Tech Insight: How To Defend Against Zeus

Blacklisting bad actors can help protect organizations from this pervasive and chameleon-like malware attack

Dark Reading Staff, Dark Reading

October 1, 2010

Recent arrests and warrants in several countries have taken down a few Zeus bot-wielding groups, but the ease of use and effectiveness of the Zeus crimeware kit means the arrests amount to chopping one head off a hydra: new groups will quickly pop up to replace the ones taken down.

Zeus isn't the first crimeware kit, but it's the reigning champ thanks to its popularity among criminal groups for being incredibly powerful yet easy to use. A recent entry at the McAfee Labs Blog highlights some of the advanced features in one particular version of Zeus, including screenshots of the ZeuS Builder application criminals use to craft their custom Zeus bots.

While it is easy for criminal groups to create new Zeus variants to evade antivirus detection, there are common defenses enterprises can deploy to help protect their networks and sensitive data. There are also several freely available resources that should be leveraged against this advanced malware threat, since relying on commodity security products alone isn't enough.

Defense in-depth works, and it is the foundation for effectively combating Zeus and similar malware. Its core layers are a comprehensive anti-malware solution installed on all workstations; a Web and e-mail proxy providing content filtering and anti-malware detection; least privilege access for all users (i.e., no casual Web surfing or everyday computer use as an administrator); intrusion detection or prevention systems (IDS/IPS); and firewalls at the Internet gateway and, where appropriate, within the network.

The problem with relying solely on commodity security solutions is that malware changes so rapidly that security companies cannot keep their products up-to-date. There are exceptions, such as offerings from Damballa and FireEye, but these are cutting-edge products that break the commodity mold and are not usually found in SMB environments.

IT needs to adapt to meet the current threat head-on and become more involved in actively combating it instead of relying on antivirus or firewalls to do so. Prevention is certainly preferable to the reactive response that follows detection, but both are essential to success against Zeus and similar modern malware.

Because so many organizations, both large and small, rely on the false sense of security provided by antivirus on their desktops and e-mail gateways, they discount the need to stay abreast of the threats, thinking their current solutions will protect them. Instead, they would do well to leverage the several free and inexpensive resources available to supplement their existing solutions.

Not every organization can afford to deploy a Web and e-mail filtering appliance, and some are reluctant to outsource security functions to the cloud. One approach that works well is to restrict DNS lookups from internal clients to company-managed DNS servers only (block outbound port 53 from clients to anything else at the gateway) and to implement DNS blacklists on those servers.

The first part of this approach does not stop malware from rewriting an infected client's DNS settings to point at a server the attackers control, but it ensures those lookups never leave the network, so the redirection fails. The second part uses well-managed blacklists that track malicious domains and are updated regularly to address current threats. Two lists I've seen work well are the ZeuS Tracker and DNS-BH Malware Domain Blocklist.

Similar to DNS blacklisting, blocking the IP addresses of known bad actors, meaning hosts verified to be serving Zeus malware and exploits, participating in botnets, or actively attacking, adds another layer to the defense. In addition to its domain lists, the ZeuS Tracker provides IP blocklists in formats ready for your firewall, a Squid proxy, and iptables under Linux, plus a domain list formatted for the Windows hosts file (a hosts file maps names, so it blocks domains rather than IPs).

The Emerging Threats project also hosts several lists that can be used for blocking IPs, based on the Shadowserver Foundation's command-and-control server list, the DShield top attackers list, and known Russian Business Network hosts.

It's important to note that blacklists are not foolproof and false positives do occur, but the value of adding them as an additional layer is much greater than the risk of blocking a nonmalicious site. Log every block and keep a locally managed exception list so a false positive can be cleared without abandoning the feed.
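As an added example (not code from the article, the ZeuS Tracker, DNS-BH or Emerging Threats), the following Python script turns feeds in the one-entry-per-line, #-comment text format those lists published into the artifacts the preceding paragraphs describe: BIND zone clauses that sinkhole blocked domains, hosts-file lines, an iptables chain for blocked IPs, and the gateway rules that confine client DNS to company-managed resolvers. It also applies a local allowlist so a false positive can be exempted without dropping the feed. The feed samples are constructed, and the zone-file path, sinkhole address (127.0.0.1) and resolver address (10.0.0.53) are placeholders you would replace.

```python
"""Build DNS and IP blocklist artifacts from ZeuS Tracker / DNS-BH style feeds.

Added example, not code from the article or the feeds' maintainers. Assumes
feeds are plain text with one domain or IP per line and '#' comment lines
(check against the file you actually download). The zone-file path, sinkhole
address and resolver address are placeholders.
"""
import ipaddress
import re

# Constructed sample feeds in the assumed one-entry-per-line format.
SAMPLE_DOMAIN_FEED = """\
# ZeuS Tracker style domain blocklist (constructed sample)
Bad-Bot.example
c2.example.net
not a domain!
bad-bot.example
"""

SAMPLE_IP_FEED = """\
# IP blocklist (constructed sample)
192.0.2.10
198.51.100.0/24
203.0.113.7
999.1.1.1
"""

_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")


def is_valid_domain(name):
    """Loose hostname check: alphanumeric/hyphen labels, at least one dot."""
    labels = name.split(".")
    return len(labels) >= 2 and all(_LABEL.match(lab) for lab in labels)


def parse_domains(text):
    """Unique, lower-cased, syntactically valid domains from a feed."""
    out = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip().lower()
        if entry and is_valid_domain(entry):
            out.add(entry)
    return out


def parse_ips(text):
    """Valid IPv4 addresses or CIDR blocks, normalized; junk lines are dropped
    rather than allowed to abort a scheduled reload."""
    out = set()
    for line in text.splitlines():
        entry = line.split("#", 1)[0].strip()
        if not entry:
            continue
        try:
            out.add(str(ipaddress.ip_network(entry, strict=False)))
        except ValueError:
            continue
    return out


def apply_allowlist(domains, allowed):
    """Remove blocked domains equal to or beneath a locally trusted domain:
    the escape hatch for false positives, kept under local change control."""
    def shielded(d):
        return any(d == a or d.endswith("." + a) for a in allowed)
    return {d for d in domains if not shielded(d)}


def bind_zone_statements(domains, zone_file="/etc/namedb/blockeddomain.hosts"):
    """One BIND zone clause per blocked domain, all served from one sinkhole
    zone file whose records point at an internal sinkhole (path is a placeholder)."""
    return [f'zone "{d}" {{ type master; file "{zone_file}"; }};'
            for d in sorted(domains)]


def hosts_file_lines(domains, sink="127.0.0.1"):
    """Hosts-file entries (Windows or Unix) pointing blocked names at a sinkhole."""
    return [f"{sink}\t{d}" for d in sorted(domains)]


def iptables_ip_rules(networks, chain="MALWARE_DROP"):
    """iptables commands dropping traffic to or from blocklisted IPs through a
    dedicated chain, so the list can be flushed and reloaded on its own."""
    rules = [f"iptables -N {chain}", f"iptables -F {chain}"]
    for net in sorted(networks, key=ipaddress.ip_network):
        rules.append(f"iptables -A {chain} -d {net} -j DROP")
        rules.append(f"iptables -A {chain} -s {net} -j DROP")
    rules += [f"iptables -I OUTPUT -j {chain}", f"iptables -I FORWARD -j {chain}"]
    return rules


def dns_egress_rules(resolvers):
    """Gateway rules allowing forwarded DNS only to company-managed resolvers,
    so a client whose DNS settings malware rewrote cannot reach the attacker's server."""
    rules = []
    for r in resolvers:
        for proto in ("udp", "tcp"):
            rules.append(f"iptables -A FORWARD -p {proto} --dport 53 -d {r} -j ACCEPT")
    rules.append("iptables -A FORWARD -p udp --dport 53 -j DROP")
    rules.append("iptables -A FORWARD -p tcp --dport 53 -j DROP")
    return rules


if __name__ == "__main__":
    blocked = apply_allowlist(parse_domains(SAMPLE_DOMAIN_FEED), {"example.net"})
    print("\n".join(bind_zone_statements(blocked)))
    print("\n".join(hosts_file_lines(blocked)))
    print("\n".join(iptables_ip_rules(parse_ips(SAMPLE_IP_FEED))))
    print("\n".join(dns_egress_rules(["10.0.0.53"])))
```

Run it from cron after fetching fresh copies of the feeds, and feed the iptables output to a wrapper that tolerates the `-N` failing once the chain already exists; the `-F` that follows clears stale entries before the new list is loaded.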

Organizations currently running a Snort-based IDS or IPS, or Suricata, should also consider using the bleeding edge rules from the Emerging Threats project. They are updated regularly, often multiple times daily, and, unlike most commercial rulesets, focus on malware, whose rapid changes make frequently updated rules essential.

And as of this week, Emerging Threats is offering a professional subscription that includes the current malware-focused IDS rules plus rules based on the top-notch research it receives from Telus Security Labs.

At the end of the day, no one security solution is going to fix all security problems. It takes a layered, defense in-depth approach and an active role by IT that leverages the free and inexpensive options providing bleeding edge information about malware threats.

There is no set-it-and-forget-it tool for combating Zeus and modern malware; companies are learning the hard way, by losing money and suffering data breaches, that they have to actively fight current threats.
