Dissecting ZeuS malware

Posted 15-Jan-2015

Description

Zeus, one of the stealthiest advanced malware families, has ruled the world of botnets and still poses a significant security risk. In the US alone, Zeus is estimated to control over 4 million devices. Banks, social networks and email accounts have all fallen prey to it, and despite its years in service, no antivirus vendor can claim to detect it reliably. Join the Cyphort research team as we explain the inner workings of Zeus. See www.cyphort.com for more information.

Transcript of Dissecting ZeuS malware

1. Target threats that target you.

2. Dissecting the Zeus Malware
   Cyphort Labs, Malware's Most Wanted Series, April 2014
   Target threats that target you.

3. Your speakers today
   o Nick Bilogorskiy, Director of Security Research
   o Anthony James, VP of Marketing and Products

4. Agenda
   o What is Zeus
   o Major incidents involving Zeus
   o Dissecting the malware
   o Zeus advanced tricks
   o Wrap-up and Q&A
   (Cyphort Labs T-shirt)

5. About Cyphort Labs
   o We work with the security ecosystem: contribute to and learn from malware KB; best of 3rd-party threat data
   o We enhance malware detection accuracy: false positives/negatives; deep-dive research
   o Global malware research team: 24x7 monitoring for malware events

6. Poll #1: What is the most prevalent use of Zeus malware?
   o Espionage
   o Stealing banking credentials and information
   o Impacting industrial control systems

7. What is Zeus?
   o Zeus is the most successful banking malware to date.
   o Trojan horse targeted at Windows operating systems
   o Tens of millions of computers worldwide infected
   o Capable of form-grabbing and man-in-the-middle attacks to steal financial information
   o Distributed as a toolkit
   o Active since 2007, still used heavily
   o Evasive and challenging for detection and mitigation

8. Zeus: Still causing havoc, several years after its birth

9. Zeus History
   Timeline markers: 2007, 2008, Apr 2010, April 2011, October 2011, March 2012, December 2013
   o Zeus version 1.0
   o Version 2.0
   o ZeuS source code of version 2.0.8.9 leaked
   o Peer-to-peer version, Zeus Gameover, removes the centralized CnC infrastructure
   o Microsoft legal action through a civil lawsuit dubbed Operation b71
   o 64-bit version of Zeus appears

10. Zeus Stats
   o Zeus is now being used not just to attack financial institutions but also stock trading, social-networking and e-mail services, plus portals for entertainment or dating, and even Salesforce.com

11. Zeus Hosting
   Zeus Hosting Breakdown (chart values: 2%, 3%, 11%, 84%)
   o Bulletproof hosted
   o Hosted on a Fast Flux botnet
   o Free hosting service
   o Hacked web server
   Data from ZeuS Tracker

12. Zeus Author
   The ZeuS author, known variously as Slavik and Monstr on criminal forums, in 2010 gave the SpyEye author Harderman stewardship over the ZeuS code base, on the condition that Gribodemon agreed to provide ongoing support for existing ZeuS clients.
   "Good day! I will service the Zeus product beginning today and from here on. All clients who bought the software from Slavik will be serviced from me on the same conditions as previously." Harderman

13. JabberZeus Crew
   Nine people listed in the indictment that has been sealed since August of 2012, including Kulibaba and Konovalenko

14. JabberZeus Crew
   o Stole more than $70 million from banks worldwide
   o Ringleader: 32-year-old Ukrainian property developer Yevhen Kulibaba
   o Kulibaba's right-hand man: 28-year-old Yuriy Konovalenko
   o Karina Kostromina, wife of Kulibaba, 33-year-old Latvian woman jailed for money laundering
   Photos from krebsonsecurity.com

15. Zeus Operations
   Source: Brian Krebs

16. Zeus architecture
   o The Builder: used to build the exe file; unique to each owner; URL and encryption key different for each owner
   o The Configuration File: Entry, Static and Dynamic sections; download URL and exfiltration URL
   o The Exe File: unique executable file built by the bot owner
   o The Server: PHP scripts for monitoring and managing bots

17. Zeus architecture: Builder
   o With a little technical knowledge you can run your own botnet. (Screenshot of Zeus builder)

18. Zeus architecture: Config file
   (Zeus config file)

19. Zeus architecture: Config file
   Zeus config file contains the following:
   o url_config - where the config is downloaded
   o url_loader - where the new bot executable is downloaded
   o url_server - where the stolen data is sent
   o AdvancedConfigs - alternate locations for the config
   o webFilters and WebDataFilters - list of websites monitored. When these sites are visited by the infected user, any data sent to the site is also sent to the url_server.
   o WebFakes - list of websites to redirect to a fake site

20. Functionality of the Zbot binary
   o Copy, execute and delete itself
   o Change browser settings
   o Code injection
   o Credential theft
   o Data exfiltration
   o Evasion: rootkit, digital certificate, DGA, steganography

21. Poll #2: Do you think you (or your organization) have been impacted by Zeus?
   o Yes
   o No

22. Zeus Advanced Tricks: Rootkit
   Necurs rootkit component. When GameOver/Necurs is fully installed, it will become difficult to remove the threat using traditional methods. It is impossible to access the process to retrieve information or to terminate the process. Access is denied when deleting the malware files.

23. Zeus Advanced Tricks: Digital Certificates
   Signed malware is quite rare. Stuxnet rootkit components were digitally signed with certificates stolen from Realtek and JMicron. Flame used fraudulent certificates as well. Zeus used the same trick: the authors got access to a certificate of isonet ag, a Microsoft-registered third-party developer in Switzerland.

24. Zeus Advanced Tricks: DGA
   It also employs DGA (Domain Generation Algorithm). DGA is a way for malware to prevent blacklisting of its CnC site, where an infected machine creates thousands of domain names such as www..com and would attempt to contact a portion of these with the purpose of receiving an update or commands. The technique was popularized by the Conficker worm, which generated 50,000 domains a day.

25. Zeus advanced tricks: Steganography
   o Steganography: concealing messages or images in other messages or images.
   o Zeus hides its config file inside a JPEG image.
   Flow: victim opens a suspicious mail attachment -> executes the file in the attachment -> JPEG files downloaded (configuration file embedded) -> decrypted config file has bank sites to monitor for theft

26. Zeus advanced tricks: Steganography
   o Image looks innocent
   o But it has appended encrypted data: the Zeus config.

27. Zeus advanced tricks: Steganography
   o This data is encrypted with base64, RC4 and XORed. Decrypted, we see URLs and banking sites it targeted.

28. Conclusions
   Zeus has grown into one of the most popular and widespread crimeware kits on the market. Its ease of use and effectiveness make it an attractive choice for today's cybercriminals.
   Check for the presence of unfamiliar network callbacks.
   Zeus malware is very complex and is written with extra care to avoid detection, so it is not trivial to tell if you are infected. You need to use a professional-grade APT solution to detect this.

29. Q and A
   o Information sharing and advanced threats resources
   o Blogs on latest threats and findings
   o Tools for identifying malware
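Slides 25 to 27 describe the config hidden as encrypted data appended to an otherwise innocent JPEG. The following added example (not Cyphort's code) shows the check an analyst would run on a suspect image: walk the JPEG marker segments to find where the real image ends at the EOI marker, measure any bytes that follow it, and flag a tail that is valid base64 text. The sample JPEG bytes and the appended blob are constructed here; the page does not give the RC4 key or XOR scheme, so the example stops at locating and characterising the appended data rather than decrypting it.

```python
import base64
import binascii
import struct

SOI, EOI = b"\xff\xd8", b"\xff\xd9"

def jpeg_end_offset(data: bytes) -> int:
    """Walk the marker segments of a baseline JPEG and return the offset just
    past the EOI marker, i.e. where the genuine image data ends."""
    if not data.startswith(SOI):
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xD9:                       # EOI reached before any scan
            return pos + 2
        if marker == 0xDA:                       # SOS: entropy-coded data follows; 0xFF bytes
            end = data.find(EOI, pos + 2)        # in it are byte-stuffed, so the first FF D9
            if end < 0:                          # after SOS is the real end of image
                raise ValueError("truncated scan: no EOI marker")
            return end + 2
        if 0xD0 <= marker <= 0xD7 or marker == 0x01:
            pos += 2                             # standalone markers carry no length field
            continue
        if pos + 4 > len(data):
            raise ValueError("truncated segment header")
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seg_len                       # length field counts itself, not the marker
    raise ValueError("no EOI marker found")

def looks_base64(blob: bytes) -> bool:
    """True if the blob is a non-trivial run of strictly valid base64 text."""
    blob = blob.strip()
    try:
        return len(blob) >= 16 and base64.b64decode(blob, validate=True) != b""
    except binascii.Error:
        return False

def inspect_jpeg(data: bytes) -> dict:
    """Report how many bytes trail the EOI marker and whether they look base64-encoded."""
    end = jpeg_end_offset(data)
    tail = data[end:]
    return {"image_bytes": end, "trailing_bytes": len(tail), "base64_like": looks_base64(tail)}

# Constructed sample: a minimal baseline JPEG (SOI, APP0, SOS, a few scan bytes, EOI).
CLEAN_JPEG = (b"\xff\xd8"
              + b"\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
              + b"\xff\xda\x00\x08\x01\x01\x00\x00\x3f\x00"
              + b"\x12\x34\xff\x00\x56"
              + b"\xff\xd9")
# The same image with a constructed base64 blob appended, mimicking the hidden config.
SUSPECT_JPEG = CLEAN_JPEG + base64.b64encode(b"constructed sample: url_config=http://example.invalid/cfg.bin")

if __name__ == "__main__":
    for name, img in (("clean", CLEAN_JPEG), ("suspect", SUSPECT_JPEG)):
        print(name, inspect_jpeg(img))
```

A non-zero `trailing_bytes` on an image fetched by a process that should not be downloading pictures is the kind of unfamiliar callback the conclusions slide tells you to look for.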