Presentation is loading. Please wait.

Presentation is loading. Please wait.

Zeus By Nick Bilogorskiy @belogor nick@cyphort.com.

Published byPhoenix Smithwick Modified over 9 years ago

Similar presentations

Presentation on theme: "Zeus By Nick Bilogorskiy @belogor nick@cyphort.com."— Presentation transcript:

1 Zeus By Nick

2 Director of Security Research
Nick Bilogorskiy Director of Security Research

3 Agenda What is Zeus Dissecting the malware Attribution
Zeus advanced tricks Recommendations

4 Quick poll Have you heard of Zeus?

5 ZEUS What is it Zeus is the most successful banking malware to date.
Trojan horse targeted at Windows operating systems Tens of millions of computers worldwide infected

6 ZEUS 7 years old

7 ZEUS Prevalence

8 ZEUS History Microsoft legal action through a civil lawsuit dubbed  Operation b71 ZeuS source code of version leaked 2007 2008 Apr 2010 April 2011 October 2011 March 2012 December 2013 Peer to Peer version – Zeus Gameover - removes the centralized CnC infrastructure 64-bit version of Zeus appears Version 2.0 Zeus version 1.0

9 CONFIGURATION random.ofu
ZEUS how does it work delete dropper DROPPER random.exe DELETE SCRIPT Random.bat ZBOT Random2.exe CONFIGURATION random.ofu drop Zbot files C&C SERVER control communication and updates

10 The Configuration File
ZEUS Architecture Used to build the exe file Unique to each owner URL and encryption key different for each owner The Builder Entry, Static and Dynamic sections Download URL and exfiltration URL The Configuration File Unique executable file built by the bot owner The Exe File PHP scripts for monitoring and managing bots The Server

11 ZEUS Builder

12 ZEUS Config url_config ­ url_loader url_server AdvancedConfigs
webFilters  WebFakes 

13 ZEUS PHP backend Google for “inurl: "cp.php?m=login“
Image: Aditya Sood

14 ZEUS PHP backend Image: Aditya Sood

15

16 ZEUS why is detection hard

17 ZEUS why is detection hard
%APP%\Uwirpa 23:50 %APP%\Woyxhi %APP%\Hibyo 00:10 %APP%\Nezah %APP%\Afqag 23:29 %APP%\Zasi %APP%\Eqzauf 22:23 %APP%\Ubapo %APP%\Ydgowa %APP%\Olosu 23:03 %APP%\Taal %APP%\Taosep %APP%\Wokyco 13:22 %APP%\Semi 16:34 %APP%\Uheh

18 What is the name of Zeus author?
Quick poll What is the name of Zeus author?

19 ZEUS Gameover Attribution
Image source: FBI According to the FBI, losses are “more than $100 million.”

20 ZEUS Gameover Attribution
Evgeniy Mikhailovich Bogachev, 30, of Anapa, Russia. nickname “Slavik” , indicted for conspiracy, computer hacking, wire fraud, bank fraud, and money laundering . FBI’s Washington Field Office, in coordination with law enforcement counterparts from Canada, Germany, Luxembourg, the Netherlands, United Kingdom, and Ukraine. Bogachev is identified as a leader of a cyber gang of criminals based in Russia and Ukraine that is responsible both  GameOver Zeus and Cryptolocker. 

21 ZEUS JabberZeus

22 ZEUS JabberZeus Attribution

23 ZEUS JabberZeus Attribution
Stole more than $70 million from banks worldwide Karina Kostromina, wife of Kulibaba, 33-year-old Latvian woman jailed for money laundering Ringleader, 32-year-old Ukrainian property developer Yevhen Kulibaba Kulibaba’s right-hand man, 28-year-old Yuriy Konovalenko Photos from krebsonsecurity.com

24 ZEUS Business workflow
Source: Brian Krebs

25 ZEUS Advanced tricks Steganography Rootkit Anti-Debugging
Digital signatures New Hooking implementation

26 ZEUS Steganographic config

27 ZEUS Steganographic config

28 ZEUS Necurs rootkit Access is denied when deleting the malware files.

29 Zeus advanced tricks – Anti-Debugging
Fake Jumps

30 Zeus Advanced Tricks – Digital Certificates

31 Zeus Advanced Tricks - DGA
It also employs DGA – Domain Generation Algorithm. DGA is a way for malware to prevent blacklisting of its CnC site, where an infected machine creates thousands of domain names such as:  would attempt to contact a portion of these with the purpose of receiving an update or commands. The technique was popularized by Conficker worm, which generated 50,000 domains a day.

32 „Man-in-the-browser“

33 Modularity. Flexibility. Persistence.
ZEUS why so successful Modularity. Flexibility. Persistence.

34 ZEUS why is removal hard
Registry Key Infector Decrypt & load DLL Inject DLL

35 ZEUS tell tale signs POST /grace/gate.php HTTP/1.1
GET /grace/cfg.bin HTTP/1.

36 ZEUS tell tale signs Zeus version 2 saves encrypted config in registry
 HKCU\Software\Microsoft\{Random}

37 Demo ZEUS MALWARE KIT DEMO https://www.youtube.com/watch?v=E0TQW82o8cc

38

39 Every platform affected by malware
Windows : Zeus, Cryptolocker, 100+ million malware Android : Code4HK Linux: Shellshock Mac: iWorm Reddit worm All platforms are at risk!

40 BREAK THE CHAIN Awareness Behavior Correlation Encryption Intelligence
Malware Kill Chain Awareness Behavior Correlation Encryption Intelligence LURE EXPLOIT INFECT CALL HOME STEAL DATA BREAK THE CHAIN

41 Anti-Sandbox Malware Techniques
October 30: info.cyphort.com/mmwoctober Anti-Sandbox Malware Techniques

42 Thank You! @belogor info.cyphort.com/mmwoctober

Download ppt "Zeus By Nick Bilogorskiy @belogor nick@cyphort.com."

Similar presentations

Implementing Tableau Server in an Enterprise Environment

Implementing Tableau Server in an Enterprise Environment
Malware Artifacts.

Malware Artifacts.
MIRAGE MALWARE SIDDARTHA ELETI CLEMSON UNIVERSITY.

MIRAGE MALWARE SIDDARTHA ELETI CLEMSON UNIVERSITY.
Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.

Next Generation Endpoint Security Jason Brown Enterprise Solution Architect McAfee May 23, 2013.
Www.thevigilant.com Copyright 2009, Vigilant LLC Spy VS Spy Countering SpyEye with SpyEye Lance James Director of Intelligence Vigilant, LLC March 21 st,

Copyright 2009, Vigilant LLC Spy VS Spy Countering SpyEye with SpyEye Lance James Director of Intelligence Vigilant, LLC March 21 st,
Malware and ACH/EFT Fraud

Malware and ACH/EFT Fraud
Your Botnet is My Botnet: Analysis of a Botnet Takeover

Your Botnet is My Botnet: Analysis of a Botnet Takeover
ZeuS: God of All Cyber-Theft

ZeuS: God of All Cyber-Theft
Trojan Horse Program Presented by : Lori Agrawal.

Trojan Horse Program Presented by : Lori Agrawal.
Computer Viruses.

Computer Viruses.
Malicious Attacks. Introduction Commonly referred to as: malicious software/ “malware”, computer viruses Designed to enter computers without the owner’s.

Malicious Attacks. Introduction Commonly referred to as: malicious software/ “malware”, computer viruses Designed to enter computers without the owner’s.
Browser Exploitation Framework (BeEF) Lab

Browser Exploitation Framework (BeEF) Lab
Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.

Guide to Operating System Security Chapter 2 Viruses, Worms, and Malicious Software.
Automated Malware Analysis

Automated Malware Analysis
Advanced Persistent Threats CS461/ECE422 Spring 2012.

Advanced Persistent Threats CS461/ECE422 Spring 2012.
Internet Safety CSA 105 1.0 September 21, 2010. Internet Threats Malware (viruses) Spyware Spam Hackers Cyber-criminals.

Internet Safety CSA September 21, Internet Threats Malware (viruses) Spyware Spam Hackers Cyber-criminals.
11 The Ghost In The Browser Analysis of Web-based Malware Reporter: 林佳宜 Advisor: Chun-Ying Huang 2010/3/29.

11 The Ghost In The Browser Analysis of Web-based Malware Reporter: 林佳宜 Advisor: Chun-Ying Huang /3/29.
Tyler’s Malware Jeopardy $100 VirusWormSpyware Trojan Horses Ransomware /Rootkits $200 $300 $400 $500 $400 $300 $200 $100 $500 $400 $300 $200 $100 $500.

Tyler’s Malware Jeopardy $100 VirusWormSpyware Trojan Horses Ransomware /Rootkits $200 $300 $400 $500 $400 $300 $200 $100 $500 $400 $300 $200 $100 $500.
MSIT 458 – The Chinchillas. Offense Overview Botnet taxonomies need to be updated constantly in order to remain “complete” and are only as good as their.

MSIT 458 – The Chinchillas. Offense Overview Botnet taxonomies need to be updated constantly in order to remain “complete” and are only as good as their.
1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.

1 Chap 10 Malicious Software. 2 Viruses and ”Malicious Programs ” Computer “Viruses” and related programs have the ability to replicate themselves on.

Similar presentations

Ads by Google