The Zeus Crimeware Kit – An Insidious Threat
Highlights from a Prolexic DDoS Threat Advisory
What is Zeus?
• Zeus is the most used and most effective crimeware kit ever observed by the Internet security community
• First appeared in late 2007, primarily used to steal banking credentials from infected computers
• Focus has recently shifted to infecting and controlling zombie computers, with the ability to inject executable payloads and bot malware into infected computers
©2014 AKAMAI | FASTER FORWARDTM
Why is Zeus So Dangerous?
• Requires extremely little skill for attackers to use – setting it up and generating a payload is accomplished with a simple GUI
• Can be combined with other attack tools that are used as Zeus payloads
• Has a very high level of control over infected computers
• Can exfiltrate large quantities of information, up to and including screenshots and passwords
Why is Zeus so Dangerous (continued)
• Zeus payloads are extremely stealthy – infected hosts may never realize they have been zombified
• Uses a number of powerful techniques to evade detection:
  • Hidden files
  • Obfuscated content
  • Disables firewalls directly
  • Distributed, random communication
• Antivirus detection rate is estimated at only 39 percent
Zeus Commands: What Zeus Can Do
Cloud Services at Risk
• Lately, the Zeus framework has targeted Software-as-a-Service (SaaS) and Platform-as-a-Service (PaaS) infrastructures
• Compromised SaaS/PaaS instances allow attackers to exploit the extensive bandwidth and processing power of cloud vendors
• PLXSert has observed well-known cloud-services vendor IPs among the sources of many DDoS attacks
The Webinjects Configuration
• Webinjects is an insidious Zeus capability used to attack specific web applications, including cloud services
• Zeus injects custom HTML and script into pages and apps as the browser renders them (a man-in-the-browser attack), so the tampered page still arrives over the site's legitimate TLS connection
• Tricks users into providing personal information or sensitive credentials, for example by adding extra form fields to a genuine login page
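To make the webinject mechanism concrete, the following added example (not code from Akamai, Prolexic or the advisory) models how a Zeus webinjects configuration is applied to a page. The `set_url` / `data_before` / `data_inject` / `data_after` / `data_end` block syntax and the `G`/`P` (GET/POST) flags are the published Zeus 2.x `webinjects.txt` format; the real kit performs the rewrite inside the browser process by hooking its network APIs, which this script does not attempt. The bank URL, the configuration contents and the HTML pages are constructed for the example and are not real indicators.

```python
import re
from dataclasses import dataclass


@dataclass
class WebInject:
    """One entry from a Zeus webinjects.txt configuration."""
    url_mask: str          # URL pattern; '*' is a wildcard
    flags: str             # 'G' = apply to GET responses, 'P' = apply to POST responses
    data_before: str = ""  # anchor searched for in the page (wildcards allowed)
    data_inject: str = ""  # HTML inserted after data_before
    data_after: str = ""   # optional end anchor; page text between the anchors is replaced


def mask_to_regex(mask):
    """Turn a Zeus '*' wildcard mask into a non-greedy regex that spans newlines."""
    return re.compile(re.escape(mask).replace(r"\*", ".*?"), re.DOTALL)


def parse_webinjects(text):
    """Parse the set_url / data_<section> ... data_end block structure."""
    injects, current, section, buf = [], None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("set_url "):
            parts = line.split()
            # No flags means the entry never fires (assumption; the kit requires flags).
            current = WebInject(url_mask=parts[1], flags=parts[2] if len(parts) > 2 else "")
            injects.append(current)
        elif line in ("data_before", "data_inject", "data_after"):
            section, buf = line, []
        elif line == "data_end":
            if current is not None and section is not None:
                setattr(current, section, "\n".join(buf))
            section = None
        elif section is not None:
            buf.append(raw.rstrip())
    return injects


def apply_inject(html, inj):
    """Replace everything between data_before and data_after with data_inject.
    With an empty data_after the injected HTML goes directly after data_before."""
    m_before = mask_to_regex(inj.data_before).search(html)
    if not m_before:
        return html, False
    start = end = m_before.end()
    if inj.data_after:
        m_after = mask_to_regex(inj.data_after).search(html, start)
        if not m_after:
            return html, False
        end = m_after.start()
    return html[:start] + inj.data_inject + html[end:], True


def inject_for_request(injects, url, method, html):
    """Model of the man-in-the-browser step: rewrite a response whose URL and
    method match an entry. Returns the new HTML and the masks that fired."""
    applied = []
    flag = {"GET": "G", "POST": "P"}.get(method.upper(), "")
    for inj in injects:
        if flag and flag in inj.flags and mask_to_regex(inj.url_mask).fullmatch(url):
            html, done = apply_inject(html, inj)
            if done:
                applied.append(inj.url_mask)
    return html, applied


# Constructed sample configuration: the first entry adds a PIN field to a login
# form, the second strips a security notice (empty inject between two anchors).
WEBINJECTS_TXT = """\
set_url https://bank.example/login* GP
data_before
<input type="password"*>
data_end
data_inject
<br>Card PIN: <input type="text" name="pin">
data_end
data_after
data_end
set_url https://bank.example/account* G
data_before
<div id="security-notice">
data_end
data_inject
data_end
data_after
</div>
data_end
"""

# Constructed sample pages standing in for the genuine site's responses.
LOGIN_HTML = ('<form action="/login"><input type="text" name="user">'
              '<input type="password" name="pass"><button>Sign in</button></form>')
ACCOUNT_HTML = ('<h1>Balance</h1><div id="security-notice">We never ask for your PIN.</div>'
                '<p>Your balance is 0.</p>')

if __name__ == "__main__":
    cfg = parse_webinjects(WEBINJECTS_TXT)
    print(inject_for_request(cfg, "https://bank.example/login?lang=en", "POST", LOGIN_HTML)[0])
    print(inject_for_request(cfg, "https://bank.example/account", "GET", ACCOUNT_HTML)[0])
```

A defender who recovers a webinject configuration from an infected host can run it against a saved copy of their own login page this way to see exactly which fields the operators are harvesting, and which warnings they are removing, before deciding on the customer-facing response.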
What You Can Do to Mitigate This Threat
• Zeus is mainly a client-based vector, spread by tricking users into running programs that infect their computers
• Organizational security policies and user education are crucial
• Learn how to prevent, detect, and remove Zeus infections
• Write Snort rules for Zeus traffic
• Further details on detection and mitigation are available in the full threat advisory
Threat Advisory: Zeus Crimeware Framework
• Download the threat advisory, Zeus Crimeware Kit
• The threat advisory includes mitigation details for enterprises, such as:
  • Origins and variations
  • How the kit works
  • Indicators of infection
  • The process of infection
  • Remote command execution
  • A lab simulation showing its power and threat
  • Recommended mitigation
About Prolexic (now part of Akamai)
• We have successfully stopped DDoS attacks for more than a decade
• Our global DDoS mitigation network and 24/7 security operations center (SOC) can stop even the largest attacks that exceed the capabilities of other DDoS mitigation service providers