Despite high-profile busts in the UK, US and Ukraine of cybercriminals using Zeus malware to steal from online accounts, Zeus will evolve and remain an effective theft tool for a long time, security experts say.
"There's a community building it and supporting it," says Eric Skinner, CTO of Entrust. "There's no one person to take down. If one person stops updating, somebody else will pick up the task. It's not like when you shut down a software company and the product ceases to be developed."
That about sums up the main strength of Zeus, which experts agree is the major malware framework available today. It's available, it's affordable, it works and its toolkit makes modifying it simple. And the core people who do the major development work have managed to elude capture, hiding behind layers of shifting command and control servers, ISPs, domain registrars and international borders.
"Even if we work with law enforcement, we're still not getting them," says Pedro Bueno, malware research scientist at McAfee Labs. "It takes several hops to get to them. We are real close to them but are never able to get to the final destination where they are."
The Zeus banking Trojan steals usernames and passwords from Windows machines so criminals can use them to illegally transfer money out of victims' accounts. A relatively small group of eastern Europeans are considered to be the main developers responsible for creating new releases of the platform, which has been around since 2007.
For example, researchers recently discovered that a Zeus add-on helps defeat attempts by banks to thwart access by thieves who have used Zeus to steal usernames and passwords of online banking customers. After users log in, the banks send SMS messages to their cell phones containing one-time codes that the customers enter.
This two-factor authentication makes it more difficult for criminals to break into accounts, but the developers of Zeus found a way. A mobile Zeus Trojan grabs the one-time code and sends it to a ZeuS command and control server where criminals can use it to break into accounts, says Derek Manky, project manager for cyber-security and threat research at Fortinet. "That's an enhancement," he says.
Another recent development ties instances of the software to particular machines, so purchasers of ZeuS can't copy it endlessly or resell it. So far, there is no known way to break this licensing safeguard, Bueno says.
Developers also sell a ZeuS toolkit that lets purchasers customise it to their uses and modify its look so it can keep ahead of antivirus vendors trying to identify signatures that can be used to block it, Skinner says. They can also tailor the Trojan to the requirements of breaking the security of specific banks, he says.
Plus it's easy to use, Manky says. "It's easy for anybody to pick this up without any sort of qualifications," he says. "There's no need to be very technically adept." As Skinner notes, users of ZeuS can buy technical support for it. "It's pretty professional," he says.
The people behind ZeuS are good at hiding, says Manky. They use multiple ISPs, multiple command and control servers, multiple domains and base this infrastructure in multiple countries, all of which makes it difficult to trace their whereabouts. Compounding the problem, they frequently shift their infrastructure to new providers and new locations to start over, he says.
All of this portends a long life for ZeuS, says Skinner, but there are things that can be done to curb the success of criminals who use it:
- Better educated users can help. Phishing, drive-by downloads, email scams and malicious PDF files have all been used to spread the Trojan, says Bueno. More alert users avoiding behaviors that make them susceptible could help, he says.
- Prosecute high profile cases with severe sentences. This will discourage those who might be tempted to create or join a ring, he says.
- More takedowns of servers storing stolen information by putting the squeeze on ISPs hosting the servers. This makes it more difficult for criminals to set up their infrastructure, he says.
- Better cooperation between researchers and banks that discover ZeuS rings and law enforcement agencies. Better cooperation between international law enforcement agencies is also needed so they can act quickly on intelligence about suspicious behaviour.
- Go after criminal middlemen who aren't the ringleaders but who contract to do the technical work of setting up the network needed to carry out the criminal enterprises. Again, this makes it more difficult for the criminals to do business, he says.
- Banks could take measures to blunt the effectiveness of the frauds. For example, they could contact customers via email or text message to confirm they have actually authorised suspicious transfers.
- Develop detection systems that can spot ZeuS activity based on events not on malware signatures, Bueno says.
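The last two recommendations, confirming suspicious transfers out of band and detecting ZeuS activity from events rather than signatures, can be illustrated on the bank's side with a small event-based rule. The following is an added example, not code from the article or from any of the vendors quoted in it; the event format, the accounts, IP addresses, payees and thresholds are all constructed for illustration. It flags a transfer when it goes to a payee the account has never used and is accompanied by another signal (a recent login from an IP address never seen for that account, or a large amount), which is exactly the kind of transfer a bank would want to confirm with the customer before releasing it.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass
class Event:
    """One online-banking event (constructed schema for this example)."""
    ts: datetime
    account: str
    kind: str          # "login" or "transfer"
    src_ip: str
    payee: str = ""    # transfers only
    amount: float = 0.0


def find_suspicious_transfers(events, known_ips, known_payees,
                              window=timedelta(minutes=10),
                              large_amount=2000.0):
    """Flag transfers from the surrounding events, not from any malware signature.

    A transfer is flagged when it goes to a payee the account has never paid
    before AND at least one more signal is present: the most recent login for
    that account came from an IP never seen for it and happened within
    `window`, or the amount is at least `large_amount`.
    Returns a list of (account, payee, reasons) tuples.
    """
    last_login = {}   # account -> most recent login event seen so far
    flagged = []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.kind == "login":
            last_login[ev.account] = ev
            continue
        if ev.kind != "transfer":
            continue
        reasons = []
        if ev.payee not in known_payees.get(ev.account, set()):
            reasons.append("new payee")
        login = last_login.get(ev.account)
        if (login is not None
                and login.src_ip not in known_ips.get(ev.account, set())
                and ev.ts - login.ts <= window):
            reasons.append("recent login from unknown IP")
        if ev.amount >= large_amount:
            reasons.append("large amount")
        # A new payee on its own is common; combined with another signal it
        # is worth holding the transfer and asking the customer to confirm.
        if "new payee" in reasons and len(reasons) >= 2:
            flagged.append((ev.account, ev.payee, reasons))
    return flagged


# Constructed sample session log: acct-1 behaves normally, acct-2 logs in from
# an address the bank has never seen and immediately pays a brand-new payee.
T0 = datetime(2010, 10, 5, 9, 0)
SAMPLE_EVENTS = [
    Event(T0, "acct-1", "login", "203.0.113.10"),
    Event(T0 + timedelta(minutes=2), "acct-1", "transfer", "203.0.113.10",
          payee="electric-co", amount=120.0),
    Event(T0 + timedelta(minutes=5), "acct-2", "login", "198.51.100.77"),
    Event(T0 + timedelta(minutes=8), "acct-2", "transfer", "198.51.100.77",
          payee="new-payee-x", amount=4800.0),
]
KNOWN_IPS = {"acct-1": {"203.0.113.10"}, "acct-2": {"192.0.2.5"}}
KNOWN_PAYEES = {"acct-1": {"electric-co"}, "acct-2": {"landlord"}}


def run_sample():
    """Run the rule over the constructed log; only acct-2's transfer is flagged."""
    return find_suspicious_transfers(SAMPLE_EVENTS, KNOWN_IPS, KNOWN_PAYEES)


if __name__ == "__main__":
    for account, payee, reasons in run_sample():
        print(f"hold transfer {account} -> {payee}: {', '.join(reasons)}")
```

The point of the rule is that it never inspects the customer's machine: a stolen password and an intercepted one-time code let the criminal pass authentication, but the transfer they then make still looks different from the account's history, and that difference is what triggers the out-of-band confirmation.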
These measures could help, but the flexibility of ZeuS makes it certain its attacks will keep coming. "There will be another one," Skinner says.