Attacks/Breaches
6/10/2014
11:30 AM
Sara Peters

Zeus Being Used In DDoS, Attacks On Cloud Providers

The popular Zeus RAT is being used for more than just financial fraud and data theft.

The Prolexic Security Engineering and Response Team (PLXSert) has released a threat advisory outlining new payloads from the Zeus toolkit that it has seen in the wild. In addition to the data theft and financial fraud Zeus is known for, PLXSert has discovered Zeus being used in crypto-currency mining, spam, distributed denial-of-service (DDoS) attacks, and attacks customized for specific PaaS and SaaS infrastructure.

According to the report, "Although Zeus/Gameover version reportedly introduced DDoS capabilities, PLXSert has no evidence that the Zeus framework kit can orchestrate significant DDoS campaigns by itself, but if combined with other DDoS toolkits, the capabilities of the Zeus framework would enable malicious actors to use it as a powerful DDoS botnet builder."

PLXSert has already seen Zeus being used in tandem with popular DDoS kits, including Drive, a variant of Dirt Jumper. The researchers have also seen attackers targeting cloud-based applications through PaaS and SaaS infrastructures. They say that "well-known SaaS/PaaS vendors" have been targeted, but they do not name those vendors.

"By targeting SaaS/PaaS," the report reads, "cybercriminals take advantage of the resources of both the end users and the providers. The providers' defense technologies allow the attackers the advantage of gaining anonymity behind the providers' cloud-based infrastructure."

See the full report here.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Robert McDougal,
User Rank: Ninja
6/11/2014 | 10:02:45 AM
Re: Zeus Impact
This probably isn't earth-shattering news for anyone, but the best way to combat Zeus is to avoid initial infection. Zeus primarily propagates via email and drive-by downloads; therefore a combination of spam filtering, user education, web filtering, and updated security patches is the best defense.

Spam filtering (ProofPoint, Barracuda, etc.) is great at stopping the vast majority of Zeus emails, however not all of them. This is where user education comes into play. Enterprises must educate their users on what to look for in their emails to prevent them from clicking links or opening infected attachments.

Just as with spam filtering, web filtering will block the majority of Zeus-compromised sites, however not all. Since most drive-by download infections take advantage of known security vulnerabilities, this is where having up-to-date security patches will save you.

As with anything, there are exceptions, but this recipe should prevent a large number of Zeus and other infections.
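The comment above makes two points a mail gateway can act on: filtering catches most but not all Zeus lures, and users are asked to spot suspicious links and infected attachments. The script below is an added example, not code from the article, the PLXSert report, or any commenter's tooling. It uses only Python's standard email library on a sample message constructed inline; the extension blocklist, the magic-byte table, and the addresses and hosts in the sample are assumptions chosen for illustration.

```python
import re
from email.message import EmailMessage
from urllib.parse import urlparse

# Assumed policy tables; a real gateway would tune these per organisation.
BLOCKED_EXTENSIONS = {"exe", "scr", "js", "vbs", "jar", "bat", "cmd", "hta", "pif"}
DOCUMENT_EXTENSIONS = {"pdf", "doc", "docx", "xls", "xlsx", "jpg", "png", "txt"}
# Leading bytes that identify the payload regardless of its declared name or MIME type.
MAGIC = [(b"MZ", "pe-executable"), (b"%PDF", "pdf"), (b"PK\x03\x04", "zip-container")]
LINK_RE = re.compile(r'<a\s[^>]*href="([^"]+)"[^>]*>(.*?)</a>', re.I | re.S)
HOST_IN_TEXT_RE = re.compile(r"(?:https?://)?([a-z0-9.-]+\.[a-z]{2,})", re.I)


def classify_bytes(data: bytes) -> str:
    """Identify a payload by its magic bytes; 'unknown' if no signature matches."""
    for prefix, label in MAGIC:
        if data.startswith(prefix):
            return label
    return "unknown"


def check_attachments(msg: EmailMessage) -> list:
    """Flag executable extensions, document-lookalike double extensions and PE content."""
    findings = []
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").lower()
        exts = name.split(".")[1:]  # every suffix after the base name
        data = part.get_payload(decode=True) or b""
        if exts and exts[-1] in BLOCKED_EXTENSIONS:
            findings.append(f"{name}: executable extension .{exts[-1]}")
            if len(exts) >= 2 and exts[-2] in DOCUMENT_EXTENSIONS:
                findings.append(f"{name}: double extension disguises an executable as a document")
        if classify_bytes(data) == "pe-executable":
            findings.append(f"{name}: payload is a PE executable (declared {part.get_content_type()})")
    return findings


def check_links(msg: EmailMessage) -> list:
    """Flag anchors whose visible text names a different host than the real href."""
    findings = []
    body = msg.get_body(preferencelist=("html",))
    if body is None:
        return findings
    for href, text in LINK_RE.findall(body.get_content()):
        href_host = (urlparse(href).hostname or "").lower()
        shown = HOST_IN_TEXT_RE.search(re.sub(r"<[^>]+>", "", text))
        if shown and shown.group(1).lower() != href_host:
            findings.append(f"link text shows {shown.group(1)} but points to {href_host}")
    return findings


def scan(msg: EmailMessage) -> list:
    """Run every check and return the combined list of policy findings."""
    return check_attachments(msg) + check_links(msg)


def build_sample_message() -> EmailMessage:
    """Constructed sample lure: a deceptive link plus a PE file named like a PDF."""
    msg = EmailMessage()
    msg["From"] = "billing@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = "Your invoice"
    msg.set_content("Please see the attached invoice.")
    msg.add_alternative(
        '<p>View it online at <a href="http://198.51.100.7/login">https://bank.example.com</a></p>',
        subtype="html",
    )
    # Fake PE header (just the 'MZ' magic) shipped under a document-looking name and type.
    msg.add_attachment(b"MZ\x90\x00" + b"\x00" * 60, maintype="application",
                       subtype="pdf", filename="invoice.pdf.exe")
    # Benign-looking PDF stub that should produce no findings.
    msg.add_attachment(b"%PDF-1.4\n%constructed\n", maintype="application",
                       subtype="pdf", filename="report.pdf")
    return msg


if __name__ == "__main__":
    for finding in scan(build_sample_message()):
        print("FLAG:", finding)
```

On the constructed sample the scan reports the `.exe` extension, the `.pdf.exe` double extension, the PE payload hiding behind an `application/pdf` declaration, and the link whose text shows one host while its href points at another; the plain `report.pdf` produces nothing. Checking magic bytes rather than trusting the filename or MIME header is what catches the renamed executable, which is the kind of lure the commenter expects filtering alone to miss.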
Marilyn Cohodas,
User Rank: Strategist
6/11/2014 | 7:03:49 AM
Re: Zeus Impact
@Robert McDougal -- How are you dealing with Zeus today? Any practical suggestions you care to share with the Dark Reading community?
Robert McDougal,
User Rank: Ninja
6/10/2014 | 5:09:00 PM
Re: Zeus Impact
I wish that the disruption effort would have a positive effect, but I highly doubt it will in the long run.  Zeus has been around in one form or another since 2007.  Since that time it has evolved and forked into the thorny creation we have to deal with today.  I suspect that it will continue to do so for the foreseeable future.
Christian Bryant,
User Rank: Ninja
6/10/2014 | 3:14:55 PM
Re: Zeus Impact
@Sara Peters

I tend to agree with the comments on the Tovar article that while optimism is ideal, this may be a test bed for future initiatives. I admire the tactics and strategy, but here is the one flaw I see in this, and that is the need to be more like the cyber criminals in question.

Like guerrilla warfare, when turning the predictability off and removing public access to strategy details, I think we could do with some government and state law enforcement "black hatting". That is, writing software that is vicious and destructive to the cyber criminals' resources, getting on the offensive and attacking first.

It may sound more like a novel setup, but destroying access to money, to systems, to networks and other resources repeatedly - as often as they are obtained - is as valid a challenge to their activity as a defense against their attacks on our end is. I often feel we aren't hard enough on cyber crime because many of the folks that write the laws and initial responses aren't tech savvy.

But all one has to do is look at the result of how it can devastate the average person's livelihood, and then we realize we simply can't allow it to happen.  The drain on our economy is massive - the global drain even more so.  Money aside, attacking our power infrastructure and nuclear programs?  Unforgivable.  We need to fight harder and fight dirty.
Sara Peters,
User Rank: Author
6/10/2014 | 1:25:53 PM
Re: Zeus Impact
@christianabryant  Thanks for the info. Do you think that the big effort to disrupt GOZeus will make any dent on the Zeus business, or is it basically going to return to business as usual?
Christian Bryant,
User Rank: Ninja
6/10/2014 | 12:27:43 PM
Zeus Impact
Zeus is definitely one of the more concerning kits. Microsoft led a few attacks on Zeus servers (2012 and 2013 saw some great news items, including MS teaming with US Marshals to bring down a Zeus operation), and Zeus was named by Microsoft as one of the more troubling kits out there, calling it out in papers related to last year's MS cybercrime initiatives. It also has some deadly variants, one of which is the mobile variant ZitMo (born roughly 2010), which I expect to see much more on in the news this year.