After I taught the breakout session, "How Technology Changed Fraud Investigations," at the 22nd Annual ACFE Fraud Conference and Exhibition in June, I received a number of questions about how banking Trojans work. The timing was perfect: In May, various underground forums leaked to the public the source code for the Zeus banking Trojan. Zeus, a highly configurable crimeware, is one of the most pervasive threats in the cyberlandscape. Its "public" release does not necessarily mean it is no longer a threat: More people will have access to it, and it can now serve as inspiration for future banking Trojans. This comes at about the same time as Zeus' author announced his retirement and turned the source code over to a competitor.
A BIT ABOUT ZEUS
First spotted in the wild in 2007, Zeus, which originated in Europe, is a crimeware designed primarily to steal users' online banking credentials. The fraudsters then either resell these credentials to other cybercrime groups or use them to steal money from users' bank accounts. A recent FBI crackdown showed that an organized group using Zeus managed to steal U.S. $70 million before being caught. It has been reported that a recent version of Zeus with all the features sells for $15,000 on underground servers. And like commercial software, Zeus comes with documentation plus basic and paid support. It is easier than ever for criminal groups to enter the cybermarket.
THE INFECTION
Zeus infects computers via downloaded, tainted email attachments; web links in malicious emails that appear to be patches from legitimate sources; drive-by downloads, which exploit browser vulnerabilities to force the download; or by replacing legitimate downloads on a compromised site. After the Trojan is downloaded, it uses various subversive techniques to avoid detection.
INSIDE ZEUS
The source code structure of Zeus, entirely written in the C++ programming language, is quite complex. However, this complexity affords it functionality. It allows cybercriminals to integrate additional modules, such as one that lets hackers bypass the two-factor authentication used by some financial institutions.
The Zeus botnet relies on a highly configurable settings file, which dictates where and how often to send data back to the cybercriminal's server. This file is encrypted on the server, and the Trojan regularly calls home to obtain new copies of the configuration file to get its new "orders."
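The regular call-home described above leaves a signature a defender can hunt for: the same host fetching the same path at near-constant intervals. The following is an added example, not code from the article, that runs a simple periodicity check over constructed proxy-log lines; the log format, hosts and paths are assumptions.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed proxy log lines (not from the article): "epoch client dst path"
SAMPLE_LOG = """\
1700000000 10.0.0.5 203.0.113.7 /cfg/config.bin
1700000060 10.0.0.5 203.0.113.7 /cfg/config.bin
1700000121 10.0.0.5 203.0.113.7 /cfg/config.bin
1700000180 10.0.0.5 203.0.113.7 /cfg/config.bin
1700000241 10.0.0.5 203.0.113.7 /cfg/config.bin
1700000015 10.0.0.5 198.51.100.9 /news/index.html
1700000400 10.0.0.5 198.51.100.9 /news/story.html
1700000412 10.0.0.5 198.51.100.9 /news/story2.html
1700001900 10.0.0.5 198.51.100.9 /news/index.html
"""

LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+)$")


def parse(log):
    """Group request timestamps by (client, destination, path)."""
    events = defaultdict(list)
    for line in log.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, dst, path = m.groups()
        events[(client, dst, path)].append(int(ts))
    return events


def find_beacons(log, min_hits=4, max_jitter=0.1):
    """Return (key, mean_gap) for request series whose gaps are near-constant.

    max_jitter is the allowed ratio of gap standard deviation to mean gap;
    a config fetch every ~60 s passes, ordinary browsing does not.
    """
    hits = []
    for key, times in parse(log).items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [b - a for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits.append((key, avg))
    return hits
```

Real proxies add jitter and the interval is configurable, so tune min_hits and max_jitter against a baseline of normal traffic before alerting on this alone.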
INFORMATION SUPERHIGHWAY ROBBERY
Zeus steals credentials by intercepting network traffic from web browsers and collecting user credentials and other personally identifiable information even if browser sessions are secured and encrypted. It does so by hooking into the application programming interfaces that today's most popular browsers use to read and write data, and then sends the captured information back to the cybercriminals' servers. Zeus also can steal credentials from various file transfer systems that are sometimes used for payroll and batch bank transactions.
Zeus can manipulate incoming web forms to fool online banking users into surrendering information. For example, it can solicit additional responses to challenge questions ("What's your mother's maiden name? What high school did you graduate from?"). Cybercriminals can then use the answers with collected credentials to make fraudulent online transactions.
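Because the injected fields are added in the victim's browser, the bank's own copy of the page is the reference a defender can check against. The following is an added example, not code from the article: it compares the form fields of a served login page with a client-reported snapshot of the rendered page and reports any fields the bank never sent. The HTML, form id and field names are constructed assumptions.

```python
from html.parser import HTMLParser

# Constructed login page as served by the bank (not from the article)
SERVED_HTML = """<form id="login" action="/auth" method="post">
<input name="username"><input name="password" type="password">
<input type="submit" value="Sign in"></form>"""

# Constructed snapshot of the same page after a Zeus-style form injection
INJECTED_HTML = """<form id="login" action="/auth" method="post">
<input name="username"><input name="password" type="password">
<input name="mother_maiden_name"><input name="high_school">
<input type="submit" value="Sign in"></form>"""


class FieldCollector(HTMLParser):
    """Collect the input names of every form, keyed by the form's id."""

    def __init__(self):
        super().__init__()
        self.forms = {}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = a.get("id", "")
            self.forms.setdefault(self._current, set())
        elif tag == "input" and self._current is not None and a.get("name"):
            self.forms[self._current].add(a["name"])

    def handle_endtag(self, tag):
        if tag == "form":
            self._current = None


def form_fields(html):
    """Map form id -> set of named input fields found in the HTML."""
    p = FieldCollector()
    p.feed(html)
    return p.forms


def injected_fields(served, rendered):
    """Fields present in the rendered snapshot but absent from the served page."""
    expected, actual = form_fields(served), form_fields(rendered)
    result = {}
    for fid, names in actual.items():
        extra = names - expected.get(fid, set())
        if extra:
            result[fid] = sorted(extra)
    return result
```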
Also, cybercriminals, using Zeus' features, can clean out bank accounts and manipulate the content of a web page. This feature allows the cybercriminal to cloak the transfer of funds, making it unnoticeable until individuals view their statements.
THE COMMAND AND CONTROL BACKEND
Zeus-infected computers communicate with a command and control infrastructure to which they send collected data and from which they also obtain additional instructions. This infrastructure is written almost entirely in PHP, a general-purpose scripting language for web-page development, and so it runs on most web servers capable of running a PHP interpreter. The server is the central point of control of a botnet, so it collects data from the compromised systems running Zeus.
The server also provides functionalities to search and sort the data. As such, the cybercriminals controlling Zeus-infected computers can search for data originating from specific countries to coordinate efforts to transfer money out of harvested accounts.
LOOKING FORWARD
With cash hauls like those previously mentioned, we should expect to see additional high-end Trojans, even more powerful than Zeus, designed specifically to steal valuable information, such as online banking credentials.
Jean-François Legault is a senior manager with Deloitte's Forensic & Dispute Services practice in Montreal, Canada.
The Association of Certified Fraud Examiners assumes sole copyright of any article published on www.fraud-magazine.com or www.ACFE.com. ACFE follows a policy of exclusive publication. Permission of the publisher is required before an article can be copied or reproduced. Requests for reprinting an article in any form must be emailed to FraudMagazine@ACFE.com.