Zeus
By Nick Bilogorskiy, Director of Security Research
Agenda
- What is Zeus
- Dissecting the malware
- Attribution
- Zeus advanced tricks
- Recommendations
Quick poll: Have you heard of Zeus?
ZEUS: What is it?
Zeus is the most successful banking malware to date. It is a Trojan horse targeting Windows operating systems; tens of millions of computers worldwide have been infected.
ZEUS: 7 years old
ZEUS: Prevalence
ZEUS: History (timeline on slide)
- 2007: Zeus version 1.0
- 2008: (date marker only; the event text is not present in the slide)
- April 2010: Version 2.0
- April 2011: Zeus source code leaked
- October 2011: Peer-to-peer version, Zeus Gameover, removes the centralized C&C infrastructure
- March 2012: Microsoft legal action through a civil lawsuit dubbed Operation b71
- December 2013: 64-bit version of Zeus appears
ZEUS: How does it work (flow diagram on slide)
- DROPPER (random.exe) drops the Zbot files: ZBOT (Random2.exe) and CONFIGURATION (random.ofu)
- DELETE SCRIPT (Random.bat) deletes the dropper
- ZBOT talks to the C&C SERVER for control, communication and updates
ZEUS: Architecture
- The Builder: used to build the exe file; unique to each owner; URL and encryption key differ for each owner
- The Configuration File: Entry, Static and Dynamic sections; holds the download URL and the exfiltration URL
- The Exe File: unique executable file built by the bot owner
- The Server: PHP scripts for monitoring and managing bots
ZEUS: Builder
ZEUS: Config
Keys and sections shown on the slide: url_config, url_loader, url_server, AdvancedConfigs, WebFilters, WebFakes
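The slide names the config keys but does not show how they fit together. The parser below is an added example (not the presentation's material and not code from the Zeus kit) that reads the builder's plaintext config.txt into a tree and pulls out the download URL, the loader URL, the exfiltration URL and the WebFilters/WebFakes rows. It assumes the layout of the publicly leaked 2.x builder config: nested `entry "Name"` ... `end` blocks, `key value` lines, quoted list rows and `;` comments (and that `;` never appears inside a quoted value). The sample config, every URL in it and the `!`/`@` prefix semantics for WebFilters are assumptions made for the example.

```python
"""Parser for the Zeus builder's plaintext config (config.txt).

Added example, not part of the presentation or of the Zeus kit. It assumes
the text format of the leaked 2.x builder: nested `entry "Name"` ... `end`
blocks, `key value [value]` lines, quoted list rows and `;` comments.
The sample config and every URL in it are constructed placeholders.
"""
import re
import shlex
from urllib.parse import urlparse

SAMPLE_CONFIG = '''
entry "StaticConfig"
  ;botnet name shown in the control panel
  botnet "btn1"
  timer_config 60 1
  url_config "http://cnc.example.invalid/grace/cfg.bin"
  remove_certs 1
end

entry "DynamicConfig"
  url_loader "http://cnc.example.invalid/grace/bot.exe"
  url_server "http://cnc.example.invalid/grace/gate.php"
  file_webinjects "webinjects.txt"
  entry "AdvancedConfigs"
    "http://backup.example.invalid/cfg1.bin"
  end
  entry "WebFilters"
    "!*.microsoft.com/*"
    "@*/login.bank.example.invalid/*"
    "https://online.bank.example.invalid/*"
  end
  entry "WebFakes"
    "http://www.example.invalid/" "http://fake.example.invalid/" "GP" "" ""
  end
end
'''

ENTRY_RE = re.compile(r'^entry\s+"([^"]+)"$')


def _node():
    return {"values": {}, "items": [], "entries": {}}


def parse_config(text):
    """Return a tree of nested entries: values (key -> str or [str]), items (quoted rows)."""
    root = _node()
    stack = [root]
    for raw in text.splitlines():
        line = raw.split(";", 1)[0].strip()          # drop ';' comments and blank lines
        if not line:
            continue
        if line == "end":
            if len(stack) == 1:
                raise ValueError("unbalanced 'end'")
            stack.pop()
            continue
        m = ENTRY_RE.match(line)
        if m:
            child = _node()
            stack[-1]["entries"][m.group(1)] = child
            stack.append(child)
            continue
        tokens = shlex.split(line)                   # honours quoted strings, incl. ""
        if line.startswith('"'):
            stack[-1]["items"].append(tokens)        # list row such as a WebFilters pattern
        else:
            key, vals = tokens[0], tokens[1:]
            stack[-1]["values"][key] = vals[0] if len(vals) == 1 else vals
    if len(stack) != 1:
        raise ValueError("missing 'end'")
    return root


def extract_urls(cfg):
    """Download URL (config), loader URL and exfiltration URL (gate) plus backup configs."""
    static = cfg["entries"]["StaticConfig"]["values"]
    dynamic = cfg["entries"]["DynamicConfig"]
    backups = dynamic["entries"].get("AdvancedConfigs", _node())["items"]
    return {
        "config": static.get("url_config"),
        "loader": dynamic["values"].get("url_loader"),
        "gate": dynamic["values"].get("url_server"),
        "advanced": [row[0] for row in backups],
    }


def classify_webfilters(cfg):
    """Assumed builder semantics: '!' = do not log this URL, '@' = screenshot on click, else log."""
    out = {"ignore": [], "screenshot": [], "log": []}
    for row in cfg["entries"]["DynamicConfig"]["entries"]["WebFilters"]["items"]:
        pat = row[0]
        if pat.startswith("!"):
            out["ignore"].append(pat[1:])
        elif pat.startswith("@"):
            out["screenshot"].append(pat[1:])
        else:
            out["log"].append(pat)
    return out


def c2_hostnames(cfg):
    """Hostnames worth blocking at the proxy or DNS layer, deduplicated."""
    urls = extract_urls(cfg)
    flat = [urls["config"], urls["loader"], urls["gate"], *urls["advanced"]]
    return sorted({urlparse(u).hostname for u in flat if u})


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print(extract_urls(cfg))
    print(classify_webfilters(cfg))
    print(c2_hostnames(cfg))
```

Once a recovered config is parsed this way, `c2_hostnames` gives the blocklist and `extract_urls` gives the gate and cfg URLs to hunt for in proxy logs; the AdvancedConfigs rows matter because they are the fallback config sources the bot switches to when the primary URL is taken down.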
ZEUS: PHP backend
Google for inurl:"cp.php?m=login"
Image: Aditya Sood
ZEUS: PHP backend (continued)
Image: Aditya Sood
ZEUS: Why is detection hard
The slide lists folders created under %APPDATA% by different Zeus samples, each with a creation time: Uwirpa, Woyxhi, Hibyo, Nezah, Afqag, Zasi, Eqzauf, Ubapo, Ydgowa, Olosu, Taal, Taosep, Wokyco, Semi, Uheh. The folder and file names are random for every infection, so there is no fixed path to look for.
Quick poll: What is the name of the Zeus author?
ZEUS Gameover: Attribution
Image source: FBI. According to the FBI, losses are "more than $100 million."
ZEUS Gameover: Attribution (continued)
Evgeniy Mikhailovich Bogachev, 30, of Anapa, Russia, nickname "Slavik", was indicted for conspiracy, computer hacking, wire fraud, bank fraud and money laundering. The case was led by the FBI's Washington Field Office in coordination with law enforcement counterparts from Canada, Germany, Luxembourg, the Netherlands, the United Kingdom and Ukraine. Bogachev is identified as a leader of a cybercriminal gang based in Russia and Ukraine that is responsible for both GameOver Zeus and Cryptolocker.
ZEUS: JabberZeus
ZEUS: JabberZeus Attribution
The group stole more than $70 million from banks worldwide.
- Ringleader: Yevhen Kulibaba, 32-year-old Ukrainian property developer
- Kulibaba's right-hand man: Yuriy Konovalenko, 28
- Karina Kostromina, Kulibaba's wife, a 33-year-old Latvian woman jailed for money laundering
Photos from krebsonsecurity.com
ZEUS: Business workflow
Source: Brian Krebs
ZEUS: Advanced tricks
- Steganography
- Rootkit
- Anti-debugging
- Digital signatures
- New hooking implementation
ZEUS: Steganographic config
ZEUS: Necurs rootkit
"Access is denied" when trying to delete the malware files.
Zeus advanced tricks: Anti-debugging
Fake jumps
Zeus advanced tricks: Digital certificates
Zeus advanced tricks: DGA
It also employs a DGA (Domain Generation Algorithm). A DGA is a way for malware to prevent blacklisting of its C&C site: the infected machine generates thousands of domain names (examples are listed on the slide) and attempts to contact a portion of them in order to receive an update or commands. The technique was popularized by the Conficker worm, which generated 50,000 domains a day.
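To make the mechanism concrete, here is an added example that is not from the presentation and is not the algorithm Zeus Gameover actually used (the slide does not describe it). It is a generic date-seeded DGA of the kind the paragraph describes, together with the two checks a defender has: once the algorithm has been reverse-engineered, precompute the day's domain list (plus a day either side for clock skew) and match resolver logs against it; before that, fall back to a length-and-entropy heuristic that is cheap but noisy. The seed, the TLD list, the date and the DNS log lines are all constructed for the example.

```python
"""Toy domain generation algorithm (DGA) with two defender-side checks.

Added example, not from the presentation, and NOT the algorithm Zeus
Gameover actually used. Generic date-seeded design: the seed is
SHA-256(date || secret) and the bot tries a subset of the day's domains.
SECRET, TLDS, the date and the DNS log lines are constructed.
"""
import hashlib
import math
from collections import Counter
from datetime import date, timedelta

TLDS = ["com", "net", "org", "info", "biz"]
SECRET = b"example-seed"        # assumption: a constant embedded in the binary


def dga(day, count=100, secret=SECRET):
    """Deterministic list of `count` domains for one calendar day."""
    domains = []
    state = hashlib.sha256(day.isoformat().encode() + secret).digest()
    for i in range(count):
        state = hashlib.sha256(state + i.to_bytes(4, "big")).digest()
        length = 12 + state[0] % 8                             # 12..19 letters
        label = "".join(chr(ord("a") + b % 26) for b in state[1:1 + length])
        domains.append(f"{label}.{TLDS[state[31] % len(TLDS)]}")
    return domains


def find_dga_queries(log_lines, day, window=1):
    """Reliable check once the algorithm is reversed: precompute the domains
    for `day` +/- `window` days (clock skew) and match queries against them."""
    expected = set()
    for delta in range(-window, window + 1):
        expected.update(dga(day + timedelta(days=delta)))
    hits = []
    for line in log_lines:
        query = line.rsplit("query=", 1)[-1].strip().lower().rstrip(".")
        if query in expected:
            hits.append(line)
    return hits


def entropy(s):
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(domain, min_len=12, min_entropy=3.0):
    """Cheap heuristic for unknown DGAs: long, high-entropy first label.
    Expect misses and false positives; see the note after the block."""
    label = domain.split(".")[0]
    return len(label) >= min_len and entropy(label) >= min_entropy


TODAY = date(2014, 10, 8)
DNS_LOG = [  # constructed resolver log; line 2 carries a domain from today's list,
             # line 3 one from five days ago (outside the default window)
    "2014-10-08T09:12:01 client=10.0.0.5 query=www.example.com",
    "2014-10-08T09:12:03 client=10.0.0.5 query=" + dga(TODAY)[3],
    "2014-10-08T09:12:04 client=10.0.0.5 query=" + dga(TODAY - timedelta(days=5))[0],
    "2014-10-08T09:12:09 client=10.0.0.7 query=mail.example.org",
]

if __name__ == "__main__":
    print(dga(TODAY)[:5])
    print(find_dga_queries(DNS_LOG, TODAY))
    print([looks_generated(d) for d in ("google.com", "xkqzvbwmtrpjldh.com", "accountservices.com")])
```

The precomputed list is what lets a sinkhole or resolver block the day's rendezvous domains before the bot reaches them, which is why reversing the algorithm and its seed is the real defensive win. The heuristic is only a triage aid: it flags a legitimate name like accountservices.com (fifteen letters, fairly high entropy) and can miss shorter generated labels, so treat its output as something to correlate with the C&C traffic signs later in the deck rather than as an alert on its own.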
Man-in-the-browser
ZEUS: Why so successful
Modularity. Flexibility. Persistence.
ZEUS: Why is removal hard
Registry key → Infector → Decrypt & load DLL → Inject DLL
ZEUS: Tell-tale signs
POST /grace/gate.php HTTP/1.1
GET /grace/cfg.bin HTTP/1.1
Zeus version 2 saves its encrypted config in the registry:
HKCU\Software\Microsoft\{Random}
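The two signs above (the gate.php POST and cfg.bin GET on the wire, the encrypted blob under a random HKCU\Software\Microsoft subkey on the host) are easy to check for, but each one alone is noisy. The following added example, which is not from the presentation, shows how a practitioner would turn them into detections: the network side alerts on a client only when both request patterns fire, and the host side parses a registry export and flags direct children of HKCU\Software\Microsoft that are not well-known and hold a large, high-entropy binary value, plus Run-key entries launching from a per-user AppData\Roaming folder (the random folders shown earlier). The proxy log lines and the .reg export are constructed; "grace" is only the slide's example directory and varies per botnet, so the patterns key on the file names alone; the allowlist of Microsoft subkeys is a site-specific assumption.

```python
"""Checks for the tell-tale signs above: gate.php / cfg.bin traffic and an
encrypted config blob under HKCU\\Software\\Microsoft\\{Random}.

Added example, not from the presentation. The proxy log lines and the .reg
export are constructed; the allowlist of Microsoft subkeys is an assumption.
"""
import hashlib
import math
import re
from collections import Counter

# --- network side ------------------------------------------------------------
PROXY_LOG = [  # constructed: client method url status user-agent
    '10.0.0.5 GET http://cnc.example.invalid/grace/cfg.bin 200 "Mozilla/4.0"',
    '10.0.0.5 POST http://cnc.example.invalid/grace/gate.php 200 "Mozilla/4.0"',
    '10.0.0.7 GET http://www.example.com/index.html 200 "Mozilla/5.0"',
    '10.0.0.9 GET http://cdn.example.com/static/cfg.bin 200 "Mozilla/5.0"',
]

SIGNATURES = [
    ("zeus_gate_post", re.compile(r"^\S+ POST \S*/gate\.php(\?|\s)")),
    ("zeus_config_get", re.compile(r"^\S+ GET \S*/cfg\.bin(\?|\s)")),
]


def correlate_http(log_lines):
    """Alert per client only when every signature fired: a lone cfg.bin GET
    (10.0.0.9) is not enough; the POST to the gate is what confirms a bot."""
    per_client = {}
    for line in log_lines:
        for name, pattern in SIGNATURES:
            if pattern.search(line):
                per_client.setdefault(line.split()[0], set()).add(name)
    return {c: s for c, s in per_client.items() if len(s) == len(SIGNATURES)}


# --- host side ---------------------------------------------------------------
def _blob(n, seed=b"seed"):
    """Deterministic pseudo-random bytes standing in for an encrypted config."""
    out, state = b"", seed
    while len(out) < n:
        state = hashlib.sha256(state).digest()
        out += state
    return out[:n]


REG_EXPORT = "\n".join([  # constructed .reg export (single-line hex values only)
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]",
    r'"Ahmu"="C:\\Users\\alice\\AppData\\Roaming\\Uwirpa\\ahmu.exe"',
    "",
    r"[HKEY_CURRENT_USER\Software\Microsoft\Ahmu]",
    '"Okuz"=hex:' + ",".join(f"{b:02x}" for b in _blob(512)),
    "",
    r"[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]",
    r'"Start Page"="http://www.example.com/"',
    '"Flags"=hex:01,00,00,00',
])

KNOWN_MS_SUBKEYS = {"Windows", "Windows NT", "Internet Explorer", "Office"}  # assumption


def parse_reg_export(text):
    """Subset .reg parser: {key path: {value name: (kind, data)}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
        elif current and line.startswith('"'):
            name, _, data = line[1:].partition('"=')
            if data.startswith("hex:"):
                keys[current][name] = ("binary", bytes.fromhex(data[4:].replace(",", "")))
            else:
                keys[current][name] = ("string", data.strip('"').replace("\\\\", "\\"))
    return keys


def byte_entropy(data):
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def suspicious_config_keys(keys, min_size=256, min_entropy=7.0):
    """Direct children of HKCU\\Software\\Microsoft that are not well-known
    and hold a large, high-entropy binary value (an encrypted config)."""
    prefix = "HKEY_CURRENT_USER\\Software\\Microsoft\\"
    hits = []
    for path, values in keys.items():
        sub = path[len(prefix):] if path.startswith(prefix) else None
        if not sub or "\\" in sub or sub in KNOWN_MS_SUBKEYS:
            continue
        for name, (kind, data) in values.items():
            if kind == "binary" and len(data) >= min_size and byte_entropy(data) >= min_entropy:
                hits.append((path, name, len(data)))
    return hits


def appdata_autoruns(keys):
    """Run-key entries launching something from a per-user AppData\\Roaming folder."""
    run = keys.get("HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Run", {})
    return [(name, data) for name, (kind, data) in run.items()
            if kind == "string" and "\\AppData\\Roaming\\" in data]


if __name__ == "__main__":
    print(correlate_http(PROXY_LOG))
    reg = parse_reg_export(REG_EXPORT)
    print(suspicious_config_keys(reg))
    print(appdata_autoruns(reg))
```

On a real host the export would come from `reg export HKCU\Software\Microsoft out.reg` and the .reg parser would need to join the continuation lines that real exports use for long hex values; the entropy threshold of 7.0 bits per byte separates an encrypted blob from ordinary binary settings, which are full of zero bytes. Neither check proves an infection on its own; the point of the example is that the random folder name, the random registry subkey and the fixed gate/config file names each look different per sample, but the combination is stable enough to alert on.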
Demo: Zeus malware kit demo, https://www.youtube.com/watch?v=E0TQW82o8cc
Every platform is affected by malware
- Windows: Zeus, Cryptolocker, 100+ million malware samples
- Android: Code4HK
- Linux: Shellshock
- Mac: iWorm (Reddit worm)
All platforms are at risk!
Malware Kill Chain: LURE → EXPLOIT → INFECT → CALL HOME → STEAL DATA
Break the chain: Awareness, Behavior, Correlation, Encryption, Intelligence
October 30: Anti-Sandbox Malware Techniques, info.cyphort.com/mmwoctober
Thank you! @belogor, info.cyphort.com/mmwoctober