10. ZEUS: old but gold
Zeus
Citadel
SpyEye
ZitMo
ZeusVM/KINS
Zberp
http://forum.fr.grepolis.com/
11. ZEUS: mode of operation
1. Drop executable in the user's %APP% folder
2. Create and execute a batch file to delete the dropper
3. Maintain a registry key for persistence
4. Inject payload into system processes
5. Download customized configuration
22. Eddie In The Browser
[Diagram: USER <-> BROWSER <-> BANK.COM; the malware sitting in the browser injects web content and grabs user input]
23. CONFIGURATION
•Update URL & Config Backup URL
•Upload URL
•Injection Information
•URL Masks:
•For identifying websites to log
•For identifying websites to screenshot
•URL Mappings for Redirection
•IP/URL Mappings to insert into the hosts file to override DNS lookups
24. SUMMING IT UP
[Diagram: DROPPER kilf.exe drops the Zbot files (ZBOT vogiap.exe and CONFIGURATION ehri.ofu); DELETE SCRIPT KUQ9491.bat deletes the dropper; ZBOT injects code into PROCESS explorer.exe; the C&C SERVER handles control communication and updates]
25. ZitMo: Zeus in the Mobile
Zeus Infection
Installation of ZitMo
Social Engineering
Spying on online-banking credentials
Capture mTAN
Do Transaction
26. ZeusVM / KINS
Born December 2011
Sold as a kit since 2013
Heavily based on Zeus source code
http://blog.fox-it.com/2013/07/25/analysis-of-the-kins-malware/
32. Carberp
There is no honour among thieves:
“Leaking the source code was not like the leaking of a weapon, but more like the leaking of a tank factory”
1.9 GB of sources
http://krebsonsecurity.com/
39. HUNTING ZEUS
1. Drive-by infections
2. Anomalies in network traffic
3. Threat intelligence feeds to follow C&Cs
4. File system & registry key changes
5. Watch your data
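The hunting pointers above (file system and registry changes, network anomalies) are weak individually but strong when correlated on one host against the infection chain the deck describes: a drop into the user profile, a batch file that deletes the dropper, a Run-key entry, injection into a system process, and a call home from the injected process. The following is an added example, not code from the presentation. The event schema, host names, timestamps and IP address are constructed; the folder %APP% from the slides is taken to mean %APPDATA%; the file names kilf.exe, KUQ9491.bat, vogiap.exe and ehri.ofu are the ones the deck uses in its summary slide.

```python
"""Correlate constructed endpoint telemetry against the Zeus infection chain.

Stages looked for: drop into %APPDATA%, batch-file creation, dropper deletion,
Run-key persistence, injection into a system process, call home by the
injected process. A host is flagged when enough distinct stages occur within
one time window. Event schema and sample data are constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

MIN_STAGES = 3                          # distinct stages needed to raise an alert
APPDATA = r"c:\users\alice\appdata\roaming"   # constructed user profile path
RUN_KEYS = (
    r"hkcu\software\microsoft\windows\currentversion\run",
    r"hklm\software\microsoft\windows\currentversion\run",
)
SYSTEM_PROCESSES = ("explorer.exe", "svchost.exe", "winlogon.exe")


@dataclass
class Event:
    """Hypothetical sensor record; not a real EDR format."""
    ts: datetime
    host: str
    kind: str      # file_create | process_create | registry_set | inject | net_connect
    actor: str     # image path of the acting process
    detail: str    # created path, registry value, injection target, or URL


def basename(path: str) -> str:
    return path.lower().rsplit("\\", 1)[-1]


def stage_of(ev: Event) -> Optional[str]:
    """Map a single event to the chain stage it evidences, or None."""
    d, a = ev.detail.lower(), ev.actor.lower()
    if ev.kind == "file_create" and d.startswith(APPDATA) and d.endswith(".exe"):
        return "drop_to_appdata"
    if ev.kind == "file_create" and d.startswith(APPDATA) and d.endswith(".bat"):
        return "batch_created"
    if ev.kind == "process_create" and basename(a) == "cmd.exe" and "del " in d:
        return "dropper_deleted"
    if ev.kind == "registry_set" and d.startswith(RUN_KEYS) and APPDATA in d:
        return "run_key_persistence"
    if ev.kind == "inject" and basename(d) in SYSTEM_PROCESSES and a.startswith(APPDATA):
        return "inject_system_process"
    return None


def correlate(events: List[Event], window: timedelta = timedelta(minutes=10)) -> Dict[str, List[str]]:
    """Return {host: [stages]} for hosts with >= MIN_STAGES distinct stages
    whose first occurrences all fall within `window` of the earliest stage."""
    by_host: Dict[str, List[Event]] = {}
    for ev in sorted(events, key=lambda e: e.ts):
        by_host.setdefault(ev.host, []).append(ev)

    alerts: Dict[str, List[str]] = {}
    for host, evs in by_host.items():
        injected = set()                 # system processes that received injected code
        stages: Dict[str, datetime] = {} # stage -> first time it was observed
        for ev in evs:
            stage = stage_of(ev)
            if stage == "inject_system_process":
                injected.add(basename(ev.detail))
            # A network connection from a process we just saw injected is the call home;
            # the same connection from a clean explorer.exe is not suspicious on its own.
            if stage is None and ev.kind == "net_connect" and basename(ev.actor) in injected:
                stage = "call_home"
            if stage and stage not in stages:
                stages[stage] = ev.ts
        if stages:
            first = min(stages.values())
            hit = [s for s, t in stages.items() if t - first <= window]
            if len(hit) >= MIN_STAGES:
                alerts[host] = hit
    return alerts


# Constructed sample telemetry: ws01 follows the chain, ws02 is a benign installer.
T0 = datetime(2024, 1, 1, 9, 0, 0)
DROPPER = r"c:\users\alice\downloads\kilf.exe"
SAMPLE_EVENTS = [
    Event(T0, "ws01", "file_create", DROPPER, APPDATA + r"\vogiap.exe"),
    Event(T0 + timedelta(seconds=5), "ws01", "file_create", DROPPER, APPDATA + r"\KUQ9491.bat"),
    Event(T0 + timedelta(seconds=6), "ws01", "process_create", r"c:\windows\system32\cmd.exe",
          'cmd.exe /c del "' + DROPPER + '"'),
    Event(T0 + timedelta(seconds=9), "ws01", "registry_set", APPDATA + r"\vogiap.exe",
          RUN_KEYS[0] + r"\{placeholder-guid} = " + APPDATA + r"\vogiap.exe"),
    Event(T0 + timedelta(seconds=12), "ws01", "inject", APPDATA + r"\vogiap.exe", r"c:\windows\explorer.exe"),
    Event(T0 + timedelta(seconds=20), "ws01", "net_connect", r"c:\windows\explorer.exe",
          "http://198.51.100.7/ehri.ofu"),          # TEST-NET-2 address, constructed
    Event(T0, "ws02", "file_create", r"c:\windows\system32\msiexec.exe", APPDATA + r"\updater.exe"),
    Event(T0 + timedelta(seconds=30), "ws02", "net_connect", r"c:\windows\explorer.exe",
          "http://198.51.100.9/"),
]

if __name__ == "__main__":
    for host, stages in correlate(SAMPLE_EVENTS).items():
        print(host, "->", ", ".join(stages))
```

The rule that turns a network connection into the call-home stage only after an injection into that process is the point of the correlation: on its own, explorer.exe talking to the network is noise, which is why ws02 is not flagged even though it also wrote an executable into the profile folder.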
40. Malware Kill Chain
Awareness | Behavior | Correlation | Intelligence | Encryption
LURE -> EXPLOIT -> INFECT -> CALL HOME -> STEAL DATA