
ZEUS DEFINED

Samuel Egiefameh

Advisor: Dr. Willie Thompson II

Morgan State University Department of Electrical and Computer Engineering Senior Design Project II Fall, 2015



TABLE OF CONTENTS

1. Abstract

2. Introduction

• Motivation of Research

• What is Zeus?

• Brief History of Zeus

• How Zeus Works (Diagram)

3. Tools

4. Methodology

• Creating a Virtual Network

• Command and Control Setup

• Building Bot Executable

5. Results

6. Conclusion

7. References


§ 1: ABSTRACT

Over the last decade, cyber-attacks have become an increasingly serious threat. Jim Webb, a former Democratic candidate for president, when asked "What is the greatest threat to our national security today?", replied definitively: "Cyber warfare." Cybercrime costs the global economy up to $575 billion each year, with the U.S. alone accounting for a huge chunk of that at $100 billion. Billions of dollars are lost to cybercrime every year, and the reputations of respected companies have been destroyed as a result. The threat of a small business, a large corporation, or an ordinary person at home having their personal information compromised, even as far as , is almost as ordinary as breathing. That may be a bit extreme, but the fact of the matter is that if something is not done soon about the millions of threats sent out each day, we will live in a world in which nothing is safe. If nothing is done about cybercrime now, one can only guess what our country will look like in the future.

A flexible network monitoring system is needed to see what is happening in real time and to store that information for later analysis. The purpose of this research project is to get inside the mind of the hacker by carrying out the same attacks they use against their victims, and to reverse engineer their tactics in order to find weaknesses we can use to better protect our systems. I will be performing a key logger attack. My end goal is to capture the username and password a victim enters on the Morgan State University email login page and send them back to a command and control server. To accomplish this, I will generate my own attack using a sophisticated piece of malware called the "Zeus botnet" to test the vulnerability of computer systems, and use monitoring software to capture, in real time, how the attack happens in the background. The data will then be collected and analyzed to determine how to stop such malware before it reaches its ultimate goal, the credentials and data on the victim's own machine.

§ 2: INTRODUCTION

Robert Mueller, then director of the FBI, once said, "There are two types of companies: those that have been hacked, and those that will be." That quote is a concern for both companies and individuals. The days when a group of men with guns and knives burst into a bank to rob the tellers at gunpoint are long over. Criminals have become wiser, smarter, and sharper, and can steal your money silently over the web. Cyber war is the new battlefield. Everything that has an on and off switch will soon be connected to the Internet of Things. Criminals have discovered that most of the cash they are after is not stored in steel vaults but on the web. Market research firm Gartner says global spending on IT security is set to increase 8.2 percent over 2014, to a total of $77 billion. The cyber security market is expected to grow to $170 billion by 2020.

Let's face it: people are frightened because they see what cyber warfare has already accomplished, and they are even more fearful of what it could do in the future.

2.1 - MOTIVATION OF RESEARCH

Cybersecurity is an interesting topic and one of the fastest growing specializations in the job market today. First, let me say that when I began this project I was completely new to cyber terminology and to cyber security as a whole. My interest was sparked by the growing number of cyber-related attacks. I love technology. Technology is what drives our country today. In the near future there may be no more paper; everything will be digital. Yet for all this technology to be enjoyed freely, without fear or regret, our data must be protected. I believe the growing number of cyber-attacks is in direct proportion to the growth of technology in our day and age. Cyber security is predicted to be the fastest growing homeland security market in North America. I am motivated to get behind the mind of the hacker in the hope of understanding how attacks are carried out and finding ways to prevent them.

2.2 - WHAT IS ZEUS?

Zeus, also known as Zbot, is one of the most notorious and widely spread information-stealing Trojans on the market today. It is a toolkit used to create information-stealing malware. While Zeus can perform a plethora of functions, such as back-dooring newly infected machines and infiltrating industrial systems, its main goal is to steal online banking information from vulnerable users. The toolkit performs four main actions:

1. Gathers system information.

2. Steals protected storage information, FTP passwords and POP3 passwords.

3. Steals online credential information as specified by the configuration file.

4. Contacts the command and control server for additional tasks to perform.

Machines infected with a Zeus bot join the operator's botnet. A botnet (also known as a zombie army) is a number of Internet-connected computers that, without their owners' knowledge, have been set up to forward transmissions (including spam or viruses) to other computers on the Internet. The bots created by this kit infect a computer and, once installed, run silently in the background harvesting information and sending it back to the command and control server. A bot is simply short for robot: a program that follows whatever commands the botmaster gives it. In the figure above, the botmaster is at the center surrounded by his bots. The botmaster sends commands remotely to bots across the globe to do whatever he pleases. That is how Zeus operates. The kit does not require much of a technical background to use. Once obtained, creating the malware is fairly simple. As a result, many self-proclaimed or self-made hackers use this package to create and distribute their own malware. That is why Zeus is so widespread today: anyone can use it, and you do not need to be a skilled programmer to send out a working attack. The kit sells for between $700 and $3,000, but older versions can be obtained freely or for a small price through underground forums.

2.3 - BRIEF HISTORY OF ZEUS

Zeus is a Trojan that steals banking login information through key logging and web injects. A key logger is software that records the keys struck on your keyboard. If your computer is infected with a key logger, everything you type is recorded and logged. This is extremely dangerous, because hackers use it to retrieve bank logins, credit card numbers, usernames, passwords, and any other private information. The Trojan can also perform web injects, inserting additional HTML into a legitimate web page to fool the user into giving up sensitive information the website does not normally ask for.

Zeus can also perform web fakes. A web fake redirects the browser to a compromised website or a fake copy of the real one, once again to trick the user. Zeus can do a plethora of things, but for this project I will be targeting the MSU email login page to capture login information and send it back to the command and control.

The malware is usually distributed to its victims through drive-by downloads and various phishing schemes, or simply by visiting an infected website. The Trojan was first identified in July 2007, when it was used to steal information from the United States Department of Transportation. It has compromised accounts at notable organizations such as Amazon, Bank of America, ABC, NASA, Oracle, Businessweek, and many others. Over 2,000 companies and organizations have been infected since Zeus was first discovered, and in 2012 Kaspersky Labs found five new variants infecting BlackBerry and Android phones. In 2010 the original author handed the source code to his major competitor, the author of SpyEye, who continued to enhance the software. There is currently a $3 million bounty on the original creator of the Zeus Trojan, but the sale of the source code and its subsequent public release, which lets anyone use the botnet, make it much harder to track down the original creator. From 2007 to 2011 Zeus was the most notorious Trojan on the market, and even today it has not taken a back seat to anyone; it continues to put fear in the hearts of those who know its power.

2.4 – HOW ZEUS WORKS (DIAGRAM)

§ 3: TOOLS

1. Zeus Toolkit

2. Two Virtual Machines (Attacker & Victim)

3. Test bed

4. XAMPP (web server, PHP module, and MySQL server)

5. VirtualBox (for Win7 and WinXP)

6. Wireshark

7. Aegis Crypter


§ 4: METHODOLOGY

4.1. CREATING A VIRTUAL NETWORK

After obtaining the Zeus toolkit, my next step was to create a virtual network. A virtual network is a network that consists of virtual network links: there is no physical (wired or wireless) connection between the two computing devices; the links are provided by network virtualization. This is needed for penetration testing and hacking. To understand what is taking place in the computer world you need to sit down with the equipment and play with it, and just as when you build a Windows server network, you need a lab for penetration testing. In the past, to attack another computer for testing you needed a second physical computer, and the two had to be connected on a network, otherwise the attack would not work. In today's world all you need is one powerful system, the test bed, with virtualization software on it; create several virtual computers on it and let them attack each other. Because I would be working with dangerous malware, the virtual machines needed a network of their own so that the malware would not affect a system that was not part of the lab. To do this, I attached both virtual machines to a bridged adapter in VirtualBox. In bridged mode each virtual machine has its own MAC address and obtains its address from the same DHCP server, and uses the same DNS, as the host's LAN. To confirm they were connected, I sent a simple ping between the two machines, as shown in the figures below:

Figure 1

Figure 2

Getting a reply from each IP address shows that both machines are on the same bridged network and are ready for testing. However, a bridged adapter connects the virtual machines to the host's LAN, that is, to the outside world. An internal network is the exact opposite: the virtual machines can communicate with each other, yet they are completely isolated from everything else. An internal network is the ideal setup for this project; however, the victim machine had to be able to reach the Morgan State University website, so I bridged the connections. This makes the lab more dangerous. What kept the LAN safe in practice is that the bot does not spread on its own: it only reports to the command and control address compiled into its configuration, so in this sense the bridged network acts as a pass-through to the Internet for the victim machine. The caveat a practitioner should keep in mind is that a bridged virtual machine is a full member of the LAN, reachable from and able to reach every other host on it, exactly like a physical machine plugged into the same switch. A safer way to give the victim Internet access is a VirtualBox NAT Network, which lets the two virtual machines talk to each other and out to the Internet while leaving them unreachable from other hosts on the LAN.

4.2 COMMAND & CONTROL SETUP

The Zeus command and control is one of the most important components the hacker needs to carry out a successful attack. The server component of the Zeus kit is a collection of PHP scripts that allow the owner to monitor the status of their bots, issue commands to them, and retrieve the information they have collected. Without this server the toolkit is essentially useless: the malware can still infect its victims and harvest confidential information, yet the bot has nowhere to send it. The web server and database that host these scripts are not provided with the Zeus toolkit, so you must set them up yourself. For this project I used a package called XAMPP. XAMPP is a free and open-source cross-platform web server solution stack developed by Apache Friends, consisting mainly of the Apache HTTP Server, the MariaDB database, and interpreters for scripts written in PHP and Perl.

Once XAMPP was installed on my attacker virtual machine, it had to be integrated with the Zeus toolkit. The bot package provides a set of PHP scripts that set up the required database tables and other user-specific data based on the configuration file used to generate the bot. For this to work, you copy everything in the "server[php]" folder of the Zeus files into the htdocs folder of the XAMPP web root. This step is vital for the success of the command and control. Next, I needed to create a database so the command and control had what it required. I encountered many issues along the way, some difficult and some not, but this one gave me the most trouble. For some reason, whenever I tried to execute the initial install script provided by the kit for my command and control, it failed to connect to MySQL as root. After much research, I resolved the problem by writing a simple PHP script to run that step. Note that XAMPP ships with an empty MySQL root password and Apache listening on every interface, so on a bridged virtual machine the control panel and its database are exposed to the whole LAN; one more reason to keep this lab off a production network. You can see the result in the figure below:

Figure 3

The command and control is now complete and can be used to control the bots I will send to my victims.

4.3 - BUILDING BOT EXECUTABLE

The last stage before infecting my victim virtual machine was to build the bot executable, the actual .exe file that will run on the victim. Three things are needed to build it: a builder, a configuration file, and a web injects file. Each hacker uses the builder to create the encrypted configuration file and the bot executable specific to their campaign.

Before you build the bot executable, you must fill in the configuration file, which is needed before you can do anything useful. The configuration file contains the address to which all stolen information will be sent, as well as the URL where the bot file itself is located.

The figure below shows a screenshot of the portion of the configuration file that needs to be updated before building the executable. The url_loader is the URL of the bot executable itself; the bot fetches it from there to update itself, and it can be hosted on any server. The encryption_key is the key the builder uses to encrypt the configuration file and that the bot uses to encrypt the data it sends to the command and control; the control panel must be installed with the same key to read what the bots send. The url_server is the command and control location, and the file_webinjects is the file of HTML injects: extra HTML inserted into targeted web pages to gather additional sensitive information that the bank's own page would never ask for. I configured all the settings highlighted in red for my setup, changing the IP address to my attacker machine and pointing file_webinjects at the current location of my web injection file. With the configuration file set, I built the bot by simply clicking the Build button, as shown in figure 5.

When Build is clicked, the builder converts the text configuration file into the binary format the bot expects, compresses it, and encrypts it. This is part of what makes Zeus so powerful. As mentioned earlier, this bot can hide itself on a computer without being detected by antivirus programs. To see how well this works, I decided to test the executable before infecting my virtual machine, to see how many antivirus programs would detect Zeus. I used a website called VirusTotal. VirusTotal is a website, originally developed by Hispasec, that provides free scanning of files and URLs for malware. It runs the sample through 55 different antivirus products and 61 online scan engines, catching what the user's own antivirus may have missed and helping to rule out false positives. After creating my executable, I uploaded the malware to the website, and a total of 46 of 55 antivirus engines detected it.

The results show that the majority of antivirus programs will detect Zeus. However, we must remember that the version of Zeus I obtained (version 2.0.8.9) is the standard version coded by the original creator of Zeus. Antivirus products have updated since then, but there are many newer versions of Zeus on the underground market today that can go virtually undetected. Regardless of which version they have, hackers find various means to hide the malware on compromised systems. This is done using crypters. A crypter is a piece of software used to encrypt malware, keyloggers, or any RAT so that they are not found and deleted by antivirus products. In essence, this software lets users encrypt the body of their program. From hackpconline.com: "Generally, antivirus programs work by splitting the source code of an application and then searching for certain strings within the source code. If the antivirus detects any malicious strings, it either stops the scan or deletes the file from the system as a virus. A crypter simply assigns hidden values to each individual code within the source code. Thus, the source code becomes hidden. Hence, our crypted trojan or virus bypasses antivirus detection, and our purpose of hacking them is fulfilled without any AV hindrance. Not only does this crypter hide the source code, it will unpack the source code once the program is executed." That last sentence is the important caveat for defenders: a crypted sample defeats static signature scanning, but the original payload must be decrypted back into memory to run, which is where behaviour-based detection and memory scanning can still catch it. There are also FUD crypters, which stands for fully undetectable. These crypters encrypt the malware so well that it is undetectable by any antivirus program, which makes an infection all the more dangerous because nothing identifies the program as harmful. A free crypter obtained online will encrypt the malware, yet some antivirus programs will still flag it. FUD crypters can only be found on hacking forums, and one may remain "FUD" for only a day or two after its release.

To test this for my project, I obtained a free crypter online. I took the same piece of malware I had uploaded to VirusTotal earlier, encrypted it with the crypter, and scanned it on the website again. The results were striking: the detection ratio dropped by about 47%, an outstanding number. Because of the crypter, the danger of this malware increased considerably. This gives a clear picture of some of the tactics hackers use to hide on systems they have compromised.


§ 5: RESULTS

In the methodology section I explained in detail how to set up the command and control, create the bot, and test the malware. Now it is time to infect my virtual machine and retrieve the username and password entered on the Morgan State University website. To recap what I mentioned above, the bot does not spread on its own: it only reports to the command and control compiled into its configuration, so only the virtual machine I deliberately infect is affected. I could have used a phishing scheme to deliver the malware to the victim machine, but for the sake of time I simply typed the url_loader (the URL of the bot executable) into the web browser of my victim virtual machine. Once I clicked "Run", the machine was infected, and the progress of my bot appears in the command and control interface, where I can monitor and view the bots. In figure 9 you see the command and control statistics page, which lets you view and manage your bots. The Summary page gives the global status of all the bots you have used to infect your victims. OS lists the Windows versions and service pack editions of the compromised computers. Search in database is the main page where you see all the reports the bots bring in; that is where the usernames and passwords stolen from the victims appear. After I infected my virtual machine, my total bot count changed from 0 to 1. Everything the victim now does is under my watch. On the infected virtual machine I went to the Morgan State University email website and entered a false username and password. Whether or not the password works, the bot logs every login attempt on the targeted websites. The result: my attack was successful. I was able to infect my virtual machine and send all the information back to the command and control on my attacker virtual machine.

Unfortunately, this version of Zeus could only record logs from Internet Explorer and some older versions of Firefox. I tried to gather logs from Google Chrome but was unsuccessful. This matches how Zeus 2.0.x works: it hooks the HTTP functions of wininet.dll (used by Internet Explorer) and nspr4.dll (used by Firefox) inside the browser process, and Chrome uses neither library, so its traffic never passes through the bot's hooks.
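The traffic the bot generates toward the command and control described in 4.2, which Wireshark (listed in the tools) would show on the wire, is the defender's best handle on a Zeus infection. The following is an added example written for this page, not code from the project or from the Zeus kit: it runs simple beacon-detection logic over constructed proxy log lines. The facts it relies on are that a Zeus 2.x bot fetches its configuration file on a timer, posts its stolen data to the url_server gate as a binary blob encrypted with the encryption_key (RC4), and that the kit's sample configuration names these files config.bin and gate.php, names operators usually change. The log format, the client and server addresses (10.0.2.15, 10.0.2.20, 192.0.2.10), and the timing are all constructed for the demonstration.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev
from urllib.parse import urlparse

# Constructed proxy log lines for the demonstration (not a capture from the
# project). One request per line:
#   timestamp client method url status request_bytes request_content_type
# 10.0.2.15 plays the infected victim, 10.0.2.20 a host browsing normally,
# and 192.0.2.10 is an assumed C2 address.
SAMPLE_LOG = """\
2015-12-04T10:00:00 10.0.2.15 GET http://192.0.2.10/zeus/config.bin 200 0 -
2015-12-04T10:00:05 10.0.2.15 POST http://192.0.2.10/zeus/gate.php 200 412 application/octet-stream
2015-12-04T10:01:05 10.0.2.15 POST http://192.0.2.10/zeus/gate.php 200 398 application/octet-stream
2015-12-04T10:02:06 10.0.2.15 POST http://192.0.2.10/zeus/gate.php 200 405 application/octet-stream
2015-12-04T10:03:05 10.0.2.15 POST http://192.0.2.10/zeus/gate.php 200 410 application/octet-stream
2015-12-04T10:04:05 10.0.2.15 POST http://192.0.2.10/zeus/gate.php 200 401 application/octet-stream
2015-12-04T10:00:12 10.0.2.20 GET http://www.example.com/ 200 0 -
2015-12-04T10:00:40 10.0.2.20 POST http://www.example.com/login 302 87 application/x-www-form-urlencoded
2015-12-04T10:03:21 10.0.2.20 GET http://www.example.com/news 200 0 -
2015-12-04T10:09:50 10.0.2.20 POST http://www.example.com/comment 200 143 application/x-www-form-urlencoded
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST) (\S+) (\d{3}) (\d+) (\S+)$")

# File names used by the kit's sample configuration. Operators rename them,
# so this is a weak indicator on its own.
KIT_DEFAULT_NAMES = {"gate.php", "config.bin", "cp.php"}


def parse_log(text):
    """Parse the constructed log format into a list of event dicts."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the scan
        ts, client, method, url, status, nbytes, ctype = m.groups()
        events.append({
            "ts": datetime.fromisoformat(ts),
            "client": client,
            "method": method,
            "url": url,
            "status": int(status),
            "bytes": int(nbytes),
            "ctype": ctype,
        })
    return events


def interval_cv(times):
    """Coefficient of variation of the gaps between consecutive timestamps.
    0.0 means perfectly periodic; None if there are too few gaps to judge."""
    gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
    if len(gaps) < 3 or mean(gaps) == 0:
        return None
    return pstdev(gaps) / mean(gaps)


def find_beacons(events, min_posts=4, max_cv=0.2):
    """Return (client, url, reasons) for every client/URL pair that looks
    like a bot reporting to its gate."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["client"], e["url"])].append(e)

    findings = []
    for (client, url), evs in groups.items():
        reasons = []
        name = urlparse(url).path.rsplit("/", 1)[-1]
        if name in KIT_DEFAULT_NAMES:
            reasons.append(f"kit-default file name {name}")
        # The bot's reports are encrypted binary blobs posted on a timer,
        # unlike form submissions, which are urlencoded and human-paced.
        posts = sorted((e for e in evs if e["method"] == "POST"), key=lambda e: e["ts"])
        if len(posts) >= min_posts and all(e["ctype"] == "application/octet-stream" for e in posts):
            cv = interval_cv([e["ts"] for e in posts])
            if cv is not None and cv <= max_cv:
                reasons.append(f"{len(posts)} periodic binary POSTs, interval CV {cv:.2f}")
        if reasons:
            findings.append((client, url, reasons))
    return findings


if __name__ == "__main__":
    for client, url, reasons in find_beacons(parse_log(SAMPLE_LOG)):
        print(client, url, "; ".join(reasons))
```

Because the report body is encrypted, content signatures are of little use; the detection keys on timing and shape instead, which is why the periodic-binary-POST rule fires on the infected host while the other host's form submissions, urlencoded and irregular, are left alone. On real proxy logs the request Content-Type and body size fields will carry different names, and the interval threshold should be tuned to the timer values seen in captured configurations.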

§ 6: CONCLUSION

Network security is a growing concern in our society today. However, when the right controls are in place, we can defend our systems better. In this project I was able to demonstrate the power of Zeus: once your computer is infected, it is under the attacker's control and he can do as he wishes. Zeus has frightened many across the world; however, the power of Zeus can be defeated. Zeus is not unbeatable, and many are taking the necessary steps to avoid infection. There are some practical ways to defend your systems against Zeus. First, keep your web browser updated. Internet Explorer is the most susceptible to Zeus attacks; in fact, I could only retrieve logs from Internet Explorer, and Zeus was unable to retrieve logs from Firefox and Google Chrome. However, newer versions of Zeus can retrieve logs from more recent browsers such as Google Chrome, so it is best to stay cautious and keep your browser updated regularly. Next, make sure you have an antivirus installed. Although Zeus has the ability to hide from many antivirus programs, some on the market still flag Zeus as harmful, and an updated antivirus gives better protection.

Lastly, if you own a website, change the markup of its pages from time to time. The HTML injection Zeus performs is anchored to exact strings in the page's HTML, the data_before and data_after markers in the web injects file, and it does not adapt when the page changes. For the hacker to inject code into a redesigned page he has to write a new inject tailored to the new markup. The check that matters is what actually changed: moving the login box from the right-hand side of the page to the left with a stylesheet leaves the HTML anchors intact and does nothing, whereas changing the tags and attributes around the login form is what breaks the inject. In conclusion, the cyber world today has many issues, and we can win this battle, but only one step at a time. We must work smarter to stay a step ahead of how these crackers operate.
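The web injects file that the builder is pointed at in 4.3 (file_webinjects), and the markup-change defence suggested in the conclusion, can both be shown with a small simulation. The following is an added example written for this page, not code from the Zeus kit: it parses the kit's set_url / data_before / data_inject / data_after / data_end block format, applies a constructed inject to a constructed login page, and then shows what happens when the page's markup changes. The host email.example, the page HTML, and the inject text are all made up for the demonstration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass


@dataclass
class WebInject:
    url_mask: str      # set_url mask; '*' matches any run of characters
    flags: str         # 'G' and/or 'P': apply to GET and/or POST responses
    before: str = ""   # data_before: anchor the inject lands after
    inject: str = ""   # data_inject: HTML to insert
    after: str = ""    # data_after: optional end anchor; text in between is replaced


def parse_webinjects(text: str) -> list[WebInject]:
    """Parse the set_url / data_before / data_inject / data_after / data_end
    block format of a Zeus webinjects file."""
    injects: list[WebInject] = []
    current = None
    block = None
    buf: list[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("set_url "):
            parts = line.split()
            current = WebInject(url_mask=parts[1], flags=parts[2] if len(parts) > 2 else "GP")
            injects.append(current)
        elif block is None and line in ("data_before", "data_inject", "data_after"):
            block, buf = line[len("data_"):], []
        elif line == "data_end":
            if current is not None and block is not None:
                setattr(current, block, "\n".join(buf).strip())
            block = None
        elif block is not None:
            buf.append(raw)
    return injects


def mask_to_regex(mask: str) -> re.Pattern:
    """Turn a Zeus mask into a regex: literal text with '*' as a lazy wildcard."""
    return re.compile(".*?".join(re.escape(part) for part in mask.split("*")),
                      re.DOTALL | re.IGNORECASE)


def apply_injects(url: str, method: str, html: str, injects: list[WebInject]) -> tuple[str, int]:
    """Apply every matching inject to html; return (new_html, number_applied)."""
    applied = 0
    for wi in injects:
        if method[0].upper() not in wi.flags.upper():
            continue
        if not mask_to_regex(wi.url_mask).fullmatch(url):
            continue
        if not wi.before:
            continue  # an inject needs an anchor; nothing to do
        m_before = mask_to_regex(wi.before).search(html)
        if not m_before:
            continue  # anchor not in this page: the inject silently fails
        start = end = m_before.end()
        if wi.after:
            m_after = mask_to_regex(wi.after).search(html, start)
            if not m_after:
                continue
            end = m_after.start()
        html = html[:start] + wi.inject + html[end:]
        applied += 1
    return html, applied


# Constructed sample inject (not from the project): it asks the victim for a
# security answer the real login page never requests.
WEBINJECTS = """\
set_url https://email.example/login* GP
data_before
<input type="password" name="password">
data_end
data_inject
<br>Security question (mother's maiden name): <input type="text" name="maiden">
data_end
data_after
data_end
"""

# The same inject, anchored with wildcards instead of an exact tag.
WEBINJECTS_WILDCARD = WEBINJECTS.replace(
    '<input type="password" name="password">', '<input*name="password"*>')

ORIGINAL_PAGE = ('<form action="/login" method="post">'
                 '<input type="text" name="user">'
                 '<input type="password" name="password">'
                 '<input type="submit"></form>')

# The "redesigned" page: same form, attributes of the password field reordered.
REORDERED_PAGE = ORIGINAL_PAGE.replace(
    '<input type="password" name="password">', '<input name="password" type="password">')

LOGIN_URL = "https://email.example/login"


def demo_original():
    return apply_injects(LOGIN_URL, "GET", ORIGINAL_PAGE, parse_webinjects(WEBINJECTS))


def demo_reordered():
    return apply_injects(LOGIN_URL, "GET", REORDERED_PAGE, parse_webinjects(WEBINJECTS))


def demo_wildcard():
    return apply_injects(LOGIN_URL, "GET", REORDERED_PAGE, parse_webinjects(WEBINJECTS_WILDCARD))
```

The second run shows why the advice above works only when the HTML itself changes: the inject is anchored on the literal tag in data_before, so reordering the attributes of the password field is enough to make it miss, whereas moving the login box with a stylesheet would not change the markup at all. The third run shows the limit of that defence: an inject written with wildcards survives the same change, so a markup shuffle raises the attacker's cost without removing the threat.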


§ 7: REFERENCES

[1] N. Falliere and E. Chien, "Zeus: King of the Bots," Symantec Security Response, 2009. [Online]. Available: http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/zeus_king_of_bots.pdf. [Accessed: 04-Dec-2015].

[2] Sophos, "What is Zeus?," 2014. [Online]. Available: https://www.sophos.com/en-us/medialibrary/PDFs/technical%20papers/Sophos%20what%20is%20zeus%20tp.pdf. [Accessed: 04-Dec-2015].

[3] hackpconline.com, "FAQ: What is FUD Crypter? - Hide Trojans, Password Stealers and Keyloggers From Antiviruses," 2014. [Online]. Available: http://www.hackpconline.com/2010/04/faq-what-is-fud-crypter.html. [Accessed: 04-Dec-2015].