The present era belongs to highly sophisticated and accurately targeted malware that compromises computer systems at will. Not only does it have the capability to infect even the most secure and sophisticated systems, it is also designed to remain under the radar and work in stealth mode. Malware like Stuxnet, Duqu, Flame, Uroburos/Snake, Blackshades and FinFisher are just a few examples that we are aware of, and there are many more still operating that we are not aware of at all. Some of them operate in the hidden Internet or deep web, using encryption and anonymity systems. Financial institutions and financial credentials are widely targeted by malware for obvious reasons. Besides targeting financial organisations, botnets are used for all sorts of illegal activities over the Internet. For instance, in the online advertisement industry alone, botnets are causing losses of up to $6 million a month.
One such malware is known as Zeus, which is well known for stealing banking information by man-in-the-browser keystroke logging and form grabbing. It is also used to install the CryptoLocker ransomware. Zeus is spread mainly through drive-by downloads, spam and phishing. Infected systems can also be used to engage in other malicious activities, such as sending spam or participating in distributed denial-of-service (DDoS) attacks. The latest variant of Zeus is known as Gameover Zeus, or the GOZ botnet.
According to a good research analysis (PDF) of the GOZ botnet, Zeus is a family of credential-stealing trojans which originally appeared in 2007. The first two variants of Zeus are based on centralized command servers. These command servers are now routinely tracked and blocked by the security community. In an apparent effort to withstand these routine countermeasures, the second version of Zeus was forked into a peer-to-peer variant in September 2011. Compared to earlier versions of Zeus, this peer-to-peer variant is fundamentally more difficult to disable.
Due to its lack of centralized C2 servers, P2P Zeus is not susceptible to traditional anti-Zeus countermeasures, and is much more resilient against takedown efforts than centralized Zeus variants. The main P2P network is divided into several virtual sub-botnets by a hardcoded sub-botnet identifier in each bot binary. While the Zeus P2P network is maintained and periodically updated as a whole, the sub-botnets are independently controlled by several botmasters.
The Zeus P2P network serves two main purposes: (1) bots exchange binary and configuration updates with each other, and (2) bots exchange lists of proxy bots, which are designated bots where stolen data can be dropped and commands can be retrieved. Additionally, bots exchange neighbor lists (peer lists) with each other to maintain a coherent network. As a backup channel, P2P Zeus also uses a Domain Generation Algorithm (DGA), in case contact with the regular P2P network is lost.
According to the researchers, P2P Zeus has evolved into a complex bot with attack capabilities that go beyond typical banking trojans. They believe that P2P Zeus is used for activities as diverse as DDoS attacks, malware dropping, Bitcoin theft, and theft of Skype and banking credentials. The researchers have also found that until recently bot traffic was encrypted using a rolling XOR algorithm, known as “visual encryption” from centralized Zeus, which encrypts each byte by XORing it with the preceding byte. Since June 2013, Zeus uses RC4 instead of the XOR algorithm, using the recipient’s bot identifier as the key. Rogue bots used by analysts to infiltrate the network typically use continuously changing bot identifiers to avoid detection. The new RC4 encryption is a problem for such analysis, because a rogue bot may not always know under which identifier it is known to other bots, which prevents it from decrypting the messages it receives. In addition, RC4 increases the load on botnet detection systems which rely on decrypting C2 traffic.
Zeus uses RSA-2048 to sign sensitive messages originating from the botmasters, such as updates and proxy announcements. In all P2P Zeus variants the researchers studied, update exchanges and C2 messages feature RC4 encryption over an XOR encryption layer. For these messages, either the identifier of the receiving bot or a hardcoded value is used as the RC4 key, depending on the message type. Each Zeus bot runs a passive thread, which listens for incoming requests, as well as an active thread, which periodically generates requests to keep the bot up-to-date and well-connected.
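The two encoding layers described in the preceding paragraphs, as an added worked example that is not code from the research paper or from the article: the rolling XOR "visual encryption" (each byte XORed with the one before it, undone by walking the buffer backwards) with textbook RC4 applied on top, keyed with the receiving bot's identifier. The bot identifiers, their 20-byte length and the message body are constructed sample values, and the layer order (XOR first, then RC4) follows the article's description of "RC4 encryption over an XOR encryption layer". The last function shows why the RC4 change hurts analysis: a receiver that does not know under which identifier it was addressed cannot recover the message.

```python
"""Added illustration (not the researchers' code) of the two traffic-encoding
layers the article describes: the "visual encryption" rolling XOR and an RC4
layer keyed with the receiving bot's identifier. All identifiers and message
bodies below are constructed sample values, not real Zeus data."""


def visual_encrypt(data: bytes) -> bytes:
    """Rolling XOR: every byte is XORed with the (already encoded) byte before
    it. Walking forward makes each output byte depend on the whole prefix."""
    buf = bytearray(data)
    for i in range(1, len(buf)):
        buf[i] ^= buf[i - 1]
    return bytes(buf)


def visual_decrypt(data: bytes) -> bytes:
    """Undo the chain by walking backwards, so each step still sees the encoded
    predecessor rather than an already-restored byte."""
    buf = bytearray(data)
    for i in range(len(buf) - 1, 0, -1):
        buf[i] ^= buf[i - 1]
    return bytes(buf)


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (key scheduling followed by keystream generation).
    Encryption and decryption are the same XOR operation."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:                         # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def encrypt_message(plaintext: bytes, recipient_id: bytes) -> bytes:
    """RC4 over the XOR layer, keyed with the identifier of the recipient."""
    return rc4(recipient_id, visual_encrypt(plaintext))


def decrypt_message(ciphertext: bytes, own_id: bytes) -> bytes:
    """The receiver peels the layers in reverse using the identifier by which
    the sender knows it."""
    return visual_decrypt(rc4(own_id, ciphertext))


# Constructed 20-byte identifiers (length chosen for the demo, an assumption).
BOT_A_ID = bytes.fromhex("00112233445566778899aabbccddeeff00112233")
BOT_B_ID = bytes.fromhex("ffeeddccbbaa99887766554433221100ffeeddcc")
SAMPLE_MESSAGE = b"peer-list request (constructed sample payload)"


def recover_with_known_ids(ciphertext: bytes, known_ids):
    """Monitoring-side view: try every identifier a rogue bot has announced and
    return the first decryption that carries the expected payload marker, or
    None. Without the right identifier the bytes are indistinguishable from
    noise, which is the difficulty the article points out."""
    for candidate in known_ids:
        plain = decrypt_message(ciphertext, candidate)
        if plain.startswith(b"peer-list"):
            return plain
    return None


if __name__ == "__main__":
    wire = encrypt_message(SAMPLE_MESSAGE, BOT_A_ID)
    print("on the wire:", wire.hex())
    print("decoded by A:", decrypt_message(wire, BOT_A_ID))
    print("decoded by B:", decrypt_message(wire, BOT_B_ID))
    print("recovered:", recover_with_known_ids(wire, [BOT_B_ID, BOT_A_ID]))
```

The `rc4` function is deliberately the plain algorithm so the RC4 test vector (key `Key`, plaintext `Plaintext`) can be checked against it; the XOR chain and RC4 compose cleanly because both are byte-wise and invertible, which is exactly why knowing the key (the identifier) is the only obstacle to decoding captured traffic.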
The researchers have concluded (PDF) that P2P Zeus is a significant evolution of earlier Zeus variants. Compared to traditional centralized versions of Zeus, P2P Zeus is much more resilient against takedown attempts. Potential countermeasures against P2P Zeus are complicated by its application of RSA-2048 signatures to mission-critical messages, and rogue bot insertion is complicated by the Zeus message encryption mechanism, which makes the use of random bot identifiers impossible. Poisoning attempts are forced to use widely distributed IPs due to a per-bot IP filter which allows only a single IP per /20 subnet. The network’s resilience against takedown efforts is further increased by its use of a Domain Generation Algorithm backup channel, and by an automatic blacklisting mechanism. P2P Zeus demonstrates that modern P2P botnets represent a new level of botnet resilience, previously unseen in centralized botnets.
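The per-bot IP filter mentioned above, as an added example that is not code from the research paper or the article: a peer list is reduced to at most one address per /20 subnet, which is the general Sybil-resistance pattern behind the statement that poisoning attempts need widely distributed addresses. The candidate addresses are constructed values from documentation ranges, and the first-seen-wins rule is an assumption made for the illustration.

```python
"""Added illustration (not the researchers' code) of a per-/20 peer-list
filter: keep at most one address per /20 block, so a batch of addresses from
one range collapses to a single entry. Addresses are constructed samples."""
import ipaddress


def subnet_key(address: str):
    """The /20 network an address belongs to (its first 20 bits)."""
    return ipaddress.ip_network(f"{address}/20", strict=False)


def filter_peer_list(candidates):
    """Keep the first address seen for each /20 block and drop the rest.
    First-seen-wins is an assumption for this demo."""
    seen = set()
    kept = []
    for address in candidates:
        key = subnet_key(address)
        if key in seen:
            continue
        seen.add(key)
        kept.append(address)
    return kept


def distinct_blocks(candidates):
    """How many /20 blocks a list of addresses actually spans."""
    return len({subnet_key(a) for a in candidates})


# Constructed candidate peer list: three addresses share 203.0.112.0/20.
CANDIDATE_PEERS = ["203.0.113.5", "203.0.113.200", "203.0.120.9", "198.51.100.7"]

if __name__ == "__main__":
    print("blocks spanned:", distinct_blocks(CANDIDATE_PEERS))
    print("accepted peers:", filter_peer_list(CANDIDATE_PEERS))
```

`ipaddress.ip_network(..., strict=False)` masks the host bits for us, so `203.0.113.5` and `203.0.120.9` both map to `203.0.112.0/20` and only one of them survives; the number of accepted entries can never exceed the number of distinct /20 blocks in the input.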
On the legal side, the creators and users of Gameover Zeus are difficult to prosecute. This is because cyber attacks have shifted in nature and territorial scope, from being fun and regional to becoming a potential tool of cyber warfare and cyber espionage. We have no globally acceptable international legal regime for cyber attacks as of today. Thus, the international legal issues of cyber attacks are yet to be resolved.
Cyberspace also puts forward complex problems of authorship attribution for cyber attacks and of anonymity. Cyberspace also gives rise to conflict of laws, where multiple laws of different jurisdictions may be applicable at the same time. Thus, cyber security and international cooperation cannot be separated in these circumstances. Nevertheless, international cooperation among the law enforcement agencies of different nations, and the conclusion of extradition treaties among them, can be a good beginning. Some success has already been achieved in this regard, and more international cooperation is expected very soon in the cyber law and cyber security fields.