Malevolent Zeus
Robert Lemos
It does not take Alex Heid long to break into the website's database.
With a run-of-the-mill browser and knowledge of a backdoor in the online portal, Heid makes quick work of the software's security and grabs the targeted data: A database of usernames and passwords for a variety of sites and services, from banks to email to Facebook.
Yet Heid is one of the good guys. The website is one of the many set up by a program known as Zeus -- sort of a do-it-yourself cybercrime platform that has become extremely popular for its ease of use and advanced functionality. Zeus allows digital thieves and fraudsters to create code to infect computer systems. It has software to control the legions of compromised computers, and it comes with templates to create and manage campaigns of online crime.
It's so easy to use, in fact, that many scam artists with few technical skills are turning to Zeus as a quick way to set up their own cybercriminal networks.
"It's very powerful software," says Heid, principal consultant with Information Security Services. "It is very easy to use and deploy, which is why it is so useful for beginners to get into cybercrime."
The popularity of the program has caused crime fueled by Zeus to skyrocket. Thousands of Zeus data caches litter the Internet, each containing gigabytes of information stolen from the computers of unwary consumers and businesses. More than 1,300 networks of compromised computers, also known as botnets, are currently monitored by a site known as Zeus Tracker.
The database cracked by Heid during a recent conference in Washington, D.C., for example, caches more than 14 gigabytes of data from about 20,000 hacked systems. When Heid and his team find the information, they turn it over to investigators at a large bank, who use it to protect their account holders. In another case, security firm NetWitness recently unveiled its own research into a Zeus botnet that encompassed more than 75,000 systems in nearly 2,500 companies. Another security firm, Damballa, tracks more than 200 Zeus botnets, the largest of which steals data from more than 600,000 infected computers.
Trojans and Zeus: A Greek Tragedy
Nearly point-and-click in its simplicity, the Zeus software allows fraudsters to first and foremost create an automated weapon, or trojan, to infect a user's system.
While criminals typically use Zeus to grab the digital keys to a victim's bank account, the trojan can be customized to look for specific information or take specific actions on a user’s system. Want to only grab the username and password used on Citibank's website? Zeus can do that. Want to create a log of all email messages? Zeus can do that. Want to modify a Web page to ask a user for more information -- such as the secret question protecting their account? Zeus can do that too.
With the latest code used by cybercriminals, users have no way to tell whether their systems have been compromised. Computers infected with Zeus, and many other advanced botnet programs, show no sign that a malicious outsider is in control, says Don Jackson, a threat researcher with SecureWorks.
"What does Zeus look like when it infects your computer? Well, stare at your computer now, and that's what it looks like," he says. "It's designed to do its job and do it successfully and do it silently."
Antivirus programs are generally no protection against Zeus. Less than half of antivirus scanners -- the software engines that recognize patterns in malicious code -- can detect the run-of-the-mill trojans created by the older Zeus construction kits that security researchers have been able to analyze. Newer versions of Zeus evade detection even more often, says Gunter Ollman, vice president of research for security firm Damballa.
"The kits are getting much better," he says. "Some of the newer versions create very good malware that have 0 percent detection rates."
Consultant Heid has found that simple modifications to Zeus trojans can also foil antivirus systems. Heid tested the malicious code produced by a recent version of the Zeus builder and found that less than half of antivirus programs detected the software. When he modified the program using simple techniques, the detection rate dropped to less than 10 percent.
Followers of Zeus
Zeus is not just a way of creating custom trojans, however. It's a platform for cybercrime.
While Zeus is one of many programs used to compromise and control victims' PCs, it has become popular because it can easily be used to create advanced networks of computers controlled for illicit gain. The Zeus kit comes with code to turn regular Web server software into a hub to manage the criminal's far-reaching network of bots. The server can list the compromised PCs that are currently connected to the Internet as well as statistics on the operating systems and browsers used by infected systems.
Moreover, the creators of Zeus allow other developers to add modules to the software to extend its functionality. Plug-in features called “exploit packs” can be used to create custom Zeus trojans that can infect targeted systems by exploiting software bugs in the browser, PDF viewer or other program. Other extensions allow the online fraudsters to create a custom spam campaign, sending out millions of messages from compromised systems hawking, for example, fake pharmaceuticals.
"There is a whole cottage industry around creating add-ons for Zeus," says SecureWorks' Jackson.
Zeus underscores that the same forces allowing online entrepreneurs to be successful are allowing underground criminal cabals to have similar success. Online technology has become so simple to use that regular people can create professional-looking websites and blogs with little effort. Those same forces have allowed even technology novices to join the legions of the cybercriminal underground.
A Plague on Small Business
While Zeus is a problem for many consumers, small businesses are being hit extremely hard by the malicious software.
In February, a small marketing firm based in Merrick, N.Y., had $164,000 transferred from its bank account, after a computer used for banking transactions was compromised by Zeus. Because small business accounts are not insured the same way that consumer bank accounts are, the firm's bank -- TD Bank -- has refused to refund the money, according to a recent report.
The loss is only the latest in a string of attacks on small businesses that has allowed criminals to siphon off millions of dollars. In a similar case, a California construction company had $447,000 sent from its account to overseas cybercriminals in a flurry of 27 transactions in a matter of minutes. In November, the FBI warned that cybercriminals had used similar techniques to steal more than $100 million from small businesses.
"They are attacking those companies that have real money but not real security," said Rod Rasmussen, president of Web security firm InternetIdentity.
Security firm Damballa has found that 5 to 7 percent of computers in business networks show signs of being under active control by operators of botnets, like Zeus. Among consumers, the proportion is higher: Nearly 15 percent of all systems show signs of active control, says the firm.
Careful Banking
For the average consumer, Zeus can be a nightmare of mythical proportions.
Because of its ability to evade detection by antivirus programs, Zeus can be a danger even to well-protected computers. Typically, less than half of antivirus software can detect the Zeus trojan, according to information posted on Zeus Tracker.
"The cybercrime technologies are advancing faster than the security technologies because it is easier to attack than to defend," says consultant Heid.
However, today's security programs go beyond recognizing just patterns of malicious code. Many programs also include detection based on the behavior of programs. Consumers should make sure that they are using a program that involves more than just an antivirus scanner, says Elias Levy, a program director for security response at Symantec.
"Don't just get the antivirus version of the product," says Levy. "Get the different layers that will protect you against more threats. Your security suite is not statically scanning for malware, but it is also doing protection at the browser level."
In addition, consumers should make sure that their operating system and software have all the latest patches. Attacks by Zeus and other trojans occasionally use previously unknown vulnerabilities in software to infect systems, but most of the time the bugs exploited by the attacks are old. Patching can prevent those attacks.
In addition, businesses and consumers should both consider creating a dedicated computer for banking purposes. By installing a fresh version of Windows -- or the free Linux operating system -- on a computer and using it only for banking, the user is protected against the worst impact of a Zeus attack.
And these days, preparing for the worst online is a smart strategy, says Levy.
"The reality is that you are never going to be safe 100 percent of the time, so plan for disaster recovery," he adds.
Copyright (c) 2010 Studio One Networks. All rights reserved.