Zeus is among the most popular crimeware tool kits out there and was placed in the spotlight last week due to NetWitness' discovery of the Kneber botnet. In a discussion with eWEEK, security pros walk through some of the ways Zeus infiltrates organizations and discuss the importance of defense-in-depth as well as having sound policies governing the remediation and investigation process if infected by malware.
When NetWitness uncovered
the now-notorious Kneber botnet, the culprit of attack had a familiar name-Zeus.
, also known as Zbot, is one of the popular pieces of malware on
the market, selling for a few hundred dollars to several thousand. In
the case of Kneber
, the Trojan made its way from hacker forums to
enterprise networks, eventually becoming the building block of a
roughly 75,000-strong botnet
, leaving administrators with the task of
figuring out how the malware penetrated their networks and what to do.
targets banking credentials
. In addition, it sometimes injects HTML into
pages rendered by the browser so as to create bogus log-in pages for online
banking sites to get its hands on personal information. In the case of Kneber,
the botnet was observed stealing 68,000 user credentials for everything from
Facebook to Web-based e-mail, as well as 2,000
certificate files and other data.
Zeus' purveyors, it seems, stay busy-in a report in August, Symantec said it
had uncovered more
than 70,000 unique variants
of the Zeus binary during the past year.
"Zeus, while old and
detected by many signatures, is popular because it's good at what it does-steal
credentials to financial Websites-it's configurable, easy to use, the authors
keep updating it, and old versions are usually available for free," said Elias
Levy, senior director of Symantec Security Response. "While many security
products detect its many variants, its popularity
ensures large numbers of people are infected by it."
Zeus is known to spread
via drive-by downloads and other methods, such as a recent attack detailed here
with signatures and traditional heuristics can be difficult, as
attackers have access to a large number of packers that help them disguise
malicious code, noted Toralv Dirro, security strategist at McAfee Labs.
"They just pack their
Trojan, check it against current AV [antivirus], pack it again, until they know
none of the products detect it with signatures when they release it," he said.
"To dodge system security
software, there are two steps," Dirro continued. "The first is to evade
detection when you start sending out a Trojan, which is done with the help of
packers. The second is to prevent AV software from updating, sometimes fully
disabling it. Usage of rootkit technologies to remain invisible for the user
and common system tools are used in addition."
For users, making sure
antivirus protections are up-to-date offers an obvious layer of protection.
Still, a sample study of 10,000 consumer PCs in September 2009
by researchers at Trusteer uncovered 55
(PDF) of the computers with Zeus had up-to-date antivirus,
while the remainder either had no antivirus or it was out-of-date.
As for other
measures, Dirro suggested enterprises limit user rights so that malware
can do less damage in the event it compromises a system, and Levy advised
businesses to educate their users about social engineering and make sure the
most current security patches are deployed.
Even with these
protections in place, however, few would argue that any practical security
approach is truly full-proof. For that reason, in the event of a compromise, it
is important that organizations know what steps to take as they investigate and
"Evidentiary collection is
a vital component of any malware remediation campaign, not just for
establishing culpability but also for managing potential claims or issues for insurance
carriers and building defenses against future attack," said Erik Laykin,
co-leader of Duff & Phelps' Global Electronic Discovery and Investigations
Practice. "A proper internal investigation should be commenced under the
direction of counsel, which may include a mapping of the various systems and
devices on the network and interviews of victims or other parties of interest
that maintained access or controlled key systems which have been affected."
"Residual and supporting
utility data should be identified and preserved early in the process, including
backup tapes, e-mail communications between the parties of interest and log
files of various systems which may have recorded activity, such as Web server
logs, router logs and IDS logs, surveillance camera recordings, and access
point logs," Laykin continued. "Often these logs are quickly overwritten due to
their size, thus they should be focused on early."
The best advice for a
system known to be infected with a Trojan is to replace it with another
machine/disk or reimage it because it is impossible to know what modifications
to a system a cyber-criminal may have made through the Trojan or what else may
have been installed, Dirro said.
"In corporate environments,
there usually is a process for imaging machines that is faster and thus cheaper
than an attempt to clean the machine," he said. "This may not be practical if
it is concerning a large number of machines that have been hit. In that case,
test removal on single systems and, if there are problems, work with your AV
vendor to get a solution before attempting to clean hundreds of machines."