Playing God: Zeus DIY Botnet Kit Evolves
If you've ever found yourself standing in front of a half-destroyed wall wondering whether or not you should have just hired a contractor instead of smashing it down on your own... congratulations! You may also be capable of running a sophisticated botnet!
All joking aside, the do-it-yourself botnet kit phenomenon has been raging on for years now, just as the larger malware toolkit wave has served to help overwhelm many endpoint defenses by leading to the creations of huge numbers of attack variants, often at the hands of many relative newbs.
And botnet kits show few signs of slowing down in terms of advancing their complexity. In a recent blog post, Gunter Ollmann, vice president of research for anti-botnet specialists Damballa, highlighted recent updates to the widespread Zeus botnet kit that are keeping the threat alive and well and growing despite the fact that it's been around for a while now.
Via its many different incarnations, Zeus remains one of the most popular and varied kits around, he said, and from older versions that trade hands for next to nothing to cutting-edge high-end iterations that are offered for as much as $700 a pop, the DIY botnet creation tools themselves represent a diverse underground market.
"Along the way, many malware developers have tweaked the Zeus kit and offer specialized (and competing) major versions of the DIY suite (for sale)," Ollmann said. "As such, the Zeus kit has morphed and isn't really even a single kit any more."
In a nod to the availability and potency of the Zeus campaign, the expert noted that in many popular hacking forums Zeus kits are currently being sold that are "fully operational within a network running Windows 7" and that have the ability to sniff IPv6 network traffic to look for valuable data to intercept.
Much like popular APIs from legitimate software makers or open source projects, in many ways Zeus has "developed into an open platform for third-party tool integration" Ollmann contends, with various contributors having tweaked the botnet toolkit to carry out different types of cyber-crime, ranging from spam generation to DDoS.
As a result, in addition to continued organic development, fierce competition among vendors of the toolkit have pushed its evolution even further.
For example, a newer $700 iteration of the kit found by Ollmann features Windows 7 compatibility, support for IPv6 sniffing, and a number of efforts to improve its ease-of-use, such as creating unique names for individual certificates it can incorporate.
"The most significant addition with this release in my mind is the additional support for IPv6 - particularly as it relates to network sniffing," writes the expert. "As enterprise networks (and government networks) take up IPv6 internally, botnet operators need to ensure that they're also IPv6 compliant."
And of course, since many security teams and AV solutions are still having trouble stopping older versions of Zeus, most have not evolved in parallel to prevent newer versions from taking root.
"Just because Zeus is a common botnet malware family, it doesn't mean that you're likely to have antivirus detection coverage within typical enterprise networks," notes Ollmann. "Zeus is practically never deployed in its "raw" state - instead, botnet masters typically deploy heavily obfuscated and protected serial variants of the malware - making each victim unique."
Time to bust out the sledgehammer.
Follow eWeek Security Watch on Twitter at: eWeekSecWatch.
Matt Hines has been following the IT industry for over a decade as a reporter and blogger, and has been specifically focused on the security space since 2003, including a previous stint writing for eWeek and contributing to the Security Watch blog. Hines is currently employed as marketing communications manager at Core Security Technologies, a Boston-based maker of security testing software. The views expressed herein do not necessarily represent the views of Core Security, and neither the company, nor its products and services will be actively discussed in the blog. Please send news, research or tips to SecurityWatchBlog@gmail.com.