The Zeus Trojan is well known for its role in cyber crime, where it lets criminals steal millions of dollars every year. Financial theft, however, is not the only use Zeus offers miscreants.
The amount of money presently being stolen by cyber criminals is astronomical, and yet there has been relatively little outcry or action. The money made from cyber crime currently outstrips that made by the narcotics trade.
“Just one of the Zeus controllers steals about $10 million a week from the United States,” according to Gary Warner, director of research in computer forensics at the University of Alabama at Birmingham.
Conducting crime through cyberspace lets criminals operate with relative anonymity, and from nations that do not actively shut down cyber crime networks. As of last week, the Zeus Tracker, based in Switzerland, documented 694 active command and control servers for the Zeus Trojan, which amounts to 694 active botnets last week when one botnet is counted per control server.
However, a large number of botnets does not necessarily mean a large number of handlers. Based on extensive research at the University of Alabama at Birmingham, over half of the domains used for Zeus command and control were registered by a single account, meaning one individual controlled over half of the botnets.
The researchers first asked themselves, “How do we turn lists into intelligence?” To answer that, they examined domain name registration and IP address registration records to work out who was operating the various Zeus botnets.
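The registration pivot described above, as an added example that is not the UAB researchers' tooling and uses no real Zeus Tracker data: each command and control domain is joined with its WHOIS registrant contact and the IP it resolved to, and domains that share either value are linked into one cluster. The record fields, the feed contents and the privacy-proxy contact are all constructed for illustration. The one caveat a practitioner hits immediately is built in: a WHOIS privacy service puts the same contact on thousands of unrelated domains, so that contact must be excluded as a linking pivot or every proxied domain collapses into one bogus "operator".

```python
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Sequence, Set, Tuple


@dataclass(frozen=True)
class C2Record:
    """One C2 indicator joined with its registration data (field names are assumed)."""
    domain: str
    registrant_email: str  # registrant contact from domain WHOIS
    ip: str                # A record observed for the domain
    asn: int               # AS announcing that IP (from IP registration / routing data)


# WHOIS privacy services put the same contact on thousands of unrelated
# domains, so that contact must never be used to link two domains.
PRIVACY_PROXY_CONTACTS = {"privacy@proxy.example"}

# Constructed sample feed (RFC 5737 addresses, reserved .example names); not real Zeus data.
SAMPLE_FEED: List[C2Record] = [
    C2Record("a1.example", "a@mail.example", "203.0.113.10", 64500),
    C2Record("a2.example", "a@mail.example", "203.0.113.11", 64500),
    C2Record("a3.example", "a@mail.example", "198.51.100.5", 64501),
    C2Record("b1.example", "b@mail.example", "198.51.100.5", 64501),  # shares a3's IP
    C2Record("c1.example", "c@mail.example", "192.0.2.20", 64502),
    C2Record("c2.example", "c@mail.example", "192.0.2.21", 64502),
    C2Record("d1.example", "d@mail.example", "192.0.2.99", 64503),
    C2Record("e1.example", "privacy@proxy.example", "203.0.113.77", 64504),
    C2Record("f1.example", "privacy@proxy.example", "203.0.113.78", 64504),
]


class DisjointSet:
    """Union-find over domain names."""

    def __init__(self) -> None:
        self.parent: Dict[str, str] = {}

    def find(self, x: str) -> str:
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a: str, b: str) -> None:
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[ra] = rb


def cluster_c2(records: Sequence[C2Record],
               pivots: Tuple[str, ...] = ("registrant_email", "ip")) -> List[Set[str]]:
    """Link domains that share any pivot value; return clusters, largest first.

    ASN is deliberately not a default pivot: one hosting AS serves many
    unrelated tenants, so it would merge clusters that have nothing in common.
    """
    ds = DisjointSet()
    first_seen: Dict[str, Dict[str, str]] = defaultdict(dict)  # pivot -> value -> domain
    for rec in records:
        ds.find(rec.domain)  # register the domain even if it links to nothing
        for pivot in pivots:
            value = str(getattr(rec, pivot))
            if pivot == "registrant_email" and value in PRIVACY_PROXY_CONTACTS:
                continue
            if value in first_seen[pivot]:
                ds.union(rec.domain, first_seen[pivot][value])
            else:
                first_seen[pivot][value] = rec.domain
    clusters: Dict[str, Set[str]] = defaultdict(set)
    for rec in records:
        clusters[ds.find(rec.domain)].add(rec.domain)
    return sorted(clusters.values(), key=len, reverse=True)


def largest_cluster_share(records: Sequence[C2Record],
                          pivots: Tuple[str, ...] = ("registrant_email", "ip")) -> float:
    """Fraction of all C2 domains attributable to the single largest operator cluster."""
    if not records:
        return 0.0
    return len(cluster_c2(records, pivots)[0]) / len(records)


if __name__ == "__main__":
    for cluster in cluster_c2(SAMPLE_FEED):
        print(sorted(cluster))
    print(f"largest cluster: {largest_cluster_share(SAMPLE_FEED):.0%} of domains")
```

On the constructed feed, pivoting on the registrant contact alone attributes three of nine domains to one operator; adding the shared IP pulls b1.example into the same cluster, raising it to four of nine, while the two privacy-proxied domains stay separate. On a real feed the same code would answer the question in the text: what share of the control domains one registrant account holds.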
Perhaps of greatest concern is how Zeus could be leveraged by foreign intelligence organizations. The information collected by the Zeus Trojan could provide such agencies with valuable intelligence snapshots and patterns.
The Zeus program works as a key logger, capturing keystrokes and transmitting them to the command and control server. The Trojan also lets its operators load any additional malware onto an infected machine.
Zeus operators are also capable of targeting government organizations with increasingly sophisticated attacks. In one attack on a government, the infected computers had their hard drives scanned and the results sent to a computer in Belarus.
Warner is concerned with the threat posed by Zeus’ espionage capabilities. “Our best hope at the moment is that the enemy is drowning in data,” he said.
There have already been several incidents that point to the involvement of FAPSI, Russia's counterpart to the NSA, in cyber espionage operations. In 1998, the German satellite ROSAT was rendered useless when it was hijacked and turned towards the sun. The resulting investigation found that FAPSI had likely acquired the information held by the satellite.
In a recent string of credit card fraud cases in Europe, the criminal gang involved in the theft was linked to FAPSI. According to Jan Eivind Fondal, director of risk management at Europay Norge in Norway, “We’ve seen techniques that could only have come from FAPSI.”