Slide 8: ZEUS History
Timeline marks on the slide: 2007, 2008, April 2010, April 2011, October 2011, March 2012, December 2013.
Events on the timeline, in chronological order:
2007: Zeus version 1.0
2008: timeline mark without an event label on the slide
April 2010: Version 2.0
April 2011: ZeuS source code (the version number is not legible on the slide) leaked
October 2011: Peer-to-peer version, Zeus Gameover, which removes the centralized CnC infrastructure
March 2012: Microsoft legal action through a civil lawsuit dubbed Operation b71
December 2013: 64-bit version of Zeus appears
Slide 9: ZEUS, how does it work
Infection flow shown on the slide:
DROPPER (random.exe): drops the Zbot files, then hands off to the delete script.
Dropped files: ZBOT (Random2.exe) and CONFIGURATION (random.ofu).
DELETE SCRIPT (Random.bat): deletes the dropper so the original file is gone.
C&C SERVER: control communication and updates between the running Zbot and the server.
Slide 10: ZEUS Architecture
The Builder: used to build the exe file; unique to each owner; the URL and the encryption key are different for each owner.
The Configuration File: Entry, Static and Dynamic sections; holds the download URL and the exfiltration URL.
The Exe File: a unique executable built by the bot owner.
The Server: PHP scripts for monitoring and managing bots.
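The following is an added illustration of the builder / static / dynamic split on the slide; it is not Zeus code and not its byte format, and the deck contains no code. What is taken from public knowledge of Zeus 2.x (the 2011 source leak) is that the builder burns a per-owner URL and key into each build and that the fetched configuration is RC4-encrypted with that key. The RC4 below is the standard algorithm; the dictionary/JSON layout, the owner secrets and the .invalid URLs are stand-ins so the example runs offline.

```python
"""Added illustration of the builder / static / dynamic configuration split.
Not Zeus code and not its real byte format: the RC4 is standard, the
JSON layout and all names/URLs are constructed for this example."""
import json
from hashlib import sha256
from typing import Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream). Symmetric, so the same
    function encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build(owner_secret: str, config_url: str) -> dict:
    """The builder reduced to its static section: the constants compiled
    into this owner's exe. Two owners get the same code but a different
    URL and key, so their binaries and their traffic do not match."""
    return {"config_url": config_url,
            "key": sha256(owner_secret.encode()).digest()[:16]}


def pack_dynamic_config(static: dict, dynamic: dict) -> bytes:
    """Server side: the dynamic section (exfiltration URL, targets, ...)
    is encrypted with the owner's key before it is served at config_url."""
    plaintext = json.dumps(dynamic, sort_keys=True).encode()
    return rc4(static["key"], plaintext)


def bot_load_config(static: dict, blob: bytes) -> dict:
    """Bot side: decrypt the fetched blob with the compiled-in key."""
    return json.loads(rc4(static["key"], blob).decode())


def analyst_try_key(candidate_key: bytes, blob: bytes) -> Optional[dict]:
    """Analyst side: a key pulled out of one sample only opens that owner's
    configs. Another owner's key yields noise, which is why config
    extraction is a per-build job rather than a per-family one."""
    try:
        return json.loads(rc4(candidate_key, blob).decode())
    except (UnicodeDecodeError, json.JSONDecodeError):
        return None


# Constructed sample data for two hypothetical owners (no real infrastructure).
OWNER_A = build("owner-a-secret", "http://cfg-a.invalid/cfg.bin")
OWNER_B = build("owner-b-secret", "http://cfg-b.invalid/cfg.bin")
DYNAMIC_A = {"exfil_url": "http://gate-a.invalid/gate.php",
             "targets": ["bank.example"]}


def demo() -> bool:
    """Round trip for owner A, then show that owner B's key does not open it."""
    blob = pack_dynamic_config(OWNER_A, DYNAMIC_A)
    return (bot_load_config(OWNER_A, blob) == DYNAMIC_A
            and analyst_try_key(OWNER_B["key"], blob) is None)
```

The practical consequence for a defender is the last function: a signature on one owner's encrypted configuration, or one recovered key, says nothing about the next build, so extraction tooling has to locate the key inside each sample first.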
Slide 17: ZEUS, why is detection hard
Screenshot of the per-user application data directory (written %APP%\<name> on the slide): each infection installs under a different randomly generated directory name, with creation times (23:50, 00:10, 23:29, 22:23, 23:03, 13:22, 16:34) shown beside some entries. Names visible on the slide: Uwirpa, Woyxhi, Hibyo, Nezah, Afqag, Zasi, Eqzauf, Ubapo, Ydgowa, Olosu, Taal, Taosep, Wokyco, Semi, Uheh.
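Because the install directory name is different on every machine, a filename indicator from one infection never matches the next one. The hunting heuristic below is an added example, not part of the original deck, and asks structural questions of each subdirectory instead of matching names. The listing it runs over is constructed, using directory names visible on the slide plus a few legitimate vendor folders; the allowlist is an assumption to be tuned per environment.

```python
"""Added hunting heuristic for random-name install directories (example
code, not from the deck). The listing and allowlist are constructed."""
import re
from typing import Dict, List

# Folders a normal profile contains; never flagged (extend for your estate).
KNOWN_VENDOR_DIRS = {"microsoft", "mozilla", "google", "adobe", "skype"}

# Generated names of the kind on the slide: 4 to 8 letters, nothing else.
LETTERS_ONLY = re.compile(r"^[A-Za-z]{4,8}$")

# Constructed listing: directory name -> files inside it.
SAMPLE_APPDATA: Dict[str, List[str]] = {
    "Microsoft": ["Windows", "Internet Explorer"],
    "Skype": ["Skype.exe", "shared.xml"],       # legitimate, one exe, allowlisted
    "Uwirpa": ["ovyxq.exe"],                     # slide name, single random exe
    "Hibyo": ["ubox.exe", "ubox.exe.bak"],       # slide name, one exe plus a copy
    "Semi": ["semi.ini", "cache.db"],            # slide name, but no executable
    "Taal": ["taal.exe"],                        # slide name, single exe
}


def suspicious_dirs(listing: Dict[str, List[str]]) -> List[str]:
    """Flag directories that (1) are not an allowlisted vendor, (2) have a
    letters-only name of 4..8 characters, and (3) hold exactly one .exe.
    Each rule alone is noisy; together they describe the install pattern
    rather than any particular name."""
    hits = []
    for name, files in listing.items():
        if name.lower() in KNOWN_VENDOR_DIRS or not LETTERS_ONLY.match(name):
            continue
        exes = [f for f in files if f.lower().endswith(".exe")]
        if len(exes) == 1:
            hits.append(name)
    return hits
```

On the constructed listing this returns Uwirpa, Hibyo and Taal and leaves Skype alone only because it is allowlisted: any short-named legitimate application that ships a single exe into the profile directory is a false positive until the allowlist is tuned, which is the price of not relying on names.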
Slide 18: Quick poll
What is the name of the Zeus author?
Slide 19: ZEUS Gameover Attribution
Image source: FBI. According to the FBI, losses are "more than $100 million."
Slide 20: ZEUS Gameover Attribution
Evgeniy Mikhailovich Bogachev, 30, of Anapa, Russia, nickname "Slavik", was indicted for conspiracy, computer hacking, wire fraud, bank fraud and money laundering. The case was led by the FBI's Washington Field Office in coordination with law enforcement counterparts from Canada, Germany, Luxembourg, the Netherlands, the United Kingdom and Ukraine. Bogachev is identified as a leader of a cyber gang based in Russia and Ukraine that is responsible for both GameOver Zeus and CryptoLocker.
Slide 23: ZEUS JabberZeus Attribution
The JabberZeus crew stole more than $70 million from banks worldwide.
Ringleader: Yevhen Kulibaba, 32-year-old Ukrainian property developer.
Kulibaba's right-hand man: Yuriy Konovalenko, 28.
Karina Kostromina, Kulibaba's wife, a 33-year-old Latvian woman, jailed for money laundering.
Photos from krebsonsecurity.com.
Slide 31: Zeus Advanced Tricks: DGA
Zeus also employs a DGA (Domain Generation Algorithm). A DGA is a way for malware to avoid blacklisting of its CnC site: the infected machine generates thousands of candidate domain names of the form www.<gibberish>.com and attempts to contact a portion of them in order to receive an update or commands. The operator only needs to register a handful of the day's names, while a blacklist built from yesterday's domains is always behind; the defender's counter is to recover the algorithm and its seed from a sample and pre-compute the list. The technique was popularized by the Conficker worm, which generated 50,000 domains a day.
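The generator below is an added example for this slide. It is not Gameover Zeus's real algorithm and not code from the deck: a date-seeded DGA of the kind described, followed by the two defender-side uses that follow once the algorithm is known, pre-computing the coming days' list for sinkholing or blocking, and matching resolver logs against it. The seed, TLD set and log line format are constructed for the example.

```python
"""Added DGA example (not the real Gameover Zeus algorithm, not from the
deck). Seed, TLDs and the log format are constructed."""
import hashlib
from datetime import date, timedelta
from typing import List, Set, Tuple

TLDS = ["com", "net", "org", "biz"]
SEED = b"example-seed"  # constructed; real families hard-code or fetch one


def dga(day: date, count: int = 1000, seed: bytes = SEED) -> List[str]:
    """Deterministic list of `count` domains for `day`. Bot and defender
    that share algorithm and seed produce exactly the same list."""
    domains = []
    for i in range(count):
        h = hashlib.md5(seed + day.isoformat().encode()
                        + i.to_bytes(4, "little")).digest()
        # 8..15 lowercase letters from the hash bytes, then a TLD from the last byte
        label = "".join(chr(ord("a") + b % 26) for b in h[:8 + h[8] % 8])
        domains.append(f"{label}.{TLDS[h[15] % len(TLDS)]}")
    return domains


def bot_candidates(day: date, sample: int = 50) -> List[str]:
    """The bot contacts only a portion of the day's list (the first
    `sample` here for determinism; real bots pick at random)."""
    return dga(day)[:sample]


def defender_blocklist(start: date, days: int = 7) -> Set[str]:
    """Pre-compute every domain the bot could use in the next `days` days,
    to register/sinkhole them or to block them at the resolver."""
    return set().union(*(dga(start + timedelta(days=d)) for d in range(days)))


def match_log(lines: List[str], blocklist: Set[str]) -> List[Tuple[str, str, str]]:
    """Resolver log lines in the constructed form 'timestamp client qname';
    returns the ones whose queried name is on the pre-computed list."""
    hits = []
    for line in lines:
        ts, client, qname = line.split()
        if qname.lower().rstrip(".") in blocklist:
            hits.append((ts, client, qname))
    return hits


def sample_log(day: date) -> List[str]:
    """Constructed resolver log: two benign lookups and two DGA lookups
    (one logged with a trailing dot, as some resolvers do)."""
    gen = dga(day)
    return [
        f"{day}T09:12:01 10.0.0.7 www.example.com",
        f"{day}T09:12:05 10.0.0.7 {gen[3]}",
        f"{day}T09:12:06 10.0.0.7 {gen[812]}.",
        f"{day}T09:13:40 10.0.0.9 cdn.example.net",
    ]
```

Two things the code makes concrete: the list changes completely from one day to the next, so a blocklist must be regenerated on the same schedule the bot uses, and a host resolving several names from the list in quick succession is a stronger signal than any single lookup, since legitimate clients do not query freshly generated gibberish.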