Titans' revenge: Detecting Zeus via its own flaws

Malware is one of the main threats to Internet security in general, and to commercial transactions in particular. However, given the high level of sophistication reached by malware (e.g. encrypted payloads and obfuscation techniques), malware detection tools and techniques still call for effective and efficient solutions. In this paper, we address a specific, dreadful, and widespread financial malware: Zeus. The contributions of this paper are manifold: first, we propose a technique to break the encrypted malware communications by extracting the keystream used to encrypt them; second, we provide a generalization of the proposed keystream extraction technique. Further, we propose Cronus, an IDS that specifically targets Zeus malware. The implementation of Cronus has been experimentally tested on a production network, and its high performance and effectiveness are discussed. Finally, we highlight some principles underlying malware (and Zeus in particular) that could pave the way for further investigation in this field.
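The abstract states that Cronus detects Zeus by extracting the keystream of its encrypted communications. The following is an added example, not code from the paper or from Cronus, of the generic principle behind such an approach: when a stream cipher XORs a fixed keystream with the plaintext and the plaintext starts with a known header, one captured message is enough to recover the keystream prefix, and that prefix then serves as a detection signature for further messages encrypted under the same keystream. The cipher, the header `BOT-REPORT-V1:`, the keystream and all messages are constructed for this illustration; the page does not state which cipher, key length or message layout Zeus actually uses.

```python
"""
Added illustration (not the paper's code): known-plaintext keystream recovery
from an XOR stream cipher that reuses its keystream, and use of the recovered
keystream prefix as an IDS signature. Everything below is constructed.
"""

# Constructed assumption: every report from the bot starts with this header.
KNOWN_HEADER = b"BOT-REPORT-V1:"


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings, truncated to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def toy_encrypt(keystream: bytes, plaintext: bytes) -> bytes:
    """Constructed stream cipher: the same keystream is reused for every message.
    Keystream reuse is the weakness the detector relies on."""
    return xor_bytes(keystream, plaintext)


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """ciphertext XOR known plaintext gives the keystream bytes covering the
    known prefix (only that many bytes can be recovered from one message)."""
    return xor_bytes(ciphertext[: len(known_plaintext)], known_plaintext)


def matches_keystream(ciphertext: bytes, keystream_prefix: bytes,
                      known_plaintext: bytes) -> bool:
    """Detection check: a message belongs to the same encrypted channel if
    decrypting its prefix with the recovered keystream yields the known header."""
    if len(ciphertext) < len(keystream_prefix):
        return False
    return xor_bytes(ciphertext[: len(keystream_prefix)], keystream_prefix) == known_plaintext


def demo() -> dict:
    """Run the full flow on constructed traffic and return the observations."""
    keystream = bytes(range(7, 7 + 64))            # constructed fixed keystream
    captured = toy_encrypt(keystream, KNOWN_HEADER + b"host=ws01")   # first sighting
    later = toy_encrypt(keystream, KNOWN_HEADER + b"host=ws02")      # later bot message
    benign = b"GET / HTTP/1.1\r\nHost: intranet\r\n\r\n"             # unrelated traffic

    # Step 1: recover the keystream prefix from the first captured message.
    ks_prefix = recover_keystream(captured, KNOWN_HEADER)

    # Step 2: use the prefix as a signature over subsequent flows.
    return {
        "keystream_prefix": ks_prefix,
        "prefix_correct": ks_prefix == keystream[: len(KNOWN_HEADER)],
        "later_flagged": matches_keystream(later, ks_prefix, KNOWN_HEADER),
        "benign_flagged": matches_keystream(benign, ks_prefix, KNOWN_HEADER),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value!r}")
```

Only as many keystream bytes as there are known plaintext bytes can be recovered from a single message; the paper's generalization of the extraction technique is not reproduced here. The check costs one XOR over the first few bytes of each flow, which is why a keystream-based signature is practical at production-network rates.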
