
Zeus Bot Use Case

  • Writer: Pavan Raja
  • Apr 9
  • 3 min read

Summary:

"Zeus Bot Version 5.0" is a document detailing ArcSight's enhancements to its Zeus botnet detection capabilities within the ArcSight Enterprise Security Manager (ESM) software. Released in 2011, this update focuses specifically on improving security measures against the Zeus botnet, which primarily targets banks and steals financial information. The document outlines how ArcSight ESM 5.0 detects the presence of the Zeus Bot, which infects hosts through methods like drive-by downloads, phishing, and PDF exploits. It also explains the characteristics of the Zeus botnet, its various aliases (WSNPoem, NTOS, Zbot), and its cost on the black market. The document emphasizes that ArcSight ESM is crucial for detecting and preventing future attacks by this malware.

Key features include:

  1. Detection via ArcSight ESM 5.0: utilizes real-time network traffic analysis to identify threats like the Zeus Bot.
  2. Zeus Botnet Characteristics: discusses its aliases, its modus operandi affecting banking systems, and its cost on the black market.
  3. Zeus Kit: explains how the bot's traffic is encrypted for evasion, showcasing ESM's capability to monitor such traffic.

The document is part of a series on cyber threat mitigation, demonstrating ArcSight's technological approach to protecting enterprise networks from malware like the Zeus Botnet.

Details:

"Zeus Bot Version 5.0" is a document detailing ArcSight's Zeus Botnet detection capabilities through their ArcSight Enterprise Security Manager (ESM) software. Released on March 1, 2011, this version focuses on enhancing the security measures against the Zeus botnet, which primarily targets banks and steals financial information. The document begins with an overview of cybercrime in general, emphasizing the role of organizations like the FBI in combating such crimes through real-time network traffic analysis. ArcSight's ESM software is presented as a solution that not only monitors current threats but also analyzes past suspicious events to detect and prevent future attacks, including those by the Zeus botnet.

Key features highlighted are:

  1. **Detection via ArcSight ESM 5.0**: The document explains how this version of ESM helps in detecting the presence of the Zeus Bot on a network, a bot that infects hosts through various methods such as drive-by downloads, phishing, and PDF exploits.
  2. **Zeus Botnet Characteristics**: Describes the botnet's known aliases (WSNPoem, NTOS, Zbot), its modus operandi affecting banking systems, and the costs associated with acquiring it on the black market.
  3. **Zeus Kit**: Discusses how the Zeus bot comes in a kit that allows its traffic to be encrypted to evade detection, which makes ArcSight ESM's capabilities even more crucial for thorough network monitoring.

This document is part of a series explaining cyber threat mitigation and showcases ArcSight's technological approach to protecting enterprise networks from malware like the Zeus Botnet.

Zeus is a rootkit malware specifically designed for Windows systems, targeting versions ranging from XP SP2 to Windows 7. It comes in over 3,500 variants and utilizes encryption processes to evade detection. Each variant of the Zeus bot operates at the kernel level, allowing it to hide from most security software. The malware has been found on compromised machines with several file variants, including:

  • %SYSTEMROOT%\system32\ntos.exe, %SYSTEMROOT%\system32\wsnpoem\audio.dll, %SYSTEMROOT%\system32\wsnpoem\video.dll (Variant A)

  • %SYSTEMROOT%\system32\oembios.exe, %SYSTEMROOT%\system32\sysproc64\sysproc86.sys, %SYSTEMROOT%\system32\sysproc64\sysproc32.sys (Variant B)

  • %SYSTEMROOT%\system32\twext.exe, %SYSTEMROOT%\system32\twain_32\local.ds, %SYSTEMROOT%\system32\twain_32\user.ds (Variant C)

The Zeus kit comprises a Control Panel for command and control, a config and loader builder for configuring settings, and a drop zone file primarily written in PHP. The Zeus host includes a config file and a randomly created binary file that is unique to each instance, along with the aforementioned components.

To detect Zeus bot infections using ArcSight's ESM 5.0, look out for symptoms such as HTTP POST requests indicating data being sent from the infected computer to an external resource (usually via forms). If these symptoms are observed, further investigation is necessary to confirm or rule out a Zeus bot infection on the network.

To summarize, the text discusses how a Zeus bot could potentially carry out malicious activities such as:

  • redirecting users to spoofed websites to capture sensitive banking information;

  • communicating via a Jabber client with its command center;

  • altering the local hosts file to redirect users to malicious sites;

  • sending disproportionately more bytes out than it receives during communication.

The conclusion highlights that these are just the tip of the iceberg in terms of the potential threats posed by Zeus bots, and suggests that using ESM can help detect such activities on a network.
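The network and host symptoms above (repeated HTTP POSTs with far more bytes out than in, a tampered hosts file, and the component file names of the three variants) can be checked mechanically. The script below is an added example written for this post; it is not code from the ArcSight document or its author. The proxy-log line format, the hosts file content, the file listing, the `203.0.113.77` address and the `bank.example.com` names are all constructed, and the POST-count and byte-ratio thresholds are assumptions to be tuned against a real baseline.

```python
"""Toy detection logic for the Zeus symptoms described in the post.
Added example; the data and thresholds below are constructed assumptions."""
import re
from collections import defaultdict

# Constructed sample proxy log. The line format is an assumption for this
# example, not ArcSight's event schema:
#   <time> <src_ip> <method> <url> <bytes_out> <bytes_in>
SAMPLE_PROXY_LOG = """\
2011-03-01T10:00:01 10.0.0.5 GET http://news.example.com/index.html 420 58211
2011-03-01T10:00:07 10.0.0.5 GET http://news.example.com/logo.png 380 12044
2011-03-01T10:01:02 10.0.0.9 POST http://203.0.113.77/gate.php 9120 210
2011-03-01T10:01:32 10.0.0.9 POST http://203.0.113.77/gate.php 8860 205
2011-03-01T10:02:02 10.0.0.9 POST http://203.0.113.77/gate.php 9340 212
2011-03-01T10:02:31 10.0.0.9 GET http://203.0.113.77/cfg.bin 310 4096
2011-03-01T10:03:00 10.0.0.7 POST http://bank.example.com/login 1400 35000
"""

# Constructed hosts file showing the "altered hosts file" symptom: bank names
# pinned to an address the bank does not own (203.0.113.77 is a documentation IP).
SAMPLE_HOSTS = """\
127.0.0.1       localhost
203.0.113.77    www.bank.example.com
203.0.113.77    online.bank.example.com   # added by malware
"""
MONITORED_DOMAINS = {"www.bank.example.com", "online.bank.example.com"}

# Component file names of the three variants listed in the post.
ZEUS_FILE_INDICATORS = {
    "ntos.exe", "audio.dll", "video.dll",              # Variant A (wsnpoem)
    "oembios.exe", "sysproc86.sys", "sysproc32.sys",   # Variant B (sysproc64)
    "twext.exe", "local.ds", "user.ds",                # Variant C (twain_32)
}
SAMPLE_PATHS = [                                       # constructed file listing
    r"C:\Windows\system32\ntos.exe",
    r"C:\Windows\system32\kernel32.dll",
    r"C:\Windows\system32\twain_32\user.ds",
]

LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT|HEAD) (\S+) (\d+) (\d+)$")


def parse_proxy_log(text):
    """Turn the sample log into records; lines that do not match are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, src, method, url, out, inn = m.groups()
        records.append({"ts": ts, "src": src, "method": method, "url": url,
                        "bytes_out": int(out), "bytes_in": int(inn)})
    return records


def flag_beaconing_hosts(records, min_posts=3, min_out_in_ratio=5.0):
    """Flag sources that POST repeatedly and send far more than they receive.

    Returns {src_ip: out/in byte ratio} for flagged sources. The thresholds
    are assumptions for the sample data; tune them to your own baseline.
    """
    stats = defaultdict(lambda: {"posts": 0, "out": 0, "in": 0})
    for r in records:
        s = stats[r["src"]]
        if r["method"] == "POST":
            s["posts"] += 1
        s["out"] += r["bytes_out"]
        s["in"] += r["bytes_in"]
    flagged = {}
    for src, s in stats.items():
        ratio = s["out"] / max(s["in"], 1)
        if s["posts"] >= min_posts and ratio >= min_out_in_ratio:
            flagged[src] = round(ratio, 2)
    return flagged


def find_hosts_redirects(hosts_text, monitored):
    """Return (name, ip) pairs where a monitored name is pinned in the hosts file."""
    hits = []
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()      # drop comments and whitespace
        if not line:
            continue
        ip, *names = line.split()
        hits.extend((n, ip) for n in names if n.lower() in monitored)
    return hits


def find_zeus_file_indicators(paths):
    """Return paths whose file name matches one of the listed Zeus components."""
    return [p for p in paths
            if p.replace("/", "\\").rsplit("\\", 1)[-1].lower() in ZEUS_FILE_INDICATORS]


if __name__ == "__main__":
    print("beaconing:", flag_beaconing_hosts(parse_proxy_log(SAMPLE_PROXY_LOG)))
    print("hosts redirects:", find_hosts_redirects(SAMPLE_HOSTS, MONITORED_DOMAINS))
    print("file indicators:", find_zeus_file_indicators(SAMPLE_PATHS))
```

On the sample data only `10.0.0.9` is flagged (three POSTs to the same resource and about 5.85 bytes out per byte in), while the legitimate bank login from `10.0.0.7` is a single POST with a small upload and a large response. The hosts-file and file-name checks are the host-side counterparts of the network symptom; in ESM terms each would feed a separate rule, with the correlation of two or more indicators on the same host being what warrants the follow-up investigation the post calls for.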

Disclaimer:
The content in this post is for informational and educational purposes only. It may reference technologies, configurations, or products that are outdated or no longer supported. If you have any comments or feedback, kindly leave a message and it will be responded to.
