Some of its variants have brought the cat-and-mouse game to a whole new standard

Jul 13, 2014 20:57 GMT  ·  By

The Zeus Trojan was first identified in July 2007, and the group behind it was arrested in 2010. They used the malicious code to collect credentials for financial institutions and then empty the victims' accounts.

The damage was quite significant at the time, with millions of dollars stolen from banks in the U.K. and the U.S. filling the pockets of the prime suspects. The entire criminal syndicate behind the Zeus/Zbot malware managed to cash in tens of millions of dollars.

Yet, seven years later, the Zeus name still makes the headlines of publications in the security industry. The longevity of this malware family, which will soon deserve to be called a clan, stems from the fact that it was sold on underground websites to anyone who wanted to set up a cybercriminal operation, as long as they had a few thousand dollars.

It was offered as a ready-made kit, with instructions on how to build the Trojan, but the success of the operation depended on how business-savvy the cybercriminals were.

Apart from this, its source code leaked in 2011. Initially it was up for grabs only from specific locations, but now it can be found with a single Google search. Of course, given the time that has passed and the advancements in security, it is more suited for study than for starting a “business.”

This stimulated other cybercriminals to analyze the original version of the malware and apply their own optimizations to make it resilient to antivirus detection.

After several inadequate variants, the underground forums were supplied with a new malware kit derived from the Zeus code, called Citadel.

The operation worked for at least one year and a half, until Microsoft announced in June 2013 that the command and control servers for the botnets created by Citadel had been seized and were under the supervision of the good guys. Numerous law enforcement entities and multiple security companies in the private sector contributed to disrupting the botnets.

The lawsuit that ensued named a total of 82 defendants, all accused of controlling a botnet. The number of botnets and infected computers was so large that Microsoft had not finished the sinkholing process two months after it started.

Specifically, Citadel had spawned 1,462 botnets, while the number of infected computers amounted to millions.

One would think that this sort of engagement and dedication to disrupting these malicious activities would have caused the cyber-crooks to lie low for a while.

However, organized crime regrouped quickly and came up with a new, significantly enhanced variant of Zeus, called GameOver Zeus, which had been tightly controlled by a core group in Russia and Ukraine since October 2011.

On June 2, 2014, the GameOver Zeus botnet was dismantled in what was called Operation Tovar, but it was not completely disrupted, because the operators used a decentralized system of proxies and strong encryption to keep the master servers hidden.

This strain was not available for sale and, according to the U.S. Justice Department, it was employed in the theft of more than $100 million (€73,5 million). Its operators would hit high-dollar corporate accounts, with the thefts preceded by large distributed denial-of-service (DDoS) attacks in order to distract the victim from the account take-over activity.

According to recent reports from security researchers, the GameOver Zeus malware is making a comeback, a little over a month after the botnet was dismantled. This was to be expected given the complex nature of the network and the ability of the cybercriminals to regroup quickly.

Again, this is not the same code used for creating the previous botnet. The malware developers integrated new features and protection mechanisms to ensure the longevity of the malicious campaign.

However, more concerning is the fact that despite all the impressive efforts made to take down the criminal organizations using Zeus-based malicious tools, some of them managed to slip through the cracks.

It has recently been reported that a group of cybercriminals successfully evaded both the Citadel take-down in 2013 and the latest attempt by law enforcement to disrupt the GameOver Zeus operations, in June 2014.

The lucky crooks continued to work with Citadel until the end of 2013, when they switched to the GameOver Zeus malware. When Operation Tovar was carried out, this group remained untouched for the second time and carried on with its activity.

Apart from this, smaller variants of Zeus continue to appear; some are the work of less ambitious developers, others present evidence of professionals being involved in the creation and optimization of the code.

It may not take long until a new malware family replaces Zeus and buries it in the history pages of the security industry, but its resilience against the combined forces of law enforcement agencies and leading security companies around the globe is definitely raising the standard in malware writing.