, written in C++ with a plug-in interface)
- Q8 Bots (very small bot written for Unix/Linux systems)

4.3. Types of Botnets:

Enumerated below are some well-known types of botnets.

- Mytob (first piece of malware to combine the features of a bot and a mass-mailer)
- Storm Botnet (first botnet based on a peer-to-peer architecture with decentralized command)
- Zeus Botnet ("king of botnet kits")
- Ikee (harmless iPhone threat caused by jailbreaking)
- Operation Aurora (early Advanced Persistent Threat)
- Stuxnet (executes from an infected USB drive)
- Flashback (designed to target Mac OS X and Java)


5.0. Zeus Botnet:

Zeus, known as the "King of botnet kits", is a malware platform used to create Trojan horses in order to steal secret banking information with man-in-the-browser keystroke logging and form grabbing. It is also known as Zbot and is not a single botnet or trojan: Zeus is a family of trojans/botnets. There are many variants of Zeus because it is constantly updated.

To remain hidden on infected systems, Zeus installs a rootkit component. It also has the ability to disable antivirus and other security programs to avoid detection. It injects itself into the address space of other processes to remain active.

Zeus does not target Mac OS X or Linux and can only infect machines running the Windows OS. Some malicious applications have also been discovered that are used by Zeus to infect mobile devices. The types of crime committed using Zeus include data larceny, stealing bank information, identity theft, theft of corporate and government intellectual property, phishing attacks on individuals, etc.

Because of its stealthy nature, it is difficult to detect Zeus even with an updated antivirus, and it is therefore considered the largest botnet on the internet.

5.1. Overview of Zeus CNC control panel:

The picture below shows the main page of the Zeus CNC control panel.


The control panel side menu is divided into 4 major categories:

- Statistics (summary, OS)
- Botnet (bots, scripts)
- Reports (searching database, searching files, jabber notifier)
- System (information, options, user, users)

The Statistics page is divided into Summary and OS pages. The Summary section contains information about the total number of reports, bots and bot versions. It also shows the current botnets, new bots and online bots. The OS section shows which operating systems the bots are running.

The Bots section on the Botnet page shows all information about the bots, which can be filtered by different parameters. We can also access bot actions from this page; for example, we can get full information and a screenshot from the infected machine. The Scripts section allows running scripts on chosen bots.

The Reports page is mainly used for searching the database. The database can be searched by bots, botnets, IP addresses or countries. As a result of the search we can read the information that the bot gathered from the zombie machine. The CNC server can also send notifications to the hacker's Jabber client, for example when a user on an infected machine goes to an online bank.

The System page holds the general information and options of the Zeus botnet CNC. Here we can also create and modify the users who operate the botnet and control panel.

5.2. Zeus bots activities:

The Zeus bot is written to be used on Windows Vista/7 even if UAC is enabled. Moreover, the bot can run even with minimum privileges (guest). However, the bot can infect all users on the zombie machine. When the bot is installed it copies itself to the home directory. The session between bot and server uses "white-listed" applications, which allows bypassing some firewalls. The bot sends the information over HTTP; all data is encrypted with a specific encryption key.

When the bot successfully executes on the victim's machine it goes to the website stored in its configuration and downloads a new encrypted configuration file. It also opens a backdoor that allows exchanging information with the CNC server. This exchange carries updates to the configuration file and uploads of the stolen information. The bot also starts grabbing financial information when the user types a credit card number. Finally, the Zeus bot takes real-time screenshots and reads cookies and digital certificates.

There are several steps in the communication between the zombie machine and the command server:

- The bot sends an HTTP GET request for the configuration file
- The server replies with the encrypted configuration file
- The bot provides its public IP address to the server
- The connection between the victim's machine and the CNC server is established
- Information is uploaded to / downloaded from the victim's machine
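The exchange above gives a defender a concrete thing to look for: an infected host polling the same C&C URL (the gate.php script from the Zeus archive, or the configuration file) at a steady interval. The following Python script is an added example, not code from the report or from Zeus: it groups constructed proxy-log lines by client and URL and flags any pair whose request intervals are both numerous and nearly regular, which separates machine-driven beaconing from a person browsing the same site. The log format, the hostnames cnc.example.test and news.example.test, the minimum of 6 requests and the 15% jitter limit are assumptions.

```python
"""Find beacon-like request patterns in a web proxy log.

Added example for the bot/C&C exchange described in the report; the log lines,
hostnames, thresholds and record format are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

MIN_REQUESTS = 6   # assumption: fewer requests than this cannot show periodicity
MAX_CV = 0.15      # assumption: max coefficient of variation of the intervals


def url_key(url):
    """Reduce 'http://host/path?query' to 'host/path' without scheme or query."""
    rest = url.split("://", 1)[-1]
    return rest.split("?", 1)[0]


def parse_proxy_line(line):
    """Parse one constructed record: '<iso-timestamp> <client> <method> <url>'."""
    ts, client, method, url = line.split(maxsplit=3)
    return datetime.fromisoformat(ts), client, method.upper(), url


def find_beacons(lines, min_requests=MIN_REQUESTS, max_cv=MAX_CV):
    """Return {(client, 'host/path'): mean_interval_seconds} for request streams
    that repeat at least min_requests times with near-constant spacing."""
    streams = defaultdict(list)                      # (client, key) -> [ts, ...]
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, client, _method, url = parse_proxy_line(line)
        streams[(client, url_key(url))].append(ts)

    beacons = {}
    for key, stamps in streams.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        # a low spread relative to the mean interval means a timer, not a human
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            beacons[key] = round(avg, 1)
    return beacons


def constructed_proxy_log():
    """Constructed proxy records for the demo, not real traffic."""
    base = datetime(2013, 11, 2, 9, 0, 0)
    lines = [f"{base.isoformat()} 192.168.56.101 GET http://cnc.example.test/config.bin"]
    # a bot posting to gate.php roughly once a minute with small jitter
    t = base
    lines.append(f"{t.isoformat()} 192.168.56.101 POST http://cnc.example.test/gate.php")
    for gap in (60, 61, 59, 62, 58, 60, 61, 59, 60):
        t += timedelta(seconds=gap)
        lines.append(f"{t.isoformat()} 192.168.56.101 POST http://cnc.example.test/gate.php")
    # a person reloading the same news page at irregular intervals
    t = base
    for gap in (0, 5, 120, 30, 400, 15, 90, 10):
        t += timedelta(seconds=gap)
        lines.append(f"{t.isoformat()} 192.168.56.102 GET http://news.example.test/index.php?id={gap}")
    return lines


if __name__ == "__main__":
    for (client, key), interval in find_beacons(constructed_proxy_log()).items():
        print(f"BEACON {client} -> {key} every ~{interval}s")
```

Because the bot's traffic is encrypted and goes to an ordinary-looking HTTP path, content inspection alone will not catch it; timing regularity per client and path is one of the few signals that survives, and it is worth combining with reputation checks on the destination host.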

5.2.1 Intercepting HTTP/HTTPS requests:

Mozilla Firefox uses the nspr4.dll library for HTTP/HTTPS requests, while Internet Explorer and other browsers use the wininet.dll library. The bot can intercept the following requests from wininet.dll and nspr4.dll (Spider security, 2011):

- modification of web page forms
- web page redirection
- grabbing useful web page content
- temporarily denying access to selected web pages
- denying log-on to selected web pages
- forcing log-off from selected web pages
- creating snapshots
- getting web page cookies

5.2.2. Webpage injections:

As mentioned above, the dynamic configuration allows dynamic injections into web page forms on a zombie machine. Web injections can be written manually. The file contains a table of web sites which can be injected into or modified.

List of web injection parameters (Spider security, 2011):

- set_url - target web page that will be hacked; the items below can be written in any order:
  - data_before - information before the injection
  - data_inject - information that will be injected
  - data_end - stop sign

The screenshot below shows part of the webinject.txt file.
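From the defender's side, the main use of this format is triage: when a Zeus configuration is captured, the webinject list tells you which sites the operators are targeting, so a bank or shop can check whether its own domains are on the list. The following Python script is an added example, not part of the report or of Zeus: it parses a constructed webinject file into entries (set_url with its flags, and the data_before/data_inject/data_after blocks each terminated by data_end) and reports which of a given list of domains match the entries' URL patterns. The sample entries, the example.test hostnames and the placeholder injection text are constructed; the set_url flag letters and the data_after tag, which the report does not list, are assumptions about the format.

```python
"""Parse a Zeus-style webinject list and check it for your own domains.

Added example for the report's section on web injections; the sample file and
domain names are constructed, and the data_after tag and set_url flags are
assumptions about the format beyond what the report lists.
"""
import fnmatch

SAMPLE_WEBINJECT = """\
; constructed sample, not a real configuration
set_url https://login.bank-a.example.test/* GP
data_before
<form*name="login"*>
data_end
data_inject
<!-- constructed placeholder -->
data_end
data_after
data_end

set_url http://*.shop-b.example.test/checkout* G
data_before
<input*name="card"*>
data_end
data_inject
<!-- constructed placeholder -->
data_end
data_after
data_end
"""


def parse_webinjects(text):
    """Return a list of dicts: {'url', 'flags', 'data_before', 'data_inject', ...}.

    Each set_url line starts an entry; every data_* tag collects the lines up
    to the next data_end into that entry under the tag's name."""
    entries, current, section, buf = [], None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                                  # blank or comment line
        if line.startswith("set_url"):
            if current is not None:
                entries.append(current)
            parts = line.split()
            current = {"url": parts[1], "flags": parts[2] if len(parts) > 2 else ""}
            section, buf = None, []
            continue
        if current is None:
            continue                                  # data before any set_url
        if line == "data_end":
            if section is not None:
                current[section] = "\n".join(buf)
            section, buf = None, []
        elif line.startswith("data_") and section is None:
            section, buf = line, []
        elif section is not None:
            buf.append(raw)                           # keep block content as-is
    if current is not None:
        entries.append(current)
    return entries


def host_pattern(url):
    """Extract the host part of a set_url pattern, wildcards included."""
    rest = url.split("://", 1)[-1]
    return rest.split("/", 1)[0].lower()


def matching_entries(entries, my_domains):
    """Return (domain, url_pattern) pairs where a webinject targets one of
    my_domains; fnmatch treats the '*' in set_url as a wildcard."""
    hits = []
    for entry in entries:
        pattern = host_pattern(entry["url"])
        for domain in my_domains:
            if fnmatch.fnmatchcase(domain.lower(), pattern):
                hits.append((domain, entry["url"]))
    return hits


if __name__ == "__main__":
    parsed = parse_webinjects(SAMPLE_WEBINJECT)
    watch = ["login.bank-a.example.test", "www.shop-b.example.test", "intranet.example.test"]
    for domain, url in matching_entries(parsed, watch):
        print(f"{domain} is targeted by pattern {url}")
```

The data_before pattern is what the bot looks for on the page, so an application owner who finds their domain listed also learns which form the injection anchors to and can add server-side or client-side integrity checks around it.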


5.2.3 Gathering information from user's programs:

The bot is designed to collect information from different software, and it can track which keys on the keyboard are pressed. The following programs and data can be tracked:

- log-on information from FTP programs
- Flash Player cookies
- Windows certificate store

5.2.4. Control panel scripts command:

On the Scripts web page of the CNC control panel the hacker can write different commands, which will activate the bot to perform defined actions on the zombie machine. A list of some commands is shown below (Spider security, 2011):

- os_shutdown/os_reboot - these commands execute a shutdown/reboot of the zombie machine
- bot_uninstall - full removal of the bot from the user
- bot_update - update the bot configuration
- bot_bc_add/remove - add or remove a constant backconnect session
- user_cookies_get/remove - get or delete all cookies from all supported browsers
- user_certs_get/remove - get or delete all certificates saved in the user's folder
- user_url_block/unblock - block or unblock a URL for the user
- user_ftpclients_get - grab FTP log-on information
- user_flashplayer_get/remove - grab or remove Flash Player cookies to/from the current user


6.0. Requirements to create Zeus botnet:

To create a botnet, the hacker needs a web server where the C&C is located. In the real world these servers are located at "black" hosting providers, which are immune to reports and in some way cover for botnets.

In this research, we create our own website hosting based on Windows Server 2008 R2 in a virtual environment. To set up the web server we install these roles and software on the server:

- IIS 7
- DNS and DHCP
- MySQL community-5.6.14.0
- PHP-5.3.27-Win32-VC9-x86
- phpMyAdmin-4.0.8-rc1
- Firefox browser to configure the bot server

It is preferred to use a computer with Windows Server 2008 with the following minimal configuration:

- 2 GB of RAM
- 2x CPU
- HDD 7200 RPM

For the HTTP server we used IIS on port 80 or 443. It is recommended not to use PHP with HTTP-CGI. In the PHP configuration file we set the following parameters:

safe_mode = off
magic_quotes_gpc = off
magic_quotes_runtime = off

6.1 Zeus botnet files:

It is hard to find and download the newest version of the Zeus botnet, 3.0, because it is very dangerous. In our project we installed Zeus 2.1.0.1. The Zeus botnet archive mainly contains the following files and folders:

- install folder - installer of the botnet
- system folder - system files location
- config.php file - main configuration file
- theme folder - design of the Zeus control panel
- cp.php - log-on page of the control panel
- gate.php - gate for bots
- index.php - empty file that prevents the directory contents from being listed


7.0. Zeus botnet implementation:

Below is the systematic process of how we configured and implemented the Zeus botnet in the lab environment.

7.1. Database configuration:

Zeus uses a MySQL database where all information about bots and victims is stored. Using phpMyAdmin we create the SQL database and assign a new user with access to it. Then we move the Zeus installation folder to our web server and access the installation web page (see screenshot below). On the installation web page we provided these parameters:

- Username/password - for administrator log-on to the botnet C&C.
- MySQL server details - the previously created database.
- Reports folder - for reports.
- Online bot timeout - this timeout sets how long bots remain listed as online, in minutes.
- Encryption key - to encrypt bots and configuration.

After the installation is completed we have the new database tables prepared.


7.2. Configuration of Zeus builder:

All Zeus CNC server settings are located in the settings.txt file. There are two types of Zeus bot configuration: static and dynamic. The static configuration is created by the builder program and contains instructions for the bot. These instructions include commands such as stealing passwords, bank account logins, website logs and cookies. The static configuration also contains the botnet name, time options and websites to operate with. The dynamic configuration is for targeted operations. This configuration provides automatic malicious actions to the bot, such as web injections. The list of websites to be attacked by web injections is located in the webinjects file. The dynamic configuration also has a list of websites from which to collect the transaction authentication numbers used by banks for online authentication.

The configuration file of the Zeus bot contains the following commands:

- url_server and url_location - contain information about the Zeus server
- webfilters - website URLs with a signature pattern; information is collected from these URLs
- AdvancedConfigs - website that provides configuration files
- DNSMap - blocks selected websites and gives hosts fake websites instead of the blocked ones

To configure the builder we run the Zeus builder program (see screenshot below). In this program we locate the source configuration file and the encryption key. As a result of executing the builder we get the bot configuration and the bot executable files. The configuration file should be uploaded to the web server. The bot executable file is used to infect victims' machines in order to manipulate them.


7.3. Creating Trojan horse:

The most common practice for spreading bots is hacking web pages via cross-site scripting or sending phishing messages via email or Facebook.

One way to create a zombie machine is to send the bot executable file as a Trojan horse. In our project we combine a simple game and a bot. By launching this game, the user's machine automatically executes the script file and becomes part of the botnet. For the creation of the Trojan horse we used the Chilkat Zip 2 Secure program (see screenshot below), which allows making a self-extracting executable archive. In this archive we add a script that runs both the game and the bot. The bot executes in stealth mode and does not appear in the Windows process list.

7.4. Gathering information from zombie machine:

Once we spread the bot to a victim machine, it can be seen on the control panel and we can grab different details about that infected machine, including OS version information, IP address, etc. The screenshot below shows one zombie machine listed on the control panel under active bots. This is a Windows XP machine in the virtual environment which we infected using our Trojan horse.


We can also get more information about the zombie machine, including real-time screenshots, cookie information, and log-in details for different web pages, etc. (see screenshots below).

7.4.1. Grabbing information from forms:

When a user on the zombie machine logs in to the web site that we created on our Windows Server 2008, the bot steals his/her log-on details. The bot can steal log-on details when the user tries to log in to any website over the internet, but in this case, since we are using a virtual environment, we see the credentials gathered while the user logs in to the web page hosted on a server in the same network. See the screenshots below.


On the CNC web page we can obtain the information from the zombie machine in the Reports section.

As shown in the screenshot below, the Zeus bot successfully grabbed the login information, including the password.


We also used an extra NIC to reach the internet from the zombie machine and steal the login details for a Gmail account. See the screenshots below.


7.4.2. Executing scripts: The Scripts section of the Zeus control panel web page allows running scripts on the zombie machine, such as rebooting it. If a script executes successfully, the “Message” column shows an “Ok” status.


8.0. Detecting and deleting Zeus bot: There are several organizations in the world that fight against botnets. One of them is the “Anti-Botnet Advisory Centre”, a service of the Association of the German Internet Industry with support from the Federal Office for Information Security (BSI) (Eco, 2010). That web resource contains up-to-date useful information about botnets and three main steps for protection from bots:

Inform – inform service providers and send reports if malware is found.

Clean – Eco advises checking and cleaning your system with EU-Cleaner powered by Avira or DE-Cleaner powered by Kaspersky.

Prevent – to prevent infection by botnets, your system must be kept up to date, with antivirus and a firewall installed.

8.1. Windows default programs behavior: Even with the Windows firewall enabled, the Zeus bot can infect the victim's machine. In the screenshot below, we chose the “Keep Blocking” option when the default Windows XP firewall alerted on launching the Trojan game. However, turning on the firewall did not prevent bot activity; the bot could fully operate on the infected machine, for example stealing passwords and other secret information. The only exception we noticed with the firewall on was that we could not obtain real-time screenshots from the zombie machine.

Windows 7 with UAC and the firewall enabled popped up a “Security alert” with the following message when the bot executed. However, even after clicking the “Cancel” button, the Windows 7 machine got infected; see the screenshots below.


Windows 8 “Defender” automatically detected the malware when we copied the game from the server and deleted it. Even with “Windows Defender” and the firewall disabled, the bot could not be spread to the Windows 8 machine, and the Windows 8 machine did not appear in the Zeus CNC panel.
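The observations in this section show that a default host firewall, which prompts only on inbound connections, does nothing to stop a bot that has already been launched from talking outbound to its control panel. A defender who cannot rely on the host firewall can instead look for that check-in traffic on the network. The following is an added example, not code from the report or from any of the tools it describes: it reads outbound connection records and flags any internal host that contacts the same external server at a nearly constant interval. The log format, the addresses, the 60-second check-in interval and the jitter threshold are all constructed assumptions for the example, not values taken from Zeus.

```python
"""Added example (not from the report): flag internal hosts that check in with the
same external server at a regular interval, the traffic pattern a bot produces when
it polls its control panel through an inbound-only host firewall.
Log format, addresses and timings below are constructed for the example."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed outbound-connection log: timestamp, source host, destination, method, path.
# 10.0.0.20 polls one server roughly every 60 s (assumed interval); 10.0.0.31 browses normally.
SAMPLE_LOG = """\
2013-10-01T10:00:00 10.0.0.20 203.0.113.5 POST /panel/in.php
2013-10-01T10:00:12 10.0.0.31 198.51.100.7 GET /news/index.html
2013-10-01T10:01:02 10.0.0.20 203.0.113.5 POST /panel/in.php
2013-10-01T10:01:45 10.0.0.31 198.51.100.9 GET /mail/inbox
2013-10-01T10:02:01 10.0.0.20 203.0.113.5 POST /panel/in.php
2013-10-01T10:02:30 10.0.0.31 198.51.100.7 GET /news/sports.html
2013-10-01T10:03:00 10.0.0.20 203.0.113.5 POST /panel/in.php
2013-10-01T10:04:00 10.0.0.20 203.0.113.5 POST /panel/in.php
2013-10-01T10:05:00 10.0.0.20 203.0.113.5 POST /panel/in.php
2013-10-01T10:09:00 10.0.0.31 198.51.100.7 GET /news/index.html
"""


def parse_log(text):
    """Return a list of (datetime, src, dst, method, path) tuples, skipping blank lines."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, method, path = line.split()
        records.append((datetime.fromisoformat(ts), src, dst, method, path))
    return records


def find_beacons(records, min_connections=5, max_jitter=0.2):
    """Group connections per (src, dst) pair and report pairs whose gaps between
    connections are nearly constant. max_jitter is the allowed coefficient of
    variation (std dev / mean) of those gaps; 0.2 is a chosen threshold, and both
    parameters should be tuned to the network being monitored."""
    by_pair = defaultdict(list)
    for ts, src, dst, _method, _path in records:
        by_pair[(src, dst)].append(ts)

    findings = []
    for (src, dst), stamps in by_pair.items():
        if len(stamps) < min_connections:
            continue  # too few connections to call anything periodic
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            findings.append({"src": src, "dst": dst,
                             "count": len(stamps), "interval_s": round(avg, 1)})
    return findings


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(f"{hit['src']} -> {hit['dst']}: {hit['count']} connections, "
              f"about every {hit['interval_s']} s")
```

On the constructed log this reports only the 10.0.0.20 to 203.0.113.5 pair; the browsing host has neither enough connections to one server nor regular gaps. In practice the same logic runs over proxy or NetFlow exports, and regular check-ins to an otherwise unknown server are a starting point for the host-side clean-up described in the next section, not proof on their own, since legitimate software also polls on timers.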


8.2. Malware detection software: Almost every antivirus program prevents copying or executing the bot together with the game. In our project we used Avast Free Antivirus, which successfully deleted the bot.exe executable when we launched the game.

We also used EU-Cleaner powered by Avira, as recommended by the “Anti-Botnet Advisory Centre.” EU-Cleaner detected and completely deleted the bot when performing a “full scan.” However, a “quick scan” did not find the bot's footprints. The screenshot below shows the report from the “full scan.”
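The difference between the quick scan and the full scan comes down to scope: a quick scan checks the locations malware usually lands in, while a full scan hashes every file on disk. The following added example (not code from the report, EU-Cleaner or any other product) illustrates that with a minimal hash-based scanner run over a constructed directory tree. The “known-bad” hash is computed from a constructed placeholder byte string, not from a real Zeus binary, and the directory names are assumptions chosen to stand in for autostart folders and a games folder.

```python
"""Added example (not from the report): hash-based file scanning with two scopes,
showing why a scan limited to the usual autostart locations can miss a bot that a
full-disk scan finds. The sample bytes and directory layout are constructed."""
import hashlib
import os
import tempfile

# Constructed placeholder standing in for the bot executable; NOT real malware.
SAMPLE_BOT_BYTES = b"CONSTRUCTED-SAMPLE-NOT-REAL-MALWARE"
# A real scanner would load a signature database; here the set has one constructed hash.
KNOWN_BAD_SHA256 = {hashlib.sha256(SAMPLE_BOT_BYTES).hexdigest()}


def sha256_of(path):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def scan(paths, known_bad):
    """Walk every directory in paths and return the files whose hash is known-bad."""
    hits = []
    for root_dir in paths:
        for dirpath, _dirs, files in os.walk(root_dir):
            for name in files:
                full = os.path.join(dirpath, name)
                if sha256_of(full) in known_bad:
                    hits.append(full)
    return sorted(hits)


def build_demo_tree():
    """Create a constructed disk layout: harmless content in the 'quick scan'
    locations and the planted sample inside a games folder outside them."""
    root = tempfile.mkdtemp(prefix="scanscope_")
    quick_dirs = [os.path.join(root, "Startup"), os.path.join(root, "Temp")]
    games_dir = os.path.join(root, "Games", "puzzle")
    for d in quick_dirs + [games_dir]:
        os.makedirs(d)
    with open(os.path.join(quick_dirs[0], "readme.txt"), "wb") as f:
        f.write(b"harmless text file")
    with open(os.path.join(games_dir, "bot.exe"), "wb") as f:
        f.write(SAMPLE_BOT_BYTES)
    return root, quick_dirs


def compare_scans():
    """Run the narrow and the full scan over the same tree and return both hit lists."""
    root, quick_dirs = build_demo_tree()
    return {
        "quick": scan(quick_dirs, KNOWN_BAD_SHA256),
        "full": scan([root], KNOWN_BAD_SHA256),
    }


if __name__ == "__main__":
    results = compare_scans()
    print("quick scan hits:", results["quick"])
    print("full scan hits: ", results["full"])
```

The quick scan returns nothing because the planted file sits in a folder it never visits, while the full scan finds it. The same applies to a bot bundled into a game that the user installs wherever they like: a clean-up pass after a suspected infection should be a full scan, and a signature set matched on a hash alone is brittle against repacked samples, which is why the report's antivirus caught the sample on execution rather than only on disk.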


9.0. Summary: In brief, there is a vital need to implement and ensure strict security in order to secure our cyberspace and prevent crimes. Since new viruses, threats and vulnerabilities are introduced every day, we need a continual process of security policy implementation and risk management.

Although threats are always present and we cannot achieve perfect security, we can minimize the risk as far as possible. Especially if we need to secure our systems from Zeus and other botnets, we need to understand the functionality, command and control, and communication process of zombie machines. Effective security against botnet attacks can only be implemented if we understand the logic and workings of botnets.


References

1. (n.d.). What is the difference: viruses, worms, trojans, and bots? Retrieved Sep 23, 2013 from http://www.cisco.com/web/about/security/intelligence/virus-worm-diffs.html

2. Watson D. (2009). The Honeynet Project. Retrieved Sep 27, 2013 from http://www.honeynet.org/node/51, http://www.honeynet.org/node/52, http://www.honeynet.org/node/53

3. Landesman M. (n.d.). Zeus botnet. Retrieved Oct 01, 2013 from http://antivirus.about.com/od/virusdescriptions/p/zeusbotnet.htm

4. Eco. (2010). Anti-Botnet advisory centre. Retrieved Oct 01, 2013 From https://www.botfrei.de/en/index.html

5. Spider Security. (2011). Zeus user guide. Retrieved Oct 03, 2013 From http://www.spidersecurity.org/zeusguide.html

6. Macdonald D., Manky D. (n.d.). Zeus: God of DIY Botnets. Retrieved Oct 12, 2013 From http://www.fortiguard.com/legacy/analysis/zeusanalysis.html
