Akamai Threat Advisory: Zeus Crimeware


Akamai Technologies, Inc., the leading provider of cloud services for delivering, optimizing and securing online content and business applications, today released, through the company’s Prolexic Security Engineering & Response Team (PLXsert), a new cybersecurity threat advisory. The advisory alerts Fortune 500 enterprises to a high-risk threat of continued breaches from the Zeus framework. Malicious actors may use the Zeus crimeware kit to steal login credentials and gain access to web-based enterprise applications or online banking accounts. The advisory is available for download at www.prolexic.com/zeus.

“The Zeus framework is a powerhouse crimeware kit that enterprises need to know about to better defend against it,” said Stuart Scholly, senior vice president and general manager, Security Business Unit, Akamai. “It’s hard to detect, easy to use, and flexible – and it’s being used to breach enterprises across multiple industries.”

Responsible for recent data breaches

Malicious actors using the Zeus crimeware kit have been responsible for several recent high-profile cybersecurity breaches of Fortune 500 firms. Computers, smart phones and tablets infested with the Zeus bot (zbot) malware become agents for criminals – serving a malicious master, sharing user data, and becoming part of a botnet to attack computer systems.

Using the kit, attackers harvest data, such as login usernames and passwords, as it is entered into a web browser on an infected device. In addition, an attacker may insert additional fields into the display of a web form on a legitimate website to trick the user into supplying more data than the site usually requires, such as a PIN on a banking site. Attackers can even remotely request that the user’s machine take a screenshot of the current display at any time.
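The form-field injection described above leaves a server-side trace: the browser posts fields that the legitimate page never rendered. The following added example (not code from the advisory or from Akamai) compares each submission against the expected field set for its endpoint and flags submissions that carry extra fields such as a PIN; the endpoints, field lists and log records are constructed for the illustration.

```python
"""Flag form submissions that carry fields the legitimate page never rendered.

Added illustration, not part of the Akamai/PLXsert advisory. A web inject adds
inputs such as a PIN to a bank's login form, so the browser posts fields that the
server-side form definition does not contain. Only field names are inspected;
values (credentials) are never logged.
"""
from urllib.parse import parse_qs

# Constructed: the fields each form legitimately renders (an assumption for the
# example, not a real application's schema).
EXPECTED_FIELDS = {
    "/login": {"username", "password", "csrf_token"},
    "/transfer": {"from_account", "to_account", "amount", "csrf_token"},
}

# Constructed: extra fields an injected form typically asks for; their presence
# raises the severity of a finding.
HIGH_RISK_FIELDS = {"pin", "atm_pin", "ssn", "card_number", "cvv", "mothers_maiden_name"}


def check_submission(path: str, body: str) -> dict:
    """Compare one urlencoded POST body against the expected field set for path."""
    expected = EXPECTED_FIELDS.get(path)
    if expected is None:
        return {"path": path, "verdict": "unknown_endpoint", "unexpected": [], "high_risk": []}
    submitted = set(parse_qs(body, keep_blank_values=True))  # field names only
    unexpected = sorted(submitted - expected)
    high_risk = sorted(f for f in unexpected if f.lower() in HIGH_RISK_FIELDS)
    if high_risk:
        verdict = "possible_web_inject"
    elif unexpected:
        verdict = "unexpected_fields"
    else:
        verdict = "clean"
    return {"path": path, "verdict": verdict, "unexpected": unexpected, "high_risk": high_risk}


def scan_records(records):
    """records: iterable of 'PATH<TAB>BODY' lines (constructed log format)."""
    return [check_submission(*r.rstrip("\n").split("\t", 1)) for r in records if r.strip()]


if __name__ == "__main__":
    # Constructed sample records: a normal login, then one carrying injected fields.
    SAMPLE = [
        "/login\tusername=alice&password=secret&csrf_token=abc",
        "/login\tusername=bob&password=secret&csrf_token=abc&pin=1234&mothers_maiden_name=Smith",
    ]
    for finding in scan_records(SAMPLE):
        print(finding["path"], finding["verdict"], finding["high_risk"])
```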

All data requested by the attacker is sent back to a command and control panel, where it can be sorted, searched, used or sold. The harvested data is likely to be used for identity theft. It could also be sold to competitors or used to publicly embarrass a firm.

Stealing enterprise access and trade secrets

Many enterprise applications and cloud-based services are accessible from the web. Platform-as-a-service (PaaS) and software-as-a-service (SaaS) vendors are at risk of being victimized and may face the loss of confidential customer information, trade secrets, data integrity, reputation and more.

Employees, customers and business partners may unintentionally download the Zeus malware onto their enterprise computers or personal devices. When they subsequently log in from the web using the device, they may inadvertently hand confidential information to malicious actors. With so many devices already infected, attackers may mine that data for credentials for specific web-based applications or services, bringing together a wealth of information from a large number of users to target a specific site.

Anti-virus software may not detect Zeus malware

The Zeus framework has been used to spread malware and gather information for many years. Its ignoble success is due in large part to its extreme stealth. Files are hidden, content is obfuscated, firewalls are disabled, and communication can be distributed. A Zeus tracking organization estimates the antivirus detection rate for Zeus at only 39.5 percent. Even devices with anti-virus software installed may be infected.

Enterprises advised to take steps to secure their network environment

“Zeus is insidious, even in the most secure environments,” Scholly noted. “Users are tricked into running programs that infect their devices, so strict enforcement of organizational security policies and user education can help. Enterprises are encouraged to develop a rigorous website security profile that includes a web application firewall. This approach can disrupt Zeus communication patterns and help prevent data breaches and file scanning attempts.”

Get the Zeus Crimeware Kit Threat Advisory to learn more

In the advisory, PLXsert shares its analysis and details about the Zeus framework, including:

  • Origins and variations
  • How the kit works
  • Indicators of infestation
  • The process of infection
  • Remote command execution
  • A lab simulation showing its power and threat
  • Recommended mitigation

A complimentary copy of the threat advisory is available for download at www.prolexic.com/zeus.