Titans' revenge: Detecting Zeus via its own flaws

Authors:
Marco Riccardi;Roberto Di Pietro;Marta Palanques;Jorge Aguilí Vila
Affiliations:
Barcelona Digital Technology Centre, eSecurity Research Group, Roc Boronat 117, 5th Floor, 08018 Barcelona, Spain;Barcelona Digital Technology Centre, eSecurity Research Group, Roc Boronat 117, 5th Floor, 08018 Barcelona, Spain and Universití di Roma Tre, Maths Dept., L.go S. L. Murialdo 1, 00146 Roma, I ...;Barcelona Digital Technology Centre, eSecurity Research Group, Roc Boronat 117, 5th Floor, 08018 Barcelona, Spain;CaixaBank, CSIRT, Av. Diagonal, 621, 08028 Barcelona, Spain
Venue:
Computer Networks: The International Journal of Computer and Telecommunications Networking
Year:
2013

Citing 8
Cited 1

PHONEY: Mimicking User Response to Detect Phishing Attacks

WOWMOM '06 Proceedings of the 2006 International Symposium on on World of Wireless, Mobile and Multimedia Networks
Cent, five cent, ten cent, dollar: hitting botnets where it really hurts

NSPW '06 Proceedings of the 2006 workshop on New security paradigms
Stealthy malware detection through vmm-based "out-of-the-box" semantic view reconstruction

Proceedings of the 14th ACM conference on Computer and communications security
BotHunter: detecting malware infection through IDS-driven dialog correlation

SS'07 Proceedings of 16th USENIX Security Symposium on USENIX Security Symposium
Botnet Detection and Response Architecture for Offering Secure Internet Services

SECTECH '08 Proceedings of the 2008 International Conference on Security Technology
The Dorothy Project: An Open Botnet Analysis Framework for Automatic Tracking and Activity Visualization

EC2ND '09 Proceedings of the 2009 European Conference on Computer Network Defense
Defaming Botnet Toolkits: A Bottom-Up Approach to Mitigating the Threat

SECURWARE '10 Proceedings of the 2010 Fourth International Conference on Emerging Security Information, Systems and Technologies
Cyber Fraud: Tactics, Techniques and Procedures

Cyber Fraud: Tactics, Techniques and Procedures

Editorial: Editorial for Computer Networks special issue on ''Botnet Activity: Analysis, Detection and Shutdown''

Computer Networks: The International Journal of Computer and Telecommunications Networking

Quantified Score

Hi-index	0.00

Visualization

Abstract

Malware is one of the main threats to the Internet security in general, and to commercial transactions in particular. However, given the high level of sophistication reached by malware (e.g. usage of encrypted payload and obfuscation techniques), malware detection tools and techniques still call for effective and efficient solutions. In this paper, we address a specific, dreadful, and widely diffused financial malware: Zeus. The contributions of this paper are manifold: first, we propose a technique to break the encrypted malware communications, extracting the keystream used to encrypt such communications; second, we provide a generalization of the proposed keystream extraction technique. Further, we propose Cronus, an IDS that specifically targets Zeus malware. The implementation of Cronus has been experimentally tested on a production network, and its high quality performance and effectiveness are discussed. Finally, we highlight some principles underlying malware-and Zeus in particular-that could pave the way for further investigation in this field.