The Zeus Crimeware Kit – An Insidious Threat
Highlights from a Prolexic DDoS Threat Advisory
©2014 AKAMAI | FASTER FORWARD™
What is Zeus?
• Zeus is the most used and most effective crimeware kit ever observed by the Internet security community
• First appeared in late 2007, primarily used to steal banking credentials from infected computers
• Focus has recently shifted to infecting and controlling zombie computers, with the ability to inject executable payloads and bot malware into infected computers
Why is Zeus So Dangerous?
• Requires extremely little skill for attackers to use – setting it up and generating a payload is accomplished with a simple GUI
• Can be combined with other attack tools that are used as Zeus payloads
• Has a very high level of control over infected computers
• Can exfiltrate large quantities of information, up to and including screenshots and passwords
Why is Zeus so Dangerous (continued)
• Zeus payloads are extremely stealthy – infected hosts may never realize they’ve been zombified
• Uses a number of powerful techniques to evade detection:
  • Hidden files
  • Obfuscated content
  • Disables firewalls directly
  • Distributed, random communication
• Antivirus detection rate is estimated at only 39 percent
Zeus Commands: What Zeus Can Do
Cloud Services at Risk
• Lately, the Zeus framework has targeted Software-as-a-Service (SaaS) and Platform-as-a-Service (PaaS) infrastructures
• Infected SaaS/PaaS instances give attackers the extensive bandwidth and processing power of cloud vendors
• PLXSert has observed well-known cloud-services vendor IPs among the sources of many DDoS attacks
The Webinjects Configuration
• Webinjects are an insidious Zeus capability used to attack specific web and cloud services
• Zeus can inject custom code into websites and apps as the browser displays them
• Tricks users into providing personal information or sensitive credentials
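The webinject mechanism described above, as an added example that is not code from the advisory or from Zeus itself. The config grammar (set_url / data_before / data_inject / data_after blocks, each closed by data_end) follows the publicly documented Zeus 2.x webinjects.txt layout, but the matching is a simplified model: the inject is placed directly after the data_before match and, when data_after is given, replaces whatever lies between the two anchors. The bank URL, the login page and the injected "ATM PIN" field are all constructed for this example.

```python
"""Toy model of a Zeus-style webinject, added here as an illustration.

Simplified semantics (assumption, not the bot's exact behaviour): the inject
goes right after the data_before match and, if data_after is present,
replaces everything between the two anchors. URL, page and injected field
are constructed for this example.
"""
import fnmatch
import re

# Constructed config: add a fake "ATM PIN" field to the bank's login form.
SAMPLE_CONFIG = """\
set_url https://bank.example.com/login* GP
data_before
<input type="password" name="password"*>
data_end
data_inject
<br>ATM PIN: <input type="text" name="atm_pin">
data_end
data_after
<button
data_end
"""

# Constructed login page as the server actually sent it.
SAMPLE_PAGE = """\
<html><body>
<form action="/login" method="POST">
Username: <input type="text" name="user"><br>
Password: <input type="password" name="password" autocomplete="off">
<button type="submit">Sign in</button>
</form>
</body></html>
"""


def parse_webinjects(text):
    """Parse webinjects.txt-style text into a list of rule dicts."""
    rules, current, block, buf = [], None, None, []
    for line in text.splitlines():
        if line.startswith("set_url "):
            parts = line.split(None, 2)          # set_url <mask> [flags]
            current = {"url": parts[1], "flags": parts[2] if len(parts) > 2 else "",
                       "before": "", "inject": "", "after": ""}
            rules.append(current)
        elif line in ("data_before", "data_inject", "data_after"):
            block, buf = line[len("data_"):], []
        elif line == "data_end":
            if current is not None and block is not None:
                current[block] = "\n".join(buf)
            block = None
        elif block is not None:
            buf.append(line)
    return rules


def _wild_to_regex(pattern):
    """Zeus anchors use '*' as a wildcard; everything else is literal."""
    return ".*?".join(re.escape(part) for part in pattern.split("*"))


def apply_webinjects(url, html, rules):
    """Rewrite `html` with every rule whose URL mask matches `url`."""
    for rule in rules:
        if not fnmatch.fnmatchcase(url, rule["url"]):
            continue
        before = re.search(_wild_to_regex(rule["before"]), html, re.S)
        if not before:
            continue
        start = end = before.end()
        if rule["after"]:
            after = re.search(_wild_to_regex(rule["after"]), html[start:], re.S)
            if not after:
                continue
            end = start + after.start()
        html = html[:start] + rule["inject"] + html[end:]
    return html


_INPUT_NAME = re.compile(r'<input\b[^>]*\bname="([^"]+)"', re.I)


def injected_fields(original, modified):
    """Defender's view: input names present in the rendered page but absent
    from what the server sent. A server-side check of submitted field names
    against the form it generated catches the same thing."""
    expected = set(_INPUT_NAME.findall(original))
    return [n for n in _INPUT_NAME.findall(modified) if n not in expected]


if __name__ == "__main__":
    rules = parse_webinjects(SAMPLE_CONFIG)
    page = apply_webinjects("https://bank.example.com/login?lang=en", SAMPLE_PAGE, rules)
    print(page)
    print("unexpected fields:", injected_fields(SAMPLE_PAGE, page))
```

The rewritten page still posts to the bank's real /login action, which is why a user sees a legitimate-looking site with one extra question; the server never generated that field, so a form-field whitelist on the server (the `injected_fields` idea, applied to the submitted parameters) is a cheap way to notice it.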
What You Can Do to Mitigate This Threat
• Zeus is mainly a client-based vector, spread by tricking users into running programs that infect their computer
• Organizational security policies and user education are crucial
• Learn how to prevent, detect, and remove Zeus infections
• Write Snort rules for Zeus traffic
• Further details on detection and mitigation are available in the full threat advisory
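A worked detection example for the "write rules for Zeus traffic" point above, added here and not taken from the advisory. Early Zeus builds pulled an encrypted config file and then reported to a PHP "gate" on a fixed timer; the script models that as one client fetching a *.bin from a host and then POSTing to a *.php path on the same host at near-constant intervals. The indicator names (config.bin, gate.php), the thresholds, the log format and the log lines are all constructed for this example; a Snort rule would encode the same URI and body-size features on the wire. Note the caveat from the evasion slide: a bot that randomises its check-in timing defeats the interval test, so in practice the timing signal is paired with content matches rather than used alone.

```python
"""Toy triage of proxy logs for a Zeus-style check-in, added as an illustration.

Model (assumption, not a rule from the advisory): a host that served a *.bin
file to a client and then receives POSTs to a *.php path from that client at
a near-constant period looks like config pull + gate beacon. Log format and
lines are constructed for this example.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log, one request per line:
# <utc time> <client ip> <method> <host> <path> <status> <request bytes>
SAMPLE_LOG = """\
2014-03-05T10:00:02Z 10.0.0.7 GET  cdn.example-update.net /news/config.bin 200 3921
2014-03-05T10:00:05Z 10.0.0.7 POST cdn.example-update.net /news/gate.php 200 174
2014-03-05T10:01:05Z 10.0.0.7 POST cdn.example-update.net /news/gate.php 200 174
2014-03-05T10:02:05Z 10.0.0.7 POST cdn.example-update.net /news/gate.php 200 174
2014-03-05T10:03:06Z 10.0.0.7 POST cdn.example-update.net /news/gate.php 200 174
2014-03-05T10:00:40Z 10.0.0.9 GET  www.example.com /index.html 200 8812
2014-03-05T10:07:12Z 10.0.0.9 POST www.example.com /search.php 200 2211
2014-03-05T10:21:55Z 10.0.0.9 POST www.example.com /search.php 200 1730
"""


def parse_log(text):
    """Turn the whitespace-separated log into a list of dicts."""
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, path, status, size = line.split()
        rows.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                     "client": client, "method": method, "host": host,
                     "path": path, "status": int(status), "size": int(size)})
    return rows


def find_beacons(rows, min_hits=3, max_jitter=0.1):
    """Return (client, host, path) groups that look like a config pull followed
    by periodic gate POSTs. `max_jitter` is stdev/mean of the POST intervals."""
    posts = defaultdict(list)
    config_pulls = set()
    for r in rows:
        if r["method"] == "GET" and r["path"].lower().endswith(".bin"):
            config_pulls.add((r["client"], r["host"]))
        elif r["method"] == "POST" and r["path"].lower().endswith(".php"):
            posts[(r["client"], r["host"], r["path"])].append(r)

    hits = []
    for (client, host, path), reqs in posts.items():
        if len(reqs) < min_hits or (client, host) not in config_pulls:
            continue
        reqs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(reqs, reqs[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        jitter = pstdev(gaps) / avg
        if jitter <= max_jitter:
            hits.append({"client": client, "host": host, "path": path,
                         "count": len(reqs), "period_s": round(avg, 1),
                         "jitter": round(jitter, 3)})
    return hits


if __name__ == "__main__":
    for hit in find_beacons(parse_log(SAMPLE_LOG)):
        print(hit)
```

Only 10.0.0.7 is flagged: it fetched a .bin and then hit gate.php every 60 s with almost no jitter, whereas 10.0.0.9's two irregular POSTs to a search page never reach the minimum count. Tune `min_hits` and `max_jitter` against your own baseline before alerting on this; both thresholds here are illustrative.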
Threat Advisory: Zeus Crimeware Framework
• Download the threat advisory, Zeus Crimeware Kit
• The threat advisory includes mitigation details for enterprises, such as:
  • Origins and variations
  • How the kit works
  • Indicators of infestation
  • The process of infection
  • Remote command execution
  • A lab simulation showing its power and threat
  • Recommended mitigation
About Prolexic (now part of Akamai)
• We have successfully stopped DDoS attacks for more than a decade
• Our global DDoS mitigation network and 24/7 security operations center (SOC) can stop even the largest attacks that exceed the capabilities of other DDoS mitigation service providers