Destroy ZeuS, the 'lord' of banking trojans

For most people, when it comes to sending money in a safe place, a bank is definitely the first choice. Banking services are evolving and now you can make money transfers, withdrawals or other transactions online without having to go to a bank branch.

All these digital advancements make our lives easier, more comfortable. However, it also means it's easier for bank criminals to steal our money. The more the world moves to digital, the more opportunities cybercriminals have to operate.

In this article, TipsMake.com invites you to follow the story of ZeuS, an extremely dangerous banking trojan. It has flourished and stolen hundreds of millions of dollars without most of the victims knowing.

SLAVIK - ZEUS BIRTHDAY

Back in 2006, when the online banking system had only been in operation for about 10 years. Bank fraud is not new and it has been going on for many years but before the digital trend, scammers are also starting to evolve. Now, one's bank account can be hacked by someone somewhere in the world.

A young man noticed this trend. This young Russian boy harbors ambitions to one day get his hands on that inexhaustible source of money. He is young, 23 years old, but full of ambition in his heart. Don't let his age fool you, in his twenties he was a very good programmer with a sharp mind and great calculation ability. After going back and forth, he chose for himself the nickname Slavik.

In October 2006, on the techsupportguy.com support forum appeared a plea from a victim. He said he found strange software on his sister's Windows computer. He asked people if they knew what the software was.

This software is so new, so different that almost no one knows what it is. A number of security researchers sent samples of this software around for questioning, eventually concluding it was some kind of malicious code. They named it WSNPoem after one of the software's folders.

WSNPoem quietly collects data on the victim's computer. It rummages through files, memory, and browsers looking for information like victim names and passwords. WSNPoem sends the collected data to its owner.

It works extremely fast and pays special attention to online bank account logins. From that, it was concluded that WSNPoem is a banking malware with the goal of stealing money from people's bank accounts. At the time, it was rumored that WSNPoem was the product of a Russian hacker group called UpLevel.

Things progressed quite quickly, in June 2007, an upgraded, more efficient variant of WSNPoem was revealed. It is named PRG. In August of that year, a huge database was found for sale on a forum for cybercriminals.

The data associated with this PRG Trojan includes bank account information, card details, social security numbers, usernames and passwords of the victims. An estimated 46,000 victims were attacked.

As of December 2007, the hackers behind PRG and WSNPoem have stolen more than $200,000 from commercial bank accounts across the US, UK, Italy and Spain. Attack method of hackers at that time was also quite simple, they sent malicious code through spam email system, tricked victims to download and install to try to infect as many computers as possible.

Once installed, it will search and collect all the login information stored on that computer. Next, the malware silently waits for the victim to log into the bank account.

As soon as that happens, the malicious code will send a signal to the hacker to let the hacker access the victim's computer to transfer money from their account to the hacker's account as if they were sitting in the same room and sharing the same computer. count. Money is stolen from the account right in front of the victim without them knowing and being unable to do anything about it.

Hackers find that if they improve the malware a bit and scale it up a bit more, they can steal a lot of money. Therefore, they continue to develop their malicious code and hacking skills.

Another six months have passed and experts have discovered a new version of this malicious code with the new name Zbot, short for ZeuS Bot. This time, Zbot attacks the victim in two different directions.

The first direction, as you know, it steals data, steals money in the victim's bank account. The second direction, it turns the victim's computer into a spy machine, a slave computer completely under the hacker's control. Those computers will join a botnet, a giant network of infected computers.

Hackers organize this botnet and then use their power as a formidable force for some shady purposes.

At this point, security experts have also rejected the idea that Zbot is the product of a new hacker group. They are sure that the person behind the ZeuS Bot is the same person who created PRG and WSNPoem. And that person was none other than a Russian boy nicknamed Slavik.

SLAVIK - RULE

In 2008, Zbot officially changed its name to ZeuS, a name Skavik gave it at some point in its development. If you don't know, Zeus is the supreme god in Greek mythology. Zeus is the king of the gods, he is the god of the sky and thunder.

Slavik liked the idea of ​​being a ruler and that's why he named his malware ZeuS. He liked the idea of ​​having a single botnet that would rule them all, and that idea seems to have partially materialized as ZeuS has finally become king of all banking malware.

Not only good at programming, Slavik is also very good at business. He wants to create more sources of income, so he constantly updates and develops ZeuS, adding new features regularly.

Often other malicious code only has one or two versions, developers only need to write it once. But Zeus is different. Slavik distributes ZeuS himself to steal money from his victims, but he also sells it on crime forums and the dark web.

Slavik sells ZeuS to other hackers as a DIY toolkit that allows them to build their own banking trojan botnet. He charges a fee when hackers want to use Zeus but will provide ongoing support if they need it. At that time, many hackers wanted to have the power of a botnet at their fingertips but did not have the skills to build it themselves.

Therefore, ZeuS, with its easy-to-use interface, does not require technical knowledge to spread and can listen to commands from any owner, has become the favorite tool of many hackers. In 2007, a notorious hacker group specializing in stealing banking information via phishing emails called Rock Phish added ZeuS to their arsenal.

With this combination, victims who receive a Rock Phish phishing email will be attacked in two different ways. First, the victim can click on the fake address, visit the fake bank website, and enter the information to have it stolen. If the victim is not deceived in that way, then Zeus will take action, infiltrate and steal your information.

Over time, Rock Phish disappeared to make room for another hacker group, Avalanche. With a structure that includes some former members of Rock Phish, Avalanche also loves using ZeuS and the whole cybercrime community likes ZeuS.

Along with the advancement of security technology, Slavik constantly updates ZeuS so that it is not outdated. This boy always keeps things moving forward, always full of ambition and greed.

BREAKING FOR THE FBI

By May 2009, the FBI began to receive reports of large-scale money transfers made by fraudulent means. However, there is no evidence of any cybersecurity breaches.

J is a new FBI agent who has only worked for a few months in the Cybercrime Task Force. Little did he know he was about to get caught up in a complex web created by one of the master programmers, who always wanted to be one step ahead of everything and wanted to rule everything.

At that time, a First National Bank of Omaha customer reported that $100,000 in his account had disappeared without a trace. J was dispatched and immediately began to investigate what had happened.

However, J found the transaction to be nothing out of the ordinary. The stolen money is transferred by the customer from the customer's own IP address, on the customer's own browser, not from a strange IP address.

The money was transferred to foreign accounts so J conversely deduces that the customer is trying to scam and lie that the money has been stolen. But J immediately dismissed that thought because the bank could know who was sending the money, so this kind of fraud couldn't happen.

But how can a thief get into a customer's home to make a money transfer? The FBI agent was really confused, unable to explain how the criminals did it.

UNDERSTAND THE TRUTH

Slavik is also known by other nicknames such as AZ, Monstr, lucky12345. He continues to sell the right to use ZeuS as a toolkit to support cybercriminals. On average, each ZeuS transaction brings Slavic $3,000, and up to 5,000 different customers use ZeuS.

But Slavic was not satisfied because some other guys made money on ZeuS by selling it to other hackers.

Besides, banks are also increasingly updating security methods. Many types of two-factor authentication exist for hackers to pass before breaking into an account.

So, in early 2019, Slavik teamed up with Avalanche to launch the next version of ZeuS called JabberZeuS. This new version has the ability to add and remove modules to the user's liking. Among them, the most notable module is Jabber because it allows ZeuS to send instant messages to the owner to report the situation.

For example, ZeuS can send a report message when it detects that a victim has logged into a bank account with a balance exceeding a certain amount. It can instantly update owners with information such as accounts, passwords, two-factor authentication codes, security questions and answers.

On June 29, 2009, employees at First Federal Savings Bank discovered some unusual things in a customer's account. This account belongs to the Bullitt County Financial Court in Kentucky. The banker said 25 new employees were added to the court's pay list from June 22.

As soon as a new employee is added, they will be transferred an amount of less than 10,000 USD. Fortunately, the bank staff found out early and contacted the court. The Court replied that they did not know about this so the bank immediately reversed the transactions. It was definitely a cybercriminal attack.

But how do they do that?

The Bullitt County Financial Court imposes several additional security measures. On this bank account, it is necessary to log into two accounts one of the treasurer and one of the judge to be able to sign the transfer confirmation.

Combining industry sources and an investigation, the FBI determined everything was caused by JabberZeuS. And here's how they do it:

1. First, this group of hackers targeted the court treasurer. Somehow they infect JabberZeuS into the cashier's computer.
2. Next, JabberZeuS does its job, fetching the owner the First Federal Savings bank account login information and also the email login information.
3. By using reverse connection and VPN modules, hackers ensure that they are using the cashier's own internet connection when logging into the bank.
4. The hacker group accessed the bank account to see the names of the accounts that needed to be signed each time money was transferred. They got the judge's account name.
5. They discovered they could use the cashier's email to reset the password for the judge's account, and so they had two accounts to confirm the transfer in hand.
6. Finally, they created fake employee accounts, using the cashier's account to add to the payroll.

The above process sounds complicated, but it is actually done in less than 10 minutes. The hacker group stole $415,000 from the Court. Fortunately, the bank detected it in time and reversed some of the transactions to recover the money.

After this incident, the people behind JabberZeuS continued to attack banks, small businesses and even schools in the following months.

FBI agents also had to stretch themselves to keep a close eye on JabberZeuS's activities. Finally, in September 2009, their investigation took a big step forward. The FBI found a way to track the domain of the Jabber server used by ZeuS to send instant messages. The malicious code directs them to a domain called incomeet.com. Next, the IP address leads them to a server company hosted by Ezzi.net, located in Brooklyn, New York.

Ezzi.net is an American company, so it must allow the FBI to search in order to get detailed information about customers who are paying for that IP and server. FBI agents entered the room and only saw a computer there. It runs CentOS 5.0, has a 500GB hard drive, 2GB of RAM, and a dual-core AMD processor.

The FBI asked representatives of Ezzi.net who used this server. There is no specific answer. The Ezzi.net side only knows that this server is rented by an individual claiming to be Alexi S., from a company based in Moscow, Russia.

The FBI seized the server for testing. They found chat logs between the hackers in the group, all in Russian. They find records of every attack, attack logs as well as lists of victims. The server will be evidence for the FBI to charge the hackers if they catch them.

ZEUS VASS HADES

At this point, Slavik is using ZeuS to make money in three different ways: he uses it to steal money from banks; he leases it to people who want to use the botnet; he sold the ZeuS software for over $8,000. He makes a lot of money from these criminal activities and doesn't want to stop.

Slavik continues to update, add more new features and release ZeuS V2, which gives hackers the ability to monitor network traffic, take screenshots, record victim keystrokes, type stealing certificates and connecting to other banking systems.

Others also see how effective ZeuS is and want to make a profit as well. Some guys nicknamed Gribodemon and Harderman bought ZeuS and then modified it to create new malware called SpyEye. The first version is of poor quality, but in return it sells for only $ 400, a great price compared to $ 8,000 of the ZeuS.

Because SpyEye was so cheap, it started to attract attention. More and more people buy SpyEye the more push Gribodemon to improve it. After the upgrade, the price of SpyEye increased from $400 to $1,000.

The hacker group behind SpyEye also tries to "raise" ZeuS customers with discounts and promotions. This creates a power struggle between SpyEye and ZeuS. SpyEye is also programmed so that when it infects a computer it will check for ZeuS and if so it will delete the ZeuS.

The battle between SpyEye and ZeuS is like a power struggle between Zeus and Hades. Slavik, of course, did not like this. He updates ZeuS to detect and remove SpyEye.

But a strange thing happened, in October 2010, both ZeuS and SpyEye announced that ZeuS would no longer be sold. Instead, the ZeuS business will be transferred and merged into Gribodemon's SpyEye. Slavik retreated into the dark.

But the merger never really happened. SpyEye never uses ZeuS code or features or botnets. Meanwhile, FBI agents silently follow the clues and traces of both SpyEye and ZeuS. They discovered there is a SpyEye server in Atlanta, USA.

The FBI conducted a search and discovered that the server here is controlling more than 200 bots and has information related to many financial institutions on it. This gives the FBI more clues about who is behind SpyEye.

In 2011, suddenly the source code of ZeuS was publicly posted on the internet. This means anyone can download and create their own custom ZeuS malware. At that time, Slavik was still silent, without any activity.

SpyEye is still evolving, still releasing new updates. However, then Gribodemon also quietly disappeared and is no longer active on cybercrime communities.

Some time later, Gribodemon, the boss of SpyEye, goes on vacation to the Dominican Republic. He had no idea that he was being watched by the FBI. Immediately after arriving at the airport, Gribodemon was arrested by Dominican authorities and extradited to the US. Gribodemon's real name is Aleksandr Panin, 27 years old, Russian nationality. Gribodemon sentenced to 9 years in prison for creating SpyEye, money laundering and bank fraud.

Another person arrested in this case is Hamza Bendalladj, 27 years old, from Algeria. Bendalladj was in charge of marketing and distributing SpyEye, so he was sentenced to 15 years in prison.

THE LAST CHAPTER Revealed

To the world, Slavik has disappeared, but in fact he is quietly developing a new version called ZeuS V2.1. Now, from a software using a copyright license system, ZeuS has operated under a subscription model and is distributed via the Cloud.

In 2011, ZeuS V2.1 became ZeuS Version 3 and it was the first online banking malware to be offered as a malware-as-a-service (MAAS). Not long after that, it continued to evolve into Gameover Zeus.

Gameover ZeuS is considered the most effective and successful version of ZeuS. Many attacks with great damage have been carried out by Gameover Zeus. In September 2012, Gameover ZeuS was used in an attack that stole $2 million from a US printing company. In November 2012, Gameover ZeuS continued to help hackers steal $6.9 million from a single victim.

Not only that, after attacking the victim and stealing money, Gameover ZeuS is also capable of DDoSing the victim. No one knows if these large-scale attacks were carried out by any hacker or hacker group, whether Slavik or not.

From 2012 to 2013, large corporations and authorities worked together to bring down the ZeuS botnet, but without success. They can take down domains, but Zeus always has a backup so they can recover quickly.

However, the FBI also has information about the executive members of ZeuS, but they still do not know who Slavik really is.

According to the FBI, Slavik basically calls his group the Business Club with 6 members. Each person on the team has their own expertise, some are good at tech support, others are good at writing malware and others are good at recruiting people who can help them launder money.

Working together, Slavik's team always seemed to anticipate what the opponent would do and prepare countermeasures. The resiliency of the Zeus is extremely amazing.

They even decided to take ZeuS to the next level by integrating the CryptoLocker ransomware. You can see how dangerous ZeuS is as it can both steal money from your bank account, can do DDoS attacks and can encrypt your data for ransom. In November 2013, a police department in Massachusetts, USA, was the first victim to be attacked by ZeuS using all three methods above.

By May 2014, the FBI officially confirmed Slavik's identity. He had just turned 31 at the time, his real name is Evgeniy Bogachev, living in Anapa, Russia. Bogachev was immediately prosecuted by the US side for many crimes including bank fraud and money laundering.

In 2014 and 2015, many agencies, businesses and organizations in many countries worked together to bring down the ZeuS botnet. They had to work very hard to do that.

Slavik is on the FBI's most wanted list. The reward for anyone providing information leading to Slavik's arrest is $3 million, the largest reward ever offered to a hacker. Even so, until now Slavik has not been arrested because he did not leave Russia. The FBI tried to work with the Russian side many times, but still could not reach an agreement to extradite Slavik to the US.

In total, it is estimated that ZeuS has infected between 500,000 and 1,000,000 computers worldwide, and 25% of them are in the US. The FBI reported that American victims lost more than $100 million in money from hackers and another $27 million in data ransoms. ZeuS is considered one of the most sophisticated and most profitable malware ever.