10/1/2010
01:39 PM

Tech Insight: How To Defend Against Zeus

Blacklisting bad actors can help protect organizations from this pervasive and chameleon-like malware attack

Recent arrests and warrants in several countries have beheaded a few Zeus bot-wielding groups, but the ease of use and effectiveness of the Zeus crimeware kit means the arrests will have the effect of chopping the head off a hydra -- new groups will be popping up quickly to replace the ones taken down.

Zeus isn't the first crimeware kit, but it's the reigning champ thanks to its popularity among criminal groups for being incredibly powerful yet easy to use. A recent entry at the McAfee Labs Blog highlights some of the advanced features in one particular version of Zeus, including screenshots of the ZeuS Builder applications criminals can use to craft their custom Zeus bot.

While it is easy for criminal groups to create new Zeus variants to evade antivirus detection, there are some common defenses enterprises can deploy to help defend their networks and sensitive data. Likewise, there are several freely available resources that should be leveraged to help combat this advanced malware threat since relying on commodity security products for protection isn't enough.

Defense in-depth works, and it is a good foundation for effectively combating Zeus and similar malware. Its key components include a comprehensive anti-malware solution installed on all workstations, a Web and e-mail proxy providing content filtering and anti-malware detection, least privilege access for all users (i.e., no casual Web surfing or computer use as an administrator), intrusion detection or prevention systems (IDS/IPS), and firewalls where appropriate within the network and at the Internet gateway.

The problem with relying simply on commodity security solutions is that malware is changing so rapidly that security companies cannot keep their products up-to-date. There are some exceptions, such as offerings from Damballa and FireEye, but they are cutting-edge solutions breaking the commodity mold and not usually found in SMB environments.

IT needs to adapt to meet the current threat head-on and become more involved in actively combating the threat instead of relying on their antivirus solutions or firewalls to do it for them. Prevention is certainly preferred over the reactionary approach that follows detection. But both are incredibly important to be successful in combating Zeus and similar modern malware.

Because so many organizations, both large and small, rely on the false sense of security provided by antivirus on their desktops and e-mail gateways, they discount the need to stay abreast of the threats, thinking their current solutions will protect them. Instead, they would do well to leverage the several free and inexpensive resources available to supplement their existing solutions.

Not every organization can afford to deploy a Web and e-mail filtering appliance, and some might be reluctant to outsource security functions to the cloud. One approach that works well is to restrict DNS lookups from internal clients to company-managed DNS servers only and to implement DNS blacklists on those servers.

The first part of this approach prevents malware from changing infected clients' DNS settings to those of a malicious DNS server that the attackers control. The second part can use well-managed blacklists that track malicious domains and are updated regularly to address current threats. Two lists I've seen work well are the ZeuS Tracker and DNS-BH Malware Domain Blocklist.

Similar to DNS blacklisting, blocking the IP addresses of known bad actors adds another layer of defense: these are addresses that have been verified to be hosting Zeus malware and exploits, participating in botnets, or actively attacking. In addition to its list of known Zeus domains for DNS, the ZeuS Tracker also provides lists of IPs that can be blocked using your firewall, a Squid proxy, iptables under Linux, or the Windows hosts file.
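The DNS-restriction and blocklist steps above, as an added example that is not from the article or from the ZeuS Tracker project: a Python script that parses a constructed blocklist in the one-entry-per-line style such lists use, honours an allowlist for false positives, refuses to block internal address space, and emits iptables rules both for the blocked networks and for forcing client DNS through the company-managed resolvers. The sample entries, function names, chain name and LAN range are assumptions.

```python
import ipaddress
import re

# Constructed sample in the one-entry-per-line style of public blocklists (made-up values).
SAMPLE_BLOCKLIST = """\
evil-bank-update.example
203.0.113.45
198.51.100.0/24
10.1.2.3
legit-partner.example   # listed, but verified benign in-house
"""
# Verified-benign names override the list (blacklists do produce false positives).
ALLOWLIST = frozenset({"legit-partner.example"})
# Never emit a block for internal or loopback space: a bad entry would cut off the LAN.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,}$")

def parse_blocklist(text, allowlist=ALLOWLIST):
    """Return (domains, networks), skipping comments, allowlisted names and internal space."""
    domains, networks = set(), set()
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip().lower()
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:                      # not an address: treat it as a domain
            if DOMAIN_RE.match(entry) and entry not in allowlist:
                domains.add(entry)
            continue
        if not any(net.overlaps(i) for i in INTERNAL_NETS):
            networks.add(net)
    return sorted(domains), sorted(networks, key=lambda n: (n.version, int(n.network_address)))

def iptables_rules(networks, chain="MALWARE-BLOCK"):
    """Drop traffic to and from each listed network in a dedicated chain."""
    rules = [f"iptables -N {chain}"]
    for net in networks:
        rules.append(f"iptables -A {chain} -d {net} -j DROP")
        rules.append(f"iptables -A {chain} -s {net} -j DROP")
    return rules

def dns_egress_rules(resolvers, lan="192.168.0.0/16"):
    """Allow client DNS only to the company-managed resolvers and drop all other DNS."""
    rules = [f"iptables -A FORWARD -s {lan} -d {r} -p {p} --dport 53 -j ACCEPT"
             for r in resolvers for p in ("udp", "tcp")]
    rules += [f"iptables -A FORWARD -s {lan} -p {p} --dport 53 -j DROP" for p in ("udp", "tcp")]
    return rules
```

The domain list returned by `parse_blocklist` is what you would feed to the DNS server's blacklist or the hosts file; the egress rules are what stop an infected client from being pointed at an attacker-controlled resolver.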

The Emerging Threats project also hosts several lists that can be used for blocking IPs based on the Shadowserver Foundation's Command and Control Server list, DShield Top Attackers, Spamhaus.org, and known Russian Business Network hosts.

It's important to note that blacklists are not foolproof and false positives do occur, but the value in adding them as an additional layer is much greater than the potential to block a nonmalicious site.

Organizations currently using a Snort-based IDS or IPS, or Suricata, should also consider using the bleeding edge rules from the Emerging Threats project. They are updated regularly, often multiple times daily, and, unlike most commercial rulesets, they focus on malware, which matters given how rapidly malware changes.

And as of this week, Emerging Threats is now offering a professional subscription, including the current malware-focused IDS rules in addition to rules based on the top-notch research they receive from Telus Security Labs.

At the end of the day, it's important to realize that no one security solution is going to fix all security problems. It takes a layered, defense in-depth approach and an active role by IT to leverage the free and inexpensive options available to them that provide bleeding edge information about malware threats.

There is no set-it-and-forget-it option for tools to combat Zeus and modern malware -- companies are learning the hard way by losing money and suffering data breaches that they have to actively fight the current threats.
