By: Michael Sutton

Introducing Project Zulu

Malware

I want to personally and publicly thank Julien, Pradeep and Mike for all of their hard work over the past several months, to make today's launch of Project Zulu a reality. Zulu is a completely free service, open to anyone, which allows people to determine the risk posed by a particular web resource.

[Image: Zulu Launch Banner]
Our goal in building Zulu was to provide a simple and straightforward interface accessible to anyone regardless of security knowledge, while still delivering granular results that are of value to those who are more security savvy. I believe we've achieved this by providing a UI that requires no input beyond the URL to be analyzed, while allowing a few necessary advanced options (User-Agent and Referer) for malware that is triggered only when certain request values are present. Results display an overall ranking of Benign, Suspicious or Malicious, and also include details of the elements that went into the overall score.

[Image: Zulu User Interface]
We were also determined not to deliver a 'me too' project, as there are already a number of great security projects available. Services like VirusTotal, Anubis and Wepawet, for example, are invaluable tools when running specific tests (multi-AV scanning, JavaScript/PDF analysis and sandboxing respectively). However, most such projects tend to focus on a specific threat or type of analysis. With Zulu, we sought to combine our own proprietary scanning techniques with the great open-source intelligence that is available, to provide a broad view of the overall risk posed by virtually any web resource. Rather than looking at just one aspect of the resource, we separately assess the risk of its content, URL and host, and then combine those into an overall risk score. For each component, we employ the following approaches:

[Image: Zulu results for Zeus-related malware]

  • Content – Page content is scoured for the inclusion of potentially malicious code, leveraging proprietary Zscaler algorithms, conducting heuristic tests and querying public sources.
  • URL – The requested URL is tested against known suspicious/malicious patterns and public black/white lists, as well as historic risk assessments for subdomains, domain TLDs, file types, etc.
  • Host – Historic reputations of the host IP address, Autonomous System Number (ASN) and geographic location are analyzed, along with suspicious behaviors displayed by the host in question.
A unique benefit of this approach is that we can deliver a risk score even when the page content is no longer available. While we can't access the page, we can still assess the URL and host, and when they deliver a high risk score despite the lack of page content, one can often conclude that the page was indeed malicious but has since been taken down. We also provide full access to historical scan results for the same resource. This can often uncover when a page first became infected and when it was subsequently cleaned up.
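To make the three-component model concrete, here is an added illustration of how a Content / URL / Host breakdown can be combined into a single Benign / Suspicious / Malicious verdict, including the case where the page can no longer be fetched and only the URL and host evidence remain, plus a helper that reads a resource's scan history to find when it first turned malicious and when it was cleaned. This is example code written for this post, not Zulu's or Zscaler's code; every list, ASN mapping, regex, weight and threshold in it is constructed for the demonstration, and the hostnames and ASNs are made-up values.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed reputation data standing in for the public black lists and
# historical TLD / ASN assessments described above. All values are made up.
BLACKLISTED_DOMAINS = {"bad.example", "evil.example"}
RISKY_TLDS = {"zip", "xyz"}                      # hypothetical "risky" TLDs
HOST_ASN = {"bad.example": "AS64500", "evil.example": "AS64500",
            "good.example": "AS64501"}           # host -> ASN (constructed)
ASN_RISK = {"AS64500": 80, "AS64501": 5}         # ASN -> historic risk, 0-100
UNKNOWN_HOST_RISK = 10                           # no history: mildly uncertain

# Constructed URL and content heuristics (illustrative rules, not Zulu's).
URL_PATTERNS = [
    (re.compile(r"\.(exe|scr)(\?|$)", re.I), 20, "url: executable download"),
    (re.compile(r"/[a-f0-9]{32,}\.php", re.I), 20, "url: hashed php script name"),
]
CONTENT_PATTERNS = [
    (re.compile(r"eval\s*\(\s*unescape", re.I), 40, "content: obfuscated eval"),
    (re.compile(r"""<iframe[^>]+(width|height)\s*=\s*['"]?0""", re.I), 40,
     "content: hidden iframe"),
]


@dataclass
class Verdict:
    url_score: int
    host_score: int
    content_score: Optional[int]      # None when the page could not be fetched
    overall: int
    label: str
    details: List[str] = field(default_factory=list)


def score_url(url: str, details: List[str]) -> int:
    """URL component: black list, TLD history and suspicious path patterns."""
    host = (urlparse(url).hostname or "").lower()
    score = 0
    if host in BLACKLISTED_DOMAINS:
        score += 70
        details.append("url: domain on black list")
    if host.rsplit(".", 1)[-1] in RISKY_TLDS:
        score += 15
        details.append("url: historically risky TLD")
    for pattern, weight, note in URL_PATTERNS:
        if pattern.search(url):
            score += weight
            details.append(note)
    return min(score, 100)


def score_host(url: str, details: List[str]) -> int:
    """Host component: historic reputation of the ASN the host sits in."""
    host = (urlparse(url).hostname or "").lower()
    asn = HOST_ASN.get(host)
    if asn is None:
        details.append("host: no ASN history")
        return UNKNOWN_HOST_RISK
    risk = ASN_RISK.get(asn, UNKNOWN_HOST_RISK)
    details.append(f"host: {asn} historic risk {risk}")
    return risk


def score_content(content: Optional[str], details: List[str]) -> Optional[int]:
    """Content component: heuristic checks; None when there is no content."""
    if content is None:
        details.append("content: unavailable (page may have been taken down)")
        return None
    score = 0
    for pattern, weight, note in CONTENT_PATTERNS:
        if pattern.search(content):
            score += weight
            details.append(note)
    return min(score, 100)


def assess(url: str, content: Optional[str] = None) -> Verdict:
    details: List[str] = []
    u = score_url(url, details)
    h = score_host(url, details)
    c = score_content(content, details)
    # Combine the components. With content present it carries most weight;
    # when the page cannot be fetched, the URL and host verdicts alone decide,
    # which is what lets a taken-down page still come back as Malicious.
    overall = round((u + h) / 2) if c is None else round(0.5 * c + 0.3 * u + 0.2 * h)
    label = "Malicious" if overall >= 60 else "Suspicious" if overall >= 20 else "Benign"
    return Verdict(u, h, c, overall, label, details)


def infection_window(history: List[Tuple[str, str]]) -> Optional[Tuple[str, Optional[str]]]:
    """Given chronological (timestamp, label) scans of one resource, return
    (first Malicious scan, first Benign scan after it), or None if never bad."""
    first_bad = None
    for ts, label in history:
        if label == "Malicious" and first_bad is None:
            first_bad = ts
        elif label == "Benign" and first_bad is not None:
            return first_bad, ts
    return (first_bad, None) if first_bad else None


if __name__ == "__main__":
    # Constructed samples; the second is a page that was taken down but whose
    # URL and host history still condemn it.
    for url, body in [("http://good.example/index.html", "<html><body>hello</body></html>"),
                      ("http://bad.example/update.exe", None),
                      ("http://unknown.example/page.html", "<iframe src='x' width=0 height=0></iframe>")]:
        v = assess(url, body)
        print(f"{v.label:10} {v.overall:3}  {url}  {v.details}")
```

The design point worth noticing is the branch in `assess`: a missing page is not scored as zero risk, it simply drops the content term so the remaining evidence is not diluted, and the `details` list carries the "content unavailable" note so the reader can see why the verdict rests on URL and host alone.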

Why would Zscaler, a commercial entity, release a free tool? I'm sure that companies release free tools for a variety of reasons, and ours are quite straightforward. Obviously Zulu provides a marketing benefit, but beyond this, it permits ThreatLabZ great freedom to experiment with new detection techniques. We plan to use Zulu as a proving ground for our great ideas (and yes, that makes you our guinea pigs). The benefit to you is that you're able to leverage some of our latest and greatest techniques. Moreover, you may well analyze a malicious web site that we haven't seen before. In the end, we hope that you find Zulu to be a valuable tool to combat web-based threats, and we certainly welcome your feedback at zulu[at]zscaler[dot]com.

One last thing. Why Zulu? Well, the Zulu warrior was a formidable foe, but more importantly, Zulu warriors represented a citizen army. Not a standing army, but one that came together and fought valiantly when faced with an impending threat to their society. We view our Zulu as a tool for a citizen army combating malicious content. Everyone can use it and everyone benefits from the historical results. Join the army!

- michael
