6/10/2014
11:30 AM
Sara Peters

Zeus Being Used In DDoS, Attacks On Cloud Providers

The popular Zeus RAT is being used for more than just financial fraud and data theft.

The Prolexic Security Engineering and Response Team (PLXSert) has released a threat advisory outlining new payloads from the Zeus toolkit that it has seen in the wild. In addition to the data theft and financial fraud Zeus is known for, PLXSert has discovered Zeus being used in cryptocurrency mining, spam, distributed denial-of-service (DDoS) attacks, and attacks customized for specific PaaS and SaaS infrastructure.

According to the report, "Although Zeus/Gameover version reportedly introduced DDoS capabilities, PLXSert has no evidence that the Zeus framework kit can orchestrate significant DDoS campaigns by itself, but if combined with other DDoS toolkits, the capabilities of the Zeus framework would enable malicious actors to use it as a powerful DDoS botnet builder."

PLXSert has already seen Zeus being used in tandem with popular DDoS kits, including Drive, a variant of Dirt Jumper. The researchers have also seen attackers targeting cloud-based applications through PaaS and SaaS infrastructures. They say that "well-known SaaS/PaaS vendors" have been targeted, but they do not name those vendors.

"By targeting SaaS/PaaS," the report reads, "cybercriminals take advantage of the resources of both the end users and the providers. The providers' defense technologies allow the attackers the advantage of gaining anonymity behind the providers' cloud-based infrastructure."

See the full report here.

Sara Peters is Senior Editor at Dark Reading and formerly the editor-in-chief of Enterprise Efficiency. Prior to that she was senior editor for the Computer Security Institute, writing and speaking about virtualization, identity management, cybersecurity law, and a myriad ...

Comments
Robert McDougal, User Rank: Ninja
6/11/2014 | 10:02:45 AM
Re: Zeus Impact
This probably isn't earth-shattering news for anyone, but the best way to combat Zeus is to avoid initial infection. Zeus primarily propagates via email and drive-by downloads; therefore a combination of spam filtering, user education, web filtering, and updated security patches is the best defense.

Spam filtering (ProofPoint, Barracuda, etc.) is great at stopping the vast majority of Zeus emails, however not all of them. This is where user education comes into play. Enterprises must educate their users on what to look for in their emails to prevent them from clicking links or opening infected attachments.

Just as with spam filtering, web filtering will block the majority of Zeus-compromised sites, however not all. Since most drive-by download infections take advantage of known security vulnerabilities, this is where having up-to-date security patches will save you.

As with anything, there are exceptions, but this recipe should prevent a large number of Zeus and other infections.
Marilyn Cohodas, User Rank: Strategist
6/11/2014 | 7:03:49 AM
Re: Zeus Impact
@Robert McDougal -- How are you dealing with Zeus today? Any practical suggestions you care to share with the Dark Reading community?
Robert McDougal, User Rank: Ninja
6/10/2014 | 5:09:00 PM
Re: Zeus Impact
I wish that the disruption effort would have a positive effect, but I highly doubt it will in the long run. Zeus has been around in one form or another since 2007. Since that time it has evolved and forked into the thorny creation we have to deal with today. I suspect that it will continue to do so for the foreseeable future.
Christian Bryant, User Rank: Ninja
6/10/2014 | 3:14:55 PM
Re: Zeus Impact
@Sara Peters

I tend to agree with the comments on the Tovar article that while optimism is ideal, this may be a test bed for future initiatives. I admire the tactics and strategy, but here is the one flaw I see in this, and that is the need to be more like the cyber criminals in question.

Like guerrilla warfare, when turning the predictability off and removing public access to strategy details, I think we could do with some government and state law enforcement "black hatting". That is, writing software that is vicious and destructive to the cyber criminals' resources, getting on the offensive and attacking first.

It may sound more like a novel setup, but destroying access to money, to systems, to networks and other resources repeatedly - as often as they are obtained - is as valid a challenge to their activity as a defense against their attacks on our end is. I often feel we aren't hard enough on cyber crime because many of the folks that write the laws and initial responses aren't tech savvy.

But all one has to do is look at the result of how it can devastate the average person's livelihood, and then we realize we simply can't allow it to happen. The drain on our economy is massive - the global drain even more so. Money aside, attacking our power infrastructure and nuclear programs? Unforgivable. We need to fight harder and fight dirty.
Sara Peters, User Rank: Author
6/10/2014 | 1:25:53 PM
Re: Zeus Impact
@christianabryant Thanks for the info. Do you think that the big effort to disrupt GOZeus will make any dent on the Zeus business, or is it basically going to return to business as usual?
Christian Bryant, User Rank: Ninja
6/10/2014 | 12:27:43 PM
Zeus Impact
Zeus is definitely one of the more concerning kits. Microsoft led a few attacks on Zeus servers (2012 and 2013 saw some great news items, including MS teaming with US Marshals to bring down a Zeus operation) and Zeus was named by Microsoft as one of the more troubling kits out there, calling it out in papers related to last year's MS cybercrime initiatives. It also has some deadly variants, one of which is the mobile variant ZitMo (born roughly 2010) which I expect to see much more on in the news this year.