6/10/2014
11:30 AM
Sara Peters

Zeus Being Used In DDoS, Attacks On Cloud Providers

The popular Zeus RAT is being used for more than just financial fraud and data theft.

The Prolexic Security Engineering and Response Team (PLXSert) has released a threat advisory outlining new payloads from the Zeus toolkit that it has seen in the wild. In addition to the data theft and financial fraud Zeus is known for, PLXSert has discovered Zeus being used in crypto-currency mining, spam, distributed denial-of-service (DDoS) attacks, and attacks customized for specific PaaS and SaaS infrastructure.

According to the report, "Although Zeus/Gameover version reportedly introduced DDoS capabilities, PLXSert has no evidence that the Zeus framework kit can orchestrate significant DDoS campaigns by itself, but if combined with other DDoS toolkits, the capabilities of the Zeus framework would enable malicious actors to use it as a powerful DDoS botnet builder."

PLXSert has already seen Zeus being used in tandem with popular DDoS kits, including Drive, a variant of Dirt Jumper. The researchers have also seen attackers targeting cloud-based applications through PaaS and SaaS infrastructures. They say that "well-known SaaS/PaaS vendors" have been targeted, but they do not name those vendors.

"By targeting SaaS/PaaS," the report reads, "cybercriminals take advantage of the resources of both the end users and the providers. The providers' defense technologies allow the attackers the advantage of gaining anonymity behind the providers' cloud-based infrastructure."

See the full report here.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments
Robert McDougal,
User Rank: Ninja
6/11/2014 | 10:02:45 AM
Re: Zeus Impact
This probably isn't earth-shattering news for anyone, but the best way to combat Zeus is to avoid initial infection. Zeus primarily propagates via email and drive-by downloads; therefore a combination of spam filtering, user education, web filtering, and updated security patches is the best defense.

Spam filtering (ProofPoint, Barracuda, etc.) is great at stopping the vast majority of Zeus emails, however not all of them. This is where user education comes into play. Enterprises must educate their users on what to look for in their emails to prevent them from clicking links or opening infected attachments.

Just as with spam filtering, web filtering will block the majority of Zeus-compromised sites, however not all. Since most drive-by download infections take advantage of known security vulnerabilities, this is where having up-to-date security patches will save you.

As with anything, there are exceptions, but this recipe should prevent a large number of Zeus and other infections.
Marilyn Cohodas,
User Rank: Strategist
6/11/2014 | 7:03:49 AM
Re: Zeus Impact
@Robert McDougal -- How are you dealing with Zeus today? Any practical suggestions you care to share with the Dark Reading community?
Robert McDougal,
User Rank: Ninja
6/10/2014 | 5:09:00 PM
Re: Zeus Impact
I wish that the disruption effort would have a positive effect, but I highly doubt it will in the long run. Zeus has been around in one form or another since 2007. Since that time it has evolved and forked into the thorny creation we have to deal with today. I suspect that it will continue to do so for the foreseeable future.
Christian Bryant,
User Rank: Ninja
6/10/2014 | 3:14:55 PM
Re: Zeus Impact
@Sara Peters

I tend to agree with the comments on the Tovar article that while optimism is ideal, this may be a test bed for future initiatives. I admire the tactics and strategy, but here is the one flaw I see in this, and that is the need to be more like the cyber criminals in question.

Like guerrilla warfare, when turning the predictability off and removing public access to strategy details, I think we could do with some government and state law enforcement "black hatting". That is, writing software that is vicious and destructive to the cyber criminals' resources, getting on the offensive and attacking first.

It may sound more like a novel setup, but destroying access to money, to systems, to networks and other resources repeatedly - as often as they are obtained - is as valid a challenge to their activity as a defense against their attacks on our end is. I often feel we aren't hard enough on cyber crime because many of the folks that write the laws and initial responses aren't tech savvy.

But all one has to do is look at the result of how it can devastate the average person's livelihood, and then we realize we simply can't allow it to happen. The drain on our economy is massive - the global drain even more so. Money aside, attacking our power infrastructure and nuclear programs? Unforgivable. We need to fight harder and fight dirty.

Sara Peters,
User Rank: Author
6/10/2014 | 1:25:53 PM
Re: Zeus Impact
@christianabryant Thanks for the info. Do you think that the big effort to disrupt GOZeus will make any dent on the Zeus business, or is it basically going to return to business as usual?
Christian Bryant,
User Rank: Ninja
6/10/2014 | 12:27:43 PM
Zeus Impact
Zeus is definitely one of the more concerning kits. Microsoft led a few attacks on Zeus servers (2012 and 2013 saw some great news items, including MS teaming with US Marshals to bring down a Zeus operation) and Zeus was named by Microsoft as one of the more troubling kits out there, calling it out in papers related to last year's MS cybercrime initiatives. It also has some deadly variants, one of which is the mobile variant ZitMo (born roughly 2010), which I expect to see much more on in the news this year.