July 17, 2013 - Admin

Zeus/Zbot Resurges with New Capabilities

Zeus/Zbot is a particularly nasty bit of malware that plagued financial institutions and individual (Windows) users’ systems from 2007 until 2010. In late 2010, US law enforcement operations and actions taken by Zeus’ creator slowed the rate of infection and the efficacy of the malware. However, 2013 has seen a resurgence of Zeus/Zbot activity. In addition to increased numbers of infections, new Zeus/Zbot variants boast augmented capabilities such as self-propagation. Additionally, Zeus/Zbot is taking advantage of the widespread use of social networking sites, as well as smartphone operating system vulnerabilities, to increase its effectiveness.

A quick summary of Zeus/Zbot’s history will be helpful in contextualizing its newly developed capabilities. Zeus/Zbot was first discovered in 2007 as it exfiltrated sensitive data from the U.S. Department of Transportation. In 2009, the malware went widespread when it compromised 74,000 FTP (file transfer protocol) accounts owned by entities such as Bank of America, NASA, Monster.com, ABC, Oracle, Cisco, and Amazon. Then, in 2010, Zeus/Zbot compromised credit card systems at 15 US financial institutions. At its peak, Zeus/Zbot infected millions of systems worldwide, with at least 3.6 million infections in the United States.

Zeus/Zbot variants active between 2007 and 2010 spread via phishing and drive-by downloads (DbD) and proceeded to steal information via keystroke logging and man-in-the-middle (MitM) exploitation. Once inside a user’s system, Zeus would create a folder, %System%, in which it saved all successfully extracted information as well as its configuration file. Additionally, Zeus/Zbot would modify the Windows hosts file so that infected users were prevented from visiting antivirus and security sites to get help quarantining the malware. These early variants include TSPY_ZBOT.SMD and TSPY_ZBOT.XMAS.

In late 2010 the FBI revealed the results of an ongoing cyber surveillance operation which identified over 100 individuals who had aided in the worldwide propagation of Zeus/Zbot and worked as “money mules” to distribute the illicitly gained funds harvested via Zeus/Zbot. Ninety of these individuals were in the United States and had allegedly been recruited from overseas; the other ten were in the UK and Ukraine. Though these ninety were finally brought to justice, the criminal syndicate still managed to garner $70 million in profits.

Following the FBI takedown, the author of Zeus/Zbot, who went alternately by Umbro and Slavik (among other monikers), announced his retirement and the public distribution of the Zeus/Zbot source code. In the rapidly developing world of criminal malware this act appeared to signal, if not the end, then at least the first indications of Zeus/Zbot’s obsolescence. This, unfortunately, was not the case.

The first half of 2013 has seen a significant resurgence of Zeus/Zbot. Analysts at Trend Micro monitored a steady rise of Zeus/Zbot infections which peaked in May. These new infections display an enhanced version of the malware which differs from its predecessors in a number of ways. Firstly, unlike earlier Zeus/Zbot variants, which used one folder (%System%) to hold both the data stolen from the user’s system and the malware’s own configuration file, the new variants create two randomly named folders inside the %Applications Data% folder. In this iteration of the malware, stolen data is encrypted and stored in one folder while the configuration file is stored in the other. This can make detection and threat mitigation more difficult than with previous versions.

Additionally, the new Zeus/Zbot variant connects to randomized remote sites to download its configuration files. This enables the malware controllers to continuously modify the objectives and targets of the malware by distributing updated configuration files. In the encrypted configuration file, the malware receives directives which identify sites from which updated copies of itself can be downloaded, lists of financial websites to monitor, and remote sites to which it should send its encrypted stolen data.

These internal, architectural modifications aren’t the only new Zeus/Zbot characteristics identified recently. The malware has also shown an increased proclivity for social engineering via social networking websites such as Facebook. The advocacy group Fans Against Kounterfeit Enterprise (FAKE) recently released a report noting significant increases in malicious links on Facebook N.F.L. fan pages which infect unlucky clickers with the new Zeus variant. These versions are allegedly hosted on IP blocks once controlled by the Russian Business Network, a now-defunct cyber criminal syndicate which played a large role in electronic financial crime and child pornography distribution in the late 1990s and early 2000s.

Probably the most disturbing new capabilities exhibited by the resurgent Zeus/Zbot variants are those which enable self-propagation and infection of internet-enabled mobile devices. Researchers have recently identified a ZBOT variant, WORM_ZBOT.GJ, which infects systems via a malicious .pdf file masquerading as a sales invoice; opening it in Adobe Reader triggers an error message. While the user is preoccupied with this ‘error,’ the malware runs an auto-update routine. It then searches the system for any removable media drives. If any are found, ZBOT implants a copy of itself on the removable media, potentially spreading itself further to any system the user subsequently connects that media to. There have also been recent instances of Windows-specific Zeus/Zbot malware being modified to target BlackBerry and Android OS mobile devices. Considering the scale of removable media use and the prevalence of the Android and BlackBerry mobile operating systems, this development could mean even greater rates of infection than Zeus/Zbot claimed at the height of its 2007-2010 period.

Mitigation of Zeus/Zbot is not impossible, but as described above, it is increasingly difficult. This repurposing of ‘obsolete’ malware with enhanced infection vectors and self-propagation capabilities is indicative of an emerging trend in which ‘old’ malware becomes new again. Essentially any outdated variant of formerly successful malware could be repurposed by enterprising hackers and prove extremely successful in a new context. Considering the rate of progress and innovation in the information sphere, the developments which make computing better can actually create opportunities to recycle ‘retired’ threats. Given this, basic AV programs will not always be enough to protect systems carrying information valuable to hackers.
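The hosts-file tampering described above (pinning antivirus and security sites so the victim cannot reach them) is one of the few Zeus/Zbot behaviours a defender can check for directly on a suspect machine. The following is an added example, not code from the original post or from Anomali: a small Python checker that parses hosts-file text and flags any entry that maps a security-vendor or update domain; the watch-list and the sample hosts content are constructed for this example.

```python
import ipaddress
import re

# Constructed watch-list of security-vendor and update hosts; extend it with
# the vendors your fleet actually uses.
WATCHED_DOMAINS = {
    "update.microsoft.com", "windowsupdate.microsoft.com",
    "www.symantec.com", "www.mcafee.com",
    "www.trendmicro.com", "www.kaspersky.com",
}

# Constructed sample hosts file: two benign entries plus three that pin
# security sites to loopback, 0.0.0.0 or an external address.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
10.0.0.5        build.lab.internal
127.0.0.1       www.symantec.com
0.0.0.0         update.microsoft.com windowsupdate.microsoft.com
198.51.100.23   www.kaspersky.com   # constructed external redirect
"""

def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping comments, blanks and bad addresses."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        ip, *names = re.split(r"\s+", line)
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        for name in names:
            yield ip, name.lower()

def find_hijacked_entries(text, watched=WATCHED_DOMAINS):
    """Return (hostname, ip, kind): loopback/0.0.0.0 blocks traffic, anything else redirects it."""
    findings = []
    for ip, name in parse_hosts(text):
        if name in watched or any(name.endswith("." + d) for d in watched):
            addr = ipaddress.ip_address(ip)
            kind = "blocked" if addr.is_loopback or addr.is_unspecified else "redirected"
            findings.append((name, ip, kind))
    return findings

if __name__ == "__main__":
    for name, ip, kind in find_hijacked_entries(SAMPLE_HOSTS):
        print(f"{kind:10s} {name} -> {ip}")
```

On a real Windows host, read `%SystemRoot%\System32\drivers\etc\hosts` and pass its contents to `find_hijacked_entries`; any hit is worth investigating, since a clean install needs no static mapping for these domains.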
