In recent years, cyber criminals have become increasingly fond of using a form of malware known as keylogging, in which the victim's keystrokes are monitored and recorded in an effort to obtain personal information. One of the most "successful" forms of this type of malware is the Zeus keylogger. First identified in 2007, Zeus has compromised millions of computers throughout the world, mainly through drive-by downloads and phishing schemes.

New Zeus Variant Identified

A new, enhanced variant of the Zeus malware has been identified. It uses a peer-to-peer technology that could make it more difficult to detect and remediate. The following information describes the new variant, ways in which it can be identified, and recommendations to help mitigate the risks associated with Zeus. Please note that those agencies utilizing SC-ISAC's online monitoring system, CyberSentry, are being actively monitored for these new techniques and notices are being sent out as appropriate. This information is being distributed in order to help keep everyone as informed as possible on these new threats.

A Closer Look at the "New" Zeus

The "new" version of Zeus implements a peer-to-peer (P2P) technology that allows it to receive orders without first having to go through a central command and control server. As soon as a computer becomes infected, it will try to locate an active node by sending User Datagram Protocol (UDP) packets on high ports. If the bot hits an active node, the remote node will respond with a list of current IP addresses that are participating in the P2P network. In addition, the remote node will tell the requesting node which binary and config version it is running. If the remote node is running a more recent version, the bot will connect to it on a Transmission Control Protocol (TCP) high port in order to download a binary update and/or the current config file. Afterwards the bot will connect to the command and control domain listed in the config file using HTTP POST.

What This Means To You

Successful exploitation of these vulnerabilities by the new Zeus variant could result in an attacker gaining the same privileges as the legitimate logged-on user. Depending on the privileges associated with the user, an attacker could then install programs; view, change, or delete data; or create new accounts with full user rights. Failed attempts could result in a denial of service.

Help Identify Zeus

In order to help identify Zeus, you or your information technology (IT) staff should watch out for the following strings in your Web proxy logs, which are being used as a drop zone for this Zeus version (using HTTP POST). Such strings include "/gameover.php", "/gameover2.php" and "/gameover3.php".

Systems Affected by Zeus

Any Windows system

Risk Levels Associated with Zeus

Government (large and medium entities): High Risk
Government (small entities): High Risk
Business (large and medium entities): High Risk
Business (small entities): High Risk
Home Users: High Risk

Recommendations

In order to help mitigate the risks associated with this threat, we recommend the following actions be taken:

- Apply appropriate patches provided to affected systems immediately after appropriate testing
- Implement network egress filtering
- Monitor Web proxy/intrusion detection systems
- Remind users not to download or open files from untrusted websites
- Remind users not to open e-mail attachments from unknown users or suspicious e-mails from trusted sources
- Remind users not to click links from unknown sources, or to click links without verifying the intended destination
- Run all software as a non-privileged user (one without administrative privileges) to diminish the effects of a successful attack
- Permit local access for trusted individuals only. Where possible, use restricted environments and restricted shells.

Zeus v3 Peer-to-Peer Network Diagram (image not reproduced here)
__________________
I am the eggman, they are the eggmen, I am the walrus.
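A defender-side check for the proxy-log indicator described in the post, as an added example that is not part of the original post or of any SC-ISAC tooling: it scans constructed sample lines in an assumed simplified proxy log layout (timestamp, client IP, method, URL, status, bytes) and reports every request whose path matches one of the three advisory strings, together with its HTTP method, so the POST drop-zone traffic the advisory describes stands out.

```python
import re
from urllib.parse import urlsplit

# Drop-zone URI strings named in the advisory for this Zeus variant.
ZEUS_DROP_PATHS = {"/gameover.php", "/gameover2.php", "/gameover3.php"}

# Constructed sample lines (not real traffic) in an assumed simplified layout:
#   timestamp  client_ip  method  url  status  bytes
SAMPLE_PROXY_LOG = """\
2012-03-01T10:02:11Z 10.1.4.22 GET http://www.example.com/index.html 200 5120
2012-03-01T10:02:19Z 10.1.4.22 POST http://drop.example.invalid/gameover.php 200 311
2012-03-01T10:03:05Z 10.1.4.37 GET http://cdn.example.com/gameover.php?x=1 404 0
2012-03-01T10:05:40Z 10.1.4.51 POST http://c2.example.invalid/GAMEOVER2.PHP?id=7 200 290
2012-03-01T10:06:02Z 10.1.4.51 POST http://intranet.example.com/upload.php 200 9981
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<method>[A-Z]+)\s+"
    r"(?P<url>\S+)\s+(?P<status>\d{3})\s+(?P<bytes>\d+)$"
)


def is_zeus_drop_path(url):
    """True when the URL path is one of the advisory strings.

    The path is compared case-insensitively and without its query string,
    so /GAMEOVER2.PHP?id=7 is still matched.
    """
    return urlsplit(url).path.lower() in ZEUS_DROP_PATHS


def find_zeus_hits(log_text):
    """Return (client_ip, method, host, path) for each matching request.

    Lines that do not fit the assumed layout are skipped rather than
    raising, so a partially garbled log still yields the usable hits.
    """
    hits = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or not is_zeus_drop_path(m["url"]):
            continue
        parts = urlsplit(m["url"])
        hits.append((m["client"], m["method"], parts.hostname, parts.path.lower()))
    return hits


if __name__ == "__main__":
    for client, method, host, path in find_zeus_hits(SAMPLE_PROXY_LOG):
        print(f"possible Zeus drop-zone request: {client} {method} {host}{path}")
```

Any POST hit is the pattern the advisory names; GET hits on the same strings are still worth a look, which is why the method is reported rather than filtered.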