Conquering Zeus

There has been much speculation about the hidden meaning and possible historical references in the Stuxnet code. I find this interesting not only on its own but also in relationship to other malware in the news.

Zeus, unlike Stuxnet, actually has done a fair amount of real harm. However, no one seems to be going around pointing out that, at least as far as mythology goes, you may never be able to get rid of it.

Cretans believed that Zeus died and was resurrected annually.

That was obviously before computers. In modern terms Zeus would be killed and then resurrect almost instantly, depending on CPU and memory.

I guess, to be accurate, the references in Stuxnet are in the code itself, whereas Zeus is just one of many names (Zbot, PRG, Wsnpoem, Gorhax, Kneber) given to a Trojan horse. Trojan horse malware named after a Greek god seems most appropriate, but I have not yet seen who chose the name Zeus or how. In any case, Microsoft has announced that it will now search for some versions of Zeus in its Malicious Software Removal Tool (MSRT).

The Zeus bot is dynamic and could be adjusted easily to bypass the MSRT, so what this really means is that older and less expensive copies will fail. The cost of a Zeus attack has just gone up. Not a perfect solution, of course, but definitely a helpful step. This lowers the barrier and cost of defense for attacks that were already far too easy.

Speaking of historical references, Microsoft in 2007 was not very optimistic about the demise of Storm after adding it to MSRT. Storm was actually named after flooding in Europe, which was used as the lure to convince victims to download the Trojan horse installer.

In a blog post carrying the catchy operation title “Storm drain”, Microsoft predicted the Storm botnet would not go away.

Unfortunately, that data does not show a continued decrease since the first day. We know that immediately following the release of MSRT, the criminals behind the deployment of the “Storm” botnet immediately released a newer version to update their software. […] Despite so many machines having been cleaned recently by MSRT, the “Storm” botnet will slowly regain its strength.

It did decline significantly, and Microsoft then took credit, but just a few months ago experts warned of a new variant and rebirth of the threat.

…the Storm botnet was one of the biggest botnets, sending out vast amounts of spam. As the market leader in spam-distributing botnets, it got a lot of attention from the security industry and the general public, ultimately leading to its demise. Since early 2009 the botnet was believed to be silent, even possibly defunct.

The new malware has been distributed widely over the last several days and the new botnet is already sending out spam. In an analysis done by Mark Schloesser, Tillmann Werner, and Felix Leder, German researchers who did a lot of work in analyzing the original Storm, they found that around two-thirds of the “new” functions are a copy and paste from the last Storm code base. What is missing is the original peer-to-peer (P2P) functionality, possibly in response to a tool these researchers developed that could bring down Storm. Cutting away the P2P functionality focuses the new Storm variants to HTTP communication with their command server.

Still two-thirds the same code base? Another key difference should be that it can now avoid MSRT despite using the vast majority of the old code, unless of course MSRT was not really the reason it went away. Funny how that is not mentioned; instead McAfee credits a “tool” developed by researchers outside of Microsoft, based on network protocol analysis rather than detection and removal by the OS, with bringing Storm down. Controls outside the OS thus might have made the real difference. That is important to keep in mind given the new Zeus-aware MSRT update.

My best guess is that Stuxnet is not as sophisticated as some might argue but instead is rehashed from prior attacks. The failure of anti-malware is turning into the real issue, just as we hear with the Zeus and Storm evolutions, rather than true zero-day risks. The solution, in other words, takes far more than just evil code detection. System behavior and network behavior — the sort of thing usually relegated to “expensive” trusted platforms with limited flexibility — are going to come more into vogue for fighting bots. The good news for IT management is that virtualization technology and the cloud model significantly bring down the cost of running trusted platforms.
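The McAfee excerpt notes that the new Storm variants fell back to plain HTTP communication with a command server, and the argument above is that network behavior controls outside the OS are what actually made a difference. As an added illustration of that kind of control (example code written for this post, not anything from Microsoft, McAfee or the Storm researchers), the script below scans a few constructed HTTP proxy log lines and flags any client that contacts the same host at a clock-like interval. The hosts, IP addresses, timestamps and log format are all made up for the example; the only assumption about the bot is the one the post states, that it talks HTTP to its command server on its own schedule.

```python
"""Periodicity-based beacon detector over HTTP proxy logs.

Added example, not from the original post. A client that hits the same host
at near-identical intervals, regardless of what the request contains, is the
network-behavior signal this post argues is worth more than signature removal.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines (hypothetical clients and hosts).
# Format: "timestamp client method host path status"
SAMPLE_LOG = """\
2010-10-20T10:00:00 10.0.0.5 GET cdn.example.net /lib.js 200
2010-10-20T10:00:07 10.0.0.5 GET news.example.org /index.html 200
2010-10-20T10:00:00 10.0.0.9 POST ctl.example.invalid /gate.php 200
2010-10-20T10:05:00 10.0.0.9 POST ctl.example.invalid /gate.php 200
2010-10-20T10:10:01 10.0.0.9 POST ctl.example.invalid /gate.php 200
2010-10-20T10:14:59 10.0.0.9 POST ctl.example.invalid /gate.php 200
2010-10-20T10:20:00 10.0.0.9 POST ctl.example.invalid /gate.php 200
2010-10-20T10:03:12 10.0.0.5 GET news.example.org /a.html 200
2010-10-20T10:31:40 10.0.0.5 GET news.example.org /b.html 200
2010-10-20T10:32:05 10.0.0.5 GET news.example.org /c.html 200
2010-10-20T11:10:09 10.0.0.5 GET news.example.org /d.html 200
"""


def parse_line(line):
    """Split one constructed proxy line into (timestamp, client, host)."""
    ts, client, _method, host, _path, _status = line.split()
    return datetime.fromisoformat(ts), client, host


def find_beacons(log_text, min_hits=4, max_cv=0.1):
    """Return {(client, host): mean_gap_seconds} for regular contact patterns.

    For each (client, host) pair with at least min_hits requests, compute the
    gaps between consecutive requests and their coefficient of variation
    (stddev / mean). A value near zero means the timing is clock-like rather
    than the bursty, irregular pattern of a person browsing.
    """
    times = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, host = parse_line(line)
        times[(client, host)].append(ts)

    beacons = {}
    for key, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg <= 0:
            continue
        cv = pstdev(gaps) / avg
        if cv <= max_cv:
            beacons[key] = round(avg, 1)
    return beacons


if __name__ == "__main__":
    for (client, host), gap in find_beacons(SAMPLE_LOG).items():
        print(f"{client} -> {host}: every ~{gap}s")
```

On the constructed sample only the 10.0.0.9 to ctl.example.invalid pair is reported (every ~300 seconds); the browsing client is filtered out by its irregular gaps, and the single CDN hit never reaches the minimum count. Legitimate software such as update checkers also polls on a timer, so the output is a triage list for an analyst, not a verdict, and the thresholds should be tuned against a baseline of the organization's own proxy logs.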
