TY - JOUR
T1 - Titans' revenge: Detecting Zeus via its own flaws
AU - Riccardi, Marco
AU - Di Pietro, Roberto
AU - Palanques, Marta
AU - Vila, Jorge Aguilà
N1 - Generated from Scopus record by KAUST IRTS on 2023-09-20
PY - 2013/2/4
Y1 - 2013/2/4
N2 - Malware is one of the main threats to Internet security in general, and to commercial transactions in particular. However, given the high level of sophistication reached by malware (e.g. the use of encrypted payloads and obfuscation techniques), malware detection tools and techniques still call for effective and efficient solutions. In this paper, we address a specific, dreadful, and widely diffused financial malware: Zeus. The contributions of this paper are manifold: first, we propose a technique to break the encrypted malware communications, extracting the keystream used to encrypt such communications; second, we provide a generalization of the proposed keystream extraction technique. Further, we propose Cronus, an IDS that specifically targets Zeus malware. The implementation of Cronus has been experimentally tested on a production network, and its high performance and effectiveness are discussed. Finally, we highlight some principles underlying malware, and Zeus in particular, that could pave the way for further investigation in this field. © 2012 Elsevier B.V. All rights reserved.
UR - https://linkinghub.elsevier.com/retrieve/pii/S1389128612003556
UR - http://www.scopus.com/inward/record.url?scp=84875231562&partnerID=8YFLogxK
U2 - 10.1016/j.comnet.2012.06.023
DO - 10.1016/j.comnet.2012.06.023
M3 - Article
SN - 1389-1286
VL - 57
SP - 422
EP - 435
JO - Computer Networks
JF - Computer Networks
IS - 2
ER -