Intro
The Zeus bot is perhaps one of the most famous representatives of malicious software. Its history goes back to 2007 (or even 2006). Many people mistakenly believe that Zeus is just another trojan, but it is not. In fact, Zeus is an example of so-called crimeware: software designed for committing illegal acts. Here, the main purpose of Zeus is the theft of credentials used to conduct financial transactions. According to analysts, it is responsible for 90% of banking fraud cases worldwide.
Another misconception is the claim that there is one huge Zeus botnet. In fact, Zeus underlies a very large number (probably several hundred) of different botnets, all of them controlled by different cybercriminal groups. The creators of Zeus simply sell it to interested parties, who then use it to build their own botnets. So it is correct to speak not of the Zeus botnet, but of botnets created with the help of Zeus. To track information about Zeus command servers, Roman Hussy, a Swiss computer security specialist, created ZeusTracker in February 2009.
Zeus, version 1
The ZeuS developer is known by the nicknames Slavik and Monstr; until 2010 it was he alone who sold and supported his product.
Structurally, Zeus consists of several parts: the bot builder and the administrative panel.
The main module of the Zeus bot and the builder are written in C and partially C++ in Visual Studio. The final Zeus bot executable was produced by the builder and contained the core module itself and the configuration file. The configuration file holds the address of the control center, the paths to the scripts and other data needed for operation. The builder was hardware-bound to the buyer's computer, that is, it would only run on a particular hardware configuration.
Researchers note that the Zeus family does not use any hiding techniques (rootkits) or exploits to escalate its privileges in the system. The main focus was on stability of operation, including when running with limited user rights.
Features of the first-generation Zeus, using version 1.3.4.x (March 2010) as an example (source):
- theft of credentials entered in the browser;
- theft of credentials stored in Windows Protected Storage;
- theft of X.509 client certificates;
- theft of FTP and POP credentials;
- theft and deletion of HTTP and Flash cookies;
- modification of requested HTML pages for subsequent theft of credentials (Web Injects);
- redirection of user requests to other sites;
- screen capture;
- searching for files and uploading them to a remote server;
- modification of the hosts file;
- downloading a file from a remote server and launching it;
- removal of critical registry keys so that the operating system can no longer boot.
Starting with version 1.4, Web Injects functionality appeared for Firefox. Web Injects is a set of HTML and JavaScript code that displays credential input forms for RBS (remote banking service) systems, imitating the real ones. When the user tries to visit the site of any RBS system through the browser, the trojan intercepts the request and displays a fake form. Credentials stolen in this way are sent to the attacker's command center. To make detection by antivirus software harder, Zeus began to use polymorphic encryption and a mechanism for changing its file size. On each infected system the Zeus file re-encrypted itself with new parameters, so the same build looked completely different on different computers.
Pricing for Zeus 1.3.4.x components:
- builder and admin panel - from $3000 to $4000;
- Back Connect module (any port; for example, allows connecting via RDP) - $1500;
- credential theft module for the Firefox browser (form grabber) - $2000;
- module for notifying and sending stolen information via Jabber - $500;
- private (made to order) VNC module (remote control, analogous to RDP) - $10,000;
- support for running on Windows Vista / Seven - $2000.
Zeus bots have been distributed in a variety of ways. For example, in the fall of 2009 it was distributed in spam messages sent on behalf of the US tax authorities. In another case, the letter reported a universal vaccination campaign against the H1N1 swine flu. The links in the letters led to fake sites created by the attackers, which offered to download and run an executable (.exe) file supposedly containing certain instructions. In fact, the file was the Zeus bot. The capacity of the Cutwail botnet (also known as Pushdo and Oficla) was used to send the spam. Later the tactic changed: the letters began to carry links to sites containing an iframe or JavaScript leading to some exploit pack. This allowed infection to occur without any action by the user beyond clicking the link; Zeus was installed automatically, provided of course that the browser was vulnerable (lacked the appropriate security update). Social engineering methods were widely used in composing the letters.
Some Zeus admin panels had a function for checking FTP accounts "on the fly": as soon as a new batch of stolen credentials arrived, the FTP accounts among them were immediately checked for validity. If the check showed that access was possible, a separate script searched the remote FTP server for files with the .htm, .html and .php extensions (since FTP is often used to upload content to a site) and inserted into them an iframe or JavaScript leading to some exploit pack. Thus sites were infected automatically.
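A site owner's counterpart to the scheme described above is a periodic scan of the site's own .htm, .html and .php files for iframe or script tags that load from a host the site does not own. The following is an added example, not code from the original article; the site host names, the placeholder "exploit-pack.invalid" and the two sample pages are constructed.

```python
# Added example, not code from the original article: flag <iframe>/<script>
# tags in a site's .htm/.html/.php files whose src loads from a foreign host.
# The site host names and the two sample pages below are constructed.
from html.parser import HTMLParser
from urllib.parse import urlparse

SITE_HOSTS = {"bank-example.test", "www.bank-example.test"}  # assumed site

class InjectFinder(HTMLParser):
    """Collects iframe/script tags whose src points outside the site."""

    def __init__(self, allowed_hosts):
        super().__init__()
        self.allowed = {h.lower() for h in allowed_hosts}
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("iframe", "script"):
            return
        attrs = dict(attrs)
        src = attrs.get("src")
        host = urlparse(src).hostname if src else None
        # Relative URLs (no host) and the site's own hosts are expected.
        if host is None or host.lower() in self.allowed:
            return
        # A zero-size or hidden frame is a typical sign of a planted loader.
        style = (attrs.get("style") or "").replace(" ", "").lower()
        hidden = (attrs.get("width") == "0" or attrs.get("height") == "0"
                  or "display:none" in style or "visibility:hidden" in style)
        self.findings.append({"tag": tag, "host": host,
                              "line": self.getpos()[0], "hidden": hidden})

def scan_page(html, allowed_hosts=SITE_HOSTS):
    """Return the suspicious external iframe/script references in a page."""
    finder = InjectFinder(allowed_hosts)
    finder.feed(html)
    finder.close()
    return finder.findings

# Constructed samples: a clean page and the same page with a planted frame.
CLEAN_PAGE = ('<html><body><script src="/js/app.js"></script>'
              '<script src="https://www.bank-example.test/js/login.js">'
              '</script></body></html>')
INFECTED_PAGE = CLEAN_PAGE.replace(
    "</body>",
    '<iframe src="http://exploit-pack.invalid/in.php" width="0" '
    'height="0" style="display: none"></iframe></body>')
```

Running `scan_page` over each file in the web root and alerting on any non-empty result catches the planted tag regardless of which exploit pack it points to.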
In April 2010, Zeus received additional functionality for embedding its dropper in executable files (source); the 512 bytes of injected code performed the following actions:
- downloading a remote file whose URL was specified inside the code;
- launching the downloaded file;
- launching the original code of the infected program.
This functionality is somewhat virus-like. However, if the antivirus disinfected the infected file, the virus no longer had a chance to run. At the same time, there was still a chance that the antivirus would remove the main Zeus module but not the dropper, which allowed the computer to be re-infected, possibly with a new version of Zeus.
Competitor
Around December 2009, a competitor to Zeus, SpyEye, appeared on the "black market". Its functionality and composition (builder and admin panel) were very similar to Zeus, but the price was lower: the basic modules cost about $500. Later, the competition led to the appearance in SpyEye version 1.0.7 (February 2010) of the Zeus Killer function, designed to remove Zeus. To terminate all running copies of Zeus, SpyEye sent a command through the named pipe that each copy of Zeus opened for its own needs. SpyEye detected Zeus by the specific name of the mutex Zeus used to detect an already running copy of itself and prevent a second start. In addition, SpyEye could intercept reports sent by Zeus and so avoid doing the work twice. Another new feature was a module designed to bypass Trusteer's Rapport security system, which aims to block the injection of malware into the browser and was created, among other things, to counter Zeus. The SpyEye builder, like the Zeus builder, contained a licensing system bound to a specific hardware configuration, implemented using VMProtect as an external (bolt-on) protector.
According to information from the forum, in October 2010 the creator of Zeus, Slavik, transferred the source code to his competitor, the SpyEye developer, and ceased further development. The code was transferred to a person with the nickname Harderman, also known as Gribodemon. According to Harderman, he received the source code free of charge and took over all of Slavik's former clients; a merger of the Zeus and SpyEye source code was planned for later. Indeed, since January 2011 researchers at antivirus companies have been discovering new hybrid versions of SpyEye, whose numbering began with version 1.3.
Pricing for SpyEye version 1.3.45 components, August 2011:
- builder and admin panel - $2000;
- Web Injects module for the Firefox browser - $2000;
- Rapport protection bypass module - $500;
- Socks5 proxy module - $1000;
- RDP access module - $3000;
- FTP Back Connect module - $300;
- certificate theft module for the Mozilla Firefox browser - $300;
- credit card theft module - $200;
- credential theft module for the Opera and Chrome browsers (form grabber) - $1000.
The user manual for this version is available on the XyliBox personal blog.
Zeus, version 2.1
At the same time, researchers from RSA discovered facts that cast doubt on Slavik's words about quitting the business. In August 2010, two months before the "official" announcement that work on Zeus had ceased, a botnet was discovered that had been created with a Zeus bot of version 2.1.0.10. The investigation revealed that the kit of this version had not been sold on the black market. Subsequent discoveries of bots of this type convinced RSA experts that one person (or one group) owned this modification: unlike in past incidents, the configuration file of the version 2.1.0.10 bot did not change significantly for a long time (previously, every operator of a Zeus-based botnet used its own unique configuration file).
A key feature of Zeus 2.1.0.10 was a change in the scheme for communicating with the control servers. The server addresses were no longer fixed in the configuration file; the list of addresses was formed using a DGA (Domain Generation Algorithm). This technique had previously been used repeatedly in malware such as Bobax, Kraken, Sinowal (aka Torpig), Srizbi and Conficker. Zeus looked for its command servers at the generated addresses. To protect against takeover of control, the digital signature of the downloaded file was verified during an update (using the Windows Crypto API). For this, the Zeus code contained a 1024-bit RSA public key.
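From the defender's side, a DGA leaves a trace in DNS logs: an infected host queries many random-looking names, most of which do not resolve. The following is an added example, not code from the original article; it scores query names with an assumed heuristic (label entropy, length, vowel ratio) rather than the Zeus algorithm, which the article does not describe, and the log lines and their "<time> <client> <qname>" format are constructed.

```python
# Added example, not code from the original article: score DNS query names
# for DGA-like second-level labels and list clients that query several of
# them.  Thresholds are assumed, not the Zeus algorithm; the log is constructed.
import math
from collections import Counter, defaultdict

def shannon_entropy(text):
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def second_level_label(qname):
    """'abc.example.com.' -> 'example'; a bare label is returned as is."""
    parts = qname.rstrip(".").lower().split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def dga_score(qname):
    """0..3: one point each for high entropy, long label and few vowels."""
    label = second_level_label(qname)
    score = 0
    if shannon_entropy(label) > 3.5:        # assumed threshold
        score += 1
    if len(label) >= 12:                    # assumed threshold
        score += 1
    vowels = sum(ch in "aeiou" for ch in label)
    if vowels / max(len(label), 1) < 0.25:  # assumed threshold
        score += 1
    return score

def flag_clients(log_lines, min_score=2, min_hits=3):
    """Map client -> DGA-like qnames, for clients with at least min_hits."""
    hits = defaultdict(list)
    for line in log_lines:
        fields = line.split()       # '<time> <client> <qname>'
        if len(fields) < 3:
            continue                # skip malformed lines
        _ts, client, qname = fields[:3]
        if dga_score(qname) >= min_score:
            hits[client].append(qname)
    return {c: q for c, q in hits.items() if len(q) >= min_hits}

# Constructed DNS log: one normal client and one querying random-looking names.
LOG = """\
10:00:01 10.0.0.5 www.example.com
10:00:03 10.0.0.9 qwzprtkxvmbnfjd.com
10:00:04 10.0.0.9 tkxbvmqzplrnwdfg.net
10:00:05 10.0.0.9 mzpxqwvtlkbrnsdh.org
10:00:06 10.0.0.9 cdn.example.com
""".splitlines()
```

Pairing the score with the NXDOMAIN rate per client sharply reduces false positives, since legitimate CDN hostnames score high on entropy but resolve.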
In 2011, researchers from RSA were able to gain access to one of the Zeus 2.1.0.10 servers. They found that between August 2010 and August 2011, more than 210,000 computers contacted this server, and about 200 gigabytes of data were transferred to it from infected computers. About 42% of the infected computers were located in the United States. It was also found that one of the logins for access to this command server was "Slavik". RSA experts therefore suggest that Slavik was actually building his own botnet (perhaps more than one).
Continued here.