ZeuS Botnet Still Mutating, Still on the Move
New capabilities are strengthening the ZeuS botnet, which criminals use to steal financial credentials and execute unauthorized transactions in online banking, automated clearing house (ACH) networks and payroll systems. The latest version of this cybercrime toolkit, which starts at about $3,000, offers a $10,000 module that can let attackers completely take control of a compromised PC.
Zeus v.1.3.4.x (code changes are always underway by the author and owner, who is believed to be one individual in Eastern Europe) has integrated a powerful remote-control function into the botnet so that the attacker can now "take complete control of the person's PC," says Don Jackson, director of threat intelligence at SecureWorks, which released an in-depth report on ZeuS last week. (See "Is Your PC Bot-Infested? Here's How to Tell.")
This new ZeuS feature, which was picked up from an older public-domain project from AT&T Bell Labs known as "Virtual Network Computing," gives ZeuS the kind of remote-control capability that might be found in a legitimate product like GoToMyPC, Jackson says. SecureWorks calls this a "total presence proxy," and it's so useful to criminals, just this one VNC module for ZeuS costs $10,000.
The Windows-based ZeuS Trojan software, which takes up about 50,000 bytes on a compromised Windows-based computer, is designed to plunder accounts in North American and United Kingdom banking systems via the victim's computer. The criminal might be located a continent away, directing unauthorized transfers of funds to accounts through elaborate command-and-control systems.
ZeuS, around since at least 2007, "was originally a spyware Trojan and it had good marketing" and became popular as botnets of all sorts proliferated, Jackson says.
A group called UpLevel was originally in a partnership working on the ZeuS source code. But today researchers suspect there's only one author of ZeuS, and this individual is now exerting tight control over the current ZeuS 1.3 (and later) versions by instituting a hardware-based copyright-protection mechanism.
SecureWorks researcher Kevin Stevens says the ZeuS hardware-based copyright mechanism is based on a hardware token method, similar to WinLicense, that takes into account a lot of hardware details about a computer before allowing the ZeuS Builder toolkit code to be unlocked by an individual.
Older versions of ZeuS are available for free, but the price for the current ZeuS and its modules, out since the end of last year, is not cheap. In the online criminal underground, fraudsters often pay for crimeware through Western Union or Web Money, according to SecureWorks.
According to a report published by SecureWorks this week, the basic ZeuS Builder kit runs $3,000 to $4,000, with another $1,500 for the "Backconnect" module to connect back to an infected machine to make financial transactions from it. This means banks that try to track money transfers will always trace it back to the computer of the account holder. To hack Windows 7 or Vista computers, criminals will have to ante up an extra $2,000 or be limited to Windows XP systems.
A "Firefox form grabber," costing another $2,000, lets a criminal grab data out of fields that are submitted using the Firefox Web browser, such as usernames and passwords for banks. A "Jabber (IM) chat notifier," costing another $500, will let the attacker get stolen data immediately in order to access the victim's account after the victim logs in using a token provided by the bank to randomly generate numbers. And the VNC module, which allows the attacker to get around any smartcard that's required for large-dollar transactions, is $10,000.
The latest version is also designed to blow through the most current defenses in place regarding two-factor and other authentication in banking systems, and is especially oriented toward facilitating high-dollar transactions of $100,000 or more, Jackson notes.
"Zeus automatically detects top-tier, gold-level targets" associated with online banking services, Jackson says. A signal is given to the botnet controller, and a highly automated transfer can be made into accounts the attacker desires.
There are many stories starting to appear of companies complaining about unauthorized ACH transfers, or fake employees fraudulently added to automated payroll systems, when high-dollar amounts are transferred into accounts where banks either can't or won't retrieve these sums.
Jackson says the latest version of ZeuS gets around most of the advanced online authentication mechanisms used by banks today, with perhaps the exception of a transaction approval process based on at least two people, often randomly selected from a pool of people trained for this purpose, who manually authorize a transfer. "It's an arms race," he says.
The upcoming version of ZeuS, v.1.4, is still in beta but promises yet more deadly features. Its "Web Injects for Firefox" capability, for instance, would let the attacker present a screen on the fly in the Firefox browser in order to elicit more sensitive information during the banking transaction by pretending the bank needs the information. The ZeuS Trojan is also getting polymorphic encryption to re-encrypt itself to appear unique each time, thus making it even more difficult for anti-virus software to detect it.
Read more about wide area network in Network World's Wide Area Network section.