Transcript
Page 1: DDoS Attack Threats: Zeus Crimeware Kit Threat Advisory (Akamai presentation)

The Zeus Crimeware Kit – An Insidious Threat

Highlights from a Prolexic DDoS Threat Advisory

Page 2

©2014 AKAMAI | FASTER FORWARDTM

What is Zeus?

•  Zeus is the most used and most effective crimeware kit ever observed by the Internet security community

•  First appeared in late 2007, primarily used to steal banking credentials from infected computers

•  Focus has recently shifted to infecting and controlling zombie computers, with the ability to inject executable payloads and bot malware into infected computers

Page 3

Why is Zeus So Dangerous?

•  Requires extremely little skill for attackers to use – setting it up and generating a payload is accomplished with a simple GUI

•  Can be combined with other attack tools that are used as Zeus payloads

•  Has a very high level of control over infected computers

•  Can exfiltrate large quantities of information, up to and including screenshots and passwords

Page 4

Why is Zeus so Dangerous (continued)

•  Zeus payloads are extremely stealthy – infected hosts may never realize they’ve been zombified

•  Uses a number of powerful techniques to evade detection:
  • Hidden files
  • Obfuscated content
  • Disables firewalls directly
  • Distributed, random communication

•  Antivirus detection rate is estimated at only 39 percent

Page 5

Zeus Commands: What Zeus Can Do

Page 6

Cloud Services at Risk

•  Lately, the Zeus framework has targeted Software-as-a-Service (SaaS) and Platform-as-a-Service (PaaS) infrastructures

•  SaaS/PaaS instances allow attackers to exploit the extensive bandwidth and processing power of cloud vendors

•  PLXSert has observed well-known cloud-services vendor IPs among the sources of many DDoS attacks

Page 7

The Webinjects Configuration

•  Webinjects is an insidious Zeus capability used to attack specific cloud services

•  Zeus can inject custom code into websites and apps as the browser displays them

•  Tricks users into providing personal information or sensitive credentials

Page 8

What You Can Do to Mitigate This Threat

•  Zeus is mainly a client-based vector, spread by tricking users into running programs that infect their computer

•  Organizational security policies and user education are crucial

•  Learn how to prevent, detect, and remove Zeus infections

•  Write Snort rules for Zeus traffic

•  Further details on detection and mitigation are available in the full threat advisory

Page 9

Threat Advisory: Zeus Crimeware Framework

•  Download the threat advisory, Zeus Crimeware Kit

•  The threat advisory includes mitigation details for enterprises, such as:
  • Origins and variations
  • How the kit works
  • Indicators of infestation
  • The process of infection
  • Remote command execution
  • A lab simulation showing its power and threat
  • Recommended mitigation

Page 10

About Prolexic (now part of Akamai)

•  We have successfully stopped DDoS attacks for more than a decade

•  Our global DDoS mitigation network and 24/7 security operations center (SOC) can stop even the largest attacks that exceed the capabilities of other DDoS mitigation service providers
