The Zeus botnet has become one of the most dangerous botnets in history because of the targeted crimes that have been committed using the malware it propagates and the ease with which attackers commit the crimes. In this tip, we'll review what makes Zeus such a unique problem for enterprises and how best to defend against it.
Zeus has been delivering its payloads in a couple of different ways, and the exploits used depend on the version of Zeus and the options chosen by the attacker. Zeus has been bundled with various exploit kits and has even been bundled with rogue antivirus software. Since Zeus is a Trojan, it doesn't self-replicate, so it is usually installed by piggybacking on other malware. Initially, Internet Explorer exploits were used to install the malware on systems, but recent advances have included using the PDF launch feature to infect the local system.
Zeus initially was used to target Web credentials for financial institutions, but can be configured to look for credentials for stock brokerages, 401ks and the like, as well as other types of websites, including shopping and social networking sites. In brief, the Trojan steals these credentials and typically transmits the data back to controllers via the botnet network. Criminals then log in to the compromised accounts and transfer money via ACH transactions out of the accounts to money mules. Businesses and business accounts are also vulnerable to this same attack, and are in fact more attractive because of the larger amounts of currency that may be available in such accounts. Worse yet, ACH transactions do not have the same legal protections as credit card transactions in the event of a fraudulent transaction, which only further complicates cleaning up the financial problems from a Zeus infection.
Even though Zeus botnet analysis efforts show that its attacks continue to become more sophisticated and difficult to detect, there are ways to prevent the Zeus botnet from doing financial damage to your organization. To completely prevent damage, consider limiting the functionality of the high-risk client computers in the organization, namely the systems issued to those who are authorized to access sensitive financial accounts and account data. Another strategy is to use a dedicated computer for financial transactions. This machine would live on an isolated virtual LAN (vLAN), or a physical network firewalled and isolated from the rest of the network, so that even if another client on the network gets infected, the dedicated computer would likely remain secure. I recommend configuring this computer – ideally a Linux- or Mac OS X-based machine – so the only function it can perform is to run a Web browser to reach your banking or specified financial website, which prevents this computer from getting infected through other means. This locked-down computer could even be a virtual desktop on a secure virtual infrastructure that you remotely connect to when conducting transactions.
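One way to enforce the browser-only, bank-only restriction described above, as an added example that is not from the original article: a small Python script that renders the egress allow-list for the dedicated machine as an nftables ruleset and re-checks a connection log against the same list, so a beacon to an unexpected host stands out. All addresses and log lines are constructed placeholders, not real bank or controller infrastructure.

```python
"""Egress allow-list for a dedicated banking workstation (added example, not from
the article). Renders the "only reach the bank's site" rule as an nftables
ruleset and re-checks a connection log against the same allow-list.
Addresses and log lines are constructed placeholders."""
import ipaddress
import re

ALLOWED_HTTPS = {"192.0.2.10", "192.0.2.11"}  # constructed bank front ends (TEST-NET-1)
RESOLVER = "10.0.0.53"                         # constructed internal DNS resolver
LOG_RE = re.compile(r"dst=(?P<dst>[\d.]+) dport=(?P<port>\d+) proto=(?P<proto>\w+)")


def is_allowed(dst: str, port: int, proto: str) -> bool:
    """True only for traffic the locked-down host may originate: HTTPS to the
    bank and DNS to the internal resolver. Everything else is denied."""
    ipaddress.ip_address(dst)  # reject malformed addresses instead of silently passing
    if proto == "tcp" and port == 443 and dst in ALLOWED_HTTPS:
        return True
    return proto == "udp" and port == 53 and dst == RESOLVER


def violations(log_lines):
    """Connection attempts outside the allow-list, e.g. a bot beaconing to its controller."""
    out = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if m and not is_allowed(m["dst"], int(m["port"]), m["proto"]):
            out.append((m["dst"], int(m["port"]), m["proto"]))
    return out


def nftables_ruleset() -> str:
    """The same policy as an nftables output chain with a default drop."""
    lines = [
        "table inet banking {",
        "  chain output {",
        "    type filter hook output priority 0; policy drop;",
        "    oif lo accept",
        "    ct state established,related accept",
        f"    ip daddr {RESOLVER} udp dport 53 accept",
    ]
    lines += [f"    ip daddr {ip} tcp dport 443 accept" for ip in sorted(ALLOWED_HTTPS)]
    lines += ['    log prefix "banking-egress-drop " drop', "  }", "}"]
    return "\n".join(lines)


SAMPLE_LOG = [  # constructed: two permitted flows and one that should be blocked
    "dst=10.0.0.53 dport=53 proto=udp",
    "dst=192.0.2.10 dport=443 proto=tcp",
    "dst=198.51.100.7 dport=8080 proto=tcp",
]
```

Load the rendered ruleset with `nft -f` on the dedicated host, and feed its own connection log (or the firewall's drop log) through `violations()` to confirm nothing but bank HTTPS and resolver DNS ever leaves the machine.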
The scope of the Zeus botnet threat has been increasing as criminals expand and improve the functionality of the Zeus criminal toolkit. Don't fall prey to the outdated belief that Zeus only targets the banking industry; a much wider variety of websites and organizations are now at risk. Given the sophistication and profitability of Zeus, it seems unlikely that it will go away anytime soon, but the strategies mentioned above, combined with recent advances in transaction-based strong authentication, may help limit the effectiveness of Zeus.
About the author:
Nick Lewis (CISSP, GCWN) is an information security analyst for a large Public Midwest University responsible for the risk management program and also supports its technical PCI compliance program. Nick received his Master of Science in Information Assurance from Norwich University in 2005 and Telecommunications from Michigan State University in 2002. Prior to joining his current organization in 2009, Nick worked at Children's Hospital Boston, the primary pediatric teaching hospital of Harvard Medical School, as well as for Internet2 and Michigan State University. He also answers your information security threat questions.
This was first published in June 2010