Executive Perspectives

Teaching Old Malware New Tricks

Why Carberp, ZeuS, and Other Vintage Malware Have a Bigger Bite Than You Think

(First in a three-part series)

As a sales engineer working at FireEye, I spend my days running production pilots with prospects, discussing advanced persistent threats (APTs), customer’s security posture, and the current advanced threat. While the focus here at FireEye is all about detecting the zero-day or advanced targeted attacks, I’m constantly surprised by how much plain old “commodity malware” or “crimeware” I find in networks.

I shouldn’t see these malicious files at all on networks supposedly protected by traditional defenses: next-generation firewalls, intrusion prevention systems, network anti-virus, secure web gateways, and so on. If these products are working as advertised, then the only malware left to discover should be the APT or zero-day attacks detected by our advanced technology.

The unfortunate reality is that relics such as ZeuS/Zbot, Ice IX, Carberp, and even Conficker are regularly spotted by FireEye in the field. These are all “mature” malware families — ostensibly defanged, if not vanquished, by traditional defenses long ago.

As the leak in June of Carberp’s source code reminds us, the line between “crimeware” (banking Trojans and other commodity malware) and APTs is blurry. And it doesn’t take a lot of technical savvy to use old-school malware in fresh new APT campaigns.

Supposed you are Bad-Guy Bob and want to steal inside information about Foo Corp.’s rumored takeover of Bar Inc. You have several options:

  1. Launch an attack using social engineering: send a targeted email with a URL that links to a zero-day exploit and a custom-built, never-before-seen malware payload
  2. Compromise a well-known website used by your targets and use it to host your custom exploit and malware payload
  3. Go shopping:

(~bob@evil.org) joined #secret_hacker_chat.

<bob>   Hey guys. Does anyone have any bots at Foo Corp?

<h4x0r> Yeah – I’ve got six. Two in R&D, one I think in Finance

and a few others.

<bob>   Good. I’ll buy them from you… How much?

 

In many cases, it really is as simple as option 3. Systems already comprised by old malware are available, for the right price, to use in targeted attacks. And as I witness every day in my line of work, an alarming number of systems are compromised.

Take ZeuS, for example. The ZeuS botnet family, known for the most part as a “Banking Trojan,” was first seen in 2007 [1]. It grew more widespread and by 2009 controlled 3.6 million U.S. PCs [2]. The ZeuS source code leaked into the public domain in August 2011, which led to new variants offering features such as peer-to-peer botnet communication.

Today, I see infections by ZeuS or one of its variants in almost every company I visit. It has a number of well-known offshoots (Citadel, Ice IX, Wsnpoem), and features prominently in news stories about high profile takedowns of botnets [3].

One of the fascinating aspects of ZeuS is just how resilient it has been. Data provided by the Zeustracker site [4], which compiles information about known and submitted ZeuS infections, shows the malware’s astounding knack for evading anti-virus systems.

As Table 1 shows, 3,416 samples — about 42% percent of the ZeuS-related samples submitted to malware analysis website VirusTotal — evaded 80 percent or more of the site’s anti-virus engines. And 626 samples, or about 7 percent of the total, remained undetected by any of the anti-virus engines.

VirusTotal, a free Google-owned service, lets users upload file sample and have them tested for malicious activity. It's important to note that using VirusTotal is illustrative and should not be thought of as a way to determine the absolute efficacy of AV. However, it can give us an indication.

Percentage of anti-virus

engines that detected

Number of ZeuS Binaries
100%47
90%585
80%643
70%514
60%551
50%741
40%678
30%968
20%1613
10%1177
0%626

Table 1: ZeuS detection rate for samples submitted to VirusTotal.

The upshot is clear: Shrugging off the threat posed by older malware (“But it’s only a ZeuS infection…”) is not just risky. It’s downright foolhardy.

Up next: Build your own ZeuS-based botnet in just 15 minutes.

[1] Reuters. “Hackers steal U.S. government, corporate data from PCs.” July 2007.

[2] University of Alabama at Birmingham. “UAB computer forensics links internet postcards to virus.” July 2009.

[3] Microsoft. “Microsoft, financial services and others join forces to combat massive cybercrime ring.” June 2013.

[4] http://zeustracker.abuse.ch