Fighting the Zeus Botnet in Your Enterprise

Zeus is among the most popular crimeware tool kits out there and was placed in the spotlight last week due to NetWitness' discovery of the Kneber botnet. In a discussion with eWEEK, security pros walk through some of the ways Zeus infiltrates organizations and discuss the importance of defense-in-depth as well as having sound policies governing the remediation and investigation process if infected by malware.

When NetWitness uncovered the now-notorious Kneber botnet, the culprit of attack had a familiar name-Zeus.

The Zeus Trojan, also known as Zbot, is one of the popular pieces of malware on the market, selling for a few hundred dollars to several thousand. In the case of Kneber, the Trojan made its way from hacker forums to enterprise networks, eventually becoming the building block of aroughly 75,000-strong botnet, leaving administrators with the task of figuring out how the malware penetrated their networks and what to do.

Typically, Zeus targets banking credentials. In addition, it sometimes injects HTML into pages rendered by the browser so as to create bogus log-in pages for online banking sites to get its hands on personal information. In the case of Kneber, the botnet was observed stealing 68,000 user credentials for everything from Facebook to Web-based e-mail, as well as 2,000 SSL certificate files and other data. Zeus' purveyors, it seems, stay busy-in a report in August, Symantec said it had uncovered more than 70,000 unique variants of the Zeus binary during the past year.

"Zeus, while old and detected by many signatures, is popular because it's good at what it does-steal credentials to financial Websites-it's configurable, easy to use, the authors keep updating it, and old versions are usually available for free," said Elias Levy, senior director of Symantec Security Response. "While many security products detect its many variants, its popularity [among] attackers ensures large numbers of people are infected by it."

Zeus is known to spread via drive-by downloads and other methods, such as a recent attack detailed here by Websense. Blocking the Trojan with signatures and traditional heuristics can be difficult, as attackers have access to a large number of packers that help them disguise malicious code, noted Toralv Dirro, security strategist at McAfee Labs.

"They just pack their Trojan, check it against current AV [antivirus], pack it again, until they know none of the products detect it with signatures when they release it," he said.

"To dodge system security software, there are two steps," Dirro continued. "The first is to evade detection when you start sending out a Trojan, which is done with the help of packers. The second is to prevent AV software from updating, sometimes fully disabling it. Usage of rootkit technologies to remain invisible for the user and common system tools are used in addition."

For users, making sure antivirus protections are up-to-date offers an obvious layer of protection. Still, a sample study of 10,000 consumer PCs in September 2009 by researchers at Trusteer uncovered 55 percent (PDF) of the computers with Zeus had up-to-date antivirus, while the remainder either had no antivirus or it was out-of-date.

As for other measures, Dirro suggested enterprises limit user rights so that malware can do less damage in the event it compromises a system, and Levy advised businesses to educate their users about social engineering and make sure the most current security patches are deployed.

Even with these protections in place, however, few would argue that any practical security approach is truly full-proof. For that reason, in the event of a compromise, it is important that organizations know what steps to take as they investigate and remediate machines.

"Evidentiary collection is a vital component of any malware remediation campaign, not just for establishing culpability but also for managing potential claims or issues for insurance carriers and building defenses against future attack," said Erik Laykin, co-leader of Duff & Phelps' Global Electronic Discovery and Investigations Practice. "A proper internal investigation should be commenced under the direction of counsel, which may include a mapping of the various systems and devices on the network and interviews of victims or other parties of interest that maintained access or controlled key systems which have been affected."

"Residual and supporting utility data should be identified and preserved early in the process, including backup tapes, e-mail communications between the parties of interest and log files of various systems which may have recorded activity, such as Web server logs, router logs and IDS logs, surveillance camera recordings, and access point logs," Laykin continued. "Often these logs are quickly overwritten due to their size, thus they should be focused on early."

The best advice for a system known to be infected with a Trojan is to replace it with another machine/disk or reimage it because it is impossible to know what modifications to a system a cyber-criminal may have made through the Trojan or what else may have been installed, Dirro said.

"In corporate environments, there usually is a process for imaging machines that is faster and thus cheaper than an attempt to clean the machine," he said. "This may not be practical if it is concerning a large number of machines that have been hit. In that case, test removal on single systems and, if there are problems, work with your AV vendor to get a solution before attempting to clean hundreds of machines."