The Akamai Blog

Threat Advisory: High-Risk Zeus Crimeware Kit

Akamai's PLXsert team has discovered new payloads from the Zeus crimeware kit in the wild, deeming it "high risk" in an advisory released this morning.

The advisory says the Zeus framework has evolved from focusing on the harvesting of banking credentials to being used in the control of compromised hosts (zombies) for criminal activity, including distributed denial of service (DDoS) attacks and attacks customized for specific platform-as-a-service (PaaS) and software-as-a-service (SaaS) infrastructures.

"The Zeus framework is a powerhouse crimeware kit that enterprises need to know about to better defend against it," said Stuart Scholly, senior vice president and general manager of Akamai's Security Business Unit. "It's hard to detect, easy to use, and flexible - and it's being used to breach enterprises across multiple industries."

Malicious actors using the Zeus crimeware kit have been responsible for several recent high-profile cybersecurity breaches of Fortune 500 firms, the advisory says. Computers, smartphones and tablets infested with the Zeus bot (zbot) malware become agents for criminals - serving a malicious master, sharing user data, and becoming part of a botnet to attack computer systems.

From the advisory:

Using the kit, attackers harvest data, such as login usernames and passwords, as entered from a web browser on an infected device. In addition, an attacker may insert additional fields into the display of a web form on a legitimate website to trick the user into supplying more data than a site usually requires, such as a PIN number on a banking site. Attackers can even remotely request the user's machine take a screenshot of the current display at any time.

All data requested by the attacker is sent back to a command and control panel, where it can be sorted, searched, used or sold. The harvested data is likely to be used for identity theft. It could also be sold to competitors or used to publicly embarrass a firm.

Why is this so high risk? Many enterprise applications and cloud-based services are accessible from the web. Platform-as-a-service (PaaS) and software-as-a-service (SaaS) vendors are at risk of being victimized and may face the loss of confidential customer information, trade secrets, data integrity, reputation and more. Employees, customers and business partners could unintentionally download the malware onto their enterprise computers or personal devices. When they subsequently log in from the web using the device, they may inadvertently hand confidential information to malicious actors.

Meanwhile, antivirus software has proven ineffective against Zeus because of how files are hidden, content is obfuscated and firewalls are disabled.

Action items

PLXsert recommends the following defensive actions:

  • Zeus is mainly a client-based attack vector. Users are tricked into running programs that infest their devices, so organizational security policies and user education can help. Enforce security policies for system security and patches and updates. Educate users about how this type of attack is executed from email clients and web browsers.
  • Clean-up effort by the security community is fundamental. Initiatives such as ZeuS Tracker are necessary to contain and manage this threat. Takedown follow-up efforts must also be implemented to reduce the number of infected command and control centers.
  • Learn how to prevent, detect and remove Zeus infections. Symantec Security Response provides extensive information to help you do this.
  • Write Snort rules for Zeus traffic. Sourcefire VRT Labs has an excellent source for writing Snort rules based on Zeus traffic.

A free copy of the threat advisory is available for download here.