The newest version of Zeus, a do-it-yourself crimeware kit responsible for millions of dollars in losses by consumers and businesses, comes with anti-piracy provisions similar to those used by Microsoft’s Windows, a researcher said today.
And that’s a good thing.
Like Windows, Zeus 1.3 ties itself to a specific computer using a key code based in part on the machine’s hardware configuration, said Kevin Stevens, a security researcher with Atlanta-based SecureWorks, and a co-author of a report on Zeus published last week. “It’s just like a Windows licence,” said Stevens as he explained how the key code is generated.
After launching the Zeus Builder kit — which sells for between $3,000 and $4,000 in its most basic configuration — the software generates a hardware ID based on the PC’s components as well as other factors, including the operating system’s version number, said Stevens. That ID is then forwarded by the criminal customer to the seller of the program, who in turn cranks out a product activation code necessary to begin using the toolkit.
There is one major difference between the product activation practiced by Microsoft and what’s used by Zeus, however. Although Microsoft will allow both minor and major changes to the hardware — the latter may require a phone call to convince a support representative to issue another activation code — there’s no such protection for Zeus buyers. Even a small modification to the PC’s hardware can prevent Zeus Builder from running.
“You could request another [activation] code from the person who sold it to you, but there’s no guarantee you would get one. The seller could say, ‘I already have your money, pay for another.'”
The copy protection technology was added for obvious reasons, the same ones Microsoft cites when it explains why it regularly updates Windows Activation Technologies (WAT), better known by its earlier name of Windows Genuine Advantage (WGA).
“This was definitely done to keep people from pirating the software,” said Stevens, who noted that the previous versions of Zeus had been widely copied, tweaked and sold by others. “There have been a lot of Zeus [kits] hacked up.”
Zeus 1.2, for example, only had a copyright disclaimer and a unique ID. If that ID was found on other copies in circulation, the malware seller might threaten to shut off sales to the buyer who had purchased, and likely leaked, the legitimate edition, said Stevens.
“It was a little like controlled pirating,” he added. “[Zeus] 220.127.116.11 would come out, and then it would leak for a few months. Then 18.104.22.168 would come out and that would leak around for a couple of months.”
The hackers who sell Zeus may have slapped on hardware-based copy protection to protect their investment, but a side effect is good news for computer users, argued Stevens. “I think it is good for us,” he said. “It means that these new versions, which are even deadlier, are not being traded like they were before.”
Zeus’ steep price — some modules go for as much as $10,000 — along with its new anti-piracy protections will make it more difficult for amateur hackers to get their hands on the build-a-botnet software. “This is mostly for professional criminals now,” said Stevens.
Zeus was first uncovered in late 2007 by SecureWorks researcher Don Jackson, who has been tracking its rise in the crimeware ranks since then. According to Jackson and Stevens, Zeus is probably the malware most used by criminals specializing in financial fraud.
Zeus was also in the news last week when reports surfaced of an ad hoc “takedown” of Troyak, an Internet providers associated with Zeus command-and-control servers.
Within hours, however, Troyak had reconnected to the Internet, meaning that the quarter of Zeus’ command-and-control systems that had been knocked offline were again able to reconnect with bots and issue new instructions.