Zeus' Not Dead Yet
DESCRIPTION
ITSecX 2014 Slides, Marion Marschalek
TRANSCRIPT
![Page 1: Zeus' Not Dead Yet](https://reader034.vdocuments.us/reader034/viewer/2022052304/558b885bd8b42aff1a8b470b/html5/thumbnails/1.jpg)
RISE OF THE
BANKING TROJANS
Subtitle Redacted
![Page 2: Zeus' Not Dead Yet](https://reader034.vdocuments.us/reader034/viewer/2022052304/558b885bd8b42aff1a8b470b/html5/thumbnails/2.jpg)
Z...
Whatever
Alternative Talk Title
![Page 3: Zeus' Not Dead Yet](https://reader034.vdocuments.us/reader034/viewer/2022052304/558b885bd8b42aff1a8b470b/html5/thumbnails/3.jpg)
ZEUS
IS NOT
DEAD
YET
Actual Talk Title
\m/-.-\m/
http://www.sodahead.com/
![Page 4: Zeus' Not Dead Yet](https://reader034.vdocuments.us/reader034/viewer/2022052304/558b885bd8b42aff1a8b470b/html5/thumbnails/4.jpg)
Marion Marschalek
@pinkflawd
http://hqwallbase.com/28103-lego-stormtroopers-wallpaper-2560x1600
![Page 5: Zeus' Not Dead Yet](https://reader034.vdocuments.us/reader034/viewer/2022052304/558b885bd8b42aff1a8b470b/html5/thumbnails/5.jpg)
What is ZEUS?
Old.
Banking Trojan.
Data Stealer.
Open Source :)
![Page 6: Zeus' Not Dead Yet](https://reader034.vdocuments.us/reader034/viewer/2022052304/558b885bd8b42aff1a8b470b/html5/thumbnails/6.jpg)
![Page 7: Zeus' Not Dead Yet](https://reader034.vdocuments.us/reader034/viewer/2022052304/558b885bd8b42aff1a8b470b/html5/thumbnails/7.jpg)
Timeline (figure): 2007, 2010, 2011
![Page 8: Zeus' Not Dead Yet](https://reader034.vdocuments.us/reader034/viewer/2022052304/558b885bd8b42aff1a8b470b/html5/thumbnails/8.jpg)
Source: http://securityblog.s21sec.com
![Page 9: Zeus' Not Dead Yet](https://reader034.vdocuments.us/reader034/viewer/2022052304/558b885bd8b42aff1a8b470b/html5/thumbnails/9.jpg)
![Page 10: Zeus' Not Dead Yet](https://reader034.vdocuments.us/reader034/viewer/2022052304/558b885bd8b42aff1a8b470b/html5/thumbnails/10.jpg)
ZEUS old but gold
Zeus
Citadel
SpyEye
ZitMo
ZeusVM/KINS
Zberp
http://forum.fr.grepolis.com/
![Page 11: Zeus' Not Dead Yet](https://reader034.vdocuments.us/reader034/viewer/2022052304/558b885bd8b42aff1a8b470b/html5/thumbnails/11.jpg)
ZEUS mode of operation
1. Drop an executable into the user's %APP% (AppData) folder
2. Create and execute a batch file that deletes the dropper
3. Maintain a registry key for persistence
4. Inject the payload into system processes
5. Download the customized configuration
![Page 12: Zeus' Not Dead Yet](https://reader034.vdocuments.us/reader034/viewer/2022052304/558b885bd8b42aff1a8b470b/html5/thumbnails/12.jpg)
ZEUS mode of operation (diagram): Infector; Registry Key; Decrypt & load DLL; Inject DLL
![Page 13: Zeus' Not Dead Yet](https://reader034.vdocuments.us/reader034/viewer/2022052304/558b885bd8b42aff1a8b470b/html5/thumbnails/13.jpg)
Hell is infected with some dark bastard of zeus hail satan!!
![Page 14: Zeus' Not Dead Yet](https://reader034.vdocuments.us/reader034/viewer/2022052304/558b885bd8b42aff1a8b470b/html5/thumbnails/14.jpg)
E(DDIE)VASION TECHNIQUES
![Page 15: Zeus' Not Dead Yet](https://reader034.vdocuments.us/reader034/viewer/2022052304/558b885bd8b42aff1a8b470b/html5/thumbnails/15.jpg)
E(DDIE)VASION techniques
Weapons of match destruction!
![Page 16: Zeus' Not Dead Yet](https://reader034.vdocuments.us/reader034/viewer/2022052304/558b885bd8b42aff1a8b470b/html5/thumbnails/16.jpg)
E(DDIE)VASION techniques
Weapons of MATCH destruction!
![Page 17: Zeus' Not Dead Yet](https://reader034.vdocuments.us/reader034/viewer/2022052304/558b885bd8b42aff1a8b470b/html5/thumbnails/17.jpg)
ZEUS E(DDIE)VASION
Randomly named drop folders under %APP% (creation timestamps):
%APP%\Uwirpa 10.12.2013 23:50
%APP%\Woyxhi 10.12.2013 23:50
%APP%\Hibyo 19.12.2013 00:10
%APP%\Nezah 19.12.2013 00:10
%APP%\Afqag 19.12.2013 23:29
%APP%\Zasi 19.12.2013 23:29
%APP%\Eqzauf 20.12.2013 22:23
%APP%\Ubapo 20.12.2013 22:23
%APP%\Ydgowa 20.12.2013 22:23
%APP%\Olosu 20.12.2013 23:03
%APP%\Taal 20.12.2013 23:03
%APP%\Taosep 20.12.2013 23:03
%APP%\Wokyco 16.01.2014 13:22
%APP%\Semi 17.01.2014 16:34
%APP%\Uheh 17.01.2014 16:34
![Page 18: Zeus' Not Dead Yet](https://reader034.vdocuments.us/reader034/viewer/2022052304/558b885bd8b42aff1a8b470b/html5/thumbnails/18.jpg)
E(DDIE)VASION on the system level
OpenProcess
Check AccessToken
WriteProcessMemory
CreateRemoteThread
Boom.
![Page 19: Zeus' Not Dead Yet](https://reader034.vdocuments.us/reader034/viewer/2022052304/558b885bd8b42aff1a8b470b/html5/thumbnails/19.jpg)
E(DDIE)VASION on the perimeter
Domain Generation Algorithms
Source: http://blog.malwaremustdie.org/
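The slide only names the technique, so here is an added example (not from the slides, and not the algorithm Zeus actually used) of what a DGA does at the perimeter and why it is still catchable: the bot derives the day's rendezvous domains from the date and a seed, and a defender who has recovered the algorithm runs the same function ahead of time to build a sinkhole or DNS blocklist. The hashing scheme, seed, TLD list, date and the resolver log lines (BIND query-log format) are all constructed for illustration.

```python
import datetime
import hashlib
import re

SEED = b"itsecx-demo-seed"              # constructed: a per-family constant compiled into the bot
TLDS = ("com", "net", "org")            # constructed
DOMAINS_PER_DAY = 8
DEMO_DAY = datetime.date(2014, 11, 7)   # constructed date


def generate_domains(day, seed=SEED, count=DOMAINS_PER_DAY):
    """The bot's side: derive today's rendezvous domains from the date and
    the seed only, so an infected host needs no hard-coded C&C address."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(seed + day.isoformat().encode() + bytes([i])).digest()
        label = "".join(chr(ord("a") + b % 26) for b in digest[:16])
        domains.append(f"{label}.{TLDS[digest[16] % len(TLDS)]}")
    return domains


def watchlist(start, days_ahead):
    """The defender's side: the same function run ahead of time yields every
    name the bots will try, ready for sinkholing or a DNS blocklist."""
    names = set()
    for offset in range(days_ahead):
        names.update(generate_domains(start + datetime.timedelta(days=offset)))
    return names


# Constructed resolver query log (BIND query-log format); the second line is
# filled in with one of the day's generated names.
QUERY_LOG = """\
client 10.0.0.15#51234: query: www.example.com IN A +
client 10.0.0.15#51235: query: {dga} IN A +
client 10.0.0.22#40001: query: mail.example.org IN MX +
"""
_QUERY_RE = re.compile(r"client (\S+)#\d+: query: (\S+) IN \w+")


def find_dga_lookups(log_text, names):
    """Return (client, domain) pairs whose queried name is on the watchlist."""
    hits = []
    for line in log_text.splitlines():
        m = _QUERY_RE.match(line)
        if m and m.group(2).lower().rstrip(".") in names:
            hits.append((m.group(1), m.group(2)))
    return hits


def demo():
    names = watchlist(DEMO_DAY, 3)
    log = QUERY_LOG.format(dga=generate_domains(DEMO_DAY)[0])
    return find_dga_lookups(log, names)


if __name__ == "__main__":
    for client, domain in demo():
        print(f"{client} resolved DGA domain {domain}")
```

The point of pre-computing rather than pattern-matching "random-looking" names is precision: once the algorithm and seed are known, every future domain is an exact-match indicator, which is how sinkholes of DGA families are operated in practice.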
![Page 20: Zeus' Not Dead Yet](https://reader034.vdocuments.us/reader034/viewer/2022052304/558b885bd8b42aff1a8b470b/html5/thumbnails/20.jpg)
E(DDIE)VASION on the binary level
![Page 21: Zeus' Not Dead Yet](https://reader034.vdocuments.us/reader034/viewer/2022052304/558b885bd8b42aff1a8b470b/html5/thumbnails/21.jpg)
E(DDIE)VASION on the binary level
![Page 22: Zeus' Not Dead Yet](https://reader034.vdocuments.us/reader034/viewer/2022052304/558b885bd8b42aff1a8b470b/html5/thumbnails/22.jpg)
Eddie In The Browser (diagram)
USER ↔ BROWSER ↔ BANK.COM
Eddie sits in the browser: inject web content + grab user input
![Page 23: Zeus' Not Dead Yet](https://reader034.vdocuments.us/reader034/viewer/2022052304/558b885bd8b42aff1a8b470b/html5/thumbnails/23.jpg)
CONFIGURATION
• Update URL & Config Backup URL
• Upload URL
• Injection Information
• URL Masks:
  • For identifying websites to log
  • For identifying websites to screenshot
• URL Mappings for Redirection
• IP/URL Mappings to insert into the hosts file to override DNS lookups
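The "Injection Information" in the configuration is what drives the in-browser content injection from the previous slide. As an added example (not code from the slides or from Zeus itself), here is a parser for the text-based webinject rule format the Zeus family uses (a `set_url` line with a URL mask and flags, followed by `data_before`, `data_after` and `data_inject` blocks each closed by `data_end`) and an application of the rules to a page, the way the browser hook rewrites a bank's login page before the user sees it. The rules, the HTML and the URL are constructed. Assumptions: `*` is a wildcard in both URL masks and anchors, the text between the `data_before` and `data_after` anchors is replaced by `data_inject`, and only the `G`/`P` (GET/POST) flags are modelled.

```python
import fnmatch
import re
from dataclasses import dataclass


@dataclass
class WebInject:
    url_mask: str        # e.g. https://bank.example/login*
    flags: str           # G = GET, P = POST; other flags are stored but ignored here (assumption)
    before: str = ""     # data_before anchor
    after: str = ""      # data_after anchor
    inject: str = ""     # data_inject payload; empty means "remove what lies between the anchors"


def parse_webinjects(text):
    """Parse set_url / data_* / data_end rules into WebInject records."""
    rules, current, section, buf = [], None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("set_url"):
            parts = line.split()
            current = WebInject(url_mask=parts[1], flags=parts[2] if len(parts) > 2 else "GP")
            rules.append(current)
        elif line in ("data_before", "data_after", "data_inject"):
            if current is None:
                raise ValueError(f"{line} before any set_url")
            section, buf = line, []
        elif line == "data_end":
            if section is None:
                raise ValueError("data_end without an open data_* block")
            setattr(current, section[len("data_"):], "\n".join(buf))
            section = None
        elif section is not None:
            buf.append(raw)          # block content is kept verbatim
    return rules


def _anchor_to_regex(anchor):
    # '*' in an anchor matches any run of characters, newlines included (re.DOTALL below)
    return ".*?".join(re.escape(piece) for piece in anchor.split("*"))


def apply_webinjects(url, html, rules):
    """Rewrite `html` with every rule whose URL mask matches `url`."""
    for rule in rules:
        if not fnmatch.fnmatchcase(url, rule.url_mask):
            continue
        pattern = re.compile("(" + _anchor_to_regex(rule.before) + ")(.*?)("
                             + _anchor_to_regex(rule.after) + ")", re.DOTALL)
        html = pattern.sub(lambda m: m.group(1) + rule.inject + m.group(3), html, count=1)
    return html


# Constructed rule: on the bank's login page, slip a TAN field in between the
# password box and the submit button.
SAMPLE_RULES = """\
set_url https://bank.example/login* GP
data_before
<input type="password"*>
data_end
data_after
<input type="submit"*>
data_end
data_inject
<p>Security check: enter the TAN from your card <input type="text" name="tan"></p>
data_end
"""

# Constructed page as the bank served it.
SAMPLE_PAGE = """\
<form action="/login" method="post">
<input type="text" name="user">
<input type="password" name="pass">
<input type="submit" value="Login">
</form>
"""


def demo(url="https://bank.example/login?lang=en"):
    return apply_webinjects(url, SAMPLE_PAGE, parse_webinjects(SAMPLE_RULES))


if __name__ == "__main__":
    print(demo())
```

Because the rewrite happens inside the browser process after TLS has been stripped, the page the user sees is served over a valid HTTPS connection and carries the bank's real markup; the only evidence is the extra field, which is why bank-side detection has to compare the DOM the server sent with the DOM the client submits from.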
![Page 24: Zeus' Not Dead Yet](https://reader034.vdocuments.us/reader034/viewer/2022052304/558b885bd8b42aff1a8b470b/html5/thumbnails/24.jpg)
SUMMING IT UP
DROPPERkilf.exe
C&C SERVER
control communication and updates
DELETE SCRIPTKUQ9491.bat
ZBOTvogiap.exeCONFIGURATION
ehri.ofu
drop Zbotfiles
delete dropper
PROCESSexplorer.exe
inject code
![Page 25: Zeus' Not Dead Yet](https://reader034.vdocuments.us/reader034/viewer/2022052304/558b885bd8b42aff1a8b470b/html5/thumbnails/25.jpg)
ZitMo Zeus in the Mobile
Zeus Infection
Installation of ZitMo
Social Engineering
Spying on online-banking credentials
Capture mTAN
Do Transaction
![Page 26: Zeus' Not Dead Yet](https://reader034.vdocuments.us/reader034/viewer/2022052304/558b885bd8b42aff1a8b470b/html5/thumbnails/26.jpg)
ZeusVM / KINS
Born December 2011
Sold as a kit since 2013
Heavily based on Zeus source code
http://blog.fox-it.com/2013/07/25/analysis-of-the-kins-malware/
![Page 27: Zeus' Not Dead Yet](https://reader034.vdocuments.us/reader034/viewer/2022052304/558b885bd8b42aff1a8b470b/html5/thumbnails/27.jpg)
Zeus VIRTUAL MACHINE
1. Grab next opcode
2. Call opcode handler
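The two-step loop on the slide is the whole visible surface of a virtualisation obfuscator: a disassembler sees only the dispatcher and a table of handlers, while the logic that matters lives in bytecode the disassembler does not understand. As an added example (not code from the slides or from ZeusVM, whose instruction set is not on the page), here is a minimal stack-based interpreter with exactly that fetch/dispatch structure; the bytecode it runs XOR-decodes a configuration string in place. Opcodes, key and data are constructed.

```python
KEY = 0x5A                                      # constructed XOR key
PLAINTEXT = b"http://c2.example/cfg.bin"        # constructed config URL
ENCRYPTED = bytes(c ^ KEY for c in PLAINTEXT)   # the form that would ship inside the binary


class VM:
    def __init__(self, code, data):
        self.code = code
        self.mem = bytearray(data)
        self.ip = 0
        self.stack = []
        self.running = True

    def fetch(self):
        """Step 1 from the slide: grab the next byte of bytecode."""
        byte = self.code[self.ip]
        self.ip += 1
        return byte


# Step 2 from the slide: one handler routine per opcode.
def op_push(vm):
    vm.stack.append(vm.fetch())

def op_load(vm):                 # addr -> mem[addr]
    vm.stack.append(vm.mem[vm.stack.pop()])

def op_store(vm):                # value addr -> (mem[addr] = value)
    addr = vm.stack.pop()
    vm.mem[addr] = vm.stack.pop()

def op_xor(vm):
    b, a = vm.stack.pop(), vm.stack.pop()
    vm.stack.append(a ^ b)

def op_add(vm):
    b, a = vm.stack.pop(), vm.stack.pop()
    vm.stack.append((a + b) & 0xFF)

def op_sub(vm):
    b, a = vm.stack.pop(), vm.stack.pop()
    vm.stack.append((a - b) & 0xFF)

def op_dup(vm):
    vm.stack.append(vm.stack[-1])

def op_swap(vm):
    vm.stack[-1], vm.stack[-2] = vm.stack[-2], vm.stack[-1]

def op_jnz(vm):                  # signed 8-bit displacement, relative to the next instruction
    rel = vm.fetch()
    rel = rel - 256 if rel > 127 else rel
    if vm.stack.pop() != 0:
        vm.ip += rel

def op_halt(vm):
    vm.running = False

HANDLERS = {0x01: op_push, 0x02: op_load, 0x03: op_store, 0x04: op_xor, 0x05: op_add,
            0x06: op_dup, 0x07: op_jnz, 0x08: op_sub, 0x09: op_halt, 0x0A: op_swap}


def run(code, data):
    """The dispatcher loop a disassembler sees: fetch an opcode, call its handler."""
    vm = VM(code, data)
    while vm.running:
        HANDLERS[vm.fetch()](vm)
    return bytes(vm.mem)


# Bytecode for: for i in range(n): mem[i] ^= KEY   (the logic hidden from static analysis)
PROGRAM = bytes([
    0x01, 0x00,               # PUSH 0              ; i = 0
    0x06,                     # loop: DUP           ; i i
    0x06,                     # DUP                 ; i i i
    0x02,                     # LOAD                ; i i mem[i]
    0x01, KEY,                # PUSH KEY
    0x04,                     # XOR                 ; i i mem[i]^KEY
    0x0A,                     # SWAP                ; i mem[i]^KEY i
    0x03,                     # STORE               ; mem[i] = mem[i]^KEY  -> i
    0x01, 0x01,               # PUSH 1
    0x05,                     # ADD                 ; i+1
    0x06,                     # DUP                 ; i+1 i+1
    0x01, len(ENCRYPTED),     # PUSH n
    0x08,                     # SUB                 ; i+1 (i+1-n)
    0x07, 0xEF,               # JNZ loop (-17)      ; repeat while i+1 != n
    0x09,                     # HALT
])


def decode_config():
    return run(PROGRAM, ENCRYPTED)


if __name__ == "__main__":
    print(decode_config().decode())
```

For an analyst this is why "find the XOR loop" fails against a VM-protected sample: the x86 code contains no XOR loop, only the table lookup in `run`. The practical way in is to recover the handler semantics once and then write a disassembler for the bytecode, which is the same amount of work whether the bytecode decodes a string or drives the whole bot.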
![Page 28: Zeus' Not Dead Yet](https://reader034.vdocuments.us/reader034/viewer/2022052304/558b885bd8b42aff1a8b470b/html5/thumbnails/28.jpg)
INVISIBLE PERSISTENCE
thread for managing autorun key
...
![Page 29: Zeus' Not Dead Yet](https://reader034.vdocuments.us/reader034/viewer/2022052304/558b885bd8b42aff1a8b470b/html5/thumbnails/29.jpg)
CONFIGURATION hiding in plain sight
![Page 30: Zeus' Not Dead Yet](https://reader034.vdocuments.us/reader034/viewer/2022052304/558b885bd8b42aff1a8b470b/html5/thumbnails/30.jpg)
CONFIGURATION hiding in plain sight
![Page 31: Zeus' Not Dead Yet](https://reader034.vdocuments.us/reader034/viewer/2022052304/558b885bd8b42aff1a8b470b/html5/thumbnails/31.jpg)
CONFIGURATION hiding in plain sight
Source: https://blog.malwarebytes.org
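"Hiding in plain sight" here means the configuration travels inside an image file that looks like an ordinary picture. The decoding of the hidden data is family-specific and not on the page, but the triage step that catches the trick is generic, and the following added example (not from the slides or from the Malwarebytes write-up) implements it: walk the JPEG marker structure, report every segment with its size (an oversized COM or APPn segment is one hiding place), and report any bytes that follow the End-Of-Image marker (the other common one). The sample image skeleton and the appended blob are constructed; the skeleton has the header structure of a JPEG but is not a decodable picture.

```python
import struct

NAMES = {0xD8: "SOI", 0xD9: "EOI", 0xDA: "SOS", 0xDB: "DQT",
         0xC0: "SOF0", 0xC2: "SOF2", 0xC4: "DHT", 0xDD: "DRI", 0xFE: "COM"}
STANDALONE = {0xD8, 0xD9, 0x01} | set(range(0xD0, 0xD8))   # markers that carry no length field


def marker_name(marker):
    if 0xE0 <= marker <= 0xEF:
        return f"APP{marker - 0xE0}"
    return NAMES.get(marker, f"FF{marker:02X}")


def make_segment(marker, payload):
    """Build a marker segment: FF xx, 2-byte big-endian length (including itself), payload."""
    return bytes([0xFF, marker]) + struct.pack(">H", len(payload) + 2) + payload


def walk_jpeg(data):
    """Return (segments, trailing): segments is a list of (name, offset, size),
    trailing is whatever follows the End-Of-Image marker."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI")
    segments = [("SOI", 0, 2)]
    pos = 2
    while pos + 1 < len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected a marker at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:                      # fill byte in front of a marker
            pos += 1
            continue
        if marker == 0xD9:
            segments.append(("EOI", pos, 2))
            return segments, data[pos + 2:]
        if marker in STANDALONE:
            segments.append((marker_name(marker), pos, 2))
            pos += 2
            continue
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])
        segments.append((marker_name(marker), pos, 2 + length))
        pos += 2 + length
        if marker == 0xDA:
            # Entropy-coded data follows the SOS header.  Inside it every 0xFF is
            # stuffed as FF 00 and only RSTn (FF D0..D7) markers may occur, so the
            # first FF D9 after this point is the real End-Of-Image marker.
            end = data.find(b"\xff\xd9", pos)
            if end == -1:
                raise ValueError("truncated JPEG: no EOI after the scan")
            segments.append(("scan-data", pos, end - pos))
            pos = end
    raise ValueError("truncated JPEG: no EOI marker")


def triage(data, max_meta=4096):
    """Flag metadata segments larger than `max_meta` bytes and any data after EOI."""
    segments, trailing = walk_jpeg(data)
    findings = []
    for name, offset, size in segments:
        if (name.startswith("APP") or name == "COM") and size > max_meta:
            findings.append(f"{name} segment at offset {offset} is {size} bytes")
    if trailing:
        findings.append(f"{len(trailing)} bytes appended after EOI")
    return findings, trailing


# Constructed minimal JPEG skeleton followed by a constructed blob standing in
# for an appended configuration.
SAMPLE_JPEG = (
    b"\xff\xd8"
    + make_segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
    + make_segment(0xFE, b"constructed comment")
    + make_segment(0xDA, b"\x01\x01\x00\x00\x3f\x00")
    + b"\x12\x34\xff\x00\x56\xff\xd0\x78"   # scan data with a stuffed FF 00 and an RST0 marker
    + b"\xff\xd9"
)
HIDDEN_BLOB = b"constructed-config-blob:" + bytes(range(32))
SAMPLE_WITH_BLOB = SAMPLE_JPEG + HIDDEN_BLOB

if __name__ == "__main__":
    findings, blob = triage(SAMPLE_WITH_BLOB)
    print("\n".join(findings) or "nothing suspicious")
```

Image viewers stop at EOI and tolerate big metadata segments, so the picture renders normally either way; the walk above is cheap enough to run over every image a suspicious process downloads.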
![Page 32: Zeus' Not Dead Yet](https://reader034.vdocuments.us/reader034/viewer/2022052304/558b885bd8b42aff1a8b470b/html5/thumbnails/32.jpg)
Carberp
There is no honour among thieves:
“Leaking the source code was not like the leaking of a weapon, but more like the leaking of a tank factory”
1.9GB Sources
Source: http://krebsonsecurity.com/
![Page 33: Zeus' Not Dead Yet](https://reader034.vdocuments.us/reader034/viewer/2022052304/558b885bd8b42aff1a8b470b/html5/thumbnails/33.jpg)
ZBERP (figure): Zeus + Carberp
![Page 34: Zeus' Not Dead Yet](https://reader034.vdocuments.us/reader034/viewer/2022052304/558b885bd8b42aff1a8b470b/html5/thumbnails/34.jpg)
ZBERP?
![Page 35: Zeus' Not Dead Yet](https://reader034.vdocuments.us/reader034/viewer/2022052304/558b885bd8b42aff1a8b470b/html5/thumbnails/35.jpg)
ZBERP?
![Page 36: Zeus' Not Dead Yet](https://reader034.vdocuments.us/reader034/viewer/2022052304/558b885bd8b42aff1a8b470b/html5/thumbnails/36.jpg)
ZBERP?
![Page 37: Zeus' Not Dead Yet](https://reader034.vdocuments.us/reader034/viewer/2022052304/558b885bd8b42aff1a8b470b/html5/thumbnails/37.jpg)
ZBERP ..? (feature comparison, columns ZEUS/KINS | CARBERP)
• Infection Routine
• Anti-Disassembly
• Invisible Persistence
• Graphical Configuration
• Virtual Machine Execution
• Encrypted C&C communication
• Suspend-Thread Code Injection
• Hooking Technique
![Page 38: Zeus' Not Dead Yet](https://reader034.vdocuments.us/reader034/viewer/2022052304/558b885bd8b42aff1a8b470b/html5/thumbnails/38.jpg)
BRAVE
NEW
WORLD
NOW WHAT ABOUT
DETECTIONS?
![Page 39: Zeus' Not Dead Yet](https://reader034.vdocuments.us/reader034/viewer/2022052304/558b885bd8b42aff1a8b470b/html5/thumbnails/39.jpg)
HUNTING ZEUS
1. Drive-by infections
2. Anomalies in network traffic
3. Threat intelligence feeds to follow C&Cs
4. File system & registry key changes
5. Watch your data
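Point 4 of the hunting list maps directly onto the mode-of-operation slides earlier in the deck (drop into a random %APP% folder, batch file to delete the dropper, Run key for persistence, injection into explorer.exe). As an added example (not from the slides), here is a small correlation rule that scores that chain from host telemetry instead of alerting on any one indicator. The event records are constructed in a Sysmon-like shape (EventID 11 file create, 13 registry value set, 8 CreateRemoteThread) and reuse the file and process names from the slides; the `Temp\XXX9999.bat` naming pattern and the five-minute window are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Indicator patterns.  The AppData\Roaming\<Random>\<random>.exe shape and the file
# names come from the slides; the .bat naming pattern is an assumption.
APPDATA_DROP = re.compile(r"\\AppData\\Roaming\\[A-Za-z]{4,8}\\[a-z]{4,8}\.exe$")
BATCH_DROP = re.compile(r"\\Temp\\[A-Za-z]{3}\d{4}\.bat$")
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.I)
INJECT_TARGETS = {"explorer.exe"}

# One predicate per stage of the chain, keyed on Sysmon-style event IDs:
# 11 = FileCreate, 13 = RegistryValueSet, 8 = CreateRemoteThread.
STAGES = {
    "drop":    lambda e: e["EventID"] == 11 and bool(APPDATA_DROP.search(e["TargetFilename"])),
    "batch":   lambda e: e["EventID"] == 11 and bool(BATCH_DROP.search(e["TargetFilename"])),
    "persist": lambda e: e["EventID"] == 13 and bool(RUN_KEY.search(e["TargetObject"])),
    "inject":  lambda e: e["EventID"] == 8 and e["TargetImage"].rsplit("\\", 1)[-1].lower() in INJECT_TARGETS,
}


def score_hosts(events, window_seconds=300):
    """Return {host: [stages]} for every host on which at least three distinct
    stages fire within `window_seconds` of each other."""
    by_host = defaultdict(list)
    for e in events:
        for stage, matches in STAGES.items():
            if matches(e):
                by_host[e["Computer"]].append((datetime.fromisoformat(e["UtcTime"]), stage))
    alerts = {}
    for host, hits in by_host.items():
        hits.sort()
        for i, (t0, _) in enumerate(hits):
            seen = {stage for t, stage in hits[i:] if (t - t0).total_seconds() <= window_seconds}
            if len(seen) >= 3:
                alerts[host] = sorted(seen)
                break
    return alerts


def _ev(host, when, event_id, **fields):
    return {"Computer": host, "UtcTime": when, "EventID": event_id, **fields}


# Constructed telemetry.
BOT = "C:\\Users\\alice\\AppData\\Roaming\\Uwirpa\\vogiap.exe"
BOT_BOB = BOT.replace("alice", "bob")
EVENTS = [
    # ws01: the full chain from the slides, within a few seconds
    _ev("ws01", "2014-11-07T09:12:03", 11, Image="C:\\Users\\alice\\Downloads\\kilf.exe", TargetFilename=BOT),
    _ev("ws01", "2014-11-07T09:12:03", 11, Image="C:\\Users\\alice\\Downloads\\kilf.exe",
        TargetFilename="C:\\Users\\alice\\AppData\\Local\\Temp\\KUQ9491.bat"),
    _ev("ws01", "2014-11-07T09:12:04", 13, Image=BOT,
        TargetObject="HKU\\S-1-5-21-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Vogiap"),
    _ev("ws01", "2014-11-07T09:12:05", 8, SourceImage=BOT, TargetImage="C:\\Windows\\explorer.exe"),
    # ws02: a legitimate installer writing a Run key and nothing else
    _ev("ws02", "2014-11-07T09:30:00", 13, Image="C:\\Program Files\\Vendor\\setup.exe",
        TargetObject="HKU\\S-1-5-21-1000\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\VendorUpdater"),
    # ws03: three stages, but hours apart, so outside the default window
    _ev("ws03", "2014-11-07T08:00:00", 11, Image="C:\\Users\\bob\\Downloads\\kilf.exe", TargetFilename=BOT_BOB),
    _ev("ws03", "2014-11-07T10:00:00", 13, Image=BOT_BOB,
        TargetObject="HKU\\S-1-5-21-1001\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Vogiap"),
    _ev("ws03", "2014-11-07T12:00:00", 8, SourceImage=BOT_BOB, TargetImage="C:\\Windows\\explorer.exe"),
]

if __name__ == "__main__":
    for host, stages in score_hosts(EVENTS).items():
        print(f"{host}: Zeus-like chain, stages {', '.join(stages)}")
```

Each single indicator is noisy on its own (installers write Run keys, updaters drop files under AppData), which is why the rule requires three stages on one host inside a short window; widening the window trades that precision for recall, as the ws03 case shows.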
![Page 40: Zeus' Not Dead Yet](https://reader034.vdocuments.us/reader034/viewer/2022052304/558b885bd8b42aff1a8b470b/html5/thumbnails/40.jpg)
Malware kill chain (figure)
LURE → EXPLOIT → INFECT → CALL HOME → STEAL DATA
Awareness | Behavior | Correlation | Intelligence | Encryption
![Page 41: Zeus' Not Dead Yet](https://reader034.vdocuments.us/reader034/viewer/2022052304/558b885bd8b42aff1a8b470b/html5/thumbnails/41.jpg)
RESOURCES
• Eddie Sources:
  • http://www.guitarworld.com/photo-gallery-many-faces-iron-maidens-eddie
• http://maiden-world.com/articles/history-of-eddie.html
• http://ultimateclassicrock.com/iron-maiden-eddie-album-covers-retrospective/
• http://www.cyactive.com/zberp-baby-super-trojan/
• https://blog.malwarebytes.org/security-threat/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/
• http://www.fortiguard.com/legacy/analysis/zeusanalysis.html
• http://www.symantec.com/connect/blogs/brief-look-zeuszbot-20
• http://www.reuters.com/article/2007/07/17/us-internet-attack-idUSN1638118020070717