article

Titans' revenge: Detecting Zeus via its own flaws

Authors:

Marco Riccardi,

Roberto Di Pietro,

Marta Palanques,

Jorge Aguilí VilaAuthors Info & Claims

Computer Networks: The International Journal of Computer and Telecommunications Networking, Volume 57, Issue 2

Pages 422 - 435

https://doi.org/10.1016/j.comnet.2012.06.023

Published: 01 February 2013 Publication History

Abstract

Malware is one of the main threats to the Internet security in general, and to commercial transactions in particular. However, given the high level of sophistication reached by malware (e.g. usage of encrypted payload and obfuscation techniques), malware detection tools and techniques still call for effective and efficient solutions. In this paper, we address a specific, dreadful, and widely diffused financial malware: Zeus. The contributions of this paper are manifold: first, we propose a technique to break the encrypted malware communications, extracting the keystream used to encrypt such communications; second, we provide a generalization of the proposed keystream extraction technique. Further, we propose Cronus, an IDS that specifically targets Zeus malware. The implementation of Cronus has been experimentally tested on a production network, and its high quality performance and effectiveness are discussed. Finally, we highlight some principles underlying malware-and Zeus in particular-that could pave the way for further investigation in this field.

References

[1]

Norton, Cybercrime Report 2011, Tech. Rep., Symantec, 2011. <http://us.norton.com/content/en/us/home_homeoffice/media/pdf/cybercrime_report/Norton_USA-Human%20Impact-A4_Aug4-2.pdf> (cited 19.12.11).

Google Scholar

[2]

Damballa, Top-10 Botnet Outbreaks in 2009. <http://blog.damballa.com/?p=569> (cited 19.12.11).

Google Scholar

[3]

Trusteer, Banking Malware Zeus Successfully Bypasses Anti-virus Detection. <http://www.trusteer.com/company/press/trusteer-warns-zeus-trojan-bypasses-date-anti-virus-systems-77-percent-time> (cited 31.10.11).

Google Scholar

[4]

S. Golanov. <http://www.securelist.com/en/analysis/204792180/TDL4_Top_Bot> (cited 19.12.11).

Google Scholar

[5]

E. Florio, K. Kasslin, Your computer is now stoned (¿ Again!), Virus Buletin.

Google Scholar

[6]

M. Sharif, A. Lanzi, J. Giffin, W. Lee, Impeding malware analysis using conditional code obfuscation, in: Network and Distributed System Security (NDSS), Citeseer, 2008.

Google Scholar

[7]

Chandrasekaran, M., Chinchani, R. and Upadhyaya, S., PHONEY: mimicking user response to detect phishing attacks. In: Proceedings of the 2006 International Symposium on World of Wireless, Mobile and Multimedia Networks, IEEE Computer Society. pp. 668-672.

Digital Library

Google Scholar

[8]

S. Gajek, A.-R. Sadeghi, A Forensic Framework for Tracing Phishers, in: Fischer-Hübner, Simone and Duquenoy, Penny and Zuccato, Albin and Martucci, Leonardo, (Eds.), The Future of Identity in the Information Society, in: IFIP International Federation for Information Processing, Horst Görtz Institute for IT-Security Germany, Springer Boston, 2008, 262, pp. 23-35.

Google Scholar

[9]

L. Spitzner, Honeytokens: The Other Honeypot, Security Focus 21.

Google Scholar

[10]

P. Bacher, T. Holz, M. Kotter, G. Wicherski, Know Your Enemy: Tracking Botnets, The Honeynet Project.

Google Scholar

[11]

Cremonini, M. and Riccardi, M., The Dorothy project: an open botnet analysis framework for automatic tracking and activity visualization. In: Proceedings of the 5th European Conference on Computer Network Defense (EC2ND), IEEE. pp. 52-54.

Digital Library

Google Scholar

[12]

Riccardi, M., Oro, D., Luna, J., Cremonini, M. and Vilanova, M., A framework for financial botnet analysis. In: eCrime Researchers Summit (eCrime) 2010, IEEE. pp. 1-7.

Google Scholar

[13]

J. Caballero, N.M. Johnson, S. Mccamant, D. Song, Binary code extraction and interface identification for security applications, in: ISOC NDSS'10, 2010.

Google Scholar

[14]

Leder, F., Martini, P. and Wichmann, A., Finding and extracting crypto routines from malware. In: IEEE 28th International Performance Computing and Communications Conference (IPCCC), IEEE. pp. 394-401.

Google Scholar

[15]

Leder, F. and Martini, P., Ngbpa next generation botnet protocol analysis. Emerging Challenges for Security, Privacy and Trust. 307-317.

Google Scholar

[16]

Kim, Y. and Youm, H., A new bot disinfection method based on DNS sinkhole. Journal of KIISC. v18. 107-114.

Google Scholar

[17]

Ji, S., Im, C., Kim, M. and Jeong, H., Botnet detection and response architecture for offering secure internet services. In: International Conference on Security Technology, 2008. SECTECH'08, IEEE. pp. 101-104.

Digital Library

Google Scholar

[18]

Preventing botnet damage technique and its effect using bot DNS sinkhole. Journal of KISS (C): Computing Practices. v15 i1. 47-55.

Google Scholar

[19]

G. Gu, P. Porras, V. Yegneswaran, M. Fong, W. Lee, Bothunter: detecting malware infection through IDS-driven dialog correlation, in: Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium, USENIX Association, 2007, p. 12.

Crossref

Google Scholar

[20]

Jiang, X., Wang, X. and Xu, D., Stealthy malware detection through VMM-based out-of-the-box semantic view reconstruction. In: Proceedings of the 14th ACM Conference on Computer and Communications Security, ACM. pp. 128-138.

Crossref

Google Scholar

[21]

Ormerod, T., Wang, L., Debbabi, M., Youssef, A., Binsalleeh, H., Boukhtouta, A. and Sinha, P., Defaming botnet toolkits: a bottom-up approach to mitigating the threat. In: 2010 Fourth International Conference on Emerging Security Information, Systems and Technologies, IEEE. pp. 195-200.

Digital Library

Google Scholar

[22]

Ford, R. and Gordon, S., Cent, five cent, ten cent, dollar: hitting botnets where it really hurts. In: Proceedings of the 2006 Workshop on New Security Paradigms, ACM. pp. 3-10.

Crossref

Google Scholar

[23]

Binsalleeh, H., Ormerod, T., Boukhtouta, A., Sinha, P., Youssef, A., Debbabi, M. and Wang, L., On the analysis of the zeus botnet crimeware toolkit. In: Eighth Annual International Conference on Privacy Security and Trust (PST), IEEE. pp. 31-38.

Google Scholar

[24]

M. Riccardi, R. Di Pietro, J.A. Vila, Taming Zeus by leveraging its own crypto internals, in: eCrime Researchers Summit (eCrime), November 2011, (2011), pp.1-9, http://dx.doi.org/10.1109/eCrime.2011.6151981.

Crossref

Google Scholar

[25]

S.S. Corporation, M. Ligh, {prg} Malware Case Study, Tech. Rep., Secure Science Corporation, 2006.

Google Scholar

[26]

Howard, R., Cyber Fraud: Tactics, Techniques and Procedures. 2009. first ed. Auerbach Publications, Boston, MA, USA.

Crossref

Google Scholar

[27]

B. Krebs, Zeus Source Code for Sale. Got 100,000 Dollars? 2011. <http://krebsonsecurity.com/2011/02/zeus-source-code-for-sale-got-100000/> (cited 19.12.11).

Google Scholar

[28]

J. Manuel, Another Modified Zeus Variant Seen in the Wild. <http://blog.trendmicro.com/another-modified-zeus-variant-seen-in-the-wild/?awid=7917255160271489866-1985> (cited 19.12.11).

Google Scholar

[29]

G. Inc., Google Translate Service, 2011. <http://translate.google.com/> (cited 19.12.11).

Google Scholar

[30]

Abuse.ch, The Swiss Security Blog. <https://zeustracker.abuse.ch/statistic.php> (cited 19.12.11).

Google Scholar

[31]

MuDynamics, Annuncing Pcapr-local. <http://blog.mudynamics.com/2011/04/18/announcing-pcaprlocal/> (cited 19.12.11).

Google Scholar

[32]

iOpus, Imacros Plugin, 2011. <http://www.iopus.com/imacros/> (cited 19.12.11).

Google Scholar

[33]

Kahn, D., The Codebreakers: The Story of Secret Writing. 1996. Scribner Book Company.

Google Scholar

Cited By

View all

Pietro RLombardi FVillani A(2016)CUDA LeaksACM Transactions on Embedded Computing Systems10.1145/280115315:1(1-25)Online publication date: 13-Jan-2016
https://dl.acm.org/doi/10.1145/2801153
Hannah KGianvecchio S(2015)ZeusliteJournal of Computing Sciences in Colleges10.5555/2675327.267534530:3(109-116)Online publication date: 1-Jan-2015
https://dl.acm.org/doi/10.5555/2675327.2675345
Gañán CCetin Ovan Eeten MBao FMiller SZhou JAhn G(2015)An Empirical Analysis of ZeuS C&C LifetimeProceedings of the 10th ACM Symposium on Information, Computer and Communications Security10.1145/2714576.2714579(97-108)Online publication date: 14-Apr-2015
https://dl.acm.org/doi/10.1145/2714576.2714579

Titans' revenge: Detecting Zeus via its own flaws
1. Networks
  1. Network services
2. Social and professional topics
  1. Computing / technology policy

Recommendations

Honeypot detection in advanced botnet attacks

Botnets have become one of the major attacks in the internet today due to their illicit profitable financial gain. Meanwhile, honeypots have been successfully deployed in many computer security defence systems. Since honeypots set up by security ...
Analysis of a Botnet Takeover

Botnets, networks of malware-infected machines (bots) that are controlled by an adversary, are the root cause of a large number of security problems on the Internet. A particularly sophisticated and insidious type of bot is Torpig, a malware program ...
Dempster-Shafer Evidence Combining for Anti-Honeypot Technologies

Honeypots are network surveillance architectures designed to resemble easy-to-compromise computer systems. They are deployed to trap hackers in order to help security professionals capture, control, and analyze malicious Internet attacks and other ...

Reviews

Reviewer: Nathan Carlson

Malware has become an underground industry, rapidly evolving in response to attempts by computer security experts and organizations to keep it in check. One of the most notorious examples of this pattern is Zeus malware, and specifically the Zeus crimeware toolkit, which allows individuals to create tailored Trojans that are used to establish botnets for stealing financial information. These networks have been linked to large financial losses, especially when stolen banking credentials are used to transfer large sums of money into offshore accounts [1]. The authors of this paper describe their novel approach to detecting Zeus: break its encrypted communications traffic. They have implemented this method in their own intrusion detection system (IDS), pithily named Cronus. Given the rapidly evolving nature of malware in general, it may seem that a paper submitted in late 2011, and published in late 2012, might be outdated in late 2013. In fact, Zeus has recently resurfaced and is once more in the spotlight [2], so this research remains highly relevant for anyone interested in computer security and computer forensics. The level of technical detail in the paper will be of immense use to readers dealing directly with Zeus derivatives, as well as anyone seeking a more detailed understanding of methods that can be applied to intrusion detection problems. Online Computing Reviews Service

Access critical reviews of Computing literature here

Become a reviewer for Computing Reviews.

Comments

Please enable JavaScript to view thecomments powered by Disqus.

Information & Contributors

Information

Published In

cover image Computer Networks: The International Journal of Computer and Telecommunications Networking

Computer Networks: The International Journal of Computer and Telecommunications Networking Volume 57, Issue 2

February, 2013

224 pages

ISSN:1389-1286

Issue’s Table of Contents

Publisher

Elsevier North-Holland, Inc.

United States

Publication History

Published: 01 February 2013

Author Tags

Qualifiers

Article

Contributors

Other Metrics

View Article Metrics

Bibliometrics & Citations

Bibliometrics

Article Metrics

3
Total Citations
View Citations
0
Total Downloads

Downloads (Last 12 months)0
Downloads (Last 6 weeks)0

Reflects downloads up to 12 Nov 2024

Other Metrics

View Author Metrics

Citations

Cited By

View all

Pietro RLombardi FVillani A(2016)CUDA LeaksACM Transactions on Embedded Computing Systems10.1145/280115315:1(1-25)Online publication date: 13-Jan-2016
https://dl.acm.org/doi/10.1145/2801153
Hannah KGianvecchio S(2015)ZeusliteJournal of Computing Sciences in Colleges10.5555/2675327.267534530:3(109-116)Online publication date: 1-Jan-2015
https://dl.acm.org/doi/10.5555/2675327.2675345
Gañán CCetin Ovan Eeten MBao FMiller SZhou JAhn G(2015)An Empirical Analysis of ZeuS C&C LifetimeProceedings of the 10th ACM Symposium on Information, Computer and Communications Security10.1145/2714576.2714579(97-108)Online publication date: 14-Apr-2015
https://dl.acm.org/doi/10.1145/2714576.2714579

View Options

View options

Get Access

Login options

Check if you have access through your login credentials or your institution to get full access on this article.

Abstract

References

Cited By

Recommendations

Honeypot detection in advanced botnet attacks

Analysis of a Botnet Takeover

Dempster-Shafer Evidence Combining for Anti-Honeypot Technologies

Reviews

Access critical reviews of Computing literature here

Comments

Information

Published In

Publisher

Publication History

Author Tags

Qualifiers

Contributors

Other Metrics

Bibliometrics

Article Metrics

Other Metrics

Citations

Cited By

View options

Get Access

Login options

Full Access

Figures

Other

Share

Share this Publication link

Share on social media

Affiliations