Why the Zeus ‘Malware Gang’ Arrest is Important, But Only Part of the Solution

On June 25, 2015, Europol announced that it had made an impressive breakthrough in its Zeus malware investigations. A joint investigation team, made up of authorities from Austria, Belgium, Finland, the Netherlands, Norway and the U.K., successfully located and arrested five suspected members of the cybercriminal group responsible for the development, distribution and use of the Zeus and SpyEye malware. These well-known trojans have been the cause of hundreds of millions of dollars of theft from international banks and have spawned numerous offshoot variants that have done further damage in other sectors. For example, the GameOver Zeus variant, which has caused the U.S. Federal Bureau of Investigation much grief since 2014, is just one of the many offshoots that have come from the Zeus malware, which was first discovered nearly five years ago.

The joint investigation team launched a simultaneous strike on four different cities in Ukraine on June 18 and 19, capturing five suspects and confiscating large amounts of computer equipment and data that could further the team’s efforts toward managing the threat that Zeus poses.

We believe that this is a first step in the right direction: cybercriminals have been able to act freely without being brought to justice for too long. The joint action by these nations is a step toward reducing global cybercrime.

However, this is only one drop in the ocean of cybersecurity. The Zeus malware and its many variants have already infected tens of thousands of computer systems worldwide, and the group responsible for this trojan also sold it to many other hacker organizations, meaning the threat this malware poses is still very real.

Why Zeus is such a major challenge

Zeus has posed such a major problem for organizations since its discovery because it uses an unusual method of communicating with its command and control (C&C) server, known as a domain generation algorithm (DGA). DGA code generates a stream of seemingly random domain names that the malware uses to transmit information back to the attacker who deployed it, making the C&C channel much harder to detect and trace. Blocklists of known C&C domains are of little use when the domains change constantly, which is why Zeus and the other malware families that use DGA-based communication are extremely difficult to catch with traditional detection approaches.

While capturing and arresting those responsible for the creation of malware is an important step in handling cybercrime, arresting the creators of the original malware is only part of solving the problem. This is because malware variants, each altered to evade detection, are broadly available for purchase on the darknet. The threat of DGA-based malware variants requires a novel approach to detection, as current approaches cannot offer an efficient way to identify DGA activity in the network.
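One defender-side approach to the DGA detection problem described in the two paragraphs above is to score DNS query names for machine-generated look-alike traits (high character entropy, few vowels, many digits) and to flag hosts that repeatedly query such names without getting an answer. The following is an added example written for this post, not Cybereason's code or the approach from the upcoming analysis; the log format, the sample lines and the scoring weights and thresholds are all constructed assumptions for illustration.

```python
import math
from collections import Counter

# Constructed sample DNS log (hypothetical format: timestamp client qname rcode).
# Client 10.0.0.44 issues three random-looking look-ups that do not resolve,
# which is the trail a DGA-driven beacon leaves while it hunts for a live C&C domain.
SAMPLE_DNS_LOG = """\
2015-06-25T10:00:01 10.0.0.12 www.example.com NOERROR
2015-06-25T10:00:02 10.0.0.12 mail.google.com NOERROR
2015-06-25T10:00:03 10.0.0.44 xk7q9zr2pw1m.net NXDOMAIN
2015-06-25T10:00:04 10.0.0.44 bq3l8vtn0ysc.org NXDOMAIN
2015-06-25T10:00:05 10.0.0.44 h2mfp7xqzw93.com NXDOMAIN
2015-06-25T10:00:06 10.0.0.12 cdn.cloudflare.com NOERROR
"""

VOWELS = set("aeiou")

def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for an empty string)."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def registrable_label(qname):
    """Label directly under the TLD (naive: assumes a single-part TLD such as .com)."""
    parts = qname.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def dga_score(label):
    """Heuristic 0..1 score; weights and cut-offs are assumed, not tuned on real data.
    Entropy alone misfires on long real words (e.g. 'cloudflare'), so the vowel and
    digit ratios are combined with it."""
    if not label:
        return 0.0
    letters = [c for c in label if c.isalpha()]
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0
    digit_ratio = sum(c.isdigit() for c in label) / len(label)
    return (0.4 * min(shannon_entropy(label) / 4.0, 1.0)
            + 0.4 * (1.0 - min(vowel_ratio / 0.4, 1.0))
            + 0.2 * min(digit_ratio / 0.3, 1.0))

def flag_dga_clients(log_text, threshold=0.6, min_hits=3):
    """Return {client: [suspicious labels]} for clients with at least min_hits
    high-scoring queries that also failed to resolve (NXDOMAIN)."""
    hits = {}
    for line in log_text.splitlines():
        _ts, client, qname, rcode = line.split()
        label = registrable_label(qname)
        if rcode == "NXDOMAIN" and dga_score(label) >= threshold:
            hits.setdefault(client, []).append(label)
    return {c: labels for c, labels in hits.items() if len(labels) >= min_hits}
```

Running `flag_dga_clients(SAMPLE_DNS_LOG)` on the constructed log singles out 10.0.0.44 while the ordinary look-ups from 10.0.0.12 stay below the threshold; in production the thresholds would be tuned against the organisation's own baseline DNS traffic.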

Later this week we will be releasing analysis from Lotem Guy, our Head of Security Research, on DGA-based threats, their impact, and the reason why all the attempts to stop them, including the broad attempt by the FBI, have so far failed miserably. Next week we will publish an eBook offering effective approaches for detecting DGA-based attacks.

Potentially, with a combined approach of enforcement agencies hunting down the criminals and corporate security teams hunting down the attacks, Zeus-based malware and its relatives could eventually be eradicated.

About the Author

Lital Asher-Dotan

Lital is a marketing team leader, storyteller and technology marketing expert. She joined Cybereason as its first marketing hire and built a full marketing department. She specializes in brand building, product marketing, communication and content, and is passionate about building ROI-driven marketing teams.