
Zeus By Nick Bilogorskiy @belogor


1 Zeus By Nick Bilogorskiy @belogor

2 Nick Bilogorskiy, Director of Security Research

3 Agenda
- What is Zeus
- Dissecting the malware
- Attribution
- Zeus advanced tricks
- Recommendations

4 Quick poll: Have you heard of Zeus?

5 ZEUS: What is it
Zeus is the most successful banking malware to date.
- Trojan horse targeting Windows operating systems
- Tens of millions of computers infected worldwide

6 ZEUS 7 years old

7 ZEUS Prevalence

8 ZEUS History
2007–2008: Zeus version 1.0
Apr 2010: Version 2.0
April 2011: ZeuS source code leaked
October 2011: Peer-to-peer version, Zeus Gameover, removes the centralized CnC infrastructure
March 2012: Microsoft legal action through a civil lawsuit dubbed Operation b71
December 2013: 64-bit version of Zeus appears

9 ZEUS how does it work
DROPPER (random.exe): drops the Zbot files, then runs the DELETE SCRIPT (Random.bat), which deletes the dropper
ZBOT (Random2.exe): the installed bot
CONFIGURATION (random.ofu): the bot's configuration file
C&C SERVER: control communication and updates

10 ZEUS Architecture
The Builder: used to build the exe file; unique to each owner; URL and encryption key different for each owner
The Configuration File: Entry, Static and Dynamic sections; download URL and exfiltration URL
The Exe File: unique executable file built by the bot owner
The Server: PHP scripts for monitoring and managing bots

11 ZEUS Builder

12 ZEUS Config
Keys from the builder's config.txt: url_config (where the bot fetches its encrypted configuration), url_loader (where it fetches bot updates), url_server (the gate script to which stolen data is POSTed), AdvancedConfigs (fallback configuration URLs), WebFilters (URL masks that control which traffic is logged or screenshotted), WebFakes (redirections from one URL to another)
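The builder config is a plain text file of nested entry/end blocks. The following parser is an added example written for this page in Python; it is not the talk's material and not Zeus code. The SAMPLE_CONFIG is constructed, and the *.invalid hostnames, botnet name and key in it are placeholders rather than real indicators. It pulls out the three things a responder wants first: every server URL the bot will contact, and how the WebFilters masks are going to treat the victim's browsing.

```python
"""Parser for the Zeus 2.x builder config.txt format: nested
'entry "Name" ... end' blocks holding key/value lines and bare quoted items,
with ';' starting a comment line.

This is an added example, not code from the talk or from the Zeus source.
SAMPLE_CONFIG is constructed for it; the *.invalid hostnames, botnet name and
key are placeholders, not real indicators.
"""
import shlex
from typing import Any

SAMPLE_CONFIG = r'''
entry "StaticConfig"
  botnet "example"
  timer_config 60 1
  timer_logs 1 1
  timer_stats 20 1
  url_config "http://cnc.example.invalid/grace/cfg.bin"
  encryption_key "s3cr3t key"
end

entry "DynamicConfig"
  url_loader "http://cnc.example.invalid/grace/bot.exe"
  url_server "http://cnc.example.invalid/grace/gate.php"
  file_webinjects "webinjects.txt"
  entry "AdvancedConfigs"
    "http://backup.example.invalid/cfg.bin"
  end
  entry "WebFilters"
    "!*.microsoft.com/*"
    "@*/login.example-bank.invalid/*"
  end
  entry "WebFakes"
    ;"http://www.google.com" "http://www.yahoo.com" "GP" "" ""
  end
end
'''


def parse_config(text: str) -> dict[str, Any]:
    """Parse config.txt into nested dicts.

    Key/value lines become key -> str (one value) or key -> list[str];
    bare quoted lines inside a block are collected under "_items".
    """
    root: dict[str, Any] = {}
    stack: list[dict[str, Any]] = [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                      # blank or comment line
        tokens = shlex.split(line)        # honours "quoted strings"
        if line[0] == '"':                # bare item, e.g. a WebFilters mask
            stack[-1].setdefault("_items", []).append(tokens)
        elif tokens[0] == "entry" and len(tokens) == 2:
            block: dict[str, Any] = {}
            stack[-1][tokens[1]] = block
            stack.append(block)
        elif tokens[0] == "end" and len(tokens) == 1:
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: 'end' without matching 'entry'")
            stack.pop()
        elif len(tokens) == 2:
            stack[-1][tokens[0]] = tokens[1]
        else:
            stack[-1][tokens[0]] = tokens[1:]
    if len(stack) != 1:
        raise ValueError("unterminated 'entry' block")
    return root


def c2_urls(config: dict[str, Any]) -> set[str]:
    """Collect every server URL the bot will talk to: url_* keys in the
    static and dynamic sections plus the AdvancedConfigs fallback list."""
    urls: set[str] = set()
    for section in ("StaticConfig", "DynamicConfig"):
        for key, value in config.get(section, {}).items():
            if key.startswith("url_") and isinstance(value, str):
                urls.add(value)
    advanced = config.get("DynamicConfig", {}).get("AdvancedConfigs", {})
    urls.update(item[0] for item in advanced.get("_items", []))
    return urls


def webfilter_masks(config: dict[str, Any]) -> dict[str, list[str]]:
    """Split WebFilters masks by prefix: '!' = do not log traffic for this URL,
    '@' = take screenshots of mouse clicks, no prefix = log normally."""
    out: dict[str, list[str]] = {"ignore": [], "screenshot": [], "log": []}
    items = config.get("DynamicConfig", {}).get("WebFilters", {}).get("_items", [])
    for (mask,) in items:
        if mask.startswith("!"):
            out["ignore"].append(mask[1:])
        elif mask.startswith("@"):
            out["screenshot"].append(mask[1:])
        else:
            out["log"].append(mask)
    return out
```

Run `c2_urls(parse_config(SAMPLE_CONFIG))` to get the blocklist for a sample; note that the encrypted cfg.bin the bot actually downloads is built from this text, so recovering config.txt from a panel or builder gives you the plaintext of what the bot will do without having to decrypt anything.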

13 ZEUS PHP backend
Exposed control panels can be found with the Google search: inurl:"cp.php?m=login"
Image: Aditya Sood

14 ZEUS PHP backend
Image: Aditya Sood


16 ZEUS why is detection hard

17 ZEUS why is detection hard
Zeus installs itself into a randomly generated folder and file name under %APPDATA%, so there is no fixed path or name to write a signature against. Folder names and times seen on infected machines:
%APP%\Uwirpa 23:50
%APP%\Woyxhi
%APP%\Hibyo 00:10
%APP%\Nezah
%APP%\Afqag 23:29
%APP%\Zasi
%APP%\Eqzauf 22:23
%APP%\Ubapo
%APP%\Ydgowa
%APP%\Olosu 23:03
%APP%\Taal
%APP%\Taosep
%APP%\Wokyco 13:22
%APP%\Semi 16:34
%APP%\Uheh

18 Quick poll: What is the name of the Zeus author?

19 ZEUS Gameover Attribution
Image source: FBI. According to the FBI, losses are “more than $100 million.”

20 ZEUS Gameover Attribution
Evgeniy Mikhailovich Bogachev, 30, of Anapa, Russia, nickname “Slavik”, indicted for conspiracy, computer hacking, wire fraud, bank fraud and money laundering. The investigation was led by the FBI's Washington Field Office in coordination with law enforcement counterparts from Canada, Germany, Luxembourg, the Netherlands, the United Kingdom and Ukraine. Bogachev is identified as a leader of a cyber gang based in Russia and Ukraine that is responsible for both GameOver Zeus and Cryptolocker.

21 ZEUS JabberZeus

22 ZEUS JabberZeus Attribution

23 ZEUS JabberZeus Attribution
Stole more than $70 million from banks worldwide
- Ringleader: Yevhen Kulibaba, 32-year-old Ukrainian property developer
- Kulibaba's right-hand man: Yuriy Konovalenko, 28
- Karina Kostromina, 33-year-old Latvian woman and wife of Kulibaba, jailed for money laundering
Photos from

24 ZEUS Business workflow
Source: Brian Krebs

25 ZEUS Advanced tricks
- Steganography
- Rootkit
- Anti-Debugging
- Digital signatures
- New hooking implementation

26 ZEUS Steganographic config

27 ZEUS Steganographic config

28 ZEUS Necurs rootkit
“Access is denied” when trying to delete the malware files.

29 Zeus advanced tricks – Anti-Debugging
Fake Jumps

30 Zeus Advanced Tricks – Digital Certificates

31 Zeus Advanced Tricks - DGA
It also employs a DGA (Domain Generation Algorithm). A DGA is a way for malware to survive blacklisting of its CnC domains: the infected machine deterministically generates thousands of candidate domain names such as www.<gibberish>.com (typically from the current date) and attempts to contact a portion of them to receive an update or commands, while the operator only has to register one of them ahead of time. The technique was popularized by the Conficker worm, which generated 50,000 domains a day.
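To make the mechanism concrete, here is an illustrative date-seeded DGA together with the defender-side check that follows from it. This is an added example in Python, not the talk's material and not the Gameover Zeus algorithm: the seed string, hashing scheme, label alphabet and TLD pool are this example's own assumptions. The point it shows is that whoever knows the algorithm and seed, the bot or an analyst who reverse-engineered it, can pre-compute the same candidate list for any day, which is what makes sinkholing and proactive blocking of DGA domains possible.

```python
"""Illustrative date-seeded DGA with a matching defender-side check.

Added example (Python), not the talk's material and not the Gameover Zeus
algorithm. The seed string, hashing scheme, label alphabet and TLD pool are
this example's assumptions.
"""
import hashlib
from datetime import date, timedelta

TLDS = ("com", "net", "org", "biz", "info", "ru")   # assumed TLD pool
SEED = "example-campaign-seed"                      # assumed per-campaign seed


def generate_domains(day: date, count: int, seed: str = SEED) -> list[str]:
    """Ordered candidate list for one day; same inputs always give the same list."""
    domains = []
    for index in range(count):
        material = f"{seed}|{day.isoformat()}|{index}".encode()
        digest = hashlib.sha256(material).digest()
        length = 12 + digest[0] % 8                  # 12..19 character label
        label = "".join(chr(ord("a") + b % 26) for b in digest[1:1 + length])
        domains.append(f"{label}.{TLDS[digest[-1] % len(TLDS)]}")
    return domains


def dga_domains_around(day: date, count: int, skew_days: int = 1) -> set[str]:
    """Union of the lists for day-skew .. day+skew, so clock drift on the
    infected host does not cause misses."""
    result: set[str] = set()
    for offset in range(-skew_days, skew_days + 1):
        result.update(generate_domains(day + timedelta(days=offset), count))
    return result


def flag_dns_queries(log_lines, day: date, count: int = 1000) -> dict[str, list[str]]:
    """Map client -> DGA domains it looked up. Constructed log format: '<client> <qname>'."""
    known = dga_domains_around(day, count)
    hits: dict[str, list[str]] = {}
    for line in log_lines:
        parts = line.split()
        if len(parts) != 2:
            continue
        client, qname = parts
        qname = qname.rstrip(".").lower()             # normalise trailing dot and case
        if qname in known:
            hits.setdefault(client, []).append(qname)
    return hits


TODAY = date(2014, 10, 21)
SAMPLE_DNS_LOG = [  # constructed: two DGA lookups from one host, benign names elsewhere
    "10.0.0.5 " + generate_domains(TODAY, 1000)[17],
    "10.0.0.5 www.example.com",
    "10.0.0.5 " + generate_domains(TODAY - timedelta(days=1), 1000)[999] + ".",
    "10.0.0.9 mail.example.org",
]
```

`flag_dns_queries(SAMPLE_DNS_LOG, TODAY)` names the infected client. In real resolver logs the bot only tries a portion of the list, and almost all of those lookups fail, so a burst of NXDOMAIN answers for long random labels is the signal that is usually spotted first, before the algorithm itself has been recovered.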

32 "Man-in-the-browser"
Zeus hooks the browser's own HTTP functions, so it reads and rewrites pages and form submissions after TLS has been decrypted: the bank sees a normal HTTPS session, the user sees the padlock plus injected form fields, and the bot captures what is typed into them.
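The injection rules Zeus applies live in a webinjects file referenced from the config (file_webinjects). The code below is an added example in Python that parses that rule format and splices the extra HTML into a page the way the browser hook does; it is not the talk's material and not Zeus code. The rule set, the bank hostname and the login page are constructed for this example, and only the G (GET) and P (POST) flag letters are interpreted.

```python
"""Zeus-style webinjects.txt parser and man-in-the-browser injector.

Added example (Python), not the talk's material and not Zeus code. It mimics
what the bot's browser hook does to a response after the browser has decrypted
it: match the URL against set_url masks, find data_before in the page and
splice data_inject in after it (replacing up to data_after when that is set).
SAMPLE_WEBINJECTS and SAMPLE_PAGE are constructed; example-bank.invalid is a
placeholder.
"""
import fnmatch
import re

SAMPLE_WEBINJECTS = """
set_url https://online.example-bank.invalid/login* GP
data_before
name="password"*</div>
data_end
data_inject
<div class="row">ATM PIN: <input type="password" name="atm_pin"></div>
data_end
data_after
data_end
"""

SAMPLE_PAGE = """<html><body><form method="post" action="/login">
<div class="row">User: <input type="text" name="user"></div>
<div class="row">Password: <input type="password" name="password"></div>
<input type="submit" value="Log in">
</form></body></html>"""


def parse_webinjects(text: str) -> list[dict]:
    """Return rules as {url, flags, before, inject, after}."""
    rules, current, block, buf = [], None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if block is not None:                       # inside a data_* block
            if line == "data_end":
                current[block] = "\n".join(buf)
                block, buf = None, []
            else:
                buf.append(raw)
            continue
        if line.startswith("set_url "):
            _, url, *rest = line.split()
            current = {"url": url, "flags": rest[0] if rest else "GP",
                       "before": "", "inject": "", "after": ""}
            rules.append(current)
        elif line in ("data_before", "data_inject", "data_after") and current is not None:
            block = line[len("data_"):]
    return rules


def _mask_to_regex(mask: str) -> re.Pattern:
    """Zeus masks use '*' as a wildcard for any run of characters."""
    return re.compile(".*?".join(re.escape(part) for part in mask.split("*")), re.DOTALL)


def apply_webinjects(rules, url: str, method: str, html: str) -> tuple[str, int]:
    """Return (modified_html, number_of_rules_applied)."""
    applied = 0
    for rule in rules:
        if method[0].upper() not in rule["flags"]:        # G = GET, P = POST
            continue
        if not fnmatch.fnmatchcase(url, rule["url"]):
            continue
        start = 0
        if rule["before"]:
            m = _mask_to_regex(rule["before"]).search(html)
            if m is None:
                continue
            start = m.end()
        end = start
        if rule["after"]:                                 # replace the span up to data_after
            m = _mask_to_regex(rule["after"]).search(html, start)
            if m is None:
                continue
            end = m.start()
        html = html[:start] + rule["inject"] + html[end:]
        applied += 1
    return html, applied
```

Applied to SAMPLE_PAGE, the rule adds an "ATM PIN" field directly under the password field. When the victim submits, the browser posts `atm_pin` to the real bank along with the real credentials; the bank ignores the unknown field, while the bot's form-grabbing hook, which sees the same POST body, records it.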

33 ZEUS why so successful
Modularity. Flexibility. Persistence.

34 ZEUS why is removal hard
Registry Key → Infector → Decrypt & load DLL → Inject DLL

35 ZEUS tell tale signs
POST /grace/gate.php HTTP/1.1
GET /grace/cfg.bin HTTP/1.
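These two requests are the network signature worth alerting on: a GET for the encrypted config blob and POSTs of stolen data to the gate script. The following detection logic is an added example in Python, not the talk's material; it runs over constructed proxy log lines in a constructed format. The /grace/ directory is deliberately not hard-coded, because each bot owner picks their own path on the server, so the match is on the file names and on the pairing of the two requests to the same host.

```python
"""Detection logic for the two Zeus tell-tale HTTP signs: a GET for an
encrypted config ending in .bin followed by POSTs to gate.php, run over
proxy log lines.

Added example (Python), not the talk's material. The log format and the
sample lines are constructed; the campaign path /grace/ is not hard-coded
because each bot owner chooses their own server directory.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# constructed format: <iso-timestamp> <client> <method> <url> <status> <bytes>
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3}) (\d+)$")
CONFIG_GET = re.compile(r"/[^/?]+\.bin$")   # cfg.bin, config.bin, ...
GATE_POST = re.compile(r"/gate\.php$")

SAMPLE_LOG = [  # constructed
    "2014-10-21T23:50:01 10.0.0.5 GET http://203.0.113.7/grace/cfg.bin 200 4096",
    "2014-10-21T23:50:03 10.0.0.5 POST http://203.0.113.7/grace/gate.php 200 812",
    "2014-10-21T23:51:10 10.0.0.9 GET http://www.example.com/index.html 200 1200",
    "2014-10-21T23:52:00 10.0.0.9 POST http://www.example.com/login 302 0",
    "2014-10-22T00:05:00 10.0.0.12 POST http://198.51.100.4/panel/gate.php 200 500",
    "2014-10-22T10:00:00 10.0.0.20 GET http://198.51.100.9/x/cfg.bin 200 4100",
    "2014-10-22T14:00:00 10.0.0.20 POST http://198.51.100.9/x/gate.php 200 300",
]


def parse_line(line: str):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status, size = m.groups()
    parts = urlsplit(url)
    return {"ts": datetime.fromisoformat(ts), "client": client, "method": method,
            "host": parts.hostname, "path": parts.path,
            "status": int(status), "size": int(size)}


def find_zeus_beacons(lines, window: timedelta = timedelta(minutes=5)):
    """Return {client: (severity, host, reason)}.

    high:   config .bin fetched and gate.php POSTed to the same host within `window`
    medium: POST with a body to gate.php without a nearby config fetch
    A lone .bin download is not reported: too many legitimate ones exist.
    """
    events = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] == "GET" and CONFIG_GET.search(rec["path"]):
            events[(rec["client"], rec["host"])].append(("config_get", rec["ts"]))
        elif rec["method"] == "POST" and GATE_POST.search(rec["path"]) and rec["size"] > 0:
            events[(rec["client"], rec["host"])].append(("gate_post", rec["ts"]))

    findings = {}
    for (client, host), evs in events.items():
        gets = [ts for kind, ts in evs if kind == "config_get"]
        posts = [ts for kind, ts in evs if kind == "gate_post"]
        if gets and posts and any(abs(p - g) <= window for g in gets for p in posts):
            findings[client] = ("high", host, "config .bin fetch followed by gate.php POST")
        elif posts:
            findings.setdefault(client, ("medium", host, "POST with body to gate.php"))
    return findings
```

On SAMPLE_LOG this reports 10.0.0.5 as high (both requests to 203.0.113.7 within two seconds), and 10.0.0.12 and 10.0.0.20 as medium (gate.php POSTs with no config fetch inside the five-minute window). Because the path prefix and the .bin name are operator-chosen, treat the file names as a starting point and the GET-then-POST pairing to one host as the part of the logic that survives renaming.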

36 ZEUS tell tale signs Zeus version 2 saves encrypted config in registry



39 Every platform affected by malware
Windows: Zeus, Cryptolocker, 100+ million malware samples
Android: Code4HK
Linux: Shellshock
Mac: iWorm, the Reddit worm
All platforms are at risk!

40 Malware Kill Chain: BREAK THE CHAIN
Stages: LURE → EXPLOIT → INFECT → CALL HOME → STEAL DATA
Countermeasures: Awareness, Behavior, Correlation, Encryption, Intelligence

41 October 30: Anti-Sandbox Malware Techniques

42 Thank You! @belogor
