Abstract
Computer networks and communication systems have become the backbone of business and play a crucial role in meeting the necessities of daily life. Because we share cyberspace for so much of that life, everyone, from businesses to private individuals, needs a cyber environment that is flexible and easily accessible but also reliable and secure. Banking and e-commerce, online shopping and entertainment are only some of the daily activities that rely on this shared space. As a result, our personal data is scattered across many locations within it, and there is always a risk that someone steals confidential data by gaining unauthorized access to the systems that hold it. To prevent such access and to preserve the integrity of our data, we need a secure cyberspace.
Cybersecurity is not limited to an advanced understanding of computer systems, data and networking; it also involves the mathematics of cryptography and enough understanding of social and organizational behaviour to follow business processes and organization theory. According to experts, the security issues and threats we face today will differ drastically from those we will face five years from now. An effective approach to learning, adaptability to new realities and a quick grasp of their impact therefore make a security expert more effective. Attackers use many different methods to gain unauthorized access to data and to exploit systems.
This report is based on a project that set up a Zeus botnet in a virtual network in order to learn the procedures and methods used to gain unauthorized access to someone's confidential data, or to exploit their systems, using other people's computers while concealing the actual attacker's identity. By understanding these processes we can develop effective methods and approaches for securing our systems. The report explains the concepts and the practical work involved in reaching this goal. Information for the concepts and further details has been gathered from books, internet resources and class lectures, and wherever the report draws on the work of others, those sources are clearly acknowledged.
Table of Contents
Abstract
1.0. Introduction:
2.0. Cybersecurity:
2.1. Complexities in Defense against Attacks:
3.0. Classes of Malicious Software:
3.1. Virus:
3.2. Worms:
3.3. Trojans:
3.4. Bots:
4.0. Botnet:
4.1. Uses of Botnets:
4.2. Types of Bots:
4.3. Types of Botnets:
5.0. Zeus Botnet:
5.1. Overview of Zeus CNC control panel:
5.2. Zeus bots activities:
5.2.1. Intercepting HTTP/HTTPS requests:
5.2.2. Webpage injections:
5.2.3. Gathering information from users' programs:
5.2.4. Control panel script commands:
6.0. Requirements to create Zeus botnet:
6.1. Zeus botnet files:
7.0. Zeus botnet implementation:
7.1. Database configuration:
7.2. Configuration of Zeus builder:
7.3. Creating Trojan horse:
7.4. Gathering information from zombie machine:
7.4.1. Grabbing information from forms:
7.4.2. Executing scripts:
8.0. Detecting and deleting Zeus bot:
8.1. Windows default programs behavior:
8.2. Malware detection software:
9.0. Summary:
References
1.0. Introduction:
The internet has become an essential part of human life, and a shared cyberspace is used to interact with the rest of the world. Incidents such as theft of confidential data, outages, virus and malware infections and hacking can therefore gravely affect our lives. Opportunities to exploit systems grow with the advent of newer technologies, and processing and storing confidential data in many different locations and transmitting it across multiple networks calls for stronger security measures and safeguard policies to prevent potential cyber attacks.
There are many cybersecurity threats that need attention on a daily basis. Important ones include your PC being used, without your knowledge, to launch botnet attacks on other networks; viruses and malware that crash complete systems; illicit access to your resources and modification of your data; theft of bank account and credit card information; and identity theft.
To secure cyberspace we need to ensure that the security properties of the assets of both organizations and users are established and maintained appropriately, so as to minimize cybersecurity threats. No matter how effective the security measures taken, 100% security is not attainable. Several safeguard policies can, however, be implemented to minimize the risk.
This report discusses some cybersecurity terms and key threats. It then covers the technical details of the Zeus botnet and its functionality, based on an implementation of a Zeus network in a lab environment, and explains step by step how Zeus was configured in that virtual lab. Finally, the report illustrates some methods for detecting Zeus and limiting the damage it causes, followed by a summary of the whole report.
2.0. Cybersecurity:
Security, in a general sense, is the quality of being free from danger, or the degree of resistance to threats. Cybersecurity is a combination of processes and policies, risk management strategies, safeguard principles and best practices used to design and implement modern tools and technologies that secure our cyberspace and assets. Integrity and protection of information can be achieved by detecting attacks as well as by applying suitable prevention mechanisms that eliminate threats and minimize risk.
Perfect security is impossible, however, because security is a process rather than an absolute state. There should be a reasonable balance between protection and availability, achieved by allowing reasonable access to resources at a defined level of security while minimizing the risk from potential threats.
Cyberspace comprises user and organizational assets including, but not limited to, telecommunications infrastructure, applications and services, connected systems and devices, and the data stored in or transmitted through it.
2.1. Complexities in Defense against Attacks:
One of the major causes of the increase in cybersecurity breaches is the growth in computing power combined with the number of vulnerabilities in software systems. The simplicity and easy availability of exploitation tools also allow attackers to attack cyberspace assets without much knowledge or skill, whereas security professionals must be skilled enough and aware of every kind of potential attack to prevent malicious activity on their networks and systems. The main complexities in defending against attacks are listed below.
- Even attackers with little skill can cause considerable trouble because exploitation tools are simple and easy to obtain.
- The flexibility of exploitation tools allows the same attack to be carried out in different ways, making attacks harder to recognize.
- Because devices are connected globally, an attack can be launched by anyone from anywhere in the world.
- Attack speed has increased: many computers can be targeted at the same time.
- Attacks are distributed: one network or system is attacked by many infected machines at once.
- Security holes and vulnerabilities in both hardware and software systems are discovered ever more quickly.
- Delayed or inadequate release of security patches leaves products weak.
- Users must take crucial decisions with minimal guidance, which often creates confusion.
3.0. Classes of Malicious Software:
The damage caused by malware ranges from minor irritation to destroying data, disabling systems and stealing confidential information. Malware acts on the software, firmware and data of a system rather than on the hardware itself; it does not break hardware directly, although malware that rewrites firmware or drives industrial equipment (Stuxnet, mentioned below) can cause physical damage indirectly.
Common types of malware include viruses, Trojans, worms, back doors, spyware, bots and adware. The major classes are described below.
3.1. Virus:
A virus is malicious software that propagates by inserting a copy of itself into another program. Viruses are usually attached to executable files and stay inactive until the user runs the infected program. A virus spreads from computer to computer, leaving infections behind, whenever an infected program is transferred over any communication channel. Its severity ranges from mild annoyance to data loss or denial-of-service conditions.
3.2. Worms:
Like viruses, worms replicate themselves and cause the same kinds of harm. Worms, however, are standalone programs and need neither a host program nor human interaction to propagate. They spread either by social engineering that tricks users or by exploiting vulnerabilities on the target system, and then travel using the file or information transport features of the network.
3.3. Trojans:
A Trojan is malware that looks legitimate but is harmful. Users are tricked into loading and executing it on their systems, after which it attacks the infected host: damaging data, stealing information and/or activating or spreading other malware. Most often, Trojans are used to create back doors that give malicious users access to the system. Rather than reproducing by infecting other files or by self-replication, Trojans spread through user interaction, such as opening an email attachment or downloading a program from the internet.
3.4. Bots:
In general, a bot is an automated process that interacts with other network services; information gathering, interaction with dynamic websites and automated interaction with Internet Relay Chat (IRC) or Instant Messaging (IM) are common legitimate uses. In the malware sense, a bot is malicious software (sometimes self-propagating, sometimes delivered as a Trojan) that infects a host and connects it back to a command and control (C&C) server, creating a network of compromised devices commonly known as a botnet.
Attackers can use such a network to launch remotely controlled, broad-based flood-type attacks against their targets. Bots can capture and analyze packets, gather credentials and log keystrokes, collect financial information, relay spam, open back doors on infected systems and launch denial-of-service attacks.
4.0. Botnet:
A botnet is a network of infected computers (also known as zombies) under the control of a botmaster (a human operator). Malware distributed by criminals turns a computer into a bot, which then performs automated tasks over the internet without the owner's knowledge. Botnets are used to spread malware, attack networked devices, send spam, commit identity theft and carry out other crimes.
Because of their size, botnets pose a severe threat even when only DoS attacks are considered: the combined bandwidth of even a small botnet of 1000 bots is enough to cause serious trouble. The calculation below shows that the combined upstream bandwidth of 1000 bots is approximately 128 Mbps, more than the internet connection of many organizations.
Average upstream bandwidth of one home PC = 128 kbps
Combined upstream of 1000 PCs = 1000 x 128 kbps = 128 Mbps
Furthermore, because the bots are spread across many IP addresses, filters are difficult to construct, deploy and maintain.
Bots create background noise on the internet, particularly on TCP ports 445 and 135, because of the way many of them propagate: TCP port 445 is used for resource sharing (Microsoft-DS, i.e. SMB over TCP) and port 135 by the Microsoft Remote Procedure Call (RPC) endpoint mapper.
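The 445/135 noise described above is visible in ordinary firewall or flow logs, and it can be turned into a detection: a bot that spreads by scanning for exposed SMB and RPC services touches many distinct hosts on those ports in a short time, whereas a legitimate client talks to a handful of servers repeatedly. The following Python is an added example, not code from the report; the log format and every address in it are constructed for the demonstration, and parse_flows() would be adapted to a real firewall or NetFlow export.

```python
"""Added example: fan-out detection for bots that spread by scanning TCP/445 and TCP/135.

Not from the report. The log format and every address below are constructed
for the demonstration; adapt parse_flows() to your firewall or NetFlow export.
"""
from collections import defaultdict

# Constructed sample flow records (one per line): time src dst dport proto.
# 192.168.1.20 fans out across the subnet on 445/135 like a propagating bot;
# 192.168.1.50 talks repeatedly to one file server, which is normal SMB use;
# 192.168.1.60 does a DNS lookup and should be ignored.
SAMPLE_LOG = """\
10:00:01 192.168.1.20 192.168.1.21 445 tcp
10:00:01 192.168.1.20 192.168.1.22 445 tcp
10:00:02 192.168.1.20 192.168.1.23 445 tcp
10:00:02 192.168.1.20 192.168.1.24 135 tcp
10:00:03 192.168.1.20 192.168.1.25 445 tcp
10:00:03 192.168.1.20 192.168.1.26 445 tcp
10:00:03 192.168.1.20 192.168.1.27 445 tcp
10:00:04 192.168.1.20 192.168.1.28 445 tcp
10:00:04 192.168.1.20 192.168.1.29 445 tcp
10:00:05 192.168.1.20 192.168.1.30 135 tcp
10:00:05 192.168.1.20 192.168.1.31 445 tcp
10:00:06 192.168.1.20 192.168.1.32 445 tcp
10:00:01 192.168.1.50 192.168.1.10 445 tcp
10:00:02 192.168.1.50 192.168.1.10 445 tcp
10:00:07 192.168.1.50 192.168.1.10 445 tcp
10:00:08 192.168.1.60 8.8.8.8 53 udp
"""

PROPAGATION_PORTS = {445, 135}  # Microsoft-DS (SMB) and the RPC endpoint mapper


def parse_flows(text):
    """Yield (time, src, dst, dport, proto) tuples from the constructed log format."""
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, dport, proto = line.split()
        yield ts, src, dst, int(dport), proto


def fan_out_by_source(flows, ports=PROPAGATION_PORTS):
    """Map each source to the set of distinct destinations it hit on the given TCP ports."""
    targets = defaultdict(set)
    for _, src, dst, dport, proto in flows:
        if proto == "tcp" and dport in ports:
            targets[src].add(dst)
    return targets


def suspicious_sources(text, threshold=10):
    """Return sources that touched at least `threshold` distinct hosts on 445/135.

    Distinct destinations, not packet counts, are what separate a scanning bot
    from a busy but legitimate SMB client. Legitimate scanners (vulnerability
    scanners, patch-management servers) trip this too and belong on an allow-list.
    """
    fan_out = fan_out_by_source(parse_flows(text))
    return sorted(src for src, dsts in fan_out.items() if len(dsts) >= threshold)


if __name__ == "__main__":
    for src in suspicious_sources(SAMPLE_LOG):
        print(f"possible propagating bot: {src}")
```

The threshold is deliberately a count of distinct destinations rather than of packets: the file-server client in the sample sends the same number of SMB connections as a scanner would in a few seconds, but all to one host.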
4.1. Uses of Botnets:
Botnets are tools used with different motives, most commonly monetary gain or destruction. Common uses of botnets include:
- Spreading malware
- Distributed denial-of-service attacks
- Sniffing traffic
- Mass identity theft
- Spamming
- Keylogging
- Google AdSense abuse
- Installing advertisement add-ons and Browser Helper Objects
- Attacking IRC chat networks
- Manipulating online polls and games
This list shows that botnets can be employed for large-scale destruction and criminal acts while making the threats to target systems difficult to prevent.
- Mytob (first malware to combine the features of a bot and a mass-mailer)
- Storm Botnet (an early, very large peer-to-peer botnet with decentralized command)
- Zeus Botnet (the "king" of botnet kits)
- Ikee (iPhone worm that spread to jailbroken phones still running SSH with the default root password; mostly a nuisance)
- Operation Aurora (an early advanced persistent threat, APT)
- Stuxnet (spread via infected USB drives and targeted industrial control systems)
- Flashback (Mac OS X Trojan that spread through a Java vulnerability)
5.1. Overview of Zeus CNC control panel:
The Statistics page is divided into Summary and OS sections. The Summary section shows the total number of reports, bots and bot versions, as well as the current botnets, new bots and bots currently online. The OS section shows which operating systems the bots run on.
The Bots section of the Botnet page lists all information about the bots and can be filtered by different parameters. Bot actions are also available from this page; for example, we can request the full information and a screenshot from an infected machine. The Scripts section allows scripts to be run on selected bots.
The Reports page is mainly used for searching the database, by bot, botnet, IP address or country. The search results contain the information the bot gathered from the zombie machine. The CNC server can also send notifications to the operator's Jabber client, for example when a user on an infected machine visits an online bank.
The System page holds the general information and options of the Zeus CNC, and is where the users who operate the botnet and control panel are created and modified.
5.2. Zeus bots activities:
The Zeus bot runs on Windows Vista and 7 even with UAC enabled, and it can run with minimal (guest) privileges, although it is then still able to infect every user on the zombie machine. When installed, the bot copies itself into the user's home directory. Its session with the server runs inside whitelisted applications (Zeus injects its code into trusted processes), which allows it to bypass some firewalls. The bot sends its data over HTTP; all data is encrypted (RC4) with a key fixed when the bot was built.
When the bot executes successfully on the victim's machine, it contacts the website stored in its configuration and downloads a new encrypted configuration file. It also opens a back door for exchanging information with the CNC server: configuration updates come down and stolen information goes up. The bot starts grabbing financial information as soon as the user types a credit card number, and it can take real-time screenshots and read cookies and digital certificates.
Communication between the zombie machine and the command server proceeds in several steps (see figure).
6.0. Requirements to create Zeus botnet:
The following software was used:
- IIS 7
- DNS and DHCP
- MySQL Community 5.6.14.0
- PHP 5.3.27 (Win32, VC9, x86)
- phpMyAdmin 4.0.8-rc1
- Firefox browser, used to configure the bot server
It is preferable to use a Windows Server 2008 machine with at least the following configuration:
- 2 GB of RAM
- 2 CPUs
- 7200 RPM HDD
For the HTTP server we used IIS on port 80 or 443. It is recommended not to run PHP as CGI. The following parameters were set in the PHP configuration file (php.ini):
safe_mode = off
magic_quotes_gpc = off
magic_quotes_runtime = off
(safe_mode and the magic_quotes directives are deprecated in PHP 5.3 and were removed in PHP 5.4, so these settings only apply to the PHP 5.3 version listed above.)
7.2. Configuration of Zeus builder:
To configure the builder we run the Zeus builder program (see screenshot below) and point it at the source configuration file and the encryption key. Running the builder produces two outputs: the encrypted bot configuration file and the bot executable. The configuration file is uploaded to the web server; the bot executable is what infects the victims' machines so that they can be controlled.
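Both the bot activities in 5.2 (an encrypted configuration downloaded over HTTP and encrypted reports posted back) and the builder step above come down to one symmetric key that the operator chooses and that ends up embedded in the bot. The following Python is an added example, not Zeus code or code from the report: it implements RC4, which Zeus uses, and shows the three uses of the key (builder encrypts the config, bot decrypts it, bot and CNC exchange an encrypted HTTP POST). The config field names are modelled loosely on the builder's config.txt, and the URLs, key and bot identifier are assumptions; the real Zeus container format has additional structure and obfuscation that are not reproduced here.

```python
"""Added example: RC4-keyed configuration and beaconing in the style of Zeus.

Illustrative code, not Zeus source. Field names loosely follow the builder's
config.txt; the key, URLs and bot id are assumed values for the demonstration.
"""
from __future__ import annotations


def rc4_keystream(key: bytes):
    """Standard RC4: key-scheduling algorithm, then an endless PRGA keystream."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """XOR data with the keystream; encryption and decryption are the same operation."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


# Constructed sample config (assumed values; field names loosely follow config.txt).
SAMPLE_CONFIG = (
    b"url_config=http://cnc.example.test/config.bin\n"
    b"url_server=http://cnc.example.test/gate.php\n"
    b"timer_config=60\n"
)
# Assumption: stands in for the encryption key the operator types into the builder.
BUILD_KEY = b"key-chosen-in-builder"


def build_encrypted_config(key: bytes, plaintext: bytes) -> bytes:
    """Builder side: the file uploaded to the web server is the RC4 ciphertext."""
    return rc4(key, plaintext)


def recover_config(key: bytes, blob: bytes) -> bytes:
    """Bot side (or analyst side): the same key turns the downloaded blob back into text."""
    return rc4(key, blob)


def make_beacon(key: bytes, bot_id: str, report: bytes,
                host: str = "cnc.example.test") -> bytes:
    """Bot side: an RC4-encrypted report wrapped in an ordinary-looking HTTP POST."""
    body = rc4(key, bot_id.encode() + b"\x00" + report)
    head = (
        "POST /gate.php HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Content-Type: application/octet-stream\r\n"
        f"Content-Length: {len(body)}\r\n"
        "\r\n"
    )
    return head.encode() + body


def parse_beacon(key: bytes, raw: bytes) -> tuple[str, bytes]:
    """CNC side: check the HTTP framing, decrypt the body, split bot id from report."""
    head, sep, body = raw.partition(b"\r\n\r\n")
    if not sep:
        raise ValueError("incomplete HTTP request")
    length = None
    for line in head.split(b"\r\n")[1:]:          # skip the request line
        name, _, value = line.partition(b":")
        if name.strip().lower() == b"content-length":
            length = int(value.strip())
    if length is None or length != len(body):
        raise ValueError("bad or missing Content-Length")
    bot_id, _, report = rc4(key, body).partition(b"\x00")
    return bot_id.decode(), report


if __name__ == "__main__":
    blob = build_encrypted_config(BUILD_KEY, SAMPLE_CONFIG)
    print(recover_config(BUILD_KEY, blob) == SAMPLE_CONFIG)       # True
    print(recover_config(b"wrong-key", blob) == SAMPLE_CONFIG)    # False
    print(parse_beacon(BUILD_KEY, make_beacon(BUILD_KEY, "BOT-0001", b"os=win7")))
```

The security consequence for both sides is the same: because the scheme is symmetric and the key must be present in every bot binary, an analyst who extracts the key from one sample can decrypt the served configuration and every beacon captured on the wire, while a defender holding only the configuration file or a traffic capture, and not the key, sees nothing but opaque bytes.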
We can also obtain more information from the zombie machine, including real-time screenshots, cookies and the login details for different web pages (see screenshots below).
The information gathered from the zombie machine can be viewed under Reports in the CNC web page. As the screenshot below shows, the Zeus bot successfully grabbed the login information, including the password.
We also added an extra NIC so that the zombie could reach the internet, and captured the login details for a Gmail account as well (see the screenshots below). Capturing an HTTPS login works because the bot hooks the browser's network functions inside the browser process and reads the form data before the browser encrypts it.
On Windows 7 with UAC and the firewall enabled, a Windows Security Alert popped up when the bot executed (see screenshots below). Even after clicking Cancel, however, the Windows 7 machine was infected: the firewall prompt only decides whether inbound connections to the program are allowed, the program itself is already running, and its outbound HTTP traffic to the CNC is permitted by the default firewall policy.
On Windows 8, Windows Defender automatically detected the malware when we copied the "game" from the server, and deleted it. Even with Windows Defender and the firewall disabled, the bot could not be spread to the Windows 8 machine, and that machine never appeared in the Zeus CNC panel.
9.0. Summary:
In brief, there is a vital need to implement and enforce strict security in order to secure our cyberspace and prevent cybercrime. Since new viruses, threats and vulnerabilities appear every day, implementing security policies and managing risk must be a continual process.
Threats will always exist and perfect security cannot be achieved, but the risk can be reduced to a minimum. In particular, to secure our systems against Zeus and other botnets, we need to understand the functionality, the command and control, and the communication process of the zombie machines. Effective security against botnet attacks can only be implemented if we understand the logic and workings of botnets.
References
1. Cisco Systems. (n.d.). What is the difference: viruses, worms, Trojans, and bots? Retrieved Sep 23, 2013, from http://www.cisco.com/web/about/security/intelligence/virus-worm-diffs.html
2. Watson, D. (2009). The Honeynet Project. Retrieved Sep 27, 2013, from http://www.honeynet.org/node/51, http://www.honeynet.org/node/52 and http://www.honeynet.org/node/53
3. Landesman, M. (n.d.). Zeus botnet. Retrieved Oct 01, 2013, from http://antivirus.about.com/od/virusdescriptions/p/zeusbotnet.htm
4. Eco. (2010). Anti-Botnet Advisory Centre. Retrieved Oct 01, 2013, from https://www.botfrei.de/en/index.html
5. Spider Security. (2011). Zeus user guide. Retrieved Oct 03, 2013, from http://www.spidersecurity.org/zeusguide.html
6. Macdonald, D., & Manky, D. (n.d.). Zeus: God of DIY Botnets. Retrieved Oct 12, 2013, from http://www.fortiguard.com/legacy/analysis/zeusanalysis.html