Categories: Cyber Crime, Malware

Zeus malware is hard to eradicate, and the criminal ecosystem keeps innovating on it

The Prolexic Security Engineering and Response Team has issued a study on the possible uses of Zeus malware, attributing its success to its versatility.

"Zeus malware never dies" sounds like the title of a film, but reality outdoes fiction: Zeus keeps going despite the recent success of law enforcement agencies in the takedown of Gameover Zeus and the recent emergence of Pandemiya, a trojan written from scratch and sold in the underground.

Zeus malware is a versatile agent that was used in the past for banking fraud and botnet recruiting; a recent report on the evolution of the Zeus trojan by Prolexic shows that the popular malware is now being used to control botnets and launch distributed denial of service (DDoS) attacks.

“Over the years, the Zeus framework has evolved from focusing on the harvesting of banking credentials to being used in the control of hosts (zombies) for many types of crime, including customized attacks to target specific platform-as-a-service (PaaS) and software-as-a-service (SaaS) infrastructures of Fortune 500 enterprises.” 

“The Zeus framework allows operators to place executables on the zombie systems they control. PLXSert has observed traffic in DDoS attack campaigns where the Zeus framework and the Dirt Jumper DDoS toolkit appear to be combined, specifically Zeus appears to be used to build the botnet and drop DDoS malware payloads such as Dirt Jumper onto them,” states the study from the Prolexic Security Engineering and Response Team (PLXsert).

Cybercriminals are using Zeus malware to drop DDoS payloads onto infected hosts; the recently shut down Gameover Zeus is an example of this type of use.

“The powerful Zeus kit was available in the DDoS underground marketplace for a price that is said to have reached US$10,000. Recently, the use of the kit has expanded beyond the banking industry to other verticals and new features have been added. The Zeus toolkit now allows for the transfer of payloads and executables to infected machines, effectively expanding the use of its compromised hosts for other malicious purposes.”

Malware authors are building their own versions of Zeus that deploy multiple payloads and exploit different attack vectors. These variants are able to target cloud-based platform-as-a-service (PaaS) and software-as-a-service (SaaS) infrastructures; in early 2014 I wrote about a Zeus malware variant that implements a web-crawling feature to hit software-as-a-service applications and obtain access to proprietary data or code. Many of the custom varieties seek login information for cloud services, and PLXSert claims it has observed well-known cloud service vendors among the sources of many DDoS campaigns.

“Attackers use the webinjects configuration to customize attacks for specific cloud-based applications,” states the report. “This feature is commercialized in the underground – malicious actors sell customized Zeus webinjects for these purposes. In the past, webinjects were customized specifically for banking sites. Webinjects are now being adapted to target specific web applications.”

Webinjects modify the HTML of web pages, adding maliciously crafted fields that are displayed to victims to trick them into providing personal information and other kinds of sensitive data.

The capabilities of malware specialists and their efforts to improve the core functionality of Zeus are impressive. For example, many instances are able to detect the presence of other Zeus variants on the victim’s machine and disinfect them, while other authors focus on developing obfuscated payloads that make the malicious agent harder to detect and block.

New variants of Zeus malware have been designed to be very user-friendly and require little effort to set up, even for large-scale malicious campaigns; in many cases criminal organizations offer the malware as a service.

The C&C panel includes all the files and functions necessary to manage a botnet, and the Zeus toolkit requires very little skill to operate: “the Zeus operator simply runs the /install/index.php page and provides some basic information – a username, passwords for the panel and the MySQL database, and the encryption key to be used for bot communication with the control panel.”

The Zeus panel also comes with a number of remote commands that can be executed on victims’ machines, ranging from operating system administrative tasks and remote file execution to controlling the behavior of web browsers.

“Criminal demand will drive malicious actors to develop payloads and features, seeking distribution and monetization in the crime ecosystem. The popularity of Zeus crimeware will continue due to its ease of use, easy setup and versatility.”

As confirmed by experts at Prolexic, in the near future the cybercriminal ecosystem will deliver further enhancements to the Zeus malware toolkit, including new crimeware kits. Zeus is not dead!

Pierluigi Paganini

(Security Affairs – DDoS, Zeus)
