6th European Conference - Academic Conferences
Anatomy of Banking Trojans – Zeus Crimeware (how Similar are its Variants)
Madhu Shankarapani and Srinivas Mukkamala
(ICASA)/(CAaNES)/New Mexico Institute of Mining and Technology, USA
madhuk@cs.nmt.edu
srinivas@cs.nmt.edu
Abstract: To add complexity to existing cyber threats, targeted Crimeware that steals personal information for financial gain is for sale for as little as $700. Banking Trojans have been notoriously difficult to kill, and to date most antivirus and security technologies fail to detect or prevent them from causing havoc. Zeus, considered one of the most nefarious financial and banking Trojans, targets businesses and financial institutions to perform unauthorized automated clearinghouse (ACH) and wire transfer transactions for check and payment processing. Zeus is causing billions of dollars in losses and is facilitating identity theft of innocent users for financial gain. Zeus Crimeware does one thing very well that every security researcher envies: obfuscation. The Zeus kit conceals the exploit code every time a binary is created. Zeus Crimeware has an inbuilt binary generator that produces a new binary file on every use that is radically different from the others, which evades detection by antivirus or security technologies that rely on signature-based detection. The effectiveness of an up-to-date antivirus against Zeus is thus not 100%, not 90%, not even 50%; it is just 23%, which is alarming. No matter how smart and how different Zeus binaries are, most of them share a few common behavioral patterns, such as the ability to take screenshots of a victim's machine or control it remotely, to hijack e-banking sessions and log them to the level of impersonation, to add additional pages to a website and monitor them, or to steal passwords stored by popular programs and use them. In this paper we present detection algorithms that can help the antivirus community ensure that a variant of a known malware can still be detected without the need to create a signature: a similarity analysis (based on specific quantitative measures) is performed to produce a matrix of similarity scores that can be used to determine the likelihood that a piece of code or a binary under inspection contains a particular malware. The hypothesis is that all versions of the same malware family, or of a similar malware family, share a common core signature that is a combination of several features of the code (binary). Results from our recent experiments on 40 different variants of Zeus show very high similarity scores (over 85%). Interestingly, Zeus variants also have high similarity scores with other banking Trojans (Torpig, Bugat, and Clampi) and with a well-known data-stealing Trojan, Qakbot. We present experimental results indicating that our proposed techniques can provide better detection performance against banking Trojans like Zeus Crimeware.
Keywords: Zeus Crimeware, banking Trojans, Torpig, Bugat, Clampi, malware similarity analysis, anatomy of Zeus, malware analytics
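The abstract describes building a matrix of pairwise similarity scores over binary features and using a high score (the paper reports over 85% between Zeus variants) to attribute an unknown sample to a known family without a signature. The following is an added illustration, not the paper's own code: the paper does not name its quantitative measures, so Jaccard similarity over 4-byte n-gram sets is assumed here as one illustrative measure, and the "binaries" are constructed byte strings (a shared core plus variant-specific padding, and one unrelated family).

```python
# Added example (not code from the paper): pairwise similarity scoring of
# binaries over byte n-gram feature sets. The paper does not name its
# quantitative measures; Jaccard over 4-byte n-grams is assumed here as one
# illustrative measure.
from itertools import combinations

def ngram_features(data: bytes, n: int = 4) -> frozenset:
    """Feature set of a binary: every distinct n-byte window it contains."""
    return frozenset(data[i:i + n] for i in range(len(data) - n + 1))

def jaccard(a: frozenset, b: frozenset) -> float:
    """Jaccard similarity in [0, 1]; two empty sets are treated as identical."""
    if not a and not b:
        return 1.0
    return len(a & b) / len(a | b)

def similarity_matrix(samples: dict) -> dict:
    """Symmetric matrix {(name_i, name_j): score} over all sample pairs."""
    feats = {name: ngram_features(blob) for name, blob in samples.items()}
    matrix = {(name, name): 1.0 for name in samples}
    for x, y in combinations(sorted(samples), 2):
        matrix[(x, y)] = matrix[(y, x)] = jaccard(feats[x], feats[y])
    return matrix

def attribute(unknown: bytes, known: dict, threshold: float = 0.85):
    """Best-scoring known sample as (name, score) if it clears the threshold, else None."""
    uf = ngram_features(unknown)
    name, score = max(((n, jaccard(uf, ngram_features(b))) for n, b in known.items()),
                      key=lambda t: t[1])
    return (name, score) if score >= threshold else None

# Constructed stand-ins for binaries: a shared "core" with variant-specific
# padding, plus an unrelated family whose byte sequence shares no 4-gram.
CORE = bytes(range(256))
SAMPLES = {
    "zeus_v1": CORE + b"\xaa" * 16,
    "zeus_v2": CORE + b"\xbb" * 16,
    "other_family": bytes(range(255, -1, -1)),
}

if __name__ == "__main__":
    m = similarity_matrix(SAMPLES)
    for pair in sorted(m):
        if pair[0] < pair[1]:
            print(f"{pair[0]:>14} vs {pair[1]:<14} {m[pair]:.3f}")
    print(attribute(CORE + b"\xcc" * 8, {"zeus_v1": SAMPLES["zeus_v1"],
                                        "other_family": SAMPLES["other_family"]}))
```

With these constructed inputs the two "Zeus" variants score about 0.97 against each other and 0.0 against the unrelated family, so an unknown sample carrying the same core is attributed to the family while a sample sharing no n-grams falls below the threshold.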
1. Introduction
One of the major concerns in network security is controlling the spread of malware over the Internet. In particular, polymorphic and metamorphic versions of malware are the most troublesome among malware families, because of their capability not only to infect systems but also to steal confidential user data and to remain persistent. These kinds of malware are written with the intent of taking control of a large number of hosts on the Internet. Once hosts are infected by Trojans, they may join a botnet for stealing personal data such as user credentials (Holz, Engelberth and Freiling, 2008), (Kanich et al, 2008). Over time, malware writing has changed from being done for fun to the present, where it is done for financial gain.
Trojans in the past were used for sending spam emails, installing third-party malware, keystroke logging, crashing the host machine, and uploading or downloading files on the infected machines. The present generation of Trojans is far more complex: when the Trojan notices the user visiting the website of a targeted bank, it springs into action. When the user is carrying out a transaction, the Trojan looks at the available balance and calculates how much money to steal. These Trojans are given upper and lower bound limits that are below the amount that triggers antifraud systems. Zeus, Torpig, Zlob, Vundo, SmitFraud, etc. are a few examples of deadly Trojans that have caused major financial loss.
Torpig is a malware program that was developed to steal sensitive information from its infected hosts. In early 2005 over 180 thousand machines were infected and about 70 GB of data were stolen and uploaded to the bot-masters (Stone-Gross et al, 2009), (Nichols, 2009). Torpig depends on domain flux for its main C&C servers, and also on the servers to perform drive-by-downloads to spread on a