The disruption of Cryptolocker and GameoverZeus
by Lucas Zaichkowsky - Enterprise Defense Architect at AccessData - Tuesday, 3 June 2014.
Part of the difficulty in unraveling ZeuS botnet infrastructure is mapping it out. Attackers usually plant a generic dropper within an emailed file disguised to look like a document, or deliver it via web sites using popular exploit kits such as Blackhole, which can identify vulnerable software on each visitor and deliver the right exploit.

That initial dropper wouldn't be classified as ZeuS. Instead, it has a list of hard-coded addresses to download ZeuS from. After ZeuS is downloaded and executed, a new variant is created on the fly for each infection, and the original dropped ZeuS is then deleted. This makes it difficult for antivirus vendors to identify all compromised systems, since each infected system has its own unique copy.

A little over a month ago, I analyzed a Gameover sample. Manual analysis uncovered that while installing ZeuS, the dropper quickly ran a special purpose password stealer, designed to grab saved passwords from popular software such as web browsers, then deleted it. That very important detail wasn't evident in reports generated by automated malware analysis engines.

I shared my analysis in the comments section in this VirusTotal report. Additionally, you can see in this report that as of four weeks ago when the dropped ZeuS sample was last submitted, only 6 of 52 antivirus engines detected it. I submitted all samples to the antivirus vendors and the detection rate is probably much better now.

ZeuS/Zbot botnets are extremely common and simple to operate with minimal investment. Criminals pay for a custom variation of the ZeuS builder which is guaranteed to create new variants undetectable by antivirus software. They then run their phishing campaigns, which cost them nothing, or they pay for an exploit kit so that they don't have to worry about email attachments getting blocked.

Most security software that detects botnet droppers only has information on one or two servers hosting the botnet executable. It takes manual analysis to uncover all the indicators produced by any given ZeuS campaign. You can see the manual analysis I did on a fresh sample unrelated to Gameover that arrived in my home email on June 1st. See the comments section of this VirusTotal entry for my manual analysis results, then compare to this automated threat report. The automated report identified one domain that the dropper downloads ZeuS from. Manual analysis uncovered all ten and a narrative sequence of events.

People and organizations worried about botnet infections could avoid a lot of hassle by following these recommendations:

1. Block email attachments that are executable files, or zip files that contain executable files, such as exe and scr.

2. Use vulnerability mitigation software to make up for unpatched software to avoid getting hit by exploit kits. The Microsoft Enhanced Mitigation Experience Toolkit (EMET) has a proven track record of protecting from attacks including rare 0days before software patches are even available. Also, EMET can be managed in corporate environments using group policies.

3. Install antivirus software. Although not perfect, antivirus software can still catch a large percentage of malware and reduce noise.
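
One way to enforce recommendation 1 at a mail gateway, shown as an added example that is not code from the article or its author. It goes beyond plain extension matching by also checking for the MZ header of renamed binaries and by opening nested zips; the extensions other than exe and scr, the depth and size limits, and all function names are assumptions.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

BLOCKED_EXT = (".exe", ".scr", ".com", ".pif", ".bat", ".cmd")  # exe/scr from the article; rest assumed
MAX_DEPTH, MAX_NESTED = 2, 20 * 2**20  # zip levels opened; bytes read from a nested zip

def is_executable(name, head=b""):
    # Windows drops trailing dots/spaces ("a.exe." runs); "MZ" is the DOS/PE header.
    return name.lower().rstrip(". ").endswith(BLOCKED_EXT) or head[:2] == b"MZ"

def scan_zip(data, label, depth=1):
    if depth > MAX_DEPTH:
        return [f"{label}: zip nested too deep"]
    hits = []
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                member = f"{label}!{info.filename}"
                with zf.open(info) as fh:  # RuntimeError if the member is encrypted
                    head = fh.read(4)
                    if is_executable(info.filename, head):
                        hits.append(f"{member}: executable")
                    elif head == b"PK\x03\x04":
                        hits.extend(scan_zip(head + fh.read(MAX_NESTED), member, depth + 1))
    except (zipfile.BadZipFile, RuntimeError, NotImplementedError):
        hits.append(f"{label}: unreadable or encrypted zip")  # fail closed
    return hits

def scan_message(raw):  # returns reasons to block; [] means nothing was found
    hits = []
    for part in message_from_bytes(raw, policy=policy.default).walk():
        name = part.get_filename()
        if part.is_multipart() or (name is None and part.get_content_maintype() == "text"):
            continue
        name, data = name or "(unnamed)", part.get_payload(decode=True) or b""
        if is_executable(name, data):
            hits.append(f"{name}: executable")
        elif data[:4] == b"PK\x03\x04" or name.lower().endswith(".zip"):
            hits.extend(scan_zip(data, name))
    return hits

def sample():  # constructed message: a zip attachment holding "invoice.pdf.scr"
    buf, msg = io.BytesIO(), EmailMessage()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("invoice.pdf.scr", b"MZ (constructed bytes, not a real binary)")
    msg.set_content("See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application", subtype="zip", filename="invoice.zip")
    return msg.as_bytes()
```

Calling `scan_message(sample())` returns one reason naming the `.scr` member inside the zip; a gateway hook would reject or quarantine any message for which the list is non-empty.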
