8 ZEUS History
2007: Zeus version 1.0
2008: (event text not recovered from the slide)
Apr 2010: Version 2.0
April 2011: ZeuS source code leaked (version number not recovered from the slide)
October 2011: Peer to Peer version – Zeus Gameover – removes the centralized CnC infrastructure
March 2012: Microsoft legal action through a civil lawsuit dubbed Operation b71
December 2013: 64-bit version of Zeus appears
9 ZEUS how does it work
DROPPER (random.exe): drops the Zbot files
  ZBOT (Random2.exe)
  CONFIGURATION (random.ofu)
DELETE SCRIPT (Random.bat): deletes the dropper
C&C SERVER: control communication and updates
10 ZEUS Architecture
The Builder: used to build the exe file; unique to each owner; URL and encryption key different for each owner
The Configuration File: Entry, Static and Dynamic sections; download URL and exfiltration URL
The Exe File: unique executable file built by the bot owner
The Server: PHP scripts for monitoring and managing bots
17 ZEUS why is detection hard
[Directory listing from the slide: randomly named Zeus folders under %APP%, each with its own timestamp: %APP%\Uwirpa, %APP%\Woyxhi, %APP%\Hibyo, %APP%\Nezah, %APP%\Afqag, %APP%\Zasi, %APP%\Eqzauf, %APP%\Ubapo, %APP%\Ydgowa, %APP%\Olosu, %APP%\Taal, %APP%\Taosep, %APP%\Wokyco, %APP%\Semi, %APP%\Uheh]
18 Quick poll: What is the name of the Zeus author?
19 ZEUS Gameover Attribution
According to the FBI, losses are “more than $100 million.” (Image source: FBI)
20 ZEUS Gameover Attribution
Evgeniy Mikhailovich Bogachev, 30, of Anapa, Russia, nickname “Slavik”, indicted for conspiracy, computer hacking, wire fraud, bank fraud, and money laundering.
FBI’s Washington Field Office, in coordination with law enforcement counterparts from Canada, Germany, Luxembourg, the Netherlands, the United Kingdom, and Ukraine.
Bogachev is identified as a leader of a cyber gang of criminals based in Russia and Ukraine that is responsible for both GameOver Zeus and Cryptolocker.
23 ZEUS JabberZeus Attribution
Stole more than $70 million from banks worldwide.
Ringleader: Yevhen Kulibaba, 32-year-old Ukrainian property developer.
Kulibaba’s right-hand man: Yuriy Konovalenko, 28.
Karina Kostromina, wife of Kulibaba, 33-year-old Latvian woman jailed for money laundering.
(Photos from krebsonsecurity.com)
31 Zeus Advanced Tricks - DGA
Zeus also employs a DGA (Domain Generation Algorithm). A DGA is a way for malware to prevent blacklisting of its CnC site: an infected machine creates thousands of domain names such as www.<gibberish>.com and attempts to contact a portion of them in order to receive an update or commands. The technique was popularized by the Conficker worm, which generated 50,000 domains a day.