Zeus is a game-changing piece of malware for the financial services industry, and perhaps its most pernicious computer-related threat. It specifically targets users' banking information and defeats strong multi-factor authentication (MFA) methods used by banks, including hardware tokens that generate one-time passwords. A recently reported technique for spreading Zeus via PDF files threatens to widen its reach further. More on this below.
Zeus Overview
Zeus is a sophisticated banking Trojan toolkit, one of a number of types of crimeware, that lets botmasters build unique Zeus bot variants which, among other things, steal user data from infected computers. SecureWorks CTU reports that Zeus:
Man-in-the-Browser Attack
Perhaps most alarming for banks that have deployed multi-factor authentication (MFA) for their business banking clients is that Zeus enables "man-in-the-browser" attacks that transfer funds from your bank account to an account under the control of the Zeus botmaster. This undermines the strongest security banks have deployed to their clients on any scale: the hardware token with random number generation (RNG) for one-time passwords. Once the user logs into his or her bank account, Zeus employs a real-time chat notifier (based on the Jabber client) to notify the botmaster that the user has authenticated to the bank. Typically, at the time of a wire transfer the user is required to enter a one-time password from their hardware token (for example an RSA token). Once the one-time RNG password is entered, the botmaster schedules the transfer to an account under his control by substituting the beneficiary bank account details for the transfer. The funds are transferred to the botmaster's account with the user's unwitting permission.
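The weakness the paragraph describes is that the one-time password proves only that the user is present; it says nothing about which beneficiary the user meant to pay, so a substituted beneficiary passes the same check. The following is an added example (not code from the article, SecureWorks or any bank) contrasting a plain counter-based OTP with a transaction-bound code in which the MAC covers the beneficiary and amount the user confirms on the token display. The shared secret, account identifiers and amounts are constructed placeholders.

```python
import hashlib
import hmac
import json

# Constructed demo secret shared by the bank and the user's token (assumption:
# in a real deployment it exists only inside the token and the bank's HSM).
DEMO_TOKEN_SECRET = bytes.fromhex("00112233445566778899aabbccddeeff")


def _truncate(digest: bytes, digits: int = 8) -> str:
    """HOTP-style dynamic truncation (RFC 4226) so the code fits a token display."""
    offset = digest[-1] & 0x0F
    value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


def session_otp(secret: bytes, counter: int) -> str:
    """A plain one-time password: depends only on the secret and a counter.
    This models the hardware-token OTP the article says Zeus defeats."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return _truncate(mac)


def transaction_code(secret: bytes, beneficiary: str, amount_cents: int,
                     currency: str, nonce: str) -> str:
    """A transaction-bound code: the MAC covers the beneficiary and amount the
    user confirms on the token display, so a substituted beneficiary changes it."""
    payload = json.dumps(
        {"beneficiary": beneficiary, "amount": amount_cents,
         "currency": currency, "nonce": nonce},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    mac = hmac.new(secret, payload, hashlib.sha256).digest()
    return _truncate(mac)


def bank_verifies_session_otp(secret: bytes, submitted: str, counter: int) -> bool:
    return hmac.compare_digest(session_otp(secret, counter), submitted)


def bank_verifies_transaction(secret: bytes, submitted: str, beneficiary: str,
                              amount_cents: int, currency: str, nonce: str) -> bool:
    expected = transaction_code(secret, beneficiary, amount_cents, currency, nonce)
    return hmac.compare_digest(expected, submitted)


def simulate_mitb_substitution() -> dict:
    """Replay the scenario from the article: the user authorises a transfer to
    INTENDED, and the malware swaps in MULE before the request reaches the bank."""
    intended, mule = "GB00-INTENDED-0001", "GB00-MULE-9999"   # constructed account ids
    amount, currency, nonce = 250_000, "GBP", "txn-00042"      # constructed values

    # 1. Plain OTP scheme: the user keys in the OTP, the malware forwards it
    #    unchanged with a different beneficiary. The beneficiary never enters
    #    the check, so the bank cannot tell the two requests apart.
    otp = session_otp(DEMO_TOKEN_SECRET, counter=17)
    plain_intended_ok = bank_verifies_session_otp(DEMO_TOKEN_SECRET, otp, 17)
    plain_substituted_ok = bank_verifies_session_otp(DEMO_TOKEN_SECRET, otp, 17)

    # 2. Transaction-bound scheme: the code the user produced is tied to INTENDED.
    code = transaction_code(DEMO_TOKEN_SECRET, intended, amount, currency, nonce)
    bound_intended_ok = bank_verifies_transaction(
        DEMO_TOKEN_SECRET, code, intended, amount, currency, nonce)
    bound_substituted_ok = bank_verifies_transaction(
        DEMO_TOKEN_SECRET, code, mule, amount, currency, nonce)

    return {
        "plain_otp_accepts_intended": plain_intended_ok,
        "plain_otp_accepts_substituted": plain_substituted_ok,
        "bound_code_accepts_intended": bound_intended_ok,
        "bound_code_accepts_substituted": bound_substituted_ok,
    }


if __name__ == "__main__":
    for check, result in simulate_mitb_substitution().items():
        print(f"{check}: {result}")
```

The binding only helps if the beneficiary and amount the user confirms come from a display the malware cannot rewrite (the token's own screen or an out-of-band channel); a code computed over values shown in the compromised browser would simply be computed over the substituted values.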
Zeus will also capture users' digital certificates, such as PKCS #12 files, that some banks issue to authenticate users to the bank. This is yet another assurance mechanism, previously thought strong, that Zeus reduces to a mere speed bump.
The figures below, produced by SecureWorks, show a log of a Zeus victim's login credentials and banking transaction details. The information captured includes the bot ID, Zeus software version number, botnet name, victim IP, operating system type and the bank's URL.

Zeus Banking Login Information Captured by Zeus (produced by Secure Works http://www.secureworks.com/research/threats/zeus)

Banking Transaction Captured by Zeus (Produced by Secure Works http://www.secureworks.com/research/threats/zeus)
Re-directing Users to Rogue Bank Sites
Another popular method for stealing banking credentials is to redirect users to a website under the botmaster's control simply by rewriting the user's DNS settings to point to a rogue DNS server. When the user visits a banking domain (e.g., Bank of America), the rogue DNS server returns an IP address that points to the attacker's website, a replica of the actual BoA site controlled by the botmaster. Since each user's DNS configuration is relatively unique and there is no single "correct" answer for all users, changes to it are not detected by standard endpoint security software.
The figure below, produced by the Zeus Tracker site, shows a decrypted configuration file placed on a victim's machine that allows the Zeus botmaster to target the victim when they log on to particular social networking or banking sites and either capture their credentials or redirect them accordingly.
Exfiltrating Data using Zeus
In some cases, Zeus injects additional fields into bank login pages asking users to enter the answers to the personal questions that banks often use to authenticate you in addition to a password. This information is stored in an online database alongside your login credentials. Zeus captures Personally Identifying Information (PII) that it grabs from Internet Explorer and Firefox form fields and exfiltrates the data to a drop-zone server via HTTP, encrypting it with the RC4 cipher. Most organizations today do not inspect outbound HTTP traffic for malicious exfiltration, and most cannot do anything about encrypted payloads. So Zeus is free to exfiltrate its data and receive command and control over HTTP without being observed or interfered with by local IDS/IPS systems.
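The paragraph's point is that an RC4-encrypted upload rides out of the network as an ordinary HTTP POST. An encrypted body still has a measurable signature, though: it is close to uniformly random, and it rarely matches the content type the request claims. The following added example (my code, not Zeus, SecureWorks or any product) runs two such checks, byte entropy and a content-type versus non-printable-ratio mismatch, over constructed POST records. The RC4 routine is a textbook implementation used only to build a realistic ciphertext sample; the key, hosts and field values are placeholders.

```python
import math
from collections import Counter

PRINTABLE = set(range(0x20, 0x7F)) | {0x09, 0x0A, 0x0D}
ENTROPY_THRESHOLD = 6.5        # bits per byte; plain form data usually sits around 4-5
NONPRINTABLE_THRESHOLD = 0.10  # a form-encoded body should be almost entirely printable


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 key scheduling plus keystream generation, used here only to
    build a ciphertext sample (the article states Zeus encrypts uploads with RC4)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the observed byte histogram (max 8.0)."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def nonprintable_ratio(data: bytes) -> float:
    if not data:
        return 0.0
    return sum(1 for b in data if b not in PRINTABLE) / len(data)


def suspicious_reasons(post: dict) -> list:
    """Return the reasons an outbound POST looks like an encrypted upload."""
    body = post["body"]
    reasons = []
    ent = shannon_entropy(body)
    if ent > ENTROPY_THRESHOLD:
        reasons.append(f"high-entropy body ({ent:.2f} bits/byte)")
    npr = nonprintable_ratio(body)
    if post["content_type"].startswith("application/x-www-form-urlencoded") and npr > NONPRINTABLE_THRESHOLD:
        reasons.append(f"form-encoded content type but {npr:.0%} non-printable bytes")
    return reasons


def analyse_posts(posts: list) -> list:
    """Return [(index, reasons)] for every POST that trips at least one check."""
    flagged = []
    for idx, post in enumerate(posts):
        reasons = suspicious_reasons(post)
        if reasons:
            flagged.append((idx, reasons))
    return flagged


# Constructed sample traffic. The third body models a form-grabber upload on the
# wire: a batch of harvested fields, RC4-encrypted with a demo key. All values
# (hosts, credentials, key) are placeholders, not data from any real incident.
_HARVESTED_FIELDS = (b"login=alice&password=PLACEHOLDER&ssn=000-00-0000&"
                     b"mothers_maiden=PLACEHOLDER&url=https://bank.example/login&") * 8
SAMPLE_POSTS = [
    {"host": "bank.example", "content_type": "application/x-www-form-urlencoded",
     "body": b"login=alice&password=PLACEHOLDER&remember=1"},
    {"host": "analytics.example", "content_type": "application/json",
     "body": b'{"event":"pageview","path":"/accounts","ts":1270000000}'},
    {"host": "198.51.100.23", "content_type": "application/x-www-form-urlencoded",
     "body": rc4(b"demo-key-not-real", _HARVESTED_FIELDS)},
]

if __name__ == "__main__":
    for idx, reasons in analyse_posts(SAMPLE_POSTS):
        print(f"POST #{idx} to {SAMPLE_POSTS[idx]['host']}: " + "; ".join(reasons))
```

Entropy alone will also fire on legitimate compressed or TLS-wrapped uploads, so in practice the body checks are combined with destination reputation (a bare IP rather than a known hostname, as in the third record) and with the regularity of the posting interval before an alert is raised.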
Killing the OS
Some Zeus variants include a "kos" command (for "kill the operating system") that, when issued by the Zeus botmaster, incapacitates the victim's operating system (see code that employs this). When a Zeus bot receives this command, it deletes key system registry branches, which in turn produces the vaunted Blue Screen of Death (BSOD).
Exploiting PDFs
Zeus is spread through any number of mechanisms, including drive-by downloads from the web browser, email phishing and, more recently, PDF exploitation. In 2009, Symantec alone detected 90,000 unique variants of Zeus. The attacks are often targeted, beginning with online reconnaissance of a target organization by searching social network sites such as Facebook or LinkedIn. Information gathered from these pages is then used to craft specific emails to victims, who in turn click on links (such as friend requests apparently from a colleague). This technique is called spear phishing and is highly effective. The links redirect users to a website that exploits a vulnerability in their browser to install the Trojan. In many cases, a zero-day exploit isn't needed: websites and emails can "social engineer" users into installing rogue security software, plug-ins or updates to plug-ins. Likewise, getting users to open infected PDFs is not that difficult, as many users feel safer opening PDFs than MS Office documents.
However, PDFs, as a class, have been the most significant source of infections over the last year. For example, the Hydraq/Aurora Trojan, which exploited a patched vulnerability in Adobe Reader, Flash and Microsoft Internet Explorer, was used to turn these programs into a telnet server, which in turn allowed botmasters to download Trojans of their choice.
The table below, from Symantec's Global Internet Security Threat Report Volume XV, shows that PDF suspicious file downloads were the #1 web-based attack vector in 2009 according to Symantec data.

Top Web-Based Attacks (from Symantec Global Internet Security Threat Report Volume XV http://eval.symantec.com/mktginfo/enterprise/white_papers/b-whitepaper_exec_summary_internet_security_threat_report_xv_04-2010.en-us.pdf)
Exploiting A Design Feature in PDF
Most PDF attacks exploit vulnerabilities in Adobe Reader or other PDF viewer applications. More recently, however, m86 Security reported that a design feature (or flaw) in Adobe Reader is now being exploited to install Zeus on victims' machines.
The PDF 1.7 specification includes a Launch action that enables PDF documents to execute Windows shell commands. The attack works as follows: a user receives an email with a PDF attachment; when the user opens the document, JavaScript runs within their PDF reader and opens a dialog box asking the user to specify a file to extract to. The m86 Security report shows the following screen capture:

Royal Mail PDF Exploit (from m86 Security http://www.m86security.com/labs/traceitem.asp?article=1301)
The file being extracted is actually a Zeus Trojan executable. Once the JavaScript completes, the Launch action runs, which in turn runs a Windows shell command to locate the extracted file and execute it. At this point the Zeus Trojan is installed and your machine is now p0wnd by Zeus.
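Because the chain described in the two paragraphs above uses documented PDF features rather than a memory-corruption bug, a mail gateway or endpoint triage script can catch it by looking for the action keywords themselves: a document-open or page-open trigger (/OpenAction, /AA) combined with /JavaScript or /JS, and any /Launch dictionary at all. The following added example (my code, not m86 Security's, Adobe's or any product's) counts those name tokens in the raw bytes of a PDF and assigns a triage label. It also resolves the #xx hex escapes the PDF name syntax permits, so a name written as /L#61unch is still recognised as /Launch. The sample documents are constructed; the program and arguments in the Launch dictionary are placeholders, not the values from the real sample, and objects inside compressed streams are not decoded (a full triage would inflate /FlateDecode streams and rescan).

```python
import re
from collections import Counter

# Name tokens that drive code execution or auto-run behaviour in a PDF reader.
ACTION_NAMES = ("/OpenAction", "/AA", "/JavaScript", "/JS", "/Launch",
                "/EmbeddedFile", "/RichMedia")

# A PDF name token: '/' followed by regular characters (PDF 1.7, section 7.2.2).
_NAME_TOKEN = re.compile(rb"/[^\s/\[\]<>(){}%]+")
_HEX_ESCAPE = re.compile(rb"#([0-9A-Fa-f]{2})")


def decode_pdf_name(token: bytes) -> bytes:
    """Resolve #xx escapes so /L#61unch is recognised as /Launch."""
    return _HEX_ESCAPE.sub(lambda m: bytes([int(m.group(1), 16)]), token)


def scan_pdf(data: bytes) -> dict:
    """Count each action-related name in the raw file bytes (streams not inflated)."""
    counts = Counter()
    for match in _NAME_TOKEN.finditer(data):
        name = decode_pdf_name(match.group(0)).decode("latin-1")
        if name in ACTION_NAMES:
            counts[name] += 1
    return {name: counts.get(name, 0) for name in ACTION_NAMES}


def verdict(counts: dict) -> str:
    """Map the keyword counts to a triage label."""
    if counts["/Launch"]:
        return "high: Launch action present (can run an external program)"
    auto_run = counts["/OpenAction"] or counts["/AA"]
    scripted = counts["/JavaScript"] or counts["/JS"]
    if auto_run and scripted:
        return "high: JavaScript runs automatically on open"
    if scripted or counts["/EmbeddedFile"] or counts["/RichMedia"]:
        return "medium: active content present"
    return "low: no action keywords found"


# Constructed sample mirroring the article's chain: the catalog's OpenAction runs
# JavaScript, and the page's additional-actions (/AA) entry carries a Launch
# dictionary. The program and arguments are placeholders, not real values.
ACTION_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R /OpenAction 4 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R /AA << /O 5 0 R >> >> endobj
4 0 obj << /S /JavaScript /JS (app.alert("PLACEHOLDER_PROMPT");) >> endobj
5 0 obj << /S /Launch /Win << /F (PLACEHOLDER_PROGRAM) /P (PLACEHOLDER_ARGS) >> >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

# The same document with the Launch name hex-escaped; a naive substring match
# for "/Launch" misses it, the token decoder does not.
ESCAPED_PDF = ACTION_PDF.replace(b"/Launch", b"/L#61unch")

# A constructed document with no actions at all, for comparison.
PLAIN_PDF = b"""%PDF-1.7
1 0 obj << /Type /Catalog /Pages 2 0 R >> endobj
2 0 obj << /Type /Pages /Kids [3 0 R] /Count 1 >> endobj
3 0 obj << /Type /Page /Parent 2 0 R >> endobj
trailer << /Root 1 0 R >>
%%EOF
"""

if __name__ == "__main__":
    for label, doc in (("action", ACTION_PDF), ("escaped", ESCAPED_PDF), ("plain", PLAIN_PDF)):
        counts = scan_pdf(doc)
        print(f"{label}: {counts} -> {verdict(counts)}")
```

Keyword counting is a first-pass filter, not a verdict on its own: legitimate forms use /JavaScript and /AA routinely, so the medium label is meant to route a file to sandbox detonation rather than to block it, while /Launch is rare enough in business documents that most gateways can quarantine on it outright.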
Summary
Zeus is an example of the sophisticated crimeware now available to crime syndicates focused on illicit financial gain through the capture of banking credentials. The toolkit is sold in underground markets, and the Zeus author has even implemented sophisticated hardware licensing schemes to prevent piracy. Although Zeus is used to target banking information, it is a general-purpose Trojan that can be used to gather other information such as valuable intellectual property (IP) and corporate or government secrets. While Zeus has traditionally been spread by phishing and web drive-by attacks, more recent PDF exploits provide another avenue for wide dissemination and exploitation.