Zeus botnet analysis: Past, present and future threats

The Zeus botnet has become one of the most dangerous botnets in history because of the targeted crimes that have been committed using the malware it propagates and the ease with which attackers commit the crimes. In this tip, we'll review what makes Zeus such a unique problem for enterprises and how best to defend against it.

The Zeus botnet is really a criminal toolkit for developing custom, hard-to-detect Trojans. Because of the many different capabilities that can be included in the Trojan and how quickly its executables change, it has been remarkably successful in helping cybercriminals infect local systems, build command-and-control infrastructure and host phishing attack websites. There are even reports of enterprising criminals selling Zeus in a Software-as-a-Service (SaaS) model, making life even easier for criminals.

Zeus has been delivering its payloads in a couple of different ways, and the exploits used depend on the version of Zeus and the options chosen by the attacker. Zeus has been bundled with various exploit kits and has even been bundled with rogue antivirus software. Since Zeus is a Trojan, it doesn't self-replicate, so it is usually installed by piggybacking on other malware. Initially, Internet Explorer exploits were used to install the malware on systems, but recent advances have included using the PDF launch feature to infect the local system.

Zeus initially was used to target Web credentials for financial institutions, but can be configured to look for credentials for stock brokerages, 401ks and the like, as well as other types of websites, including shopping and social networking sites. In brief, the Trojan steals these credentials and typically transmits the data back to controllers via the botnet network. Criminals then log in to the compromised accounts and transfer money via ACH transactions out of the accounts to money mules. Businesses and business accounts are also vulnerable to this same attack, and are in fact more attractive because of the larger amounts of currency that may be available in such accounts. Worse yet, ACH transactions do not have the same legal protections as credit card transactions in the event of a fraudulent transaction, which only further complicates cleaning up the financial problems from a Zeus infection.

Even though Zeus botnet analysis efforts show that its attacks continue to become more sophisticated and difficult to detect, there are ways to prevent the Zeus botnet from doing financial damage to your organization. To completely prevent damage, consider limiting the functionality of the high-risk client computers in the organization, namely the systems issued to those who are authorized to access sensitive financial accounts and account data. Another strategy is to use a dedicated computer for financial transactions. This machine would live on an isolated virtual LAN (VLAN), or on a physical network firewalled off and isolated from the rest of the network, so that even if another client on the network gets infected, the dedicated computer would likely remain secure. I recommend configuring this computer – ideally a Linux- or Mac OS X-based machine – so the only function it can perform is to run a Web browser to reach your banking or specified financial website, which prevents this computer from getting infected through other means. This locked-down computer could even be a virtual desktop on a secure virtual infrastructure that you remotely connect to when conducting transactions.

Since this strategy may not be possible in all enterprises, other best practices to protect clients from Zeus include restricting Web browser functions, including some or all of the following: running an application whitelisting tool with only the browser allowed; banning browser plug-ins; disabling JavaScript or ActiveX controls; and, if necessary, only allowing the required websites to run JavaScript or specified active controls. Some financial institutions install additional security software on high-risk users' computers that provides additional Web browser security. Also follow the basic best practices mentioned in my prior columns for protecting clients from malware, most notably running the most up-to-date versions of Web browsers and other applications.

Unfortunately, the most practical and cost-effective strategy may simply be to respond as quickly as possible when a Zeus-related attack occurs and seek to limit the damage as much as possible. A key technology to help with that effort is a network-based antimalware device or other network blocks. Some network-based antimalware devices specifically target botnet command-and-control communications protocols, which could block Zeus Trojans from communicating with the botnet. Network blocks are where the IPs of known bad websites are null-routed or otherwise blocked at a firewall. You could use the data from the Zeus Tracker website, where the IPs of known command-and-control servers are published, for these blocks, but this might require significant management effort. You could even decide not to use online banking or financial transactions for your organization, but this may be too extreme.
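As an added example (not the author's code), the Python below works through the network-block step described above: validating a command-and-control IP blocklist feed before turning it into null routes, and checking firewall log lines against it so infected clients can be found quickly. The feed format, the log line format and every address are constructed assumptions; the real Zeus Tracker feed is not reproduced here.

```python
import ipaddress
import re
# Constructed sample feed: '#' comments, one IPv4 address or CIDR per line (assumed format).
SAMPLE_FEED = """\
203.0.113.10
198.51.100.0/24
192.168.1.5    # an internal address that must never be null-routed from a feed
not-an-address
203.0.113.10
"""

# Constructed firewall log lines in an assumed key=value style.
SAMPLE_LOGS = [
    "2010-06-01T10:00:01 action=allow src=10.0.0.12 dst=203.0.113.10 dport=80",
    "2010-06-01T10:00:02 action=allow src=10.0.0.15 dst=192.0.2.44 dport=443",
    "2010-06-01T10:00:03 action=allow src=10.0.0.12 dst=198.51.100.77 dport=8080",
]

# Ranges a feed must never blackhole: RFC 1918, loopback, link-local, multicast, broadcast.
NEVER_BLOCK = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "169.254.0.0/16", "224.0.0.0/4", "0.0.0.0/8", "255.255.255.255/32")]

def parse_feed(text):
    """Unique, safe-to-block networks from a feed; comments, junk and internal ranges are skipped."""
    nets = []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            continue  # malformed line: drop it rather than abort the whole update
        if net in nets or any(net.overlaps(r) for r in NEVER_BLOCK):
            continue
        nets.append(net)
    return nets

def blackhole_routes(nets):
    """Linux null routes implementing the 'network block' the article describes."""
    return [f"ip route add blackhole {net.with_prefixlen}" for net in nets]

DST_RE = re.compile(r"\bdst=(\d+\.\d+\.\d+\.\d+)\b")

def flag_c2_connections(log_lines, nets):
    """Log lines whose destination falls inside a blocklisted network, for triage."""
    return [line for line in log_lines
            if (m := DST_RE.search(line))
            and any(ipaddress.ip_address(m.group(1)) in n for n in nets)]
```

The internal-range filter matters because a mistyped or poisoned feed line would otherwise let the blocklist update itself black-hole internal traffic; the flagged log lines give the source hosts to pull from the network first.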

The scope of the Zeus botnet threat has been increasing as criminals expand and improve the functionality of the Zeus criminal toolkit. Don't fall prey to the outdated belief that Zeus only targets the banking industry; a much wider variety of websites and organizations are now at risk. Given the sophistication and profitability of Zeus, it seems unlikely that it will go away anytime soon, but the strategies mentioned above, combined with recent advances in transaction-based strong authentication, may help limit the effectiveness of Zeus.

About the author:
Nick Lewis (CISSP, GCWN) is an information security analyst for a large public Midwest university, responsible for the risk management program, and also supports its technical PCI compliance program. Nick received his Master of Science in Information Assurance from Norwich University in 2005 and a degree in Telecommunications from Michigan State University in 2002. Prior to joining his current organization in 2009, Nick worked at Children's Hospital Boston, the primary pediatric teaching hospital of Harvard Medical School, as well as for Internet2 and Michigan State University. He also answers your information security threat questions.

This was first published in June 2010