ZeuS: God of All Cyber-Theft

Presentation on theme: "ZeuS: God of All Cyber-Theft"— Presentation transcript:

1 ZeuS: God of All Cyber-Theft
Roland Dela Paz and Jasper Manuel, Threat Researchers
Read malware battle card. Classification 4/15/2017

2 Greek Mythology

3 Virtual Landscape

4 Fast Facts on ZeuS
- Commercial crimeware for stealing online banking credentials
- Authored by “Slavik”/“Monstr”
- Has been in the wild since late 2005

5 The ZeuS Infection Chain: via spammed messages

6 The ZeuS Infection Chain: via spammed messages; via malicious websites

7-9 ZeuS and Spam

10 ZeuS: The How
ZeuS is configured to target a list of bank-related websites or financial institutions, from which it tries to steal sensitive online banking information.

11-14 ZeuS: The How

15-23 ZeuS – a Cyber-Theft God

24 ZeuS Toolkit Components
- ZeuS Builder
- Web Panel
- Configuration Files

25 ZeuS Toolkit Components: ZeuS Builder

26-27 ZeuS Toolkit Components: Web Panel

28-31 ZeuS Toolkit Components: Configuration Files (Config.txt, Webinjects.txt)

32-33 Gathering Intelligence: Downloaded configuration file

34 Gathering Intelligence / Breaking the encryption: Where is the decryption key???

35 Gathering Intelligence / Breaking the encryption: ZeuS 1.x encryption algorithm

36 Gathering Intelligence / Breaking the encryption: Finding the key stream

37 Gathering Intelligence / Breaking the encryption: Encryption key in config.txt

38 Gathering Intelligence / Breaking the encryption: RC4 function used by ZeuS

39 Gathering Intelligence / Breaking the encryption: ZeuS builder - key stream generation

40 Gathering Intelligence / Breaking the encryption: ZeuS 2.x encryption algorithm

41-43 Gathering Intelligence / Breaking the encryption: Finding the key stream

44 Gathering Intelligence / Breaking the encryption: Encrypted HTTP traffic

45 Gathering Intelligence / ZeuS POST data decryption: Decryption key in ZeuS CP

46-47 Gathering Intelligence / ZeuS POST data decryption
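The analysis step the slides above walk through (lift the key from config.txt, generate the RC4 key stream, decrypt the downloaded configuration file and the bot's encrypted HTTP POST data) as an added Python example. This is not code from the presentation, from the toolkit, or from Trend Micro; the key, the toy configuration text and the POST body are constructed, and accepting an already expanded 256-byte state as an alternative to the key string is this example's choice, added because the slides speak of finding the key stream rather than only the key.

```python
"""RC4 key-stream generation and decryption of a ZeuS-style config blob and
POST body.  Added example; the key, config text and POST body are constructed."""
from __future__ import annotations


def rc4_ksa(key: bytes) -> list[int]:
    """Key-scheduling algorithm: expand the key into the 256-byte RC4 state."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_keystream(state: list[int], length: int) -> bytes:
    """Pseudo-random generation algorithm: emit `length` key-stream bytes.
    Works on a copy so the same state can be reused for another message."""
    s = list(state)
    i = j = 0
    out = bytearray()
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def rc4_crypt(data: bytes, key: bytes | None = None,
              state: list[int] | None = None) -> bytes:
    """Encrypt or decrypt (RC4 is symmetric).  Takes either the key string, as
    an analyst would copy it out of config.txt, or an already expanded 256-byte
    state (assumption: useful when the state, not the key, was recovered)."""
    if state is None:
        if key is None:
            raise ValueError("either key or state is required")
        state = rc4_ksa(key)
    if len(state) != 256:
        raise ValueError("RC4 state must be exactly 256 entries")
    keystream = rc4_keystream(state, len(data))
    return bytes(d ^ k for d, k in zip(data, keystream))


def recover_keystream(known_plaintext: bytes, ciphertext: bytes) -> bytes:
    """Stream-cipher property: key stream = plaintext XOR ciphertext.  A known
    plaintext prefix (a predictable config header) reveals key-stream bytes that
    decrypt any other message encrypted under the same key or state."""
    n = min(len(known_plaintext), len(ciphertext))
    return bytes(p ^ c for p, c in zip(known_plaintext[:n], ciphertext[:n]))


# Constructed sample data: hypothetical key, toy directives (not real ZeuS syntax).
SAMPLE_KEY = b"example-rc4-key"
SAMPLE_CONFIG = (
    b"config_url http://config.example.invalid/cfg.bin\n"
    b"gate_url http://gate.example.invalid/gate.php\n"
    b"target *.example-bank.invalid/*\n"
)
SAMPLE_POST = b"bot_id=EXAMPLE-0001&report=constructed form-grab sample\n"


def decrypt_capture(encrypted_config: bytes, encrypted_post: bytes,
                    key: bytes) -> tuple[bytes, bytes]:
    """Decrypt a downloaded config blob and a captured POST body with one key,
    expanding the key once and reusing the state for both messages."""
    state = rc4_ksa(key)
    return (rc4_crypt(encrypted_config, state=state),
            rc4_crypt(encrypted_post, state=state))


if __name__ == "__main__":
    enc_cfg = rc4_crypt(SAMPLE_CONFIG, key=SAMPLE_KEY)
    enc_post = rc4_crypt(SAMPLE_POST, key=SAMPLE_KEY)
    cfg, post = decrypt_capture(enc_cfg, enc_post, SAMPLE_KEY)
    print(cfg.decode())
    print(post.decode())
    # The first config line is predictable, so it leaks key-stream bytes.
    print("key stream prefix:", recover_keystream(SAMPLE_CONFIG[:16], enc_cfg[:16]).hex())
```

Because RC4 is a stream cipher, the same key stream decrypts both the configuration file and the POST traffic once the key is known, which is why a key recovered from one artefact (the builder, the configuration, or the control panel) unlocks the others; `recover_keystream` shows the related weakness that a predictable plaintext prefix exposes key-stream bytes without the key at all.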

48 What to do with gathered intelligence?
- Use it to source and monitor ZeuS binaries for detection, malware development, and solution creation
- Use it to source and monitor malicious ZeuS domains for blocking
- Share it with law enforcement agencies to help in investigations, arrests, C&C take-downs, etc.
- Use it to identify target (financial) firms and countries

49 What makes financial firms attractive targets?
- Volume of customers
- Online security measures
- Availability of webinject scripts

50 What makes a country/region an attractive target?
- Internet population
- Online banking population
- Value of money
- Locality

51 Geographic Distribution
data taken from Trend Micro Smart Protection Network

52 Is the Philippines safe from ZeuS?

53 Is the Philippines safe from ZeuS?
Online Banking Category Visitation by Market, January 2011 vs. January 2010
Total Audience, Age Home & Work Locations*. Source: comScore Media Metrix
Total Unique Visitors (000)

Country        Jan-2010   Jan-2011   % Change
Malaysia         2,360      2,746       16%
Hong Kong        1,304      1,543       18%
Vietnam            701        949       35%
Singapore          779        889       14%
Indonesia          435        749       72%
Philippines        377        525       39%

statistics taken from

54 Is the Philippines safe from ZeuS?
Top 3 Online Banking Sites by Unique Visitors for Individual Markets, January 2011
Total Audience, Age Home & Work Locations*. Source: comScore Media Metrix

Country        1st Online Banking Destination   2nd Online Banking Destination   3rd Online Banking Destination
Malaysia       Maybank Group                    Cimbclicks.com.my                Pbebank.com
Hong Kong      HSBC                             Bochk.com                        Standard Chartered
Vietnam        Vietcombank.com.vn               Acb.com.vn                       Dongabank.com.vn
Singapore      DBS.com.sg                       United Overseas Bank Group       Citigroup
Indonesia      Bankmandiri.co.id                BNI.co.id
Philippines    Bpiexpressonline.com

statistics taken from

55 Is the Philippines safe from ZeuS?
TrendLabs encountered at least two ZeuS binaries that target online banking sites in the Philippines.

56 So what can I do?

57 Prevention is still key
- Keep machines up-to-date by regularly patching software and operating systems.
- Do not click on links or open attachments in messages, instant messages, or messages that arrive via social media.
- Organizations should likewise cascade pertinent information to employees to prevent ZeuS from penetrating network security.

Example advisory to employees:

Dear All,

There has been increased concern on news of a massive system compromise that recently hit the headlines. The attack, which involves thousands of computers and organizations, was found to be the result of the work of a specific ZeuS botnet compromise dubbed the Kneber botnet. As some of you know, the ZeuS botnet has been around for years and is best known for its crimeware tactics. It is primarily designed for data theft or to steal account information related to online banking transactions.

Everyone is thus advised to exercise caution in opening messages. Avoid downloading suspicious attachments and clicking on URLs, especially those from unknown senders. Since the ZeuS malware perpetrators are constantly finding new ways to attack users, it would be wise to maintain safe computing practices. Be wary of phishing pages that purport to be legitimate websites, as these are primarily designed to fool unwitting users into handing over their personal information.

The absence of visible infection markers makes it challenging to detect a ZeuS compromise. As such, should you receive suspicious messages via e-mail or instant messaging, please report them immediately. Your cooperation and vigilance would be extremely valuable in ensuring the continued security of our network.

58 What’s next for ZeuS?
Slavik/Monstr halted ZeuS’ development in late 2010. What now?
data taken from Trend Micro Smart Protection Network

59 What’s next for ZeuS?
Source code was leaked.
Effect of the leak: improved SpyEye, LICAT (Murofet), RAMNIT, Ice IX Bot, and a few others

60 Demo

61 CONCLUSION

62 Questions?

63 Thank you.

64 Backup slide

65 ZBOT related Spam Blocked (2010 Data)
Most ZBOT related spam detections came from Brazil (39%), with India in second place at 8% and the USA third at 3.25%. This is consistent with

66 ZBOT related URLs Blocked (2010 Data)
Most ZBOT related URL detections came from the United States (54%).
How the threat travels virtually across the globe: spam on one side of the world, URL on the other.

67 ZBOT Files Blocked (2010 Data)
US clients had the highest number of ZBOT file detections (61%).
