ZEUS BOTNET DEFINED

Samuel Egiefameh

Advisor: Dr. Willie Thompson II

Morgan State University

Department of Electrical and Computer Engineering
Senior Design Project II
Fall, 2015

Student Signature ______________________________ Date ___________________

Advisor Signature _____________________________ Date ___________________

 2

TABLE OF CONTENTS

1. Abstract …………………………………….…….…. 3-4

2. Introduction ……………………………………………… 4

• Motivation of Research…………………………..… 4-5

• What is Zeus…………………………………… 5-6

• Brief history of Zeus…………………………… 6-8

• How Zeus works(Diagram)……………………… 8

3. Tools ...………………………………………………...….. 8

4. Methodology………………………………..……………..… 9

• Creating a Virtual Network………………… 9-11

• Command and Control Setup………………. 11-12

• Building bot Executable……………………… 12-15

5. Results …………………………………………….. 16-17

6. Conclusion ………………………………………. 17-18

7. References ………………………………………. 19
 3

§ 1: ABSTRACT

Over the last decade, spontaneous cyber-attacks have increasingly become a greater

threat. Jim Webb, former democratic candidate for president, when asked the question,

“What is the greatest threat to our national security today?” replied with a definitive,

“Cyber warfare.” Each year cybercrime costs the global economy up to $575 billion with

the U.S. taking a huge chunk of $100 billion. Billions of dollars are lost to cybercrime

each year and the reputations of reputable companies have been destroyed as an outcome

of it. The threat of whether a small business, large corporation, or even an ordinary

person in the comfort of their home having their personal information compromised, even

as far as identity theft, is almost as ordinary as a person breathing. Well, that may be a bit

extreme, but the fact of the matter is that if something is not done soon about the millions

of threats which are sent out each day, we will live in a world in which absolutely nothing

is safe. If something is not done about cybercrime now, one could only hope what our

country will be in the future.

A flexible network monitoring system is needed to see what is happening in real time

and store that information for later use. The purpose of this research project is to be the

mind of the hacker by carrying out the same attacks they do to their victims and to

possibly reverse engineer their tactics by finding some loopholes to see how we can

better protect our systems against cyber threats today. I will be performing a key logger

attack. My end goal is to be able to penetrate the Morgan State University email website

to steal both username and password and sending it back to the command and control. To

accomplish this task, I will need to generate my own attack using a very sophisticated
 4

piece of malware called “Zeus botnet” to test the vulnerability of computer systems and

use cyber software to capture how these attacks are happening in the background real

time. The data will then be collected and analyzed to determine how to stop these

malware attacks from getting to its ultimate goal which is the physical layer of the OSI

model.

§ 2: INTRODUCTION

Robert Mueller, an FBI director, once said, “there are two types of companies: those

that have been hacked, and those that will be.” Now this quote is a concern for both

companies and individuals. The days in which a group of men with guns and knives burst

into a bank to rob the bank tellers at gunpoint are long over. Men have become wiser,

smarter, and sharper, and can steal your money secretly on the web. Cyber war is the new

battlefield of today. Everything that has an on and off switch will soon be connected to

the internet of things. Hackers have discovered that most of the cash they’re after is not

stored in steel vaults, but on the web. Market research firm Gartner says the global

spending on IT is set to increase 8.2 percent from the year 2014. That is a total of $77

billion dollars. The cyber market is expected to grow to $170 billion by the year 2020.

Let’s face it, people are frightened because they see the effect of what cyber warfare has

accomplished and even more fearful of the potential it can do in the future.

2.1 - MOTIVATION OF RESEARCH

Cybersecurity is an interesting topic and one of the fastest growing specializations in

the job industry today. First, let me say in doing this project I was completely oblivious to

the cyber terms and cyber security as a whole in general. I sparked interest because of the

growing increase of cyber related attacks. I love technology. Technology is what drives
 5

our country today. It is possible in the near future there will be no more paper – everything

will be digital. Yet, for all this technology to be enjoyed freely without fear or remorse,

our data must be protected. I believe the growing number of cyber-attacks is in direct

proportion to the growing technology in out day and age. Cyber security is predicted to be

the fastest growing homeland security market as North America. I’m motivated to get

behind the mind of the hacker in hope to understand how attacks are carried out and to

possibly find ways of preventing it.

2.2 - WHAT IS ZEUS?

Zeus also known as Zbot is one of the most notorious and widely spread information

stealing Trojans on the market today. It’s a toolkit used to create information stealing

malware. While Zeus can do a plethora of different functions as in back-dooring new

equipment and infiltrating industrial systems, it’s main

goal is to steal online banking information from

vulnerable users. The toolkit performs four main

actions:

1. Gathers system information.

2. Steals protected storage information, FTP

passwords and POP3 passwords.

3. Steals online credential information as specified by the configuration file.

4. Contacts the command and control server

for additional tasks to perform.

 6

Zeus uses a botnet to create and distribute bots to its victims. A botnet (also known as

a zombie army) is a number of internet computers that, although their owners are unaware

of it, have been set up to forward transmissions (including spam or viruses) to other

computers on the Internet. The bots created by this kit will infect your computer and once

infected, it will run silently in the background harvesting information and sending it back

to the command and control center. A bot is simply a short word for a robot. It is a robot

who simply follows commands from the botmaster to tell it what he needs to do. In the

figure above, you see the botmaster at the center and the little bots that surround him. The

botmaster sends commands remotely to his bots across the globe to do whatever he

pleases. That is how Zeus operates. The kit is doesn’t require much of a technical

background to use. Once obtained, creating the malware is fairly simple. As a result, you

have many self-proclaimed or self-made hackers using this package to create and

distribute their own malware to victims. That is why Zeus today is so widely spread,

because anyone can use it and it don’t need to be the best programmer to send out a

legitimate attack. This kit ranges between $700-$3000 dollars but older versions can be

obtained either freely or for a small price through underground forums.

2.3 - BRIEF HISTORY OF ZEUS

Zeus is Trojan horse that steals banking

login information through key loggers and form

grabbing. A key logger is software that can track

or log the keys struck on your keyboard.

Meaning, that if your computer is infected with a

key logger, everything you type on your

 7

keyboard will be recorded and logged. This of course is extremely dangerous because

hackers use it with malicious intent to retrieve bank login information, credit card

numbers, usernames, passwords, and any other private information. The Trojan is also

able to do web injects by injecting more HTML code into a legitimate web pages to fool

the user by giving additional sensitive information not usually required by the website.

Zeus can also perform various web fakes. A web fake redirects your browser to a

compromised website or a fake version of the website to once again trick the user. Zeus

can perform a plethora of different functions, but for this project I will be penetrating the

MSU email website to steal login information and send it back to the command and

control.

The malware is usually distributed to its victims through drive-by downloads and

various phishing schemes or by simply clicking on an infected website. The Trojan was

first discovered in July 2007 when it was used to steal information from the United States

Department of Transportation. It compromised accounts in notable companies such as

Amazon, Bank of America, ABC, NASA, Oracle, Businessweek, and many others. Over

2,000 companies and organizations have been infected since Zeus was first discovered

and in 2012, Kaspersky Labs found five new variants infecting blackberry and Android

phones. In 2010, the original author sold the source code to his major competitor,

SpyEye, who is now enhancing the software. There is currently a $3 million dollar

bounty on the original creator of the Zeus Trojan, but selling the source code and making

it public in which now anyone can use the botnet makes it much harder to crack down the

original creator. From the year 2007-2011, Zeus was the absolute most notorious Trojan
 8

on the market and still today Zeus has not taken a backseat to anyone but still continues

to put fear in the hearts of those who know its power.

2.4 – HOW ZEUS WORKS (DIAGRAM)

§ 3: TOOLS

1. Zeus Toolkit

2. Two Virtual Machines (Attacker & Victim)

3. Test bed

4. XAMPP(Web server, PHP module, and MYSQL server)

5. Virtual Box (for WIN7 and WINXP)

6. Wireshark

7. Aegis Crypter
 9

§ 4: METHODOLOGY

4.1. CREATING A VIRTUAL NETWORK

After obtaining the Zeus toolkit my next step was to create a virtual network. A virtual

network is a computer network that consists of virtual network links. It does not consist

of a physical (wired or wireless) connection between two computing devices but is

implemented using methods of network visualization. This is needed for penetration

testing and hacking. For instance, whenever you need to do something in the computer

world for you to understand what is taking place, it is needed to sit down with the

physical equipment and play with it. It’s just as if you were building a windows server

network, you will need a lab for penetration testing and hacking. In the past, if you

wanted to hack another computer for testing you would need the actual physical hard

computer and they will need to be connected on a network, otherwise the attack will not

work. In today’s modern world as technology has advanced, all you will need is just one

powerful system called a test bed, put some type of virtualization software on that

system, create numerous virtual

computers and have those computers

attack each other. Because I will be

working with dangerous pieces of

malware, a virtual network was

needed between the virtual machines so that malware won’t affect another system which

wasn’t connected. To do this, I bridged the connections within Virtual Box. Bridging the

networks gives the two virtual machines the same DHCP and DNS with different MAC
 10

addresses. To ensure they were connected, I sent out a simple ping between the two

networks as you can see in the figure below:

Figure 1

Figure 2

Getting a reply from each of the IP addresses shows that both networks are bridged and

are now ready for testing. However, in a bridged connection, the network is connected to

the LAN, the outside world. An internal network is the exact opposite of a bridged

network. In an internal network, the virtual machines can communicate with each other;

yet, they are completely isolated from the outside world. An internal network is the ideal

situation for this project; however, for me to be able to penetrate the Morgan State

University website, it was needed that I bridged the connections. This makes it more

dangerous; however, the malware cannot infect another computer unless bridged under

the same DHCP and DNS. Let me be clear, the bridged network, though connected to the

outside world is not bridged to the outside world but rather bridged internally between the
 11

two virtual boxes. So although it can connect to the internet it cannot do damage to those

on the network. In essence, it acts as a pass through.

4.2 COMMAND & CONTROL SETUP

The Zeus command and control is one of the most important aspects for the hacker to

carry out a successful attack. The server component of the Zeus kit is a collection of php

scripts that allow the owner to monitor the status of their bots, issue commands to them

and retrieve the information that they have collected. Without this, this server the toolkit

is in essence useless. The malware can still infect its victims and retrieve confidential

information, yet, the bot will have no place to send this information to without the

command and control. The command and control is not provided with the Zeus toolkit so

you must go through other means to be able to set one up. For this project, I used

software called XAMPP. XAMPP is a free and open source cross-platform web server

solution stack package developed by Apache Friends, consisting mainly of the Apache

HTTP Server, Maria DB database, and interpreters for scripts written in the PHP and Perl

programming languages.

Once XAMPP was installed on my attacker virtual machine it needed to be integrated

with the Zeus toolkit. The bot package provides a set of PHP scripts that will set up the

required database tables and other user-specific data, based on the configuration file used

to generate the bot. For this to work, you need to copy everything in the “server[php]”

folder from the Zeus files to the htdocs folder in the XAMPP web host. This step is vital

for the success of the command and control. Next, I needed to create a database for my

command and control to have the necessary requirements. I encountered many issues

along this process, some difficult some not so difficult, but this one gave me the most
 12

trouble. For some reason, whenever I would try to execute the initial script provide by the

botnet for my command and control it would fail to read MYSQL as root. After much

research, the problem was resolved by creating a simple php script for the file to now

execute. You can see the results of this in the picture below:

Figure 3

The command and control is now complete and can be used for control of the bots I will

send forth to my victims.

4.3 - BUILDING BOT EXECUTABLE

The last stage of the process before infecting my victim virtual machine was to now build

the bot executable. The bot executable is the actual exe file that will be used on my

victim. There are three things needed to build this bot executable: A builder,

configuration file, and web injects. Each hacker will use the builder to create the

encrypted configuration file and the bot executable that is specific to their victim.

However, before you build your bot executable, you must configure the configuration file

which is needed before you can do anything useful. The configuration file contains the
 13

address to which all the stolen information will be sent including the URL which the file

will be located.

The figure below displays a screenshot of a portion of the configuration file commands

which needs to be updated

before building your

executable. The url_loader is

the bot itself and can be sent

to various hosts. The encryption_key is the password used by the bot owner for removing

the bot from the any infected CPU as his will. The url_server is the command and control

location and the file_webinjects is

the file needed for injecting more

HTML into targeted websites to

gather more sensitive information

in which usually may not be

requested by the banks. So I

configured all the commands

which I highlighted in red to my computer by changing the IP address and placing the

current location for my web injection file. Now that my file configuration file is set, I can

now build the bot by simply clicking the build button as you see in the figure 5.

By clicking the bot executable, the builder will then convert the text file into the binary

format expected by the executable, compress and then encrypt it. Now this is what makes

Zeus all the more powerful. As mentioned earlier, this botnet has the ability to hide itself
 14

within a computer without the detection of antivirus programs. To see exactly how this

works, I decided to test the executable before infecting my virtual machine to see how

many antivirus programs will detect Zeus in the system. I was able to find a website

called VirusTotal in which this can be done. VirusTotal is a website, originally developed

by Hispasec, that provides free checking of files and websites for viruses. It uses 55

different antivirus products and 61 online scan engines to check for viruses that the user's

own antivirus solution may have missed, or to verify against any false positives. So after

creating my executable, I uploaded the piece of malware to the website and a total of

46/55 antivirus's detected the malware.

The results show that the majority of the antivirus programs will detect Zeus

within their systems. However, we must be reminded that the version of Zeus(version

2.0.8.9) I obtained is the standard version which was coded by the original creator of

Zeus. Antiviruses have updated since that time but there are many newer versions of Zeus

on the underground market today which can do virtually go undetected. In spite of this,

the hackers will still find various means to hide the malware on the backgroung systems

regardless of what version they have. This is done using crypters. A cryper is a free

software used to encrypt malware, keyloggers, or any RAT tool for they are not found

and deleted by antiviruses. In essence, what this software does is allow users to encrypt

the source of their program. Obtained from hackpconline.com, "Generally, antivirus

work by splitting source code of application and then search for certain string within

source code. If antivirus detects any certain malicious strings, it either stops scan or

deletes the file as virus from system. Crypter simply assigns hidden values to each

individual code within source code. Thus, the source code becomes hidden. Hence, our
 15

sent crypted trojan and virus bypass antivirus detection and our purpose of hacking them

is fulfilled without any AV hindrance. Not only does this crypter hide source code, it will

unpack the encryption once the program is executed." There are also FUD crypters which

stands for fully undetectable. These crypters encrypt the malware so well that they are

completely undetecble by any antivirus programs which makes it all the more dangerous

when your computer gets infected because it will not identify the program as harmful. So

if you obtain a free version online, it will encrypt the anti viruses yet some antivirus

programs will still deem it harmful. FUD crypters can only be found on hacking forums

but it may only remain "FUD" one or two days after its release.

To reiterate, for my project I decided to test this and I was able to obtain a free

crypter online. I decided to use the same piece of malware I uploaded earlier unto

VirusTotal to encrpyt is using the crypter and then test it on the website again. After the

compltetion of this, the results were

outstanding. The results show a

percentage decrease in the detection ratio

of about 47% which is an outstanding

number. Because of this crypter, the

danger level of this malware increased so

much more. this gives a clear understanding on some of the tactics hackers will use to

hide in systems that have been compromised.

 16

§ 5: RESULTS
In my methodology section, I explained in detail the process of how to setup the

command and control, create the bot, test the malware, etc. Now it's time to infect my

virual machine and retrive the username and password from the Morgan State University

website. To give a quick recap on what I've already mentioned above, because the

connections are bridged my malware cannot infect another other system other than the

systems which are beidged to the virtual machines. I could use various phishing schemes

to transfer my created malware to the virtual

machine, but for the sake

of time, I simply just typed the url_loader

(which is malware) into the web browser of

my victim virtual machine. Once I clicked

"run" the machine is now infected and you

can see the progress of my bot in the

command and control interface in which I can monitor and view the bots. In figure 9, you

see the command and control statistics page which enables you to view and manage your

bots. The summary page provides the global status of all the bots you used to infect your

victims. OS lists the versions of windows and service pack edition of the compromised

computers. Search in database is the main

page where you can see all the reports the

bots bring in. that is where you see the

username and password stolen from the

victims. After I infected my virtual machine, you can see that my total bots changed from
 17

0 to 1. Everything the victim now does is under my watch. In my infected virtual

machine, I proceeded to the email website of Morgan State university and entered a false

username and password. Regardless if the password works or not, the botnet still logs

each and every login information you have attempted on targeted websites. The results

are as follows: My attack was successful. I was able to infect my virtual machine and

send all the information back to the command and control of my attack virtual machine.

Unfortunately Zeus can only record logs fromInternet Explorer and some older versions

of Firefox. I tried to gather logs fromGoogle Chrome but was unsucessful.

§ 6: CONCLUSION

Network security in today is a growing concern in our society. However, when the right

controls are set in stone, we can better defend our systems. This project, I was able to

demonstrate the power of Zeus. I was able to display that once your computer is infected,

you are now my slave and I can control and do as I wish. Zeus has frightened many
 18

across the world today; however, the power of Zeus can be defeated. Zeus is not

undefeatable and many are making the necessary steps to avoid being infected. There are

some practical ways to defend your systems against Zeus. First, you must ensure that you

keep an updated web browser. Internet Explorer is the most susceptible to Zeus attacks.

In fact, I could only retrieve logs from Internet Explorer. Zeus was unable to retrieve logs

from Firefox and Google Chrome. However, there are newer versions of Zeus which are

now able to retrieve logs from the more updated browsers like Google Chrome, so it is

best to use caution and to keep your browser updated regularly. Next, you must make

sure you have antivirus software installed. Although Zeus has the power to hide itself

from many antiviruses, there are still some on the market that deem Zeus as harmful.

Keep an updated antivirus installed on your systems for better protection. Lastly, if you

own your own website, it is best to switch up the view on the website often. For example,

if the login information is located on the right hand side of the webpage, every now and

then you can switch it to the left, or up top, or down below. The reason for this is because

the HTML injection techniques that Zeus implements is only wired to an exact webpage.

This means that Zeus does not adapt or change to the desired settings on your webpage.

For the hacker to now inject code into a newly designed webpage, he would now have to

write a completely different code to cater to the way your website looks. Changing the

display of your webpage helps fight off Zeus HTML injection techniques. In conclusion,

the cyber world today has many issues and we can win this battle but it will take one step

at a time. We must work smarter to be a step ahead of how these crackers operate.
 19

§ 7: REFERENCES

[1]N.C & E.C. Nicolas Falliere and Eric Chien, Y2009ear Published. [Online].
Available: http://
http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/
zeus_king_of_bots.pdf. [Accessed: 04- Dec- 2015].

[2] www.sophos.com, 'What is Zeus?', 2014. [Online]. Available:

https://www.sophos.com/en-
us/medialibrary/PDFs/technical%20papers/Sophos%20what%20is%20zeus%20tp.pdf?la
=en.pdf?dl=true. [Accessed: 04- Dec- 2015].

1) [2] www.hackpconline.com, 'FAQ: What is FUD Crypter? - Hide Trojans,

Password Stealers and Keyloggers From Antiviruses
', 2014. [Online]. Available: http://www.hackpconline.com/2010/04/faq-what-is-fud-
crypter.html [Accessed: 04- Dec- 2015].