In 2005, a Russian hacker group known as UpLevel developed Zeus, a point-and-click program for creating and controlling a network of compromised computer systems, also known as a botnet. Five years of development later, the latest version of this software, which can be downloaded for free and requires very little technical skill to operate, is one of the most popular botnet platforms for spammers, fraudsters, and people who deal in stolen personal information.
Last week, the security firm NetWitness, based in Herndon, VA, released a report highlighting the kind of havoc the software can wreak. It documents a Zeus botnet that controlled nearly 75,000 computers in more than 2,400 organizations, including the drug producer Merck, the network equipment maker Juniper Networks, and the Hollywood studio Paramount Pictures. Over four weeks, the software was used to steal more than 68,000 log-in credentials, including thousands of Facebook log-ins and Yahoo e-mail log-ins.
“They had compromised systems inside both companies and government agencies,” says Alex Cox, a principal analyst at NetWitness.
A survey conducted by another security firm–Atlanta-based Damballa–found Zeus-controlled programs to be the second most common inside corporate networks in 2009. Damballa tracked more than 200 Zeus-based botnets in enterprise networks. The largest single botnet controlled using the Zeus platform consisted of 600,000 compromised computers.
The Zeus software is less important for its conquests than for its high regard among cybercriminals. “Zeus is incredibly popular with people that want to tinker and start their own small business, if you will,” says Gunter Ollman, vice president of research for Damballa.
A group of four or five developers started working on Zeus in 2005. The following year they released the first version of the program, a basic Trojan designed to hide on an infected system and steal information. In 2007, the group came out with a more modular version, which allowed other underground developers to create plug-ins to add to its functionality.
The latest Zeus platform allows users to build custom malicious software to infect target systems, manage a far-flung network of compromised machines, and use the resulting botnet for illegal gain. The construction kit contains a program for building the bot software and Web scripts for creating and hosting a central command-and-control server.
Independent developers have created compatible “exploit packs” capable of infecting victims’ systems using vulnerabilities in the operating system or browser. Other developers focus on creating plug-in software to help would-be cybercriminals make money from a Zeus botnet. Some add-ons focus on phishing attacks–delivering the images and Web pages needed to create fraudulent banking sites, for example. Other add-ons give bot operators the tools to create spam campaigns. “There is a whole cottage industry around creating add-ons for Zeus,” says Don Jackson, a security researcher with the Counter Threat Unit at SecureWorks, a company based in Atlanta.
The availability of the source code for Zeus has attracted many developers, says Jackson. Online miscreants looking to control their own botnet start with Zeus, because it is simple to use, he says, while the add-ons and extensions satisfy more sophisticated users. “It’s very easy to use right out of the gate,” Jackson says. “But when you add the advanced functionality that costs thousands of dollars, then it becomes a tool for advanced operators.”
Even the basic Zeus kits include obfuscation techniques to help escape detection by antivirus software and other security measures. In one experiment, consultant Alex Heid of Information Security Services found that only about half of antivirus software detected a known Zeus payload. After employing some simple techniques for masking the code, the detection rate dropped even further, to 10 percent. “The cybercrime technologies are advancing faster than the security technologies,” Heid says.
Once Zeus has compromised a system, it gives the user no sign that it’s there, according to Jackson. “What does Zeus look like when it infects your computer? Well, stare at your computer now, and that’s what it looks like,” Jackson says. “It’s designed to do its job and do it successfully and do it silently.”
While both Damballa and NetWitness sell technologies and services for detecting compromises on corporate networks, they do not provide software for end users.
“Most enterprises that we work with have a large number of users, so they basically give up on defending their computers,” Ollmann says. “You make the best attempt with antivirus and firewalls, but they accept that some percentage of their systems are going to be infected, so they focus on detecting and rebuilding the (compromised) systems rather than defending against all threats.”
Cox adds that focusing on the communications between infected systems and a command-and-control server is usually the best way to catch infections. “Understanding what normalcy looks like on your network so you can pinpoint abnormality is what is really important in the current threat environment,” he says. “Don’t trust only your existing security controls, and get eyes on your network.”