MIT Technology Review
The availability of the source code for Zeus has attracted many developers, says Jackson. Online miscreants looking to control their own botnet start with Zeus, because it is simple to use, he says, while the add-ons and extensions satisfy more sophisticated users. “It’s very easy to use right out of the gate,” Jackson says. “But when you add the advanced functionality that costs thousands of dollars, then it becomes a tool for advanced operators.”

Even the basic Zeus kits include obfuscation techniques to help escape detection by antivirus software and other security measures. In one experiment, consultant Alex Heid of Information Security Services found that only about half of the antivirus products tested detected a known Zeus payload. After he applied some simple techniques for masking the code, the detection rate dropped even further, to 10 percent. “The cybercrime technologies are advancing faster than the security technologies,” Heid says.

Once Zeus has compromised a system, it gives the user no sign that it’s there, according to Jackson. “What does Zeus look like when it infects your computer? Well, stare at your computer now, and that’s what it looks like,” Jackson says. “It’s designed to do its job and do it successfully and do it silently.”

While both Damballa and NetWitness sell technologies and services for detecting compromises on corporate networks, they do not provide software for end users.

“Most enterprises that we work with have a large number of users, so they basically give up on defending their computers,” Ollmann says. “You make the best attempt with antivirus and firewalls, but they accept that some percentage of their systems are going to be infected, so they focus on detecting and rebuilding the (compromised) systems rather than defending against all threats.”

Cox adds that focusing on the communications between infected systems and a command-and-control server is usually the best way to catch infections. “Understanding what normalcy looks like on your network so you can pinpoint abnormality is what is really important in the current threat environment,” he says. “Don’t trust only your existing security controls, and get eyes on your network.”
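One concrete form of the "know what normal looks like" advice above is to learn which destinations each host routinely talks to and then flag unfamiliar destinations contacted at machine-regular intervals, the periodic check-in pattern typical of bot-to-C2 traffic. The following is an added illustration, not code from the article or from Damballa or NetWitness; the flow records, host names and the 198.51.100.23 address are constructed sample data, and the thresholds are assumptions to tune per network.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample flow records: (timestamp in seconds, source host, destination).
# BASELINE_FLOWS stand in for a learning period of normal activity. LIVE_FLOWS
# include the same host later contacting an unfamiliar destination every 60 s.
BASELINE_FLOWS = (
    [(t, "ws-07", "intranet.example") for t in (10, 95, 300, 720)]
    + [(t, "ws-07", "mail.example") for t in (40, 400, 1500)]
)

LIVE_FLOWS = (
    [(t, "ws-07", "mail.example") for t in (2000, 2350, 4100)]
    + [(2000 + 60 * i, "ws-07", "198.51.100.23") for i in range(8)]  # constructed beacon
    + [(t, "ws-07", "intranet.example") for t in (2100, 2900)]
)


def build_baseline(flows):
    """Set of (src, dst) pairs seen during the learning period: the 'normalcy' model."""
    return {(src, dst) for _, src, dst in flows}


def find_beacons(flows, baseline, min_hits=5, max_cv=0.2):
    """Return (src, dst, mean_interval) for destinations absent from the baseline
    that a host contacts at near-constant intervals.

    cv = stdev / mean of the gaps between successive contacts. Human-driven
    traffic has irregular gaps (high cv); scheduled check-ins have low cv.
    min_hits and max_cv are assumed thresholds, not values from the article.
    """
    by_pair = defaultdict(list)
    for ts, src, dst in sorted(flows):
        by_pair[(src, dst)].append(ts)

    alerts = []
    for (src, dst), times in by_pair.items():
        if (src, dst) in baseline or len(times) < min_hits:
            continue
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            alerts.append((src, dst, round(avg, 1)))
    return alerts


if __name__ == "__main__":
    for alert in find_beacons(LIVE_FLOWS, build_baseline(BASELINE_FLOWS)):
        print("possible beacon:", alert)  # prints ('ws-07', '198.51.100.23', 60.0)
```

A real deployment would feed this from NetFlow or proxy logs and add jitter tolerance, since many bots randomize their check-in interval; the baseline should also be rebuilt periodically so legitimate new services stop alerting.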

Credit: Damballa