Versatility of Zeus Framework Encourages Criminal Innovation

Ever since the Zeus source code leaked in late 2010, criminals have been creating highly customized, difficult-to-detect versions of it that target very specific services.

A new report on the Zeus trojan’s evolution shows that the malware was moved from harvesting online banking credentials to controlling botnets and launching distributed denial of service attacks attributes the evolution to the highly customized and incredibly versatile framework Zeus is today.

According to research conducted by the Prolexic security and engineering response team (PLXsert), Zeus remains among the most potent banking trojans on the market. However, ever since its source code very famously leaked in late 2010, criminals have tailored the trojan to meet their own specific needs. Part of that has meant Zeus-controlled botnets and DDoS attacks in which Zeus delivers a payload consisting of some DDoS malware. The distributed architecture of the recently shut down GameOver Zeus variant is among the examples of this type of customization.

Increasingly though, criminals are building custom modules, which deploy multiple payloads and attack vectors.

 Increasingly though, criminals are building custom modules, which deploy multiple payloads and attack vectors,designed to target particular cloud-based platform-as-a-service (PaaS) and software-as-a-service (SaaS) infrastructures. Many of these modules even have the capacity to detect the presence of other Zeus variants on infected systems and disinfect those systems accordingly.

No matter what purpose the malicious toolkit serves, it requires very little skill to operate, giving vast pools of criminals the ability to launch powerful attacks. As variations of Zeus continue emerge with obfuscated payloads, the threat becomes more and more difficult to detect and block. According to the report, some organizations tracking the threat estimate the antivirus detection rate for Zeus is only 39 percent.

Many of the custom varieties of Zeus are still credential-stealers. Instead of stealing banking credentials, many of them seek login information for cloud services, which exist outside the security posture of many organizations, but still offer bandwidth and processing power to help launch further attacks as well as offer cover.

PLXSert claims it has observed well-known cloud services vendors among the sources of many DDoS campaigns.

“Attackers use the webinjects configuration to customize attacks for specific cloud-based applications,” PLXsert notes. “This feature is commercialized in the underground – malicious actors sell customized Zeus webinjects for these purposes. In the past, webinjects were customized specifically for banking sites. Webinjects are now being adapted to target specific web applications.”

As these custom kits steal login credentials from and monitor web usage of corporate clients, attackers will inevitably find ways of compromising those organizations in turn.

In a lab environment, PLXsert was able to deploy custom webinjects to subtly modify HTML webpages with maliciously customized fields displayed to users in order to trick those users into providing personal information and sensitive credentials.

When or if a user provides such information in this lab environment or in real-world scenarios, the Zeus framework transfers and indexes valuable information that can be accessed by attackers later. Search capabilities in the newer Zeus tools give attackers the ability to identify users who accessed the websites and applications of specific corporations or cloud services providers. Attackers, the report explains, may then create their own webinjects and scripts to attack those sites.

PLXsert says it expects further adaptations and enhancements of the Zeus malware toolkit, including hybrid payloads with other crimeware kits targeting multiple platforms, including Windows, Mac, Linux, Android, and iOS.

Suggested articles