Botnets and Malware: The Zbot Attack
Group 7: Andrew Mishoe, David Colvin, Hubert Liu, George Chen, John Marshall, Buck Scharfnorth
What Happened?
Type of attack
- Botnet: a group of compromised computers that can be controlled remotely by a single operator (the botmaster)
- Targeted malware attack using the Zeus Trojan, built with the Zeus crimeware toolkit
- Able to evade anti-virus software
- Targets: banking and financial institutions, and small companies
Toolkit capabilities
- Customized malware creation
- Website phishing
- Command-and-control (C2) channel back to the operator
- Web injection scripts (monitoring tools that alter and capture what the victim sees in the browser)
- Kill OS script (disables the machine, delaying the victim's discovery of the attack)
- Screenshots, keystroke logging, running a proxy server, hosting phishing websites, spam campaigns
What Happened? (cont.)
Infection sequence
- Installs on the machine and disables security software
- Embeds the configuration file generated by the toolkit (targets, C2 addresses, web injects)
- Retrieves data (credentials, keystrokes, screenshots) and uploads it to a remote URL
What was the impact?
Spread
- First became widespread in March 2009
- In May 2009, a botnet operator spontaneously decided to render 100,000 PCs inoperable
- Named America's most pervasive computer botnet virus by Network World magazine in July 2009
- In October 2009, Facebook-themed phishing e-mails were measured being sent at over 500 per second
- In November 2009, 9 million e-mails were sent over a two-day period targeting Verizon customers
- Infiltrated Amazon's cloud computing network (EC2) in December 2009
What was the impact? (cont.)
Spread (cont.)
- 3.6 million infections measured in July 2009
- Accounted for 44% of all financial malware infections in September 2009
- Still very active at the time of this presentation
Why did this attack succeed?
Social engineering (human ignorance)
- Infiltrated computers through phishing e-mails posing as:
  - Facebook
  - Microsoft Updates
  - Conficker removal
  - CDC vaccinations
  - UPS
  - Delta Airlines
  - System administrator e-mails
- Used authentic-looking domain names:
  - updata-1.com, admin-data.com, 1-db.com, 1ssl-network.com, upd-central.com
  - central-updates.com, admin-systems.com, db-1.net, cert1.net, admin-db.net
- Easy deployment: the toolkit was used by a vast number of criminal organizations
Malware Tactics
Infects computers in multiple ways
- Phishing
- Malicious scripts in web pages
Rootkit
- Hides its files and folders from view
- Injects code into system processes
- Hard for security software to detect
Disables security
- Closes the firewall and other security applications
Fast-flux DNS
- C2 and phishing hostnames resolve to a constantly changing set of infected hosts with short TTLs, so blocking a single IP does not take the infrastructure down
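Fast-flux DNS is the one tactic on this slide that a defender can see from the network side. The following is an added example, not code from the presentation or from the Zeus toolkit: a small heuristic that scores a domain on what successive lookups return. The lookups, hostnames and thresholds are constructed for illustration (RFC 5737 documentation addresses, placeholder names); nothing here is real Zbot infrastructure.

```python
"""Fast-flux DNS heuristic.

A fast-flux domain hands out many different IPs (infected bots acting as
reverse proxies) with very short TTLs, so successive lookups of one name
scatter across unrelated networks. This scores observed lookups on three
features: distinct IPs, distinct /16 networks, and the smallest TTL seen.
"""
import ipaddress

# Constructed sample of successive A-record lookups as (domain, ip, ttl_seconds).
# The addresses are RFC 5737 documentation ranges; nothing here is real Zbot
# infrastructure, and the hostnames are placeholders.
SAMPLE_LOOKUPS = [
    ("upd-central.example", "203.0.113.7", 120),
    ("upd-central.example", "198.51.100.21", 120),
    ("upd-central.example", "192.0.2.150", 60),
    ("upd-central.example", "203.0.113.99", 60),
    ("upd-central.example", "198.51.100.200", 120),
    ("upd-central.example", "192.0.2.9", 60),
    ("www.example.net", "192.0.2.1", 3600),
    ("www.example.net", "192.0.2.1", 3600),
    ("www.example.net", "192.0.2.2", 3600),
]

# Thresholds are assumptions for illustration; tune them against your own resolver logs.
MIN_DISTINCT_IPS = 5
MIN_DISTINCT_NETS = 3
SHORT_TTL_SECONDS = 300


def group_lookups(lookups):
    """Group (domain, ip, ttl) observations by domain -> list of (ip, ttl)."""
    by_domain = {}
    for domain, ip, ttl in lookups:
        by_domain.setdefault(domain, []).append((ip, ttl))
    return by_domain


def flux_features(records):
    """Compute the features and a 0-3 score for one domain's observed records."""
    ips = {ip for ip, _ in records}
    # Bots in a flux network are home PCs across many ISPs, so their /16s differ;
    # a legitimate CDN usually answers from a few well-defined blocks.
    nets = {str(ipaddress.ip_network(f"{ip}/16", strict=False)) for ip in ips}
    min_ttl = min(ttl for _, ttl in records)
    score = 0
    if len(ips) >= MIN_DISTINCT_IPS:
        score += 1
    if len(nets) >= MIN_DISTINCT_NETS:
        score += 1
    if min_ttl <= SHORT_TTL_SECONDS:
        score += 1
    return {"distinct_ips": len(ips), "distinct_nets": len(nets),
            "min_ttl": min_ttl, "score": score}


def suspected_fast_flux(lookups, threshold=3):
    """Return the sorted list of domains whose score reaches the threshold."""
    grouped = group_lookups(lookups)
    return sorted(d for d, recs in grouped.items()
                  if flux_features(recs)["score"] >= threshold)


if __name__ == "__main__":
    for domain, recs in group_lookups(SAMPLE_LOOKUPS).items():
        print(domain, flux_features(recs))
    print("suspected fast-flux:", suspected_fast_flux(SAMPLE_LOOKUPS))
```

A short TTL on its own is normal for content delivery networks and round-robin load balancing, which is why the score combines it with how many distinct addresses and distinct networks the name resolves to; in practice the observations would come from a recursive resolver's query log collected over hours, not from a fixed list.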
What happened in the aftermath?
- A ZBot server in the Cayman Islands was shut down in June 2009
- It stored FTP login credentials for over 68,000 websites, including those of major companies:
  - Amazon
  - Bank of America
  - BBC
  - Cisco
  - McAfee
  - monster.com
  - Symantec
- Two suspects were questioned by authorities in Manchester in November 2009
Attacks continue...
- Amazon disconnected the infected channel in its EC2 cloud shortly after the discovery in December 2009
- Newer variants are more difficult to detect: VirusTotal reported that only 6 of 41 anti-virus engines detected the Trojan as of September 2009
- Over 200 new ZBot servers have come online this year, and over 1,000 servers are currently active
- New phishing e-mails began appearing in the week before this presentation, probably originating from Russia
What was done to make systems less vulnerable to this kind of threat?
Common
- Educate users about spam and Trojans
- Listen to system warnings
- Frequent anti-virus updates (necessary, but not sufficient on their own: most engines missed the newer variants)
- Keep Windows and other software up to date
Home users
- Keep up to date on the threats that exist
- Don't open e-mail from unknown senders
- Don't open files or click on links unless you are sure where they lead
- Don't open firewall ports unless you know which application needs them
What was done to make systems less vulnerable to this kind of threat? (cont.)
Corporate users
- Use digital signatures to verify the authenticity of senders
- Keep users out of administrator accounts (least privilege limits what a Trojan can install or disable)
- Do risky or sensitive work on virtual machines
- Tighter firewall protection and traffic filters
- Web filtering to guard against malicious controller domains
- Internal distribution of updates (so users are not trained to fetch "updates" from e-mail links)
- Threat detection devices embedded in the network
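The "web filtering to guard against malicious controller domains" item is the most concrete of these, so here is an added example of what such a proxy-side filter looks like; it is not code from the presentation or from any vendor product. It combines an exact blocklist of the lookalike domains the slides name with a heuristic for the naming pattern those domains share (an admin/update/db/ssl/cert-style word joined to a digit or hyphen). The allowlist, the proxy log lines and the hostname `www.admin-db2.net` are constructed for the example.

```python
"""Proxy-side filter for Zbot-style phishing/controller domains.

Two layers: an exact blocklist of the lookalike domains named in the
presentation, and a heuristic for the naming pattern they share (an
admin/update/db/ssl/cert-style word joined to a digit or hyphen in the
registrable label). Hits on the heuristic go to review rather than block,
because legitimate hosts can match it too.
"""
import re
from urllib.parse import urlsplit

# Domains listed in the presentation as used by the Zbot phishing e-mails.
KNOWN_ZBOT_DOMAINS = {
    "updata-1.com", "admin-data.com", "1-db.com", "1ssl-network.com",
    "upd-central.com", "central-updates.com", "admin-systems.com",
    "db-1.net", "cert1.net", "admin-db.net",
}

# Words the lookalike names borrowed to resemble IT/infrastructure hosts.
LOOKALIKE_TOKENS = ("updat", "upd", "admin", "db", "ssl", "cert", "central", "system")

# Constructed allowlist of registrable domains the organization really fetches
# updates from; an assumption for this example, not a recommended list.
ALLOWED_REGISTRABLE = {"microsoft.com", "windowsupdate.com"}


def host_from_url(url):
    """Extract the lowercase hostname from a URL ('' if none)."""
    return (urlsplit(url).hostname or "").lower().rstrip(".")


def registrable_domain(host):
    """Crude eTLD+1: the last two labels. Good enough for .com/.net; real
    deployments should use the Public Suffix List to handle e.g. .co.uk."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def classify(url):
    """Return 'allow', 'block' (known bad) or 'review' (heuristic match)."""
    host = host_from_url(url)
    reg = registrable_domain(host)
    if reg in ALLOWED_REGISTRABLE:
        return "allow"
    if reg in KNOWN_ZBOT_DOMAINS:
        return "block"
    label = reg.split(".")[0]
    if any(tok in label for tok in LOOKALIKE_TOKENS) and re.search(r"[0-9-]", label):
        return "review"
    return "allow"


# Constructed proxy log, "client method url" per line; not a real capture.
SAMPLE_PROXY_LOG = """\
10.0.0.5 GET http://updata-1.com/update/patch.exe
10.0.0.7 GET http://update.microsoft.com/windowsupdate/v6/default.aspx
10.0.0.9 GET http://www.admin-db2.net/login.php
10.0.0.9 GET http://news.example.org/index.html
10.0.0.11 GET https://1ssl-network.com/cert/install
"""


def filter_log(text):
    """Classify every request in a 'client method url' log; returns
    (client, host, decision) tuples in log order."""
    decisions = []
    for line in text.splitlines():
        if not line.strip():
            continue
        client, _method, url = line.split()[:3]
        decisions.append((client, host_from_url(url), classify(url)))
    return decisions


if __name__ == "__main__":
    for client, host, decision in filter_log(SAMPLE_PROXY_LOG):
        print(f"{decision:6} {client:10} {host}")
```

The blocklist only covers names already known from this campaign; the heuristic is what catches the next `admin-db2.net`, at the cost of false positives, which is why it routes to review instead of blocking outright. The same decision function can feed an IDS rule or a DNS sinkhole, and the "review" hits are a useful list of internal clients to check for infection.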
What chapter in the book will be helpful in understanding this event?
- Chapter 3 - Program Security
  - Viruses and Other Malicious Code (3.3)
  - Targeted Malicious Code (3.4)
- Chapter 7 - Security in Networks
  - Threats in Networks (7.2)
Questions?
Sources
- http://community.ca.com/blogs/securityadvisor/archive/2009/12/10/zbot-reports-a-quot-possible-fraudulent-visa-cardtransaction-quot.aspx
- http://blog.trendmicro.com/zbot-targets-facebook-again/
- http://www.symantec.com/connect/blogs/zeus-king-underground-crimeware-toolkits
- http://community.trendmicro.com/t5/web-threat-spotlight/facebook-phishing-page-leads-to-exploits-and-zbot/ba-p/2237
- http://www.securecomputing.net.au/news/149039,malicious-server-used-to-propagate-zbot-shut-down.aspx
- http://www.securecomputing.net.au/news/148759,ftp-login-credentials-at-major-corporations-breached.aspx
- http://news.bbc.co.uk/2/hi/uk_news/england/manchester/8366504.stm
- http://www.spamfighter.com/news-12877-new-study-finds-computer-virus-zeus-bot-in-internet-postcards.htm
- http://www.darkreading.com/security/antivirus/showarticle.jhtml?articleid=220000718
- http://blog.fortinet.com/august-2009-threatscape-zbot-detected-in-record-levels-fresh-vulnerabilities-consistently-attacked/
- http://www.scmagazineus.com/new-verizon-wireless-themed-zeus-campaign-hits/article/157848/