Researchers dissect ZeuS botnet blueprint

A little knowledge and a few thousand dollars is all it takes to build a fully functional botnet, according to security experts.

Cisco researchers Patrick Peterson and Henry Stern told delegates at the 2010 RSA conference in San Francisco that a botnet running the infamous ZeuS malware could be built for US$2,500 ($2,753.50).

ZeuS is primarily a data-gathering and botnet control tool, but has become particularly loathed in the security community because it directly injects content into pages and intercepts credentials before they are sent to legitimate sites.

Making matters worse, the monetary and technical thresholds for running Zeus are particularly low. Peterson and Stern said that a current version of Zeus can be had for roughly US$700, while older versions can be obtained for free.

A criminal could then obtain an exploit tool to install the malware for roughly US$800, while a server will cost around US$300 and an additional US$700 to hire and maintain affiliates to drive traffic to the attack sites.

The hard part, according to the researchers, is turning the stolen credentials into cash. Whether the data is sold to other criminals or used to access and empty bank accounts, criminals must find a way to get the money without alerting the authorities.

This is where money mules enter the picture. Often recruited from spam campaigns or fake job sites, and usually operating without knowledge of the illegal nature of their activities, the mules launder stolen funds by receiving the money from hacked accounts into their own accounts, then sending the funds to the criminal as a wire transfer while keeping a small percentage.

The process allows the criminal to cash in on the stolen accounts, and to shake off law enforcement and security researchers because wire funds are harder to track.

Stern and Peterson believe that this exact process was recently used to steal US$415,000 from the Bullitt County treasury in Kentucky.

An attacker was able to install ZeuS on the PC of the treasurer, gaining access to the county's payroll accounts. The stolen funds were then transferred via 43 separate money mule accounts and sent to the Ukraine.

To prevent a similar attack, the researchers urged administrators to employ common security measures such as monitoring traffic and keeping systems patched and updated, and to educate users on common social engineering practices and how to spot potential attack sites.