Zeus (trojan horse)
Zeus is a Trojan horse that steals banking information by keystroke logging and form grabbing. It is spread mainly through drive-by downloads and phishing schemes. First identified in July 2007, when it was used to steal information from the United States Department of Transportation,[1] it became more widespread in March 2009. In June 2009, security company Prevx discovered that Zeus had compromised over 74,000 FTP accounts on the websites of companies such as Bank of America, NASA, Monster, ABC, Oracle, Play.com, Cisco, Amazon, and BusinessWeek.[2]
The various Zeus botnets are estimated to include millions of compromised computers (around 3.6 million in the United States).[3] As of October 28, 2009, over 1.5 million phishing messages had been sent on Facebook with the purpose of spreading the Zeus trojan. On November 3, 2009, a British couple was arrested for allegedly using Zeus to steal personal data.[4] On November 14–15, 2009, Zeus spread via e-mails purporting to be from Verizon Wireless; a total of nine million of these phishing e-mails were sent.[5]
It was still active in 2010.[6][7] On July 14, 2010, security firm Trusteer published a report stating that credit cards from more than 15 unnamed US banks had been compromised.[8][9]
On October 1, 2010, the FBI announced that it had discovered a major international cyber crime network which had used Zeus to break into US computers and steal around $70m. More than 90 suspected members of the ring were arrested in the US, and further arrests were made in the UK and Ukraine.[10]
In May 2011, the source code of Zeus was leaked and published publicly.[11][12]
Proliferation
Machines controlled by the Zeus Trojan have been found in 196 countries. The five countries with the most significant numbers of infected machines are Egypt, the United States, Mexico, Saudi Arabia, and Turkey. Altogether, 2,411 companies and organizations are said to have been affected by the criminal operations running the botnet.[13]
Targeted OS
The Zeus botnet only targets Microsoft Windows machines, and computers running Windows Vista make up the majority of the botnet, though Zeus newer than version 1.4.0.0 can also affect Windows Vista SP1.
Targeted information
Each operator can choose which information they are interested in and fine-tune their copy of Zeus to steal only that. Examples include login credentials for online social networks, e-mail accounts, online banking, and other online financial services. According to NetWitness' report, the top sites for which login credentials were stolen are Facebook, Yahoo, Hi5, Metroflog, Sonico, and Netlog.
Availability
Zeus is readily available to buy in underground forums for as little as 700 USD (if sold through a reseller) and up to 15,000 USD for the newest version with all available features.[14] The package contains a builder that generates the bot executable, along with web server files (PHP, images, SQL templates) for use as the command and control server. While Zbot is a generic back door that allows full control by an unauthorized remote user, its primary function is financial gain: stealing online credentials such as FTP, e-mail, online banking, and other online passwords. The latest public version available is 2.0.8.9.[14][15]
The source code of Zeus has been leaked since May 2011.[16]
The current version of Zeus also uses conventional copy-protection mechanisms to prevent the use of unlicensed pirate copies. Security firm SecureWorks discovered that the Zeus server only works with a system-specific key. Much like the Windows OS, the malware creates a fingerprint of the hardware configuration when first started, and the vendor then provides the buyer with a personalised licence key for that configuration.[17]
Removal and detection
Zeus is very difficult to detect even with up-to-date antivirus software. This is the primary reason why its malware family is considered the largest botnet on the internet: some 3.6 million PCs are said to be infected in the U.S. alone. Security experts advise that businesses continue to train users not to click hostile or suspicious links in e-mails or on the web, while also keeping antivirus software up to date. Symantec claims its Symantec Browser Protection can prevent "some infection attempts",[9] but it remains unclear whether modern antivirus software is effective at preventing all of its variants from taking root.
FBI crackdown
In October 2010, the FBI announced that hackers in Eastern Europe had used Zeus to infect computers around the world. The malware was distributed by e-mail; when targeted individuals at businesses and municipalities opened the e-mail, the trojan installed itself on the victim's computer and secretly captured passwords, account numbers, and other data used to log into online banking accounts.
The hackers then used this information to take over the victims’ bank accounts and make unauthorized transfers of thousands of dollars at a time, often routing the funds to other accounts controlled by a network of “money mules.” Many of the U.S. money mules were recruited from overseas. They created bank accounts using fake documents and phony names. Once the money was in their accounts, the mules could either wire it back to their bosses in Eastern Europe, or turn it into cash and smuggle it out of the country. For their work, they were paid a commission.[18]
More than 100 people were arrested on charges of conspiracy to commit bank fraud and money laundering. Of those, over 90 were in the US, and the other arrests were made in the UK and Ukraine.[19]
Before they were caught, members of the theft ring managed to steal $70 million.
Retirement
In late 2010, a number of Internet security vendors, including McAfee and Internet Identity, claimed that the creator of Zeus had said he was retiring and had given the source code and the rights to sell Zeus to his biggest competitor, the creator of the SpyEye trojan. However, those same experts warned that the retirement was a ruse and expected the hacker to return with new tricks.[20][21]
See also
- Conficker
- Timeline of computer viruses and worms
- Torpig
- Web 2.0 Suicide Machine
References
- [1] Jim Finkle (July 17, 2007). "Hackers steal U.S. government, corporate data from PCs". Reuters. http://www.reuters.com/article/domesticNews/idUSN1638118020070717. Retrieved November 17, 2009.
- [2] Steve Ragan (June 29, 2009). "ZBot data dump discovered with over 74,000 FTP credentials". The Tech Herald. http://www.thetechherald.com/article.php/200927/3960/ZBot-data-dump-discovered-with-over-74-000-FTP-credentials. Retrieved November 17, 2009.
- [3] "UAB computer forensics links internet postcards to virus". The Hindu (Chennai, India). July 27, 2009. http://www.hindu.com/thehindu/holnus/008200907271321.htm. Retrieved November 17, 2009.
- [4] "Two held in global PC fraud probe". BBC News. November 18, 2009. http://news.bbc.co.uk/2/hi/uk_news/england/manchester/8366504.stm. Retrieved November 17, 2009.
- [5] "New Verizon Wireless-themed Zeus campaign hits". SC Magazine. November 16, 2009. http://www.scmagazineus.com/new-verizon-wireless-themed-zeus-campaign-hits/article/157848/. Retrieved November 17, 2009.
- [6] Dan Goodin (February 18, 2010). "Almost 2,500 firms breached in ongoing hack attack". The Register. http://www.theregister.co.uk/2010/02/18/massive_hack_attack/. Retrieved February 23, 2010.
- [7] Siobhan Gorman (February 18, 2010). "Broad New Hacking Attack Detected". Wall Street Journal. http://online.wsj.com/article/SB10001424052748704398804575071103834150536.html. Retrieved February 23, 2010.
- [8] Raju PP (July 15, 2010). "Zeus/Zbot Trojan Attacks Credit Cards of 15 US Banks". TechPP. http://techpp.com/2010/07/15/zeuszbot-trojan-attacks-credit-cards-of-banks/. Retrieved July 15, 2010.
- [9] "Trojan.Zbot". Symantec. http://www.symantec.com/security_response/writeup.jsp?docid=2010-011016-3514-99. Retrieved February 19, 2010.
- [10] FBI (October 1, 2010). "CYBER BANKING FRAUD Global Partnerships Lead to Major Arrests". http://www.fbi.gov/page2/oct10/cyber_100110.html. Retrieved October 2, 2010. (dead link)
- [11] Peter Kruse (May 9, 2011). "Complete ZeuS sourcecode has been leaked to the masses". http://www.csis.dk/en/csis/blog/3229. Retrieved May 15, 2011.
- [12] Larry Seltzer (May 10, 2011). "Zeus Source Code Released". http://blogs.pcmag.com/securitywatch/2011/05/zeus_source_code_released.php. Retrieved May 15, 2011.
- [13] Christopher Null (February 18, 2010). "Scary "global hacking offensive" finally outed". Yahoo! Tech. http://tech.yahoo.com/blogs/null/160657. Retrieved February 23, 2010. (dead link)
- [14] Kevin Stevens and Don Jackson, SecureWorks Counter Threat Unit (CTU) (March 11, 2010). "ZeuS Banking Trojan Report". secureworks.com. http://www.secureworks.com/research/threats/zeus/?threat=zeus. Retrieved March 17, 2010.
- [15] "Zeus: King of the Bots" (PDF). Symantec. http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/zeus_king_of_bots.pdf. Retrieved February 20, 2010.
- [16] Peter Kruse (May 9, 2011). "Complete ZeuS sourcecode has been leaked to the masses". CSIS. http://csis.dk/en/csis/blog/3229/.
- [17] Kevin Stevens and Don Jackson (March 11, 2010). "ZeuS Banking Trojan Report". SecureWorks. http://www.secureworks.com/research/threats/zeus/?threat=zeus. Retrieved March 29, 2010.
- [18] FBI (October 1, 2010). "CYBER BANKING FRAUD Global Partnerships Lead to Major Arrests". http://www.fbi.gov/page2/oct10/cyber_100110.html. Retrieved October 2, 2010. (dead link)
- [19] BBC (October 1, 2010). "More than 100 arrests, as FBI uncovers cyber crime ring". BBC News. http://www.bbc.co.uk/news/world-us-canada-11457611. Retrieved October 2, 2010.
- [20] Diane Bartz (October 29, 2010). "Top hacker "retires"; experts brace for his return". Reuters. http://www.reuters.com/article/idUSTRE69S54Q20101029. Retrieved December 16, 2010.
- [21] Internet Identity (December 6, 2010). "Growth in Social Networking, Mobile and Infrastructure Attacks Threaten Corporate Security in 2011". Yahoo! Finance. http://finance.yahoo.com/news/Growth-in-Social-Networking-bw-1970284612.html?x=0&.v=1. Retrieved December 16, 2010.
External links
- "Measuring the in-the-wild effectiveness of Antivirus against Zeus": study by Internet security firm Trusteer.
- "A summary of the ZeuS Bot": a summary of ZeuS as a Trojan and botnet, plus its attack vectors.
- Video on YouTube
- "The Kneber BotNet" by Alex Cox: NetWitness whitepaper on the Kneber botnet.
- "België legt fraude met onlinebankieren bloot": Dutch news article about a banking trojan.
- "Indications in affected systems": files and registry keys created by different versions of the Zeus Trojan.
- (French) Zeus, le dieu des virus contre les banques
- Zeus Bot's User Guide
Wikimedia Foundation. 2010.