In 2005, a Russian hacker group known as UpLevel developed Zeus, a point-and-click program for creating and controlling a network of compromised computer systems, also known as a botnet. Five years of development later, the latest version of this software, which can be downloaded for free and requires very little technical skill to operate, is one of the most popular botnet platforms for spammers, fraudsters, and people who deal in stolen personal information.
Last week, the security firm NetWitness, based in Herndon, VA, released a report highlighting the kind of havoc the software can wreak. It documents a Zeus botnet that controlled nearly 75,000 computers in more than 2,400 organizations, including the drug producer Merck, the network equipment maker Juniper Networks, and the Hollywood studio Paramount Pictures. Over four weeks, the software was used to steal more than 68,000 log-in credentials, including thousands of Facebook log-ins and Yahoo e-mail log-ins.
“They had compromised systems inside both companies and government agencies,” says Alex Cox, a principal analyst at NetWitness.
A survey conducted by another security firm–Atlanta-based Damballa–found Zeus-controlled programs to be the second most common inside corporate networks in 2009. Damballa tracked more than 200 Zeus-based botnets in enterprise networks. The largest single botnet controlled using the Zeus platform consisted of 600,000 compromised computers.
The Zeus software is less important for its conquests than for its high regard among cybercriminals. “Zeus is incredibly popular with people that want to tinker and start their own small business, if you will,” says Gunter Ollman, vice president of research for Damballa.
A group of four or five developers started working on Zeus in 2005. The following year they released the first version of the program, a basic Trojan designed to hide on an infected system and steal information. In 2007, the group came out with a more modular version, which allowed other underground developers to create plug-ins to add to its functionality.
The latest Zeus platform allows users to build custom malicious software to infect target systems, manage a far-flung network of compromised machines, and use the resulting botnet for illegal gain. The construction kit contains a program for building the bot software and Web scripts for creating and hosting a central command-and-control server.
Independent developers have created compatible “exploit packs” capable of infecting victims’ systems using vulnerabilities in the operating system or browser. Other developers focus on creating plug-in software to help would-be cybercriminals make money from a Zeus botnet. Some add-ons focus on phishing attacks–delivering the images and Web pages needed to create fraudulent banking sites, for example. Other add-ons give bot operators the tools to create spam campaigns. “There is a whole cottage industry around creating add-ons for Zeus,” says Don Jackson, a security researcher with the Counter Threat Unit at SecureWorks, a company based in Atlanta.