By Lucas Zaichkowsky, Enterprise Defense Architect at AccessData
The U.S. Department of Justice (DOJ) announced a multi-national takedown operation against a high-profile ZeuS botnet known as GameOver ZeuS (GOZ), a name that came out of the analysis of the initial malware samples. According to a post by independent journalist Brian Krebs, the takedown was dubbed “Operation Tovar”. The DOJ stated that the GameOver ZeuS botnet controlled an estimated 500,000 to 1 million Windows computers worldwide and that its operators used these infected computers to commit more than $100 million in wire fraud.
In the same announcement, the DOJ said it had also disrupted the ransomware known as CryptoLocker, which encrypts documents on infected systems so they can no longer be read. The attackers then presented victims with a ransom demand and extorted payment in exchange for file recovery. The DOJ estimates 234,000 infections and more than $27 million in payments during CryptoLocker's first two months of operation.
The operators of GameOver ZeuS drew close attention from authorities because of the extent of the wire fraud. According to another Brian Krebs post, the GameOver ZeuS operators launched DDoS attacks against banks to distract them while the fraudulent wires, worth hundreds of thousands of dollars, went through.
What is not well known is that these attacks were widespread for a long time and caused a big scare in the financial services industry. According to several inside sources I have spoken with, a significant number of banks were hit by these attacks. Thanks to the continual flow of information shared among peer groups, such as Information Sharing & Analysis Centers (ISACs), participating organizations knew what signs to look for to avoid losses from these types of attacks.
The major difficulty in unraveling the GameOver ZeuS infrastructure is mapping it. Its structured peer-to-peer (P2P) architecture let the operators control the botnet through any infected system rather than through a central command server. Making matters worse, the ZeuS operators made it hard to locate all infected systems with antivirus and next-generation anti-malware products. They distributed generic droppers by email, either as a zip attachment containing an executable disguised as a document or as a link to web sites hosting popular exploit kits such as Blackhole. An exploit kit fingerprints each visitor's unpatched software and then exploits vulnerabilities specific to those versions.
The initial dropper itself would not be classified as ZeuS: it contained only a hard-coded list of addresses from which to download the ZeuS payload. After the dropper downloaded and executed ZeuS, a new variant was generated on the fly for each infection and the originally downloaded ZeuS executable was deleted. This makes it hard for antivirus vendors to identify all compromised systems, since each infection is a unique variant and every variant needs another signature.
According to a blog post by Dell SecureWorks, a successful takedown of GameOver ZeuS required coordinated action: hijacking the DNS domains at the same time as ISPs blocked the infected systems, together with information sharing among the security organizations involved.
Botnets such as ZeuS are extremely common and simple to operate with almost no investment. ZeuS source code is already freely available on the Internet, so anyone can modify it and build a variant that existing antivirus signatures do not detect. Once the variant is ready, attackers launch phishing campaigns that either attach the dropper directly or, to get past attachment blocking, link to exploit-kit sites instead.
A little over a month ago, I received an email containing a dropper attributed to GameOver ZeuS. Manual analysis uncovered that the dropper planted and executed a second-stage dropper, which in turn downloaded a package over the Internet. The package contained a special-purpose password-stealing version of ZeuS, used to harvest saved passwords from popular software such as web browsers, and it also loaded CryptoLocker (aka Crilock). More information can be found in Microsoft's Malware Encyclopedia. The most important details, the password stealing and the CryptoLocker payload, were not evident in the reports generated by automated malware analysis engines for the first submitted dropper.
See the comments section of this VirusTotal report for the dropper, where I provide manual analysis results (user: LucasErratus). Then compare it against the automated analysis results from Malwr and Sophos. You can see in this VirusTotal report that the package containing the password-stealing ZeuS was detected by only 6 of 52 antivirus engines, several days after it had been submitted to the antivirus vendors.
Fast forward to today, and I am afraid the detection results are not much better. Most antivirus vendors reject the submission I sent in because it is a bundle rather than actual binaries that can be executed standalone. Even more noteworthy, the automated analysis results acknowledged only one of the two domains, and not the second-stage dropper bundled with the ZeuS package. Knowing both domains and all of the intermediary files is key to uncovering more infected systems and to blocking future infections from that attack campaign.
For a more recent example, see the manual analysis I did on a fresh dropper, unrelated to GameOver ZeuS, that arrived in my home email on June 1. View the comments section of this VirusTotal report and compare it with this automated Malwr report. The automated report identified one domain the dropper downloads ZeuS from; manual analysis uncovered all ten, along with a narrative sequence of events. Again, this example highlights the need to investigate every threat thoroughly.
Why does all of this matter? Overlooking hosts that have been backdoored and credentials that have been compromised is the primary reason intrusions are not discovered until after the major damage is done. In the recent eBay intrusion, for example, attackers used compromised employee credentials to log in and work their way to a database holding records on 145 million users. The attackers are almost certainly cracking passwords from that dump and will use them to break into other organizations; it is also common for such attackers to sell the access on the black market to anyone willing to pay a high premium. As past database dumps have shown, the proportion of passwords that can be cracked is dismayingly high. With wordlists built from real-world passwords and high-rate GPU cracking, all but the most complex passwords fall to cheap consumer hardware, especially when the passwords were stored with a fast, unsalted hash rather than a slow, salted one.
In closing, the significance of GameOver ZeuS and of the other recent high-profile attacks reinforces the need for the right tools and processes to identify and understand threats, remediate incidents, block related threats in the future, and find the ones that still manage to slip through to the endpoints. Documenting findings as Indicators of Compromise (IOCs) and then applying them at the endpoint, in network traffic, and in log files is how mature security teams accomplish these goals.
For organizations and users concerned about these types of threats, here are steps that protect an environment and minimize the risk:
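As an added example, not from the original post, here is the wordlist-plus-rules approach described above applied to a handful of constructed, unsalted SHA-1 hashes. The wordlist, the mangling rules and the target passwords are all assumptions made up for the illustration; a real attack would feed a leaked list such as rockyou to a GPU cracker, but the logic is the same.

```python
import hashlib

# Constructed stand-in for a real-world wordlist; a leaked list holds millions.
WORDLIST = ["password", "summer", "welcome", "letmein", "ebay", "qwerty"]

# Mangling rules of the kind GPU crackers apply to every wordlist entry.
SUFFIXES = ("1", "123", "!", "2014", "2014!")
LEET = str.maketrans({"a": "@", "e": "3", "o": "0", "i": "1", "s": "$"})


def mangle(word):
    """Yield the common variants of one wordlist entry (case, leet, suffixes)."""
    bases = {word, word.capitalize(), word.upper(), word.translate(LEET)}
    for base in bases:
        yield base
        for suffix in SUFFIXES:
            yield base + suffix


def sha1_hex(plaintext):
    """Unsalted SHA-1, the kind of fast hash that makes a dump cheap to crack."""
    return hashlib.sha1(plaintext.encode()).hexdigest()


def crack(target_hashes, wordlist, hash_fn=sha1_hex):
    """Return {hash: plaintext} for every target recovered by wordlist + rules.

    target_hashes: set of hex digests as found in a dump of unsalted hashes.
    Each candidate is hashed once and compared against every account at the
    same time, so the cost is O(len(wordlist) * rules) no matter how many
    accounts are in the dump. Salting would force one hash per candidate per
    account and take that advantage away.
    """
    remaining = set(target_hashes)
    found = {}
    for word in wordlist:
        for candidate in mangle(word):
            if not remaining:
                return found
            digest = hash_fn(candidate)
            if digest in remaining:
                found[digest] = candidate
                remaining.discard(digest)
    return found


# Constructed "dump": the plaintexts are shown so the result can be checked by hand.
TARGET_PLAINTEXTS = ["Password2014!", "letmein", "qw3rty", "Tr0ub4dor&3"]
TARGET_HASHES = {sha1_hex(p) for p in TARGET_PLAINTEXTS}

if __name__ == "__main__":
    recovered = crack(TARGET_HASHES, WORDLIST)
    for digest in sorted(TARGET_HASHES):
        print(digest, "->", recovered.get(digest, "<not cracked>"))
```

Three of the four constructed passwords fall to a six-word list with simple rules; only the one that is not a dictionary word with predictable decoration survives, which is the point the paragraph makes.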
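As an added example, not part of the original post or of any product it mentions, here is the IOC-application step described above run offline over constructed DNS log lines and a constructed endpoint file inventory. The indicator domains, the hash (of constructed bytes), the host names and the key=value log format are all assumptions made for the illustration, not indicators from the real GameOver ZeuS campaign.

```python
import hashlib
import re

# Constructed IOC set: placeholder domains plus the SHA-256 of constructed bytes.
STAGE2_BYTES = b"MZ\x90\x00" + b"constructed second-stage dropper body"
IOC_DOMAINS = {"update-check.example.net", "cdn-files.example.org"}
IOC_SHA256 = {hashlib.sha256(STAGE2_BYTES).hexdigest(): "second-stage dropper"}

# Constructed DNS resolver log, one query per line.
DNS_LOG = """\
2014-06-03T10:12:01Z host=WS-042 query=update-check.example.net type=A rcode=NOERROR
2014-06-03T10:12:05Z host=WS-042 query=www.example.com type=A rcode=NOERROR
2014-06-03T10:13:44Z host=WS-017 query=files.cdn-files.example.org type=A rcode=NOERROR
2014-06-03T10:15:02Z host=WS-101 query=notupdate-check.example.net type=A rcode=NXDOMAIN
"""

# Constructed endpoint inventory: (host, path, file bytes) as an agent would collect them.
INVENTORY = [
    ("WS-042", r"C:\Users\alice\AppData\Roaming\svchost.exe", STAGE2_BYTES),
    ("WS-017", r"C:\Users\bob\Downloads\invoice.pdf.exe", STAGE2_BYTES),
    ("WS-088", r"C:\Windows\System32\notepad.exe", b"MZ\x90\x00 benign program"),
]

HOST_RE = re.compile(r"\b((?:[a-z0-9-]+\.)+[a-z]{2,})\b", re.IGNORECASE)
ENDPOINT_RE = re.compile(r"\bhost=(\S+)")


def matches_domain(name, ioc):
    """Exact match or a subdomain of the IOC; 'notexample.net' must not match 'example.net'."""
    return name == ioc or name.endswith("." + ioc)


def domain_hits(log_text, ioc_domains):
    """Return [(line_no, endpoint, hostname, ioc)] for every IOC domain seen in the log."""
    hits = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        endpoint_match = ENDPOINT_RE.search(line)
        endpoint = endpoint_match.group(1) if endpoint_match else None
        for raw in HOST_RE.findall(line):
            name = raw.lower().rstrip(".")
            for ioc in ioc_domains:
                if matches_domain(name, ioc):
                    hits.append((line_no, endpoint, name, ioc))
    return hits


def hash_hits(inventory, ioc_sha256):
    """Return [(host, path, label)] for every file whose SHA-256 is a known IOC."""
    hits = []
    for host, path, data in inventory:
        digest = hashlib.sha256(data).hexdigest()
        if digest in ioc_sha256:
            hits.append((host, path, ioc_sha256[digest]))
    return hits


def infected_hosts(log_text, inventory):
    """Union of hosts flagged by either evidence source, sorted for stable output."""
    hosts = {ep for _, ep, _, _ in domain_hits(log_text, IOC_DOMAINS) if ep}
    hosts.update(host for host, _, _ in hash_hits(inventory, IOC_SHA256))
    return sorted(hosts)


if __name__ == "__main__":
    for hit in domain_hits(DNS_LOG, IOC_DOMAINS):
        print("DNS  ", hit)
    for hit in hash_hits(INVENTORY, IOC_SHA256):
        print("FILE ", hit)
    print("infected:", infected_hosts(DNS_LOG, INVENTORY))
```

The domain match deliberately accepts subdomains of an indicator (`files.cdn-files.example.org`) but rejects look-alikes that merely end in the same characters (`notupdate-check.example.net`); a plain substring search would get the second case wrong.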
- Block email attachments that are executables, or zip files that contain executables, such as .exe and .scr files. Match on the final extension, since droppers arrive disguised as documents (for example, a .pdf.exe file carrying a document icon).
- Use vulnerability mitigation software to cover for unpatched software so that exploit kits cannot get a foothold. The Microsoft Enhanced Mitigation Experience Toolkit (EMET) has a proven track record of deflecting exploitation, including the occasional zero-day exploited before a patch is available, and it can be managed in corporate environments through Group Policy, which makes deploying it an easy business decision. (Microsoft has since retired EMET; on Windows 10 the same mitigations are delivered as Exploit Protection in Windows Defender.)
- Install antivirus software. Although far from perfect, antivirus still catches a large percentage of malware and reduces noise, and a detected incident can lead you to damage or to other malware that would otherwise have gone undiscovered.
- For organizations with IT security staff or dedicated IR teams, I recommend acquiring consolidated platforms such as AccessData’s ResolutionOne™ Platform, designed to automate most of the capabilities required to analyze and understand incidents, and uncover what narrowly focused point products are not telling them. Applying these capabilities in a piecemeal fashion creates a hodgepodge of tools that require many manual steps to build the final big picture. This indirectly increases the technical skill requirements needed to investigate incidents and contributes to the growing demand for advanced security experts. For more on this discussion, see the recent blog post by AccessData CEO, Tim Leehealey.
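The first step in the list above, as an added example that is not part of the original post: a filter that applies the attachment rule to constructed attachments, including zip files and a zip-based Office document. The extension list beyond .exe and .scr, the size and nesting limits, and the fail-closed treatment of encrypted or corrupt archives are policy assumptions made for this illustration.

```python
import io
import zipfile

# Extensions treated as executable. The post names .exe and .scr; the others are
# added here as common Windows executable types and can be trimmed to policy.
EXECUTABLE_EXTS = {"exe", "scr", "com", "pif", "bat", "cmd"}
MAX_ZIP_DEPTH = 3                     # nested archives deeper than this are blocked unread
MAX_MEMBER_BYTES = 50 * 1024 * 1024   # refuse to inflate larger members (zip-bomb guard)


def final_ext(name):
    """Extension after the LAST dot, lower-cased: 'invoice.pdf.exe' -> 'exe'."""
    base = name.rsplit("/", 1)[-1]
    return base.rsplit(".", 1)[-1].lower() if "." in base else ""


def inspect_attachment(filename, data, depth=0):
    """Return ('block' | 'allow', reason) for one attachment body."""
    ext = final_ext(filename)
    if ext in EXECUTABLE_EXTS:
        return "block", f"executable extension .{ext}: {filename}"
    if data[:2] == b"MZ":  # PE header, whatever the name claims
        return "block", f"PE image despite .{ext or 'no'} extension: {filename}"
    if ext == "zip" or data[:4] == b"PK\x03\x04":
        return inspect_zip(filename, data, depth)
    return "allow", f"no executable content: {filename}"


def inspect_zip(filename, data, depth):
    """Walk an archive's members; a single executable member blocks the whole attachment."""
    if depth >= MAX_ZIP_DEPTH:
        return "block", f"archive nested deeper than {MAX_ZIP_DEPTH}: {filename}"
    try:
        archive = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return "block", f"unreadable archive, cannot inspect: {filename}"
    with archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            member = f"{filename}!{info.filename}"
            if final_ext(info.filename) in EXECUTABLE_EXTS:
                return "block", f"executable extension inside archive: {member}"
            if info.flag_bits & 0x1:  # encrypted member: cannot look inside, fail closed
                return "block", f"encrypted member, cannot inspect: {member}"
            if info.file_size > MAX_MEMBER_BYTES:  # size as declared in the header
                return "block", f"member too large to inspect: {member}"
            verdict, reason = inspect_attachment(member, archive.read(info), depth + 1)
            if verdict == "block":
                return verdict, reason
    return "allow", f"archive holds no executable content: {filename}"


def filter_attachments(attachments):
    """Map attachment name -> verdict for one message's attachments."""
    return {name: inspect_attachment(name, data)[0] for name, data in attachments.items()}


def make_zip(members):
    """Build an in-memory zip from {member_name: bytes}; used only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as archive:
        for name, content in members.items():
            archive.writestr(name, content)
    return buf.getvalue()


PE_STUB = b"MZ\x90\x00" + b"constructed, not a real program"
# Constructed attachments covering the cases the rule has to get right.
SAMPLES = {
    "report.docx": make_zip({"word/document.xml": b"<w:document/>"}),  # Office docs are zips
    "invoice.pdf.exe": PE_STUB,                                         # double extension
    "statement.zip": make_zip({"statement.pdf.scr": PE_STUB}),          # zipped and disguised
    "photos.zip": make_zip({"IMG_001.jpg": b"\xff\xd8\xff\xe0"}),
    "nested.zip": make_zip({"inner.zip": make_zip({"run.exe": PE_STUB})}),
    "notes.zip": make_zip({"readme.txt": PE_STUB}),                     # PE renamed to .txt
    "broken.zip": b"PK\x03\x04" + b"truncated",
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(f"{name:18} {inspect_attachment(name, data)}")
```

The filter blocks on the final extension, so the doubled extensions (`invoice.pdf.exe`, `statement.pdf.scr`) are caught, and it also looks at the first bytes of every body it can open, so a PE renamed to `.txt` inside a zip is caught too. Anything it cannot open (an encrypted member, a corrupt archive, an over-deep nest) is blocked rather than waved through; the zip-based `.docx` passes because its members are plain XML.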