The Zeus botnet and the making of a cyber crime market

Competition between makers of ZeuS and SpyEye malware reveals the business side of the criminal malware realm

I recently had the opportunity to speak with two representatives from the Netherlands-based security research firm Fox-IT: Maurits Lucas, InTELL business director, and Andy Chandler, VP of WW sales and marketing. Collectively, the two shared an in-depth story of cyber-gang warfare suitable for Hollywood.

As the events unfolded through their words, I quickly began to see into the business minds of the cyber criminals they described. Even more interesting to me was that a cyber business was actually being created and an entirely new market was being defined. This piece provides a glimpse into how the cyber criminals used business best practices to rake in the cash.

[ Watch out for 11 signs you've been hacked -- and learn how to fight back. Find out how in InfoWorld's PDF special report. | Discover how to secure your systems with the Security Adviser blog and newsletter, both from InfoWorld. ]

The start-up

Our business case begins in 2006 and is rooted in technology. On the surface, this business case could sound like any other presented by one of the top universities, where the subject business is created from a well-balanced mix of supply and demand, driven by revenue, enabled by innovation, and rife with competition. However, this story isn't about your traditional mainstream commercial business. Instead, it is one of a lucrative underground cyber crime business.

Commercializing the POC

The POC (proof of concept) for the new business began with the creation, introduction, and successful use of a MitB (man-in-the-browser) malware kit that formed a botnet specifically targeting financial institutions. Victims were typically companies or wealthy individuals with large amounts of cash periodically available in their bank accounts -- for example, funds transferred to a specific account to pay the wages of their employees.

The malware itself was designed to first attach itself to the host browser, allowing it to modify any Web page it wanted to before rendering it to the user. Once hooked to the browser, the malware would insert additional code (a botnet) into the banking website page(s) the user visited.

[The sorry state of cyber crime]

This isn't the scary stuff, however. The real payload comes when the botnet leverages its newly-formed connection to the banking systems located on the other side of the browser as a channel through which it can insert the real attack: The insertion of monetary transaction code that essentially creates a digital money mule.

Zbot, now publicly referred to as ZeuS, was the first appearance of such a malicious botnet, complete with phone-home and C&C (command and control) service management. Its creator, known on underground channels as Slavik, sold the industry's original malware kit on the cyber underground for a going rate of $8,000. Slavik's POC turned out to work extremely well; he made a lot of money, and some of his customers made even more money by launching some serious online banking attacks using the malware kit he created and sold.

As the new market grew, the question for the business eventually became one of scale, margins, and greed.

I spy some competition

It took three years for a new version of the ZeuS botnet to surface. In 2009, ZeuS version 2 appeared, adding a tremendous amount of new functionality to the product. ZeuS v2 was more robust, capable of handling takedowns better, and included new features like the ability to monitor network traffic, capture screenshots, record the victim's keystrokes, steal certificates, and even connect to other systems using the victim's IP address. New versions signaled success: A business had been born.

As with most businesses, the exposure and recognition of success spurs the introduction of new offerings from one or more competitors. While the business of cyber crime is neither legal nor moral, it happens to be no different from a legitimate business in this sense. So, as you can imagine, as Slavik created and established this new bot-based banking fraud market, at least one viable competitor would surface. And it did.

The first competing product, SpyEye, was authored by someone using the underground aliases Gribodemon and Harderman. While the first versions of this malware were laughably bad, meaning they often failed to run and would even blue-screen-of-death the host victim's computer, these kits only cost $400. This was a huge slash in price compared to the $8,000 charged by Slavik for his ZeuS malware kit.

With its aggressive pricing, the market took notice of SpyEye. The revenue generated by SpyEye was seemingly re-invested by Gribodemon to quickly improve the software, and the competing product soon started to gain market share -- even after Gribodemon found he could successfully increase the price of his kit from $400 to $1,000.

As its foothold solidified and the SpyEye software became more mature, its author began to get extremely aggressive in other areas of the business. Gribodemon went directly after the ZeuS market share, looking for complete domination. A fierce battle ensued.

One example of a traditional tactic used by SpyEye was a competitive takeout. Gribodemon's goal was not only to just win net new customers, but also to replace existing ZeuS customers. Gribodemon built his SpyEye malware kit such that, upon successful injection of the botnet into the host browser, it would check for the existence of the ZeuS botnet and remove it, essentially taking over the system and all banking accounts previously compromised by ZeuS.

In true business form, Slavik responded in kind with updates to his Zeus kit. Another example of a traditional business tactic applied by SpyEye was one of a competitive migration. Gribodemon delivered a feature in SpyEye called "Spy Config" that extracts the configuration defined in the ZeuS malware kit, loads it into the SpyEye configuration, and provides additional documentation on how to leverage the ZeuS configurations.

[RSA researchers discover new alternative to Zeus | Annual cost of cyber crime hits near $400 billion]

With the configuration mapping and education complete, SpyEye's users would know how to follow the ZeuS injector; they would also have a clear view into what ZeuS was up to and what to do with the system, connections, and accounts. Most everyone interested in the SpyEye kit knew how to read ZeuS malware configurations. This feature made it extremely easy for customers to switch from the ZeuS malware kit to the SpyEye malware kit.

Caution: Lanes merging

Having not seen any updates for quite some time, the market found the ZeuS malware kit sitting at v2.0.8.9 in October 2010. On the underground forums, announcements surfaced from both of these fierce competitors -- Slavik and Gribodemon -- claiming that further development of ZeuS and SpyEye would cease as individual offerings and that Slavik's ZeuS business was to be handed over and merged in to Gribodemon's SpyEye business. This, as you could imagine, sent the market into a frenzy.

While the market still saw some unofficial versions of the kit surface and then disappear after October 2010, this was more likely the case of the ZeuS source code being used by some of Slavik's close friends, not the result of a successful partnership or business merger. The merger appears to have never really materialized in a substantial, official way. It's safe to say the SEC certainly didn't publicly sanction any merger.

In 2011, the entire set of ZeuS source code leaked, likely due to Slavik having handed the source to some of his not-so-careful customers/friends. This proved to be a very interesting period both in the cyber crime market and in the cyber security industry; now, anyone could develop their own MitB malware kit, modify it, and create nuances or even new families of it. Fox-IT saw open source MitB products become real solutions in their own right, Ice-IX and Citadel being two examples.

On the other side of the coin, some variants tried to improve upon the original ZeuS encryption methods but failed miserably. While all this is going on with ZeuS, SpyEye was still on the scene, though the development of the kit also started to falter. Eventually the market would see the introduction of SpyEye v1.3.4.8. This would be the last version of SpyEye to appear, and Gribodemon was never to be heard from again.

The researchers at Fox-IT kept following Slavik and discovered that he had in fact given his crown jewels to Gribodemon. But while it appeared on the surface that Slavik had given up on ZeuS and the business of cyber crime, this was far from the case. In fact, Slavik had some clever business plans up his sleeve.

Thanks for the gift horse

As it turns out, Slavik had been working on a new version of ZeuS all along, a version that would equate to a ZeuS v2.1. This new version, however, was never sold by Slavik as a kit. Nor was this new version ever delivered to Gribodemon. As he transitioned the source code to v2.1, Slavik redefined the market, converting his perpetual license software and business model into one based on a subscription model delivered via the cloud. ZeuS v2.1, which became v3 in September 2011, became the first online banking malware to be offered as a service -- the industry's first "MaaS" (malware as a service).

With this new release, ZeuS v3 also included peer-to-peer as a command and control protocol, and Slavik began referring to his new ZeuS v3 creation as P2PZeuS. Suddenly, the real reasons behind the silence in development and competition-turned-coopetition became evident: Slavik was tired of selling software as a kit. As more and more people joined his client base, the more time he had to spend supporting them.

[Cyber crime trends point to greater sophistication, stealthier malware, more encryption]

According to underground chatter analyzed by Fox-IT, some of the people purchasing his kit had no clue as to what they were doing; their attacks would fail, and they would blame Slavik's software. Slavik was forced to go underground to undo the damage caused by these claims, turning the blame back around to the "idiotic" customers. It is suspected that this was extremely time-consuming, exhausting, and left Slavik susceptible to attack and piracy.

With his new MaaS business model, Slavik could own the infrastructure and control how the software was used. In this environment, his customers were less likely to make mistakes and less likely to lash out at Slavik and his wares. It turns out that the  handoff of the perpetual kitwas simply a way for Slavik to transfer the ongoing, overwhelmingly expensive support for the ZeuS kit over to Gribodemon so Slavik could focus on his new business model.

With the new service up and running, Slavik didn't join Gribodemon as described underground. Instead, he became part of a gang using P2PZeuS to go after high-value accounts. Fox-IT has some individual examples where the gang targeted some large amounts. In September 2012, there was an attempt to steal $465K from a small U.S. company and send the fund to an account in a Chinese bank.

In a second example, also from September 2012, a U.S. printing company was hit by an attempt for no less than $2 million -- with plans for the money to be transferred (presumably through Cyprus) back to the gang. Fox-IT also found information supporting the theory that large attempts like these were tried more often around that date. For both examples, Fox-IT can't confirm if they were ultimately successful.

However, it is known that P2PZeuS was successful in pulling off many heists like these. With large sums like these in the cards, Slavik made more money as part of the gang than he could have by selling and supporting his malware kit on the black market. Slavik benefitted tremendously through his decision to steal away to work on P2PZeuS and to use it himself with his gang while also renting it out to friends and family.

By moving away from the ZeuS kit, Slavik also alleviated the unwelcome attention associated with the underground chatter. Perhaps worth more than the cost savings associated with eliminating the support efforts was the hand-off of the FBI-oriented attention to this cyber criminal activity. Gribodemon may have done well to look a little closer at the mouth of that gift horse. Since the transfer of the kit and the added attention from the FBI transferred to Gribodemon, the market has no longer seen anything from Gribodemon. He is no longer active on the scene; it is presumed he has retired -- or vanished.

Riding the horse of greed across the finish line

In 2012, a new Trojan appeared on the scene. Trusteer analyzed the loader component of the Trojan and found it was very similar to the loader component contained within Silon. Since T comes after S, this new Trojan became known as Tilon.

In the fall of 2013, Fox-IT gained access to the infrastructure and source code for Tilon and performed a deeper analysis of the Trojan and its supporting infrastructure. As it turns out, the loader component was the only piece to be derived from Silon; the core of the Tilon solution is actually a re-worked, further-developed version of SpyEye-- a SpyEye version 2 now offered as, you guessed it, a managed service.

[Cyber crime: Still only a tiny percentage of GDP, but it's growing]

One proof point of the many findings that Fox-IT uncovered is the fact that SpyEye  routinely referred to "sausages" and "sausage patterns" as part of the malware. When victims log in, SpyEye would steal little snippets of Web forms and URLs as a means to extract usernames and passwords. These bits of data were called sausages, and the regular expressions used to read them were called the sausage patterns. Tilon, or SpyEye v2, referred to the same exact elements.

Also of interest is that the first versions of Tilon include functionality to remove the SpyEye malware while not touching any other malware found on the system, including ZeuS. Some Tilon customers were invited to switch to v2 with an auto-upgrade. While some customers were invited to switch, most weren't. It is suspected by Fox-IT that if a lot of people were invited, the word would have gotten out that this new Trojan was in fact the next version of SpyEye.

Gribodemon also shared the same problems as Slavik in terms of customer support and therefore took this opportunity to leave "idiotic" customers behind. Both guys were there from the very beginning -- ZeuS and SpyEye were the two crimeware kits that started it all. Slavik kicked it off, Gribodemon entered as a worthy competitor to help establish it, and the rest of the players filled in the gaps to complete the creation of the market. However, after a long run by both, it seems that both Slavik's and Gribodemon's businesses have come to a halt.

There have been huge takedown operations for P2PZeuS. While Slavik has not been arrested, he has been identified by the FBI and is now on the FBI's most wanted list. According to Fox-IT, the FBI knows his address and that he has a boat somewhere on the Black Sea. He appears to be lying very low at the moment, doing nothing around banking malware. He must realize that he can't leave Russia without risking arrest.

Gribodemon went on holiday to the Dominican Republic. He was eventually arrested and extradited to the United States, where he awaits trial. The crime: Authoring the SpyEye malware kit. It's not certain if he will be convicted of SpyEye2 as well, but time will tell. Interestingly, Tilon (SpyEye2) went dark very soon after the arrest of Gribodemon. Both systems remain offline.

Select a viable alternative

It wasn't just these two businesses that were affected by the crackdown. Development on the Citadel code base also stopped, with the latest version seeing the light of day in late 2012. Fox-IT finds that the cyber criminals using Citadel are looking for a viable alternative as the outdated Citadel browser hooking code no longer works on the latest versions of FireFox and Chrome, making it virtually impossible for the attacks to succeed at scale.

Fox-IT sees a lot of cyber criminals switching to KINS. Much like Citadel, KINS is based on the ZeuS source code. Often referred to as VMZeuS in the security world, the author first named his malware KINS, for Kaspersky Internet Non Security. Later, it was renamed to Kasper Internet Non Security, leaving a subtle reference to a friendly ghost.

Malware analysts are very interested in the KINS configuration as it defines which financial institutions get targeted. As a means to shield the configuration from the deep-probing malware analysts, if the KINS malware recognizes it is being used by a researcher, the malware won't actually start or load.

[Security pros talk about playing defense against cyber crime | Businesses can do more in battle against Gameover Zeus-like botnets]

KINS has also implemented a virtual machine that hosts its configuration information in encrypted form and uses additional measures to determine if it has been compromised before decrypting and presenting the configuration. The use of the virtual machine is what gives this malware its alternative VMZeuS moniker. These are just a few of the most recognizable options available on the market. Fox-IT is tracking many more.

(Cyber) business lessons learned

It would be difficult to determine whether or not these cyber criminals purposefully followed any documented business best practices, but they did employ some as described below:

Follow the leader: Gribodemon saw the success of the ZeuS malware kit and introduced a competitive product that at first didn't have the best quality. However, it worked well enough to get people to consider his product and pay him money. It also enabled him to iterate in order to establish a solid foothold in the market.

Price to gain market share: Gribodemon first grabbed the mindshare of market due to his extremely competitive pricing. This afforded him the ability to gain net new customers and even steal some customers away from Slavik.

Embrace price elasticity: As his product quality improved, Gribodemon was able to increase the price of his wares -- more than double -- while remaining extremely competitive compared to Slavik's offering.

Conduct a competitive takeout: Gribodemon initiated the competitive takeout method as a means to make it easy for Slavik's customers to switch to SpyEye. In a bit of back-and-forth, Slavik employed the same method in response to Gribodemon's takeout campaign, making it easier for each other's customers to switch back-and-forth.

Conduct a competitive upgrade: To capitalize on the success of the actual ZeuS botnet functionality, Gribodemon took advantage of the ZeuS configuration, giving the new customer immediate access to all of the hooks, knowledge, and connections the ZeuS botnet had already gained through its host.

Tough market? Change it: Experiencing pain coming from two sides -- the competition and the customer -- Slavik saw there was a need to change the game. To do this, he handed the expensive and exhausting customer support over to Gribodemon and changed the delivery model of his product from a perpetual kit to software-as-a-service. This forced Gribodemon and the rest of the players to chase a new horse.

Keep your friends close and your enemies closer: With the market's two leaders now on the sidelines, it will be interesting to see how new business leaders, new businesses, and new technologies will surface, battle each other, align with each other, and ultimately drive each other to the legal edge. Until that story is written, I suggest the world's financial institutions continue to beef up their anti-fraud programs to protect their systems--and their money--from these bots.

Sean Martin is an information security veteran of nearly 25 years and a four-term CISSP with independent articles published globally covering security, cloud, mobile, networking, virtualization, risk, governance, and compliance--with a focus on specialized industries such as government, finance, healthcare, law, and the supply chain.

This story, "The Zeus botnet and the making of a cyber crime market" was originally published by CSO.

From CIO: 8 Free Online Courses to Grow Your Tech Skills
Join the discussion
Be the first to comment on this article. Our Commenting Policies