ZeuS on the LeuS



Yes, it’s true. As reported earlier today by Jordan Robertson for the Associated Press (“Corporations, agencies infiltrated by ‘botnet’”), and now trickling its way to FOXNews.com (“Massive Hack Attack Shows Major Flaws in Today’s Cybersecurity”) and elsewhere, yet another incarnation of the ZeuS trojan and botnet is on the loose. According to the AP article, “Security experts have found a network of 74,000 virus-infected computers that stole information from inside [more than 2,400 organizations including] corporations and government agencies.” Just last week I was teaching a Global Knowledge course titled “Defending Windows Networks,” in which students use hacker tools to create trojan horse applications in two of the lab exercises.

What the recent news articles don’t spell out is something many of my students realized last week – just how incredibly easy it is for someone to use free software to create such infections. You don’t need to be a software engineer, or an evil genius. All you have to know how to do is click a few buttons in a builder kit and maybe type in a few parameters (such as where the bot should report to) to spell out what you want your software robots to do. If you manage to implant the result within organizations around the net, you have a botnet. It’s almost too trivial.

Of course, one of the ways such bots can go viral and spread themselves to numbers like 74,000 computers is that they can be repackaged into many different strains, each of which looks new to a signature-based scanner. The Kneber strain of ZeuS has evidently evaded detection for some time, although earlier forms of ZeuS from a year ago are readily detected by many organizations’ defenses. The FOXNews article notes that “NetWitness points out that over half the machines infected with Kneber were also infected with Waledac, a peer to peer botnet.” Indeed, patches and scanner updates to detect and quarantine Waledac outbreaks have been available for some time as well.

How do new strains of these pieces of software evade detection so successfully? A fundamental aspect of the anti-virus, anti-spam, and anti-malware industries is that their products are predominantly reactive. When a worm, virus, or other sort of attack makes use of a security vulnerability, several things typically follow in reaction to it. Depending on the nature of the beast, operating system vendors such as Microsoft may develop and release patches such as hot fixes to protect Windows from software that exploits the vulnerability, or equipment vendors such as Juniper or Cisco may release firmware updates to protect network equipment. Intrusion detection and prevention systems (IDS/IPS) and virus scanners are updated with signatures of the current strain of the attack. A signature written for one strain says nothing about the next: repack or re-encode the same bot and the scanner is back to square one until someone captures, analyzes, and signs the new sample.

As Marcus J. Ranum stated in “The Six Dumbest Ideas in Computer Security,” which I still refer students to even though it was written several years ago, the way many organizations approach computer and network security is wrong. In fact, both in the “Defending Windows Networks” class last week and the “Managing, Maintaining, and Securing Your Networks Through Group Policy” course I’m teaching this week, most students noted that their organizations have classically used a “Default Permit” + “Enumerating Badness” approach, which is the default in so many subsystems of Windows, rather than the “Default Deny” + “Enumerating Goodness” combination that makes sense when you just look at the big picture for a few moments. Default Permit plus Enumerating Badness means anything runs unless a scanner recognizes it as bad; Default Deny plus Enumerating Goodness means nothing runs unless it is on the list of software the organization has approved.
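To make Ranum’s two combinations concrete, and to show why the reactive signature approach described in the preceding paragraphs is so easy to defeat, here is an added example. It is my illustration for this post, not code from the original article, from any anti-virus product, or from Windows. It models an executable as a byte string, a “known strain” signature as a substring the scanner looks for, and a builder-kit “new strain” as the same bot body XOR-encoded under a fresh key behind a tiny decoder stub. The strain contents, the signature, the approved-software list and the XOR packer are all constructed for the example and stand in for real files and real packers.

```python
import hashlib

# Constructed sample "executable" contents. These are plain marker strings,
# not real malware or real binaries; they only stand in for file bytes.
ORIGINAL_STRAIN = b"MZ...BOT:connect c2;steal creds;"
SIGNATURE = b"BOT:connect c2"  # pattern an AV vendor extracted from the original strain
APPROVED_SOFTWARE = [b"MZ...calc.exe v1.0", b"MZ...notepad.exe v1.0"]  # constructed known-good files


def xor_encode(data: bytes, key: int) -> bytes:
    """XOR every byte with a single-byte key (a toy packer's 'encryption')."""
    return bytes(b ^ key for b in data)


def make_variant(body: bytes, key: int) -> bytes:
    """Produce a 'new strain': the same bot body re-encoded under a fresh key,
    behind a decoder stub. A builder kit does the equivalent with one click."""
    return b"STUB:" + bytes([key]) + xor_encode(body, key)


def blacklist_allows(sample: bytes, signatures) -> bool:
    """Default Permit + Enumerating Badness: run anything unless a known-bad
    pattern is found in it."""
    return not any(sig in sample for sig in signatures)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def allowlist_allows(sample: bytes, allowed_hashes) -> bool:
    """Default Deny + Enumerating Goodness: run nothing unless its hash is on
    the approved list. What the bot contains is irrelevant; only its absence
    from the list matters."""
    return sha256_hex(sample) in allowed_hashes


def count_evading_keys(signatures=(SIGNATURE,)) -> int:
    """How many of the 255 non-zero XOR keys yield a variant the blacklist misses."""
    return sum(
        1 for key in range(1, 256)
        if blacklist_allows(make_variant(ORIGINAL_STRAIN, key), signatures)
    )


def demo() -> dict:
    allowed_hashes = {sha256_hex(f) for f in APPROVED_SOFTWARE}
    variant = make_variant(ORIGINAL_STRAIN, key=0x5A)  # attacker picks a fresh key
    return {
        "original_blacklist_allows": blacklist_allows(ORIGINAL_STRAIN, [SIGNATURE]),  # signature hits
        "variant_blacklist_allows": blacklist_allows(variant, [SIGNATURE]),           # signature misses
        "variant_allowlist_allows": allowlist_allows(variant, allowed_hashes),        # never approved
        "approved_allowlist_allows": allowlist_allows(APPROVED_SOFTWARE[0], allowed_hashes),
        "evading_keys": count_evading_keys(),  # every re-keying slips past the signature
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Run it and the blacklist rejects the original strain but accepts the re-keyed variant, for every one of the 255 possible keys, while the hash allowlist rejects the variant without ever having heard of it and still lets the approved files run. The toy packer is far cruder than what real kits do, and real scanners add heuristics and emulation on top of signatures, but the asymmetry is the point: the allowlist needs no knowledge of the attacker at all. On Windows this is what Software Restriction Policies, and on Windows 7 and Server 2008 R2 AppLocker, deliver through Group Policy with hash, path, and certificate/publisher rules.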

As the AP news article about the ZeuS/Kneber + Waledac botnet notes, “The unusual thing about the incident is not that it happened but that it was discovered.” Even that one sentence should be enough to motivate us to approach systems security differently.

Image: Painting of Zeus © Mario Larrinaga
