Wednesday, May 11, 2011

Zeus virus scorecard update

Thanks to the release of the Zeus source code, I've been able to update The Perfect Virus Scorecard with new Zeus information. While Zeus is currently used primarily to loot bank accounts, there is no reason it couldn't be doing a whole bunch of other things. I'm still including SpyEye and Zeus in the same matrix, as it's most likely that the public source code revelation will allow accelerated SpyEye integration with Zeus. While you can go to the now-modified original Scorecard matrix, I'll summarize the changes to it here:
  1. Zeus cannot spawn or replicate itself to other computers (principle #2, Feral Fertility). Zeus is spread via spam in most cases. Therefore it gets a zero for this matrix item. Of course, this means Zeus is ideal for a more targeted attack, since it does not behave in a measurably procreative fashion.
  2. I give Zeus a partial score for principle #4, Performance, since the control panels appear to optimize for at least the botnet operating system. And I'm assuming that Zeus itself is tightly coded for the target computer to reduce cycle usage and the possibility of detection.
  3. Zeus gets partial credit for principle #6, Mutation Control, since it dynamically checks for new versions of the configuration file as well as for newer versions of itself. It doesn't get full credit because it has no capability for Feral Fertility.
  4. Zeus gets partial credit for principle #13, Stratification, in that it has limited Mutation Control, a partial for Performance, and full credit for Prosumption.
  5. The control panel gives Zeus partial credit for principle #15 (Complete Life Cycle Management), principle #16 (Team Isolation), and principle #17 (Operational Sophistication). Not bad. It's a long way from full credit, but not bad for an underground virus effort not supported by government-scale resources. Then again, given that the Russian government didn't throw young Darth Vader into jail, maybe government-scale resources have been applied here.
  6. Finally, Zeus gets partial credit for principle #19 (Simultaneity), principle #20 (Individuality), and principle #21 (Institutional Memory). Simultaneity may be a "light partial," because the target Windows operating system is multi-threaded.
Based upon what I've been able to "grok" from the public Zeus revelations, this appears to be a formidable criminal tool which could be easily provisioned for activities other than looting bank accounts. Because of this, the urgency of workable legal and technical countermeasures cannot be overstated. We need a credible deterrent force. As of yet, we don't have one.

Selah.
