For the past three years, the ZeuS trojan has been the king of financial malware. It is the weapon of choice for criminals that target financial institutions and their online customers. This crimeware platform is available in several different incarnations, and is continuously being improved to help it stay one step ahead of detection.
At Trusteer, our research team estimates that between 0.5% and 1% of all personal computers in the Western world are currently infected with ZeuS. At over a billion PCs, this is about 10 million infected machines. ZeuS is designed to evade detection by many anti-virus programs and fraud prevention systems by taking control of web browser sessions and stealing information that is presented and exchanged during communication with a bank’s servers.
Why is ZeuS So Elusive?
ZeuS infection rates are still rising because criminals continue to develop increasingly sophisticated scams that trick users into installing the trojan. These tactics are varied.
Infection can take the form of a ‘drive-by’ download when visiting a seemingly innocuous website or clicking on a link in a malicious email. Some recent schemes used to fool users have included invitations to download a security patch from what appears to be a trusted source – such as a company IT department or a respected software provider. The success rates of these campaigns has driven criminal groups to develop similar themes that are even more creative and believable, and exploit social networks like Facebook, Twitter and LinkedIn.
The next stumbling block is that the ZeuS malware is exceptionally sophisticated. When the ZeuS installer/dropper runs on the user’s machine it creates a file registry entry with a random name that is extremely difficult to detect and block, and therefore protect against. The permanent ZeuS file it then creates is unique to each machine. This capability makes ZeuS nearly impossible to detect – and it escapes ordinary anti-virus and firewall mechanisms.
The detection problem is further compounded by the fact that ZeuS infects system processes in order to hide itself. When an infected machine is scanned, the ZeuS process does not appear to be running. Hidden from view, the trojan can inject itself into any newly opened browser session and can go about conducting its ‘business’ undetected.
What Is ZeuS’ ‘Business’ Exactly?
From within the browser, ZeuS monitors all outgoing browser requests and collects credentials and personal information entered into any forms – such as login details for online banking. It is also capable of modifying incoming web pages and uses this capability against the PC’s user.
For example, ZeuS can add extra input fields to the web page being displayed to encourage the user to enter additional information, such as verification or normal account ‘challenge’ questions. These credentials are then sent back to the malware controller who uses them to conduct fraudulent transactions.
We have also seen instances of ZeuS manipulating information displayed on the web pages presented to users. For example, ZeuS can modify a user’s bank account balance to hide the fact that funds have been stolen from the account. This prevents the user from discovering that fraud has taken place on their account until they receive a statement. This delay in the discovery and reporting of fraudulent activity allows criminals to fleece the same account several times using smaller sums that are not detected by the bank’s fraud detection systems.
Five Ways to Thwart ZeuS
These methods can help banks and other online businesses work with their customers to stop ZeuS from gaining access to account information and stealing funds:
- Know the Enemy: Understand the threat landscape. From a position of knowledge, you can identify and monitor its activities and perhaps even defeat attacks in real time, alerting law enforcement agencies immediately – the sooner this is done, the easier it is to find the culprits.
- Target the Weakest Link: ZeuS uses the web browser to launch its attack, so this vector must be closed. There are software and services available to lock down the browser, prevent unauthorized access to web pages and protect the sensitive information that flows through it.
- Warn Customers/Users: Establish a communications mechanism to notify customers about new campaigns criminals are running. Knowledge is power, and it can help users avoid falling for phishing scams that will install ZeuS on their PCs.
- Help Customers Defend their Machines: ZeuS operates outside the security perimeter and protocols of financial institutions, but the hygiene of customers’ PCs is critical for reducing risk. Provide regular advice and reminders to customers to keep their PCs clean, patched and protected.
- Identify ZeuS Infected PCs: Identifying and tracking infected user machines (until they can be disinfected) can provide a wealth of intelligence that can be used to protect against new attacks. Technology is available that can discover the type of malware present on a machine, how it is configured, what it does to change the bank’s web pages when retrieved by the browser, and even capture a sample for examination in the lab. This information not only helps with disinfection, but also helps to establish defense mechanisms that would prevent subsequent attempts by ZeuS to change web pages presented on other customers’ machines.
Zeus is a very sophisticated and adaptable online fraud platform that has been helped along by criminals who have developed cunning techniques to trick users into installing the trojan. However, through end-user education, research into ZeuS’ inner workings, and information sharing between security vendors, banks, and law enforcement, we are making progress against this worldwide phenomenon. How well we learn the lessons from ZeuS will determine our ability to fight off and limit the damage caused by the next crop of financial malware already on our doorstep, including Bugat, SpyEye, and Carberp.
Amit Klein is a noted malware researcher and CTO of secure browsing service provider Trusteer. He is an expert on internet and endpoint security, and a frequent speaker at industry events.