Al Bataineh2012
978-1-4673-4879-9/12/$31.00 ©2012 IEEE 26
Figure 1: (a) The botnet DIY toolkit; (b) Observable network activity of a Zbot; (c) Byte entropy of Zbot POST contents.
Zbots) [20]. SpyEye started as a Zbot competitor, but ended in a merge of their source code, making more powerful data stealing botnets [23].

Zbot appeared in 2007 and since then it has grown to be one of the top banking Trojans, infecting 41% of government networks, according to US-CERT [6]. Zbot was also used in the Mumba Botnet [5], which stole 60GB of data from computers in the U.K. and Germany, and in the Kneber Botnet [15], which targeted 374 US-based firms. Recently, the FBI and international law enforcement agencies discovered a ring of criminals that used Zbots to steal around $70 million from victims' bank accounts [9]. Zeus continues to be a great threat today, and is therefore used here as an example of a data stealing botnet.

2.1 Zeus Toolkit

As mentioned earlier, Zeus is not a single botnet; the name actually refers to the Do-It-Yourself (DIY) software kit that is used to create one or more botnets, as shown in Figure 1(a). We were able to obtain an old copy of the kit after it was released to the public by its developers. Our analysis shows that the kit has two modules: Binary Builder, which is responsible for creating new Zbot samples, and a web application called Control Panel. Each Zbot sample requires static and dynamic configurations. The static configuration sets the name of the botnet, time intervals for downloads and uploads, URLs for getting the config file, and an encryption key. The dynamic configuration lists the URLs of bot download server(s), data upload server(s), and backup download servers for configuration files. The Control Panel runs on the C&C server for botnet administration; it allows the botnet owner to view the status of his botnet by listing statistics about the number of total bots and the currently active ones.

The information stealing capabilities implemented in Zbots exceed traditional keyloggers and spyware. The design of the toolkit makes it highly configurable, such that new modules can be added to newly generated binaries, increasing their sophistication. Data stolen using a Zbot range from account credentials, PKI certificates, and HTTP cookies to screenshots, specific files, and databases. What makes Zbot especially dangerous is its "man-in-the-browser" ability. When a user opens a browser to log into his bank website, for example, Zbot grabs all values filled in the form and injects additional form fields into the page which will lure the user into entering more information, such as their social security number or ATM PIN. Some Zbot variants also contain a feature called "Jabber Zeus" which relays the victim's credentials to the criminals in real time via Instant Messenger (IM). This real-time interception allows criminals to log into the account while the user is using it and wire money to third parties.

2.2 Network Behavior

We looked into the network behavior of Zbots by running a large set in a controlled environment (i.e. a sandbox); see Figure 1(b). The bot first attempts to establish a connection with the C&C server using the 3-way TCP handshake over port 80. After a successful connection, it issues a GET request to download a new configuration file, and a POST request to upload a log of statistics or stolen data. This pull/push process is repeated periodically based on the time settings in the static configuration. The most interesting feature of this process is that GET and POST request/response payloads appear to be encrypted. Furthermore, we noticed that the Content-Type of most POSTs was text/html while the payload is not text. We also noticed that some OK replies to POST requests embed encrypted content possibly contain-
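The two observations above (a declared Content-Type of text/html carrying a non-text body, and high byte entropy of the POST contents as in Figure 1(c)) can be turned into a simple detection check. The following is an added example written for this page, not code from the paper; the sample POST records, the 6.5 bits/byte entropy cutoff and the 95% printable-byte threshold are constructed assumptions.

```python
import math
from collections import Counter

# Constructed sample HTTP POST records (Content-Type header, body bytes).
# Synthetic illustrations, not captures from the paper's sandbox.
SAMPLE_POSTS = [
    ("text/html", b"<html><body>status=ok</body></html>"),        # benign text body
    ("text/html", bytes(range(256)) * 4),                          # non-text, high-entropy body
    ("application/x-www-form-urlencoded", b"user=alice&pw=hunter2"),  # honest content type
]

def byte_entropy(data: bytes) -> float:
    """Shannon entropy of a byte string in bits per byte (0.0 .. 8.0)."""
    if not data:
        return 0.0
    counts = Counter(data)
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts.values())

def looks_like_text(data: bytes, threshold: float = 0.95) -> bool:
    """True if at least `threshold` of the bytes are printable ASCII or whitespace."""
    if not data:
        return True
    printable = sum(1 for b in data if 32 <= b < 127 or b in (9, 10, 13))
    return printable / len(data) >= threshold

def classify_post(content_type: str, body: bytes, entropy_cutoff: float = 6.5) -> dict:
    """Flag a POST whose declared Content-Type is text/* but whose body is not
    text-like and has high byte entropy: the mismatch observed in Zbot uploads.
    The cutoff value is an assumed tuning parameter."""
    ent = byte_entropy(body)
    text_declared = content_type.split(";")[0].strip().lower().startswith("text/")
    suspicious = text_declared and not looks_like_text(body) and ent >= entropy_cutoff
    return {"content_type": content_type, "entropy": round(ent, 3),
            "text_like": looks_like_text(body), "suspicious": suspicious}

def scan(posts):
    """Classify every (content_type, body) record and return the verdicts."""
    return [classify_post(ct, body) for ct, body in posts]

if __name__ == "__main__":
    for verdict in scan(SAMPLE_POSTS):
        print(verdict)
```

The check deliberately requires both signals (non-text bytes and high entropy) before flagging, so ordinary HTML pages with a few non-ASCII characters are not reported.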