This week brought us a wide variety of news about the ZeuS malware platform and its criminal users. While the platform has been very successful at stealing banking credentials and money from its victims, it may be showing some promising signs of weakness to the security community. While it has long been recognized as a modular and adaptable platform, the rising complexity in the system may be exposing it to security concerns found in traditional enterprise software. Identifying and exploiting these weaknesses may be an essential factor in disrupting its botnets and tracking down its controllers.
One of those features, highlighted in this week’s Cyber Risk Report, was a jump into mobile malware. One particular ZeuS adaptation has appeared as a combined threat between desktops and smartphones, with the ultimate goal of intercepting not only keyboard-entered user credentials, but also SMS messages from banks used for out-of-band user authentication.
Vulnerabilities Exist in Software
While it’s not true that all computer programs contain exploitable security flaws, it does take a significant investment of time and resources, and it must be a priority. ZeuS is certainly operating quite a bit like traditional commercial software, albeit via the black market. According to SecureWorks, recent versions have numerous modules for advanced features, including VNC remote control (a $10,000 option), hardware-dependent licensing, and even a beta program for debuting upcoming features (polymorphism is slated for the version 1.4 release).
As ZeuS’ authors work to focus on features that further monetize their software, it may not come as a surprise that the code has been found to contain an unauthorized script execution vulnerability. While these kinds of discoveries may not be the best option for those trying to legally disable botnets and their command-and-control structures, they may be appropriate for use in some circumstances. Most of all, they remind us that the criminals behind ZeuS are not untouchable, despite their massive success at infecting computers and amassing large botnets for their customers.
Vulnerabilities Exist in Organizations
Not only is the software behind ZeuS vulnerable, the people running botnets based off of its code are vulnerable as well. Two high-profile arrests recently in Britain were tied to the ZeuS botnet, one in connection with Operation Dynamophone, aimed at PII crimes, and the other of a gang of 19 individuals believed to have stolen over £20 million.
These arrests, and others, remind us that, just as in business enterprises, there are security concerns within criminal concerns. While the ZeuS platform may be technically sophisticated and capable of very effectively stealing funds from its targets’ bank accounts, it does not in and of itself make a criminal enterprise successful. In this way, ZeuS (or rather, one who purchases it) may be a victim of the platform’s success. Law enforcement agencies may benefit from an increased number of inexperienced criminals using ZeuS, getting caught, and producing more evidence against those higher in the ZeuS food chain.
Ultimately, while ZeuS stands out for its feature set, novelty, and business model, it is good to remember that security applies to us all. Complexity is the enemy of security, and more criminals, more features, and more novel methods of stealing bank credentials will result in failure along the way. And with an adversary as high-profile as ZeuS, it’s only a matter of time before those on the right side of the law find its Achilles Heel and bring the whole thing down.