Zeus: Botnets Multiplying At Your Service
October 14, 2009 at 11:31 am
It is no secret that modern crimeware kits are readily available to anyone who wishes to join the dark side, and that availability has become a rather large problem. Frameworks and recycled malicious code have long been used to spawn new attacks: examples include RBot/Zotob, SDBot, Pushbot and, of course, ZBot. Since the early 2000s these resources have accumulated and become more accessible in the digital underground, acting as a catalyst for the influx of malware and attacks we witness today.
The black hat process can be compared to the transition into the “Web 2.0” era: existing frameworks were first built to be functional, yet were inherently rudimentary, with a narrow scope aimed at IT professionals. They were then refined to enhance functionality and manageability, and in turn the refined frameworks became more accessible and widely adopted, widening the scope considerably. Malware has followed much the same path in the form of kits (phishing, do-it-yourself botnets) and botnets/spam engines for hire, complete with documentation and even consulting services. As a result, entry-level black hats (“script kiddies”) are now included in this widened scope, easily hopping on board the cybercrime train with a small investment or a list of contacts in hand.
August 2009 marked our highest detected activity level yet for any single malware variant: a ZBot binary attached to a fake eCard email (see image here). Each attack lasted no more than one day, very much in a hit-and-run fashion. More recently, ZBot has been spotted in fraudulent IRS emails (see image here). The social engineering behind each ZBot attack varies.
A great deal of maintenance goes into these frameworks, whether rebranding malicious scareware binaries or releasing new versions of kits with more functionality and evasion techniques. While this cat-and-mouse game continues, Fortinet’s Doug Macdonald provides an analysis of a modern Zeus botnet, highlighting client and server communication as well as creation and deployment. It is a perfect example of another high-profile blended threat (see our Waledac analysis for another). Zeus/ZBot goes beyond obfuscating the malicious binary itself: as Zeus continues to evolve, the command-and-control traffic it sends across the network is also obfuscated and encrypted, which frustrates inspection of that traffic in transit.
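To make the last point concrete, the following Python script is an added illustration and is not code from this post, from the Fortinet analysis, or from any Zeus sample. It encrypts a constructed bot-to-C2 report with RC4 (chosen as a stand-in symmetric stream cipher; the cipher choice, the key, the report format and the "signatures" are all assumptions made for the example) and shows two things a practitioner cares about: cleartext signatures that fire on the raw report do not fire on the wire blob, and a byte-entropy check still flags the blob as worth a closer look. The RC4 routine doubles as the decryptor, which is what an analyst applies once the key has been recovered from the binary.

```python
"""RC4-style obfuscation of a bot check-in, and what a sensor can still see.

Added example for this post. Nothing here is taken from a Zeus sample:
the cipher (RC4), the key, the report format and the naive signatures are
constructed assumptions chosen to demonstrate why encrypted C2 traffic
defeats cleartext pattern matching, and why entropy is a weak but useful
fallback heuristic.
"""
from collections import Counter
import math


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream XOR).

    Encryption and decryption are the same operation, so this function is
    used for both directions below.
    """
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: roughly 4-5 for ASCII text, approaching 8 for ciphertext."""
    counts = Counter(data)
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


# Constructed sample: a hypothetical key/value check-in of the kind a
# banking trojan might POST to its drop zone. Not a real capture.
SAMPLE_REPORT = (
    b"bot_id=PC-8X1Q_0A1F2B3C&version=1.2.4&os=winxp_sp3&"
    b"country=us&url=https://bank.example.test/login&"
    b"form=user=jdoe&pass=hunter2&balance=1520.40&"
    b"ip=203.0.113.7&uptime=86400&report=keylog,form-grab,screenshot&"
    b"time=2009-10-14T11:31:00Z&plugins=none&note=padding-padding-padding"
)
SAMPLE_KEY = b"constructed-demo-key"  # assumed key; not from any sample

# Strings a naive IDS rule might match in cleartext bot traffic (assumed).
NAIVE_SIGNATURES = [b"bot_id=", b"form-grab", b"pass="]


def encrypt_report(report: bytes, key: bytes) -> bytes:
    """What the bot puts on the wire."""
    return rc4(key, report)


def decrypt_report(blob: bytes, key: bytes) -> bytes:
    """What an analyst does once the key is pulled from the binary."""
    return rc4(key, blob)


def signature_hits(blob: bytes) -> list:
    """Which naive cleartext signatures fire on this blob?"""
    return [sig for sig in NAIVE_SIGNATURES if sig in blob]


def looks_encrypted(blob: bytes, threshold: float = 6.0) -> bool:
    """Crude heuristic: flag high-entropy request bodies for closer inspection.

    The 6.0 bits/byte threshold is an assumption for this example; real
    deployments tune it against compressed and image traffic to limit noise.
    """
    return shannon_entropy(blob) > threshold


if __name__ == "__main__":
    wire = encrypt_report(SAMPLE_REPORT, SAMPLE_KEY)
    print("signatures on cleartext:", signature_hits(SAMPLE_REPORT))
    print("signatures on wire blob: ", signature_hits(wire))
    print("entropy cleartext=%.2f wire=%.2f"
          % (shannon_entropy(SAMPLE_REPORT), shannon_entropy(wire)))
    assert decrypt_report(wire, SAMPLE_KEY) == SAMPLE_REPORT
```

The entropy check is deliberately modest: it cannot say what the blob contains, only that cleartext rules will not help, which is exactly the situation the evolving Zeus C2 channel creates for network defenders. Recovering the content still requires the key, which lives in the bot binary and is the job of the host-side analysis the linked write-up covers.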
