The availability of the source code for Zeus has attracted many developers, says Jackson. Online miscreants looking to control their own botnet start with Zeus, because it is simple to use, he says, while the add-ons and extensions satisfy more sophisticated users. “It’s very easy to use right out of the gate,” Jackson says. “But when you add the advanced functionality that costs thousands of dollars, then it becomes a tool for advanced operators.”
Even the basic Zeus kits include obfuscation techniques to help escape detection by antivirus software and other security measures. In one experiment, consultant Alex Heid of Information Security Services found that only about half of antivirus software detected a known Zeus payload. After employing some simple techniques for masking the code, the detection rate dropped even further, to 10 percent. “The cybercrime technologies are advancing faster than the security technologies,” Heid says.
Once Zeus has compromised a system, it gives the user no sign that it’s there, according to Jackson. “What does Zeus look like when it infects your computer? Well, stare at your computer now, and that’s what it looks like,” Jackson says. “It’s designed to do its job and do it successfully and do it silently.”
While both Damballa and NetWitness sell technologies and services for detecting compromises on corporate networks, they do not provide software for end users.
“Most enterprises that we work with have a large number of users, so they basically give up on defending their computers,” Ollmann says. “You make the best attempt with antivirus and firewalls, but they accept that some percentage of their systems are going to be infected, so they focus on detecting and rebuilding the (compromised) systems rather than defending against all threats.”
Cox adds that focusing on the communications between infected systems and a command-and-control server is usually the best way to catch infections. “Understanding what normalcy looks like on your network so you can pinpoint abnormality is what is really important in the current threat environment,” he says. “Don’t trust only your existing security controls, and get eyes on your network.”
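The approach Cox describes, learning what normal outbound traffic looks like and then pinpointing what departs from it, can be illustrated with a small beacon detector. The following is an added example written for this page; it is not code from the article or from Damballa or NetWitness. It scores each (source, destination, port) pair on how regular its connection intervals are, since a bot polling its command-and-control server tends to check in at near-constant intervals while human-driven traffic does not, and it notes how many internal hosts contact each destination. All addresses, ports and timestamps in it are constructed sample data.

```python
"""Beacon detection over constructed flow records.

Added example, not code from the article or from Damballa/NetWitness.
It demonstrates the approach Cox describes: learn what normal outbound
traffic looks like, then flag connections that depart from it. Here the
"abnormality" is a host contacting the same destination at regular,
low-jitter intervals, the check-in pattern of a bot polling its
command-and-control server. Every address, port and timestamp below is
constructed sample data.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed flow records: (epoch_seconds, src_ip, dst_ip, dst_port, bytes_out).
# Normal workstation: irregular HTTPS traffic to one web server.
_NORMAL = [(t, "10.0.0.5", "93.184.216.34", 443, 4200)
           for t in (0, 37, 210, 245, 612, 900, 1330, 1399)]
# Second workstation: a few ordinary web requests ...
_FEW = [(t, "10.0.0.7", "93.184.216.34", 443, 3900) for t in (50, 400, 1210)]
# ... plus a check-in to an unrelated server every ~60 s with a few seconds
# of jitter (constructed to mimic a bot polling its C2 server).
_BEACON = [(t, "10.0.0.7", "203.0.113.45", 80, 312)
           for t in (100, 161, 219, 281, 340, 400, 459, 521, 580, 641, 700, 760)]
SAMPLE_FLOWS = sorted(_NORMAL + _FEW + _BEACON)


def group_flows(flows):
    """Map each (src, dst, port) to its sorted list of connection times."""
    groups = defaultdict(list)
    for ts, src, dst, port, _size in flows:
        groups[(src, dst, port)].append(ts)
    return {key: sorted(times) for key, times in groups.items()}


def beacon_score(timestamps, min_connections=6):
    """Return (mean_interval, coefficient_of_variation) for a series of
    connection times, or None when there are too few to judge.

    A low coefficient of variation (std / mean) means the gaps between
    connections are nearly constant, which human-driven traffic rarely is.
    """
    if len(timestamps) < min_connections:
        return None
    intervals = [b - a for a, b in zip(timestamps, timestamps[1:])]
    avg = mean(intervals)
    if avg <= 0:
        return None
    return avg, pstdev(intervals) / avg


def destination_popularity(flows):
    """Count how many distinct internal hosts talk to each destination.
    A destination that only one host ever contacts deserves more suspicion."""
    seen = defaultdict(set)
    for _ts, src, dst, _port, _size in flows:
        seen[dst].add(src)
    return {dst: len(srcs) for dst, srcs in seen.items()}


def find_beacons(flows, max_cv=0.15, min_connections=6):
    """Flag (src, dst, port) pairs whose connection timing looks machine-driven."""
    popularity = destination_popularity(flows)
    hits = []
    for (src, dst, port), times in group_flows(flows).items():
        score = beacon_score(times, min_connections)
        if score is None:
            continue
        avg, cv = score
        if cv <= max_cv:
            hits.append({
                "src": src, "dst": dst, "port": port,
                "connections": len(times),
                "interval_mean": avg, "interval_cv": cv,
                "hosts_contacting_dst": popularity[dst],
            })
    # Most regular (lowest jitter) first.
    return sorted(hits, key=lambda h: h["interval_cv"])


if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_FLOWS):
        print(f"{hit['src']} -> {hit['dst']}:{hit['port']}  "
              f"{hit['connections']} connections every {hit['interval_mean']:.1f}s "
              f"(cv={hit['interval_cv']:.3f}, "
              f"{hit['hosts_contacting_dst']} host(s) use this destination)")
```

On the constructed data only the 10.0.0.7 to 203.0.113.45 pair is flagged: its gaps stay within a few seconds of 60 s, while the browsing traffic has a coefficient of variation well above the 0.15 threshold. Two caveats apply in practice. Legitimate periodic traffic (NTP, update checks, monitoring agents) scores just as low, so a hit is a lead for triage, helped by the destination-rarity count, not a verdict. And a bot that randomizes its sleep interval widely will raise the variation above the threshold, which is why real deployments also baseline the set of destinations each host normally contacts rather than relying on timing alone.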