
Tech Insight: How To Defend Against Zeus

Blacklisting bad actors can help protect organizations from this pervasive and chameleon-like malware attack

Recent arrests and warrants in several countries have beheaded a few Zeus bot-wielding groups, but the ease of use and effectiveness of the Zeus crimeware kit means the arrests will have the effect of chopping the head off a hydra -- new groups will be popping up quickly to replace the ones taken down.

Zeus isn't the first crimeware kit, but it's the reigning champ thanks to its popularity among criminal groups for being incredibly powerful yet easy to use. A recent entry at the McAfee Labs Blog highlights some of the advanced features in one particular version of Zeus, including screenshots of the ZeuS Builder applications criminals can use to craft their custom Zeus bot.

While it is easy for criminal groups to create new Zeus variants to evade antivirus detection, there are some common defenses enterprises can deploy to help defend their networks and sensitive data. Likewise, there are several freely available resources that should be leveraged to help combat this advanced malware threat since relying on commodity security products for protection isn't enough.

It's impossible to ignore the fact that defense in-depth works and is a good foundation for effectively combating Zeus and similar malware. The highlights of a defense in-depth approach are a comprehensive anti-malware solution installed on all workstations, a Web and e-mail proxy providing content filtering and anti-malware detection, least privilege access for all users (i.e., no casual Web surfing or computer use as an administrator), intrusion detection or prevention systems (IDS/IPS), and firewalls where appropriate within the network and at the Internet gateway.

The problem with relying simply on commodity security solutions is that malware is changing so rapidly that security companies cannot keep their products up-to-date. There are some exceptions, such as offerings from Damballa and FireEye, but they are cutting-edge solutions breaking the commodity mold and not usually found in SMB environments.

IT needs to adapt to meet the current threat head-on and become more involved in actively combating the threat instead of relying on their antivirus solutions or firewalls to do it for them. Prevention is certainly preferred over the reactionary approach that follows detection. But both are incredibly important to be successful in combating Zeus and similar modern malware.

Because so many organizations, both large and small, rely on the false sense of security provided by antivirus on their desktops and e-mail gateways, they discount the need to stay abreast of the threats, thinking their current solutions will protect them. Instead, they would do well to leverage the several free and inexpensive resources available to supplement their existing solutions.

Not every organization can afford to deploy a Web and e-mail filtering appliance and might be reluctant to outsource security functions to the cloud. One approach that works well is to restrict DNS lookups from internal clients only to company-managed DNS servers and implement DNS blacklists.

The first part of this approach prevents malware from changing infected clients' DNS settings to point at a malicious DNS server that the attackers control. The second part can use well-managed blacklists that track malicious domains and are updated regularly to address current threats. Two lists I've seen work well are the ZeuS Tracker and the DNS-BH Malware Domain Blocklist.

Similar to DNS blacklisting, blocking the IPs of known bad actors can also assist in a layered defense approach, protecting against IP addresses that have been verified to be hosting Zeus malware and exploits, involved in botnets, or actively attacking. In addition to its list of known Zeus domains, the ZeuS Tracker also provides lists of IPs that can be blocked using your firewall, a Squid proxy, iptables under Linux, and the Windows hosts file.

The Emerging Threats project also hosts several lists that can be used for blocking IPs, based on the Shadowserver Foundation's Command and Control Server list, DShield Top Attackers, and known Russian Business Network hosts.

It's important to note that blacklists are not foolproof and false positives do occur, but the value in adding them as an additional layer is much greater than the potential to block a nonmalicious site.
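As an added example (not code from the article, the ZeuS Tracker or the Emerging Threats project), the Python below turns constructed blocklists of the usual one-entry-per-line shape into the controls described above: iptables egress rules that allow DNS only to company-managed resolvers and drop known-bad IPs, and a domain-blocklist check with a local allowlist for the false positives just mentioned, run over constructed resolver log lines. The resolver addresses, blocklist entries, chain name and log format are all assumptions.

```python
import ipaddress
from typing import Iterable

# Constructed sample inputs (not real ZeuS Tracker data): one entry per line,
# '#' comments and blank lines ignored, the usual shape of published blocklists.
DOMAIN_BLOCKLIST = "# constructed\nbad-example.test\nupdate.evil-example.test\n"
IP_BLOCKLIST = "# constructed C&C hosts\n192.0.2.10\n198.51.100.0/24\n"
INTERNAL_RESOLVERS = ["10.0.0.53", "10.0.1.53"]  # company-managed DNS (assumed)
ALLOWLIST = {"shared-cdn.test"}  # local override for blocklist false positives


def parse_list(text: str) -> list[str]:
    """Return non-comment, non-blank entries, lowercased and stripped."""
    entries = (line.split("#", 1)[0].strip().lower() for line in text.splitlines())
    return [e for e in entries if e]


def is_blocked_domain(name: str, blocked: Iterable[str]) -> bool:
    """True if name equals a blocked entry or is a subdomain of one, unless
    the local allowlist covers it (blacklists do produce false positives)."""
    name = name.strip(".").lower()

    def covered(entries: Iterable[str]) -> bool:
        return any(name == e or name.endswith("." + e) for e in entries)

    return not covered(ALLOWLIST) and covered(blocked)


def iptables_rules(blocked_ips: Iterable[str]) -> list[str]:
    """Egress rules: DNS only to the internal resolvers, then drop blocklisted IPs."""
    rules = []
    for proto in ("udp", "tcp"):
        for resolver in INTERNAL_RESOLVERS:
            rules.append(f"iptables -A FORWARD -p {proto} --dport 53 -d {resolver} -j ACCEPT")
        rules.append(f"iptables -A FORWARD -p {proto} --dport 53 -j DROP")
    for net in blocked_ips:
        ipaddress.ip_network(net, strict=False)  # raises on a malformed entry
        rules.append(f"iptables -A FORWARD -d {net} -j DROP")
    return rules


def flag_queries(log_lines: Iterable[str], blocked: Iterable[str]) -> list[tuple[str, str]]:
    """Scan constructed '<client> <qname>' resolver log lines; return (client, qname) hits."""
    blocked = list(blocked)
    hits = []
    for line in log_lines:
        parts = line.split()
        if len(parts) >= 2 and is_blocked_domain(parts[1], blocked):
            hits.append((parts[0], parts[1].strip(".").lower()))
    return hits
```

The ACCEPT rules for the internal resolvers must precede the catch-all port 53 DROP, which is why the function emits them in that order.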

Organizations currently using a Snort-based IDS or IPS, or Suricata, should also consider using the bleeding edge rules from the Emerging Threats project. They are updated regularly, often multiple times daily, and, unlike most commercial rulesets, focus on malware, whose dynamic nature demands that kind of update frequency.

And as of this week, Emerging Threats is now offering a professional subscription, including the current malware-focused IDS rules in addition to rules based on the top-notch research they receive from Telus Security Labs.

At the end of the day, it's important to realize that no one security solution is going to fix all security problems. It takes a layered, defense in-depth approach and an active role by IT to leverage the free and inexpensive options available to them that provide bleeding edge information about malware threats.

There is no set-it-and-forget-it option for tools to combat Zeus and modern malware -- companies are learning the hard way by losing money and suffering data breaches that they have to actively fight the current threats.
