Zeus (malware)

Last updated

Zeus is a Trojan horse malware package that runs on versions of Microsoft Windows. It is often used to steal banking information by man-in-the-browser keystroke logging and form grabbing. [1] Zeus is spread mainly through drive-by downloads and phishing schemes. First identified in July 2007 when it was used to steal information from the United States Department of Transportation, [2] it became more widespread in March 2009. In June 2009 security company Prevx discovered that Zeus had compromised over 74,000 FTP accounts on websites of such companies as the Bank of America, NASA, Monster.com, ABC, Oracle, Play.com, Cisco, Amazon, and BusinessWeek . [3] Similarly to Koobface, Zeus has also been used to trick victims of technical support scams into giving the scam artists money through pop-up messages that claim the user has a virus, when in reality they might have no viruses at all. The scammers may use programs such as Command prompt or Event viewer to make the user believe that their computer is infected. [4]

Contents

Detection

Zeus is very difficult to detect even with up-to-date antivirus and other security software as it hides itself using stealth techniques. [5] It is considered that this is the primary reason why the Zeus malware has become the largest botnet on the Internet: Damballa estimated that the malware infected 3.6 million PCs in the U.S. in 2009. [6] Security experts are advising that businesses continue to offer training to users to teach them to not to click on hostile or suspicious links in emails or Web sites, and to keep antivirus protection up to date. Antivirus software does not claim to reliably prevent infection; for example Symantec's Browser Protection says that it can prevent "some infection attempts". [7]

FBI crackdown

FBI: The Zeus Fraud Scheme FBI Fraud Scheme Zeus Trojan.jpg
FBI: The Zeus Fraud Scheme

In October 2010 the US FBI announced that hackers in Eastern Europe had managed to infect computers around the world using Zeus. [8] The virus was distributed in an e-mail, and when targeted individuals at businesses and municipalities opened the e-mail, the trojan software installed itself on the victimized computer, secretly capturing passwords, account numbers, and other data used to log into online banking accounts.

The hackers then used this information to take over the victims’ bank accounts and make unauthorized transfers of thousands of dollars at a time, often routing the funds to other accounts controlled by a network of money mules, paid a commission. Many of the U.S. money mules were recruited from overseas. They created bank accounts using fake documents and false names. Once the money was in the accounts, the mules would either wire it back to their bosses in Eastern Europe, or withdraw it in cash and smuggle it out of the country. [9]

More than 100 people were arrested on charges of conspiracy to commit bank fraud and money laundering, over 90 in the US, and the others in the UK and Ukraine. [10] Members of the ring had stolen $70 million.

In 2013 Hamza Bendelladj, known as Bx1 online, was arrested in Thailand [11] and deported to Atlanta, Georgia, USA. Early reports said that he was the mastermind behind ZeuS. He was accused of operating SpyEye (a bot functionally similar to ZeuS) botnets, and suspected of also operating ZeuS botnets. He was charged with several counts of wire fraud and computer fraud and abuse. [12] Court papers allege that from 2009 to 2011 Bendelladj and others "developed, marketed, and sold various versions of the SpyEye virus and component parts on the Internet and allowed cybercriminals to customize their purchases to include tailor-made methods of obtaining victims’ personal and financial information". It was also alleged that Bendelladj advertised SpyEye on Internet forums devoted to cyber- and other crimes and operated Command and Control servers. [13] The charges in Georgia relate only to SpyEye, as a SpyEye botnet control server was based in Atlanta.

Possible retirement of creator

In late 2010, a number of Internet security vendors including McAfee and Internet Identity claimed that the creator of Zeus had said that he was retiring and had given the source code and rights to sell Zeus to his biggest competitor, the creator of the SpyEye trojan. However, those same experts warned the retirement was a ruse and expect the developer to return with new tricks. [14] [15]

See also

Related Research Articles

<span class="mw-page-title-main">Timeline of computer viruses and worms</span> Computer malware timeline

This timeline of computer viruses and worms presents a chronological timeline of noteworthy computer viruses, computer worms, Trojan horses, similar malware, related research and events.

Linux malware includes viruses, Trojans, worms and other types of malware that affect the Linux family of operating systems. Linux, Unix and other Unix-like computer operating systems are generally regarded as very well-protected against, but not immune to, computer viruses.

<span class="mw-page-title-main">Botnet</span> Collection of compromised internet-connected devices controlled by a third party

A botnet is a group of Internet-connected devices, each of which runs one or more bots. Botnets can be used to perform Distributed Denial-of-Service (DDoS) attacks, steal data, send spam, and allow the attacker to access the device and its connection. The owner can control the botnet using command and control (C&C) software. The word "botnet" is a portmanteau of the words "robot" and "network". The term is usually used with a negative or malicious connotation.

Rogue security software is a form of malicious software and internet fraud that misleads users into believing there is a virus on their computer and aims to convince them to pay for a fake malware removal tool that actually installs malware on their computer. It is a form of scareware that manipulates users through fear, and a form of ransomware. Rogue security software has been a serious security threat in desktop computing since 2008. An early example that gained infamy was SpySheriff and its clones, such as Nava Shield.

Srizbi BotNet is considered one of the world's largest botnets, and responsible for sending out more than half of all the spam being sent by all the major botnets combined. The botnets consist of computers infected by the Srizbi trojan, which sent spam on command. Srizbi suffered a massive setback in November 2008 when hosting provider Janka Cartel was taken down; global spam volumes reduced up to 93% as a result of this action.

Man-in-the-browser, a form of Internet threat related to man-in-the-middle (MITM), is a proxy Trojan horse that infects a web browser by taking advantage of vulnerabilities in browser security to modify web pages, modify transaction content or insert additional transactions, all in a covert fashion invisible to both the user and host web application. A MitB attack will be successful irrespective of whether security mechanisms such as SSL/PKI and/or two- or three-factor authentication solutions are in place. A MitB attack may be countered by using out-of-band transaction verification, although SMS verification can be defeated by man-in-the-mobile (MitMo) malware infection on the mobile phone. Trojans may be detected and removed by antivirus software;, but a 2011 report concluded that additional measures on top of antivirus software were needed.

Form grabbing is a form of malware that works by retrieving authorization and log-in credentials from a web data form before it is passed over the Internet to a secure server. This allows the malware to avoid HTTPS encryption. This method is more effective than keylogger software because it will acquire the user’s credentials even if they are input using virtual keyboard, auto-fill, or copy and paste. It can then sort the information based on its variable names, such as email, account name, and password. Additionally, the form grabber will log the URL and title of the website the data was gathered from.

Alureon is a trojan and rootkit created to steal data by intercepting a system's network traffic and searching for banking usernames and passwords, credit card data, PayPal information, social security numbers, and other sensitive user data. Following a series of customer complaints, Microsoft determined that Alureon caused a wave of BSoDs on some 32-bit Microsoft Windows systems. The update, MS10-015, triggered these crashes by breaking assumptions made by the malware author(s).

Avalanche was a criminal syndicate involved in phishing attacks, online bank fraud, and ransomware. The name also refers to the network of owned, rented, and compromised systems used to carry out that activity. Avalanche only infected computers running the Microsoft Windows operating system.

<span class="mw-page-title-main">Seculert</span> Israeli cloud-based cyber security technology

Seculert was a cloud-based cyber security technology company based in Petah Tikva, Israel. The company's technology was designed to detect breaches and advanced persistent threats (APTs), attacking networks. Seculert's business was based on malware research and the ability to uncover malware that has gone undetected by other traditional measures.

<span class="mw-page-title-main">Microsoft Digital Crimes Unit</span>

The Microsoft Digital Crimes Unit (DCU) is a Microsoft sponsored team of international legal and internet security experts employing the latest tools and technologies to stop or interfere with cybercrime and cyber threats. The Microsoft Digital Crimes Unit was assembled in 2008. In 2013, a Cybercrime center for the DCU was opened in Redmond, Washington. There are about 100 members of the DCU stationed just in Redmond, Washington at the original Cybercrime Center. Members of the DCU include lawyers, data scientists, investigators, forensic analysts, and engineers. The DCU has international offices located in major cities such as: Beijing, Berlin, Bogota, Delhi, Dublin, Hong Kong, Sydney, and Washington, D.C. The DCU's main focuses are child protection, copyright infringement and malware crimes. The DCU must work closely with law enforcement to ensure the perpetrators are punished to the full extent of the law. The DCU has taken down many major botnets such as the Citadel, Rustock, and Zeus. Around the world malware has cost users about $113 billion and the DCU's jobs is to shut them down in accordance with the law.

Operation Tovar was an international collaborative operation carried out by law enforcement agencies from multiple countries against the Gameover ZeuS botnet, which was believed by the investigators to have been used in bank fraud and the distribution of the CryptoLocker ransomware.

<span class="mw-page-title-main">Gameover ZeuS</span> Peer-to-peer botnet

GameOver ZeuS (GOZ), also known as peer-to-peer (P2P) ZeuS, ZeuS3, and GoZeus, is a Trojan horse developed by Russian cybercriminal Evgeniy Bogachev. Created in 2011 as a successor to Jabber Zeus, another project of Bogachev's, the malware is notorious for its usage in bank fraud resulting in damages of approximately $100 million and being the main vehicle through which the CryptoLocker ransomware attack was conducted, resulting in millions of dollars of losses. At the peak of its activity in 2012 and 2013, between 500,000 and 1 million computers were infected with GameOver ZeuS.

Tiny Banker Trojan, also called Tinba, is a malware program that targets financial institution websites. It is a modified form of an older form of viruses known as Banker Trojans, yet it is much smaller in size and more powerful. It works by establishing man-in-the-browser attacks and network sniffing. Since its discovery, it has been found to have infected more than two dozen major banking institutions in the United States, including TD Bank, Chase, HSBC, Wells Fargo, PNC, and Bank of America. It is designed to steal users' sensitive data, such as account login information and banking codes.

Dridex, also known as Bugat and Cridex, is a form of malware that specializes in stealing bank credentials via a system that utilizes macros from Microsoft Word.

SpyEye is a malware program that attacks users running Google Chrome, Safari, Opera, Firefox and Internet Explorer on Microsoft Windows operating systems. This malware uses keystroke logging and form grabbing to steal user credentials for malicious use. SpyEye allows hackers to steal money from online bank accounts and initiate transactions even while valid users are logged into their bank account

ZeuS Panda, Panda Banker, or Panda is a variant of the original Zeus under the banking Trojan category. Its discovery was in 2016 in Brazil around the time of the Olympic Games. The majority of the code is derived from the original Zeus trojan, and maintains the coding to carry out man-in-the-browser, keystroke logging, and form grabbing attacks. ZeuS Panda launches attack campaigns with a variety of exploit kits and loaders by way of drive-by downloads and phishing emails, and also hooking internet search results to infected pages. Stealth capabilities make not only detecting but analyzing the malware difficult.

Hamza Bendelladj, born in 1988 in Tizi Ouzou, is an Algerian cyber-criminal and carder who goes by the code name BX1 and has been nicknamed as the "Smiling Hacker". Bendelladj is a polyglot, speaking 5 languages often used for profit in view of his linguistic knowledge, in order to extract money almost everywhere in the world. This led to a search for him that lasted 5 years. He was on the top 10 list of the most wanted hackers by Interpol and the FBI for allegedly embezzling tens of millions of dollars from more than two hundred American and European financial institutions via a computer virus, the "SpyEYE Botnet", which infected more than 60 million computers worldwide, mostly from the United States, and was developed with his Russian accomplice Aleksandr Andreivich Panin, a.k.a. "Gribodemon", to steal banking information stored on infected computers.

<span class="mw-page-title-main">Maksim Yakubets</span> Ukrainian national and a computer expert (born 1987)

Maksim Viktorovich Yakubets is a Russian computer expert and alleged computer hacker. He is alleged to have been a member of the Evil Corp, Jabber Zeus Crew, as well as the alleged leader of the Bugat malware conspiracy. Russian media openly describe Yakubets as a "hacker who stole $100 million", friend of Dmitry Peskov and discussed his lavish lifestyle, including luxury wedding with a daughter of FSB officer Eduard Bendersky and Lamborghini with "ВОР" registration plate. Yakubets's impunity in Russia is perceived as clue of his close ties with FSB, but also criticized by domestic information security experts such as Ilya Sachkov.

Jabber Zeus was a cybercriminal syndicate and associated Trojan horse created and run by hackers and money launderers based in Russia, the United Kingdom, and Ukraine. It was the second main iteration of the Zeus malware and racketeering enterprise, succeeding Zeus and preceding Gameover Zeus.

References

  1. Abrams, Lawrence. "CryptoLocker Ransomware Information Guide and FAQ". Bleeping Computer . Retrieved 25 October 2013.
  2. Jim Finkle (17 July 2007). "Hackers steal U.S. government, corporate data from PCs". Reuters. Retrieved 17 November 2009.
  3. Steve Ragan (29 June 2009). "ZBot data dump discovered with over 74,000 FTP credentials". The Tech Herald. Archived from the original on 25 November 2009. Retrieved 17 November 2009.
  4. "How to Recognize a Fake Virus Warning" . Retrieved 28 July 2016.
  5. "ZeuS Banking Trojan Report". Dell SecuWorks. 10 March 2010. Retrieved 2 March 2016.
  6. "The Hunt for the Financial Industry's Most-Wanted Hacker". Bloomberg. Bloomberg Business. 18 June 2015. Retrieved 2 March 2016.
  7. "Trojan.Zbot". Symantec. Archived from the original on 30 January 2010. Retrieved 19 February 2010.
  8. "Cyber Banking Fraud". The Federal Bureau of Investigation. Retrieved 2 March 2016.
  9. FBI (1 October 2010). "CYBER BANKING FRAUD Global Partnerships Lead to Major Arrests". Archived from the original on 3 October 2010. Retrieved 2 October 2010.
  10. BBC (1 October 2010). "More than 100 arrests, as FBI uncovers cyber crime ring". BBC News. Retrieved 2 October 2010.
  11. Al Jazeera (21 September 2015). "Hamza Bendelladj: Is the Algerian hacker a hero?". AJE News. Retrieved 21 March 2016.
  12. Zetter, Kim. "Alleged 'SpyEye' Botmaster Ends Up in America, Handcuffs, Kim Zetter, Wired, 3 May 2013". Wired. Wired.com. Retrieved 30 January 2014.
  13. "Alleged "SpyEye" mastermind extradited to US, Lisa Vaas, 7 May 2013, Sophos nakedsecurity". Nakedsecurity.sophos.com. 7 May 2013. Retrieved 30 January 2014.
  14. Diane Bartz (29 October 2010). "Top hacker "retires"; experts brace for his return". Reuters. Retrieved 16 December 2010.
  15. Internet Identity (6 December 2010). "Growth in Social Networking, Mobile and Infrastructure Attacks Threaten Corporate Security in 2011". Yahoo! Finance. Retrieved 16 December 2010.
This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.