SANS Digital Forensics and Incident Response Blog

Digital Forensics Case Leads: ZeusTracker; Legal Hold Software; Port Control as a Forensic Tool

The Zeus banking Trojan continues to siphon cash from businesses' bank accounts. Attackers compromise networks and computers, then lie in wait until accounts are accessed, at which point the authenticated session may be hijacked, allowing the attackers to submit their own transactions. Because the credentials match, the bank sees a legitimate login; even two-factor systems are being defeated this way. At last count, attackers made over $120 million in unauthorized transactions in Q3 2009 (source: FDIC).

Multi-factor and out-of-band authentication will not cure the ill if the customers' machines are owned by the attackers: the attacker simply waits for the customer to authenticate and then rides the session. Per-transaction authentication is needed (probably digitally signed and with a MAC over the transaction details). If you are working as an incident responder, it may be helpful to know some of the currently active command and control systems connected to Zeus. Here is a handy list, provided by ZeusTracker (note: SSL certificate errors may pop up, but you will not be asked to enter any confidential information on the site, nor will it gather any from you). It's noteworthy that many of the command and control systems are located in Russia and China.

Meanwhile, the ediscovery midnight oil is burning at banks and businesses hit by these attacks. Businesses claim that it's the bank's duty of care to protect funds held by the bank. Banks claim that they are only required to provide "reasonable security" against attacks. And besides, they say, the attacks are on the customer's computer and network, not the bank's. Ah, the makings of a lawsuit, and of proposals for regulation.

And, that's exactly what's happening. Customers are suing banks, and now a bank is suing a customer that is a victim of one of these attacks. See links in Research & Discovery below for more on the lawsuits, the victims, and proposed legislation.


  • DeviceLock is port-device control and contextual DLP security software for managing Windows endpoints centrally through an Active Directory Group Policy MMC snap-in. DeviceLock can also be used as a rich forensic tool if installed in advance of an event. The author of this posting had a recent incident that involved lost memory drives with critical ediscovery information. DeviceLock provides file shadow copying, and forensic viewing, indexing and searching of endpoint port-device activities, including any local, network, or virtual printing instances. Like email archiving, the powerful searching in DeviceLock makes it an interesting ediscovery pre-event planning tool. Rumors are that DeviceLock will soon be adding to its endpoint access control feature, with deep analysis of files and other communications through local peripheral ports, devices, and IP protocols.
  • A growing area of ediscovery includes the issues of legal holds of information. Legal hold software is designed to assist the team in preserving data and reducing legal hassles. Here's what to look for in a system.


  • Criminal "Hacker" Sentenced to 37 Months in Prison in Manhattan Federal Court for Scheme to Steal and Launder Money from Brokerage Accounts. This guy got just three years for perpetrating something that sounds like the Zeus banking attack, in addition to credit card fraud and other counts? No wonder cybercrime is proliferating.
  • Class action suit against Countrywide Financial: Plaintiffs ask $20 million after a Countrywide employee stole and sold tens of thousands (or millions?) of customer records. The data was stolen through the use of a USB drive on the one workstation that did not have epoxy in the USB ports. There are a number of issues here: Why use epoxy and not more granular controls? And, if you ARE going to use glue, you have to use it on every workstation. Looks like someone at Countrywide Financial might not have been familiar with Complete Mediation: only one way in and out of a system (and that ONE way is NOT a bypass of controls!).
  • Another inside job: Bank of America Employee Charged With Planting Malware on ATMs. Where are the audit trails?


  • Listen to a one-on-one interview with a business that lost $233,000 from the attack, and is being sued by their bank. Their business is mentioned in the story above.
  • Trying to track down an attack that might have origins in one of the many underground "hacker" chat rooms? Some new research shows promise. Here is the abstract of a paper from the Artificial Intelligence Lab, Department of Management Information Systems, University of Arizona, Tucson:

    "The unprecedented growth of the Internet has given rise to the Dark Web, the problematic facet of the Web associated with cybercrime, hate, and extremism. Despite the need for tools to collect and analyze Dark Web forums, the covert nature of this part of the Internet makes traditional Web crawling techniques insufficient for capturing such content. In this study, we propose a novel crawling system designed to collect Dark Web forum content. The system uses a human-assisted accessibility approach to gain access to Dark Web forums. Several URL ordering features and techniques enable efficient extraction of forum postings. The system also includes an incremental crawler coupled with a recall-improvement mechanism intended to facilitate enhanced retrieval and updating of collected content. Experiments conducted to evaluate the effectiveness of the human-assisted accessibility approach and the recall-improvement-based, incremental-update procedure yielded favorable results. The human-assisted approach significantly improved access to Dark Web forums while the incremental crawler with recall improvement also outperformed standard periodic- and incremental-update approaches. Using the system, we were able to collect over 100 Dark Web forums from three regions. A case study encompassing link and content analysis of collected forums was used to illustrate the value and importance of gathering and analyzing content from such online communities."

    The researchers are Tianjun Fu, Ahmed Abbasi and Hsinchun Chen.

Digital Forensics Case Leads for 20100415 was compiled by Ira Victor, G17799 GCFA GPCI GSEC ISACA CGEIT. Ira Victor is an analyst with Data Clone Labs. He is also Co-Host of The CyberJungle, the nation's first live radio news talk show on security, privacy and the law, Saturdays 10a-12noon PT / 1p-3p ET. Ira is President of Sierra-Nevada InfraGard, and a member of the High Tech Crime International Association.