Tuesday, 13 October 2009

Inside a Zeus Crimeware Developer's To-Do List

Every then and now I get asked a similar question in regard to crimeware kits - which is the latest version of a particular crimeware/web malware exploitation kit?

The short answer is - I don't know. And I don't know not because I'm a victim of an outdated situational awareness, but due to the fact that nowadays third-party developers are so actively tweaking it that coming up with a version number would be inaccurate from my perspective. Therefore, whenever I provide such a version number, I try to emphasize and provide practical examples of how the current decentralization of coding from the core authors to third-party developers and, of course, scammers brand jacking the Zeus brand, is making the answer a little bit more complex than it may seem at the first place.

For instance, cybercriminals themselves have been capitalizing on this situation during the last two quarters, by speculating with the version numbers and offering backdoored copies of non-existent Zeus releases, in a attempt to hijack their Zeus botnets at a later stage -- a practice that phishers have been taking advantage of for a while. Anyway, once I'm able to sort of cluster a particular third-party developer's persistence in tweaking the Zeus crimeware kit, an interesting picture emerges. For instance, a team member from a third-party developer of backend systems for botnets that came up with the built-in MP3 player in a Zeus release, is also directly involved in developing the backend system and GUI for the Chimera botnet which the British Broadcasting Corporation purchased last month.

Let's discuss the way the version number system in the Zeus crimeware, before we take a peek at a recent CHANGELOG, and a future TO-DO list from one of the third-party developers. Zeus version a.b.c.d means that change in A stands for a complete change in the bot, B stands for major changes that make previous bot versions incompatible, C stands for modifications and performance boosting, and D is a prophylactic change in order to avoid antivirus solutions from detecting it.

The Q&A applied in Zeus can be easily seen by taking a peek at some of the changes that took place in December, 2008 :

"Change 10.12.2008
- Documentation will no longer be available in a CHM format, instead in a plain-text format
- The bot is a now able to receive commands not only by using the send command function, but also during requests for files and logs changes
- Local data requests to the server and the configuration file can be encrypted with RC4 key depending on your choice
- In order to decrease the load on the server, a fully updated bot-to-server and server-to-bot communication protocol is introduced

Change 20.12.2008
- Small error fixed when sending reports
- The size of the report cannot exceed 550 characters
- Error fixed in the bot due to low timeout for sending POST requests resulting in dropping requests for log files bigger than 1 MB

Change 2.03.2009
- Changed the default cryptor routines
- Updated process of building the bot
- Optimized compressed of the binary
- Rewritten the process of assembling the configuration file
- Changed the MyMSQL tables
- Fixed fonts in the panel due to bogus displaying of characters
- Updated Geolocation database"

The following "To-Do" list, pretty similar to another one which I discussed last year (A Botnet Master's To-Do List). What's to come in the Zeus crimeware kit, at least courtesy of a sampled third-party developer? The following features have been in the works for several months now:

"- Compatibility with Windows Vista and Windows 7
- Improved WinAPI hooking
- Random generation of configuration files to avoid generic detection"
- Console-based builder
- Version supporing x86 processors
- Full IPv6 support
- Detailed statistics on antivirus software and firewalls installed on the infected machines"

The Zeus crimeware is not going away from the radar anytime soon, and the main reason for that is not the fact that its exclusive features outperform the ones in the Limbo crimeware and the Adrenalin crimeware, but due to the fact that Zeus has a much bigger fan base, and well established third-party community around it.

Image courtesy of Abuse.ch's Zeus Tracker -- the one that got DDoS-ed in February due to its apparent usefulness.

Related posts:
Crimeware in the Middle - Limbo
Crimeware in the Middle - Adrenalin
Crimeware in the Middle - Zeus
76Service - Cybercrime as a Service Going Mainstream
Zeus Crimeware as a Service Going Mainstream
Modified Zeus Crimeware Kit Gets a Performance Boost
Modified Zeus Crimeware Kit Comes With Built-in MP3 Player
Zeus Crimeware Kit Gets a Carding Layout
The Zeus Crimeware Kit Vulnerable to Remotely Exploitable Flaw

emails

a

The Register - Security

IQ test

The Register - Security: Anti-Virus

HackWire - Hacker News