Financial institutions and financial credentials are widely targeted by Malware for obvious reasons. Besides targeting financial organisation, botnet are used for all sorts of illegal activities over the Internet. For instance, for online advertisement industry alone, botnet are causing losses upto the extent of $6 million a month.
One such Malware is known as Zeus that is well known for stealing banking information by man-in-the-browser keystroke logging and form grabbing. It is also used to install the CryptoLocker ransomware. Zeus is spread mainly through drive-by downloads, spam and phishing techniques. Infected systems can also be used to engage in other malicious activities, such as sending spam or participating in distributed denial-of-service (DDoS) attacks. The latest variant of Zeus is known as Gameover Zeus, or GOZ botnet.
According to a good research analysis (PDF) of GOZ botnet, Zeus is a family of credential-stealing trojans which originally appeared in 2007. The first two variants of Zeus are based on centralized command servers. These command servers are now routinely tracked and blocked by the security community. In an apparent effort to withstand these routine countermeasures, the second version of Zeus was forked into a peer-to-peer variant in September 2011. Compared to earlier versions of Zeus, this peer-to-peer variant is fundamentally more difficult to disable.
Due to its lack of centralized C2 servers, P2P Zeus is not susceptible to traditional anti-Zeus countermeasures, and is much more resilient against takedown efforts than centralized Zeus variants. The main P2P network is divided into several virtual sub-botnets by a hardcoded sub-botnet identifier in each bot binary. While the Zeus P2P network is maintained and periodically updated as a whole, the sub-botnets are independently controlled by several botmasters.
The Zeus P2P network serves two main purposes. These are: (1) Bots exchange binary and configuration updates with each other and (2) Bots exchange lists of proxy bots, which are designated bots where stolen data can be dropped and commands can be retrieved. Additionally, bots exchange neighbor lists (peer lists) with each other to maintain a coherent network. As a backup channel, P2P Zeus also uses a Domain Name Generation Algorithm (DGA), in case contact with the regular P2P network is lost.
According to researchers, P2P Zeus has evolved into a complex bot with attack capabilities that go beyond typical banking trojans. They believe that P2P Zeus is used for activities as diverse as DDoS attacks, malware dropping, Bitcoin theft, and theft of Skype and banking credentials. Researchers have also found that till recently bot traffic was encrypted using a rolling XOR algorithm, known as “visual encryption” from centralized Zeus, which encrypts each byte by XORing it with the preceding byte. Since June 2013, Zeus uses RC4 instead of the XOR algorithm, using the recipient’s bot identifier as the key. Rogue bots used by analysts to infiltrate the network typically use continuously changing bot identifiers to avoid detection. The new RC4 encryption is a problem, because a rogue bot may not always know under which identifier it is known to other bots, thus preventing it from decrypting messages it receives. In addition, RC4 increases the load on botnet detection systems which rely on decrypting C2 traffic.
Zeus uses RSA-2048 to sign sensitive messages originating from the botmasters, such as updates and proxy announcements. In all P2P Zeus variants researchers studied, update exchanges and C2 messages feature RC4 encryption over an XOR encryption layer. For these messages, either the identifier of the receiving bot or a hardcoded value is used as the RC4 key, depending on the message type. Each Zeus bot runs a passive thread, which listens for incoming requests, as well as an active thread, which periodically generates requests to keep the bot up-to-date and well-connected.
The researchers have concluded (PDF) that P2P Zeus is a significant evolution of earlier Zeus variants. Compared to traditional centralized versions of Zeus, P2P Zeus is much more resilient against takedown attempts. Potential countermeasures against P2P Zeus are complicated by its application of RSA-2048 signatures to mission critical messages, and rogue bot insertion is complicated by the Zeus message encryption mechanism which makes the use of random bot identifiers impossible. Poisoning attempts are forced to use widely distributed IPs due to a per-bot IP filter which only allows a single IP per /20 subnet. The network’s resilience against takedown efforts is further increased by its use of a Domain Generation Algorithm backup channel, and by an automatic blacklisting mechanism. P2P Zeus demonstrates that modern P2P botnets represent a new level of botnet resilience, previously unseen in centralized botnets.
On the legal side, the creator and users of Gameover Zeus are difficult to prosecute. This is because the cyber attack scenario has shifted its nature and territorial scope from being fun and regional to become a potential tool of cyber warfare and cyber espionage. We have no globally acceptable international legal regimes for cyber attacks as on date. Thus, international legal issues of cyber attacks are yet to be resolved.
Cyberspace also put forward complex problems of authorship attribution for cyber attacks and anonymity. Cyberspace also gives rise to conflict of laws in cyberspace where multiple laws of different jurisdictions may be applicable at the same time. Thus, cyber security and international cooperation cannot be separated in these circumstances. Nevertheless international cooperation among law enforcement agencies of different Nations and entering of extradition treaty among themselves can be a good beginning. Some success has already been achieved in this regard and more international cooperation is expected very soon in the cyber law and cyber security fields.