Series: Looking through the keyhole – Zeus

March 25, 2009


Zeus is a devastating and highly prevalent crimeware kit. It focuses on stealing banking and other financial information.

Here is an example of one of its Command and Control Interfaces.

[Screenshot: Zeus command and control interface]

As you can see, Zeus is prevalent in the wild, as shown here by Malware Domain List:

[Screenshot: Malware Domain List entries for Zeus]

Zeus is also known as NTOS, WSNPoem, or PRG. It has a long history and is responsible for MASSIVE amounts of data theft from governments, corporations, and individuals. Encrypted data stores of over 500 GB have been found, and it is estimated to have been in operation in some locations for years unnoticed.

It is even vulnerable to exploits.

Many have analyzed Zeus and its progeny. Here is a good example:

Frank Boldewin has done some awesome reversing and analysis of Rustock, Storm, Zeus, and other samples from some of the most notorious pieces of crimeware prevalent today.

I will mirror his content in all its glory here for posterity, BUT he deserves all the credit. You can learn a lot by reviewing other people's research.

For more on Zeus, check out this awesome Zeus Tracker:

[Screenshot: Zeus Tracker]

This is a great trend and clearly what the community needs. HOWEVER…

Ask yourself: if this stuff can stay running long enough to be tracked, and you can clearly see the scale and scope here, there is a SERIOUS problem with enforcement. So what do you do? Especially for a crimeware-based Software-as-a-Service organization running via a bulletproof hosting provider out of a foreign country with no law enforcement cooperation?

[Screenshot: Zeus Tracker listing of active binary and configuration file URLs]

All of these links are active and allow you to download and reverse the Zeus binaries. The configuration files, typically a .bin file, hold encrypted information that represents the set of targeted financial institutions.
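Because the configuration is stored encrypted, an analyst who pulls one of these .bin files down has no key to read it, but can still confirm what it is: encrypted data is close to uniformly random, while a plaintext target list is not. The script below is an added example for this post (not from the Zeus authors, Zeus Tracker, or the original article) that measures Shannon entropy over a whole file and over sliding windows, so that an encrypted blob embedded inside a larger file shows up as a run of high-entropy windows. The sample bytes are constructed here (a plain-text header, a seeded pseudo-random block standing in for the encrypted target set, and a plain-text trailer); the 7.0 bits/byte threshold is a common rule of thumb, not a Zeus-specific value, and compressed data will trip it too.

```python
import math
import random
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: 0.0 for a constant buffer, 8.0 for uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def high_entropy_windows(data: bytes, window: int = 512, step: int = 128,
                         threshold: float = 7.0) -> list:
    """Start offsets of every `window`-byte slice whose entropy is at or above `threshold`.

    An encrypted config or bot body appears as a run of consecutive high-entropy windows;
    plain text and structured data stay well below the threshold.
    """
    hits = []
    for off in range(0, max(len(data) - window, 0) + 1, step):
        if shannon_entropy(data[off:off + window]) >= threshold:
            hits.append(off)
    return hits


def merge_windows(offsets, window: int) -> list:
    """Collapse overlapping/adjacent hit offsets into (start, end) byte ranges."""
    ranges = []
    for off in offsets:
        if ranges and off <= ranges[-1][1]:
            ranges[-1] = (ranges[-1][0], off + window)
        else:
            ranges.append((off, off + window))
    return ranges


def triage(data: bytes, threshold: float = 7.0):
    """Whole-file verdict, whole-file entropy, and the byte ranges that look encrypted."""
    overall = shannon_entropy(data)
    regions = merge_windows(high_entropy_windows(data, threshold=threshold), 512)
    verdict = "likely encrypted/compressed" if overall >= threshold else "likely plaintext or mixed"
    return verdict, overall, regions


# Constructed sample (not a real Zeus config): 1 KB of INI-style text, 2 KB of seeded
# pseudo-random bytes standing in for an encrypted target list, then 512 bytes of text.
_rng = random.Random(20090325)
SAMPLE_TEXT = (b"[targets]\n; constructed example, not a real config\n"
               b"url=https://bank.example/login\nmask=*/account*\n")
SAMPLE_HEADER = (SAMPLE_TEXT * 40)[:1024]
SAMPLE_BLOB = bytes(_rng.getrandbits(8) for _ in range(2048))
SAMPLE_TRAILER = (SAMPLE_TEXT * 40)[:512]
SAMPLE_FILE = SAMPLE_HEADER + SAMPLE_BLOB + SAMPLE_TRAILER

if __name__ == "__main__":
    verdict, overall, regions = triage(SAMPLE_FILE)
    print(f"whole file: {overall:.2f} bits/byte, {verdict}")
    for start, end in regions:
        print(f"  high-entropy region at 0x{start:x}-0x{end:x} ({end - start} bytes)")
```

Point it at a real downloaded .bin (read the file as bytes and call `triage`) and the offsets tell you where the ciphertext begins, which is also where to start looking when you later pull the decryption routine out of the bot binary.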

The answer is simple: you go unattributable, you exploit their systems, and either crypto-lock them or cyber-destroy them. That is the answer. Has it been done yet? Not that I know of. Who is man enough to make the first move?

It could be the shot heard round the world that would change the rules of the game. And I'm all for it. Surgical, devastating cyber strikes on known, persistent malware infrastructure.

Here are some of Zeus’s advertised capabilities, from the authors themselves…

ZeuS has the following main features and properties (the full list is given here; some items may be missing from your build):

– Written in VC++ 8.0 without the RTL etc., on pure WinAPI; this is what gives it its small size (10-25 KB, depending on the build).
– Bypasses most firewalls (including the popular Outpost Firewall versions 3 and 4, though there is a temporary minor problem with its anti-spyware module). Unhindered reception of incoming connections is not guaranteed.
– Hard to detect by scanners/analysis: the bot installs itself on the victim and creates a file of arbitrary size among the system files.
– Works under limited Windows accounts (working under the Guest account is not currently supported).
– Invisible to antivirus heuristics; the bot body is encrypted.
– Creates no suspicion of its presence in any way, unless you want it to. This refers to the things many spyware authors love to do: unloading firewalls and antivirus, blocking their updates, blocking Ctrl+Alt+Del, etc.
– Blocks Windows Firewall (this feature is needed only for unhindered reception of incoming connections).
– The bot stores/receives/sends all settings/logs/commands encrypted over the HTTP(S) protocol (i.e. only you will see the data in text form; everything else between bot and server will look like garbage).
– Detects NAT by checking its own IP through a site you prefer.
– A separate configuration file, which protects you against losing the botnet if the main server becomes unreachable. Plus additional (reserve) configuration files, which the bot will turn to when the main configuration file is unavailable. This system ensures the survival of your botnet in 90% of cases.
– Ability to work with any browsers/programs that work through wininet.dll (Internet Explorer, AOL, Maxton, etc.):
  – Intercepts POST data + keystrokes (including data pasted from the clipboard).
  – Transparent URL redirection (to fake sites, etc.) with redirect conditions set in the simplest terms (for example: only on a GET or POST request, or when certain data is present or absent in the POST request).
  – Transparent HTTP(S) content substitution (web inject, which allows substituting not only HTML pages but any other type of data). The substitution is specified with masks.
  – Obtaining the required page contents with the HTML tags stripped. Based on the web inject.
  – Customizable TAN grabber for any country.
  – Obtaining the list of questions and answers for the bank “Bank Of America” after successful authentication.
  – Capturing the required POST data on the required URLs.
  – Ideal Virtual Keylogger solution: after the specified URL is requested, a screenshot is taken of the area where the click happened.
– Retrieving certificates from the “MY” store (certificates marked “No export” are not exported correctly) and clearing it. After that, any imported certificate will be saved on the server.
– Intercepting IDs/passwords for the POP3 and FTP protocols regardless of port, recording them in the log only on successful authorization.
– Changing the local DNS: removing/adding records in the file %system32%\drivers\etc\hosts, i.e. mapping a specified domain to an IP for WinSocket.
– Captures the contents of Protected Storage on first start on the computer.
– Removes cookies from the Internet Explorer cache on first start on the computer.
– Searches the logical disks for files by mask, or downloads a specific file.
– Records the pages just visited on first start on the computer. Useful when installing through exploits: if you buy a download service from someone, you can see what else they loaded in parallel.
– Takes screenshots from the victim’s computer in real time; the computer must be outside NAT.
– Receives commands from the server and sends back reports on successful execution. (Currently available: launching a local/remote file, immediate update of the configuration file, destruction of the OS.)
– Socks4 server.
– HTTP(S) PROXY server.
– Bot upgrade to the latest version (the URL of the new version is set in the configuration file).

Bot:

– Has no process of its own, and therefore cannot be detected in the process list.

=============================================================
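One item in that list a defender can check for directly is the hosts-file manipulation: once a bank's hostname is mapped to an attacker-chosen IP in %system32%\drivers\etc\hosts, every WinSocket-based program on the box resolves it there first. The script below is an added example for this post (it is not Zeus code and not from the original article) that parses a hosts file and flags hostnames pointed at addresses outside the machine. The classification rules are my own: loopback and 0.0.0.0 entries are treated as normal blocking/localhost entries, RFC 1918 and link-local addresses are reported for review, anything else is reported as a redirect, malformed lines are reported, and a hostname mapped twice to different kinds of address is reported as a conflict. The sample hosts content is constructed (the 203.0.113.0/24 range is the documentation range, not a real address), and the Windows path comes from the page; `SystemRoot` is assumed to be set when the script runs on Windows.

```python
import ipaddress
import os
import sys

# Ranges treated as "inside the LAN". Listed explicitly (rather than via ip.is_private) so that
# the documentation range 203.0.113.0/24 used in the constructed sample still counts as external.
LAN_NETWORKS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "fe80::/10")]


def parse_hosts(text):
    """Yield (line_no, address_token, [hostnames]) for each non-empty, non-comment line."""
    for line_no, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()          # drop trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue                                   # blank, comment-only, or a lone token
        yield line_no, parts[0], parts[1:]


def classify_address(token):
    """'sinkhole' (loopback/unspecified), 'lan', 'external', or 'invalid'."""
    try:
        ip = ipaddress.ip_address(token)
    except ValueError:
        return "invalid"
    if ip.is_loopback or ip.is_unspecified:
        return "sinkhole"      # 127.0.0.1, ::1, 0.0.0.0: localhost and blocking entries
    if any(ip in net for net in LAN_NETWORKS):
        return "lan"
    return "external"


def audit_hosts(text):
    """Return findings as dicts with line, host, address, severity and reason."""
    findings = []
    first_seen = {}            # hostname -> (token, kind), to catch conflicting duplicates
    reasons = {
        "external": ("high", "hostname redirected to an external address (pharming pattern)"),
        "lan": ("medium", "hostname redirected to a LAN address; confirm it is an intended override"),
        "invalid": ("medium", "first token is not an IP address; line is malformed"),
    }
    for line_no, token, hosts in parse_hosts(text):
        kind = classify_address(token)
        for host in hosts:
            host = host.lower()
            if kind in reasons:
                severity, reason = reasons[kind]
                findings.append({"line": line_no, "host": host, "address": token,
                                 "severity": severity, "reason": reason})
            prev = first_seen.get(host)
            # Two loopback-style lines for one name (127.0.0.1 and ::1 localhost) are normal.
            if prev and prev[0] != token and not (prev[1] == "sinkhole" and kind == "sinkhole"):
                findings.append({"line": line_no, "host": host, "address": token, "severity": "low",
                                 "reason": f"conflicting duplicate; first mapped to {prev[0]}"})
            first_seen.setdefault(host, (token, kind))
    return findings


def windows_hosts_path():
    """Default location of the Windows hosts file (the %system32%\\drivers\\etc\\hosts from the page)."""
    return os.path.join(os.environ.get("SystemRoot", r"C:\Windows"),
                        "System32", "drivers", "etc", "hosts")


# Constructed sample modelled on a default Windows hosts file plus a few tampered lines.
SAMPLE_HOSTS = """\
# constructed sample, not a real capture
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.example.net        # blocking entry, harmless
203.0.113.45    online.bank.example    # hostname pointed at an outside address
10.0.0.5        intranet.example
intranet.example 10.0.0.6              # columns swapped: not a valid mapping
127.0.0.1       online.bank.example    # conflicts with the earlier mapping
"""

if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    text = open(path, encoding="utf-8", errors="replace").read() if path else SAMPLE_HOSTS
    for f in audit_hosts(text):
        print(f"[{f['severity']}] line {f['line']}: {f['host']} -> {f['address']}: {f['reason']}")
```

Run it with no arguments to see the findings for the constructed sample, or pass the path returned by `windows_hosts_path()` on a suspect machine. A "high" finding for a banking hostname is exactly the pharming pattern the feature list describes and is worth pulling the machine for a closer look; the script deliberately does not try to decide which hostnames are banks, since any redirect to an outside address is abnormal for a hosts file.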

Here is an example of the builder interface.

[Screenshot: Zeus builder interface]

Here is another console:

[Screenshots: Zeus console (three images)]

Here is some more excellent analysis on this, mirrored from Frank Boldewin's site.


24.10.2008

Slides of my Hack.Lu 2008 speech “Rustock.C – When a myth comes true”

Rustock.C – When a myth comes true.pdf

14.02.2008

With “More advanced unpacking – Part II” I show you how to decrypt an infamous real-life malware called WSNPOEM aka Infostealer.Banker.C. The binaries are usually created with a tool called ZEUS Builder, and there exist lots of different versions in the wild. I found samples with and without rootkit functionality, as well as on-top packed binaries, meaning they are additionally protected/packed with tools like Aspack, ACProtect, Polycrypt and so forth. We will discuss all 3 types and how to deal with them in 3 different ways: 1. Manual unpacking + import fixing; 2. Manual unpacking + auto import fixing; 3. Auto unpacking/import fixing. Stage 2 introduces a nice tool called “Universal Import Fixer” and Stage 3 shows how to automate unpacking/import fixing with OllyDbgScript.

More advanced unpacking – Part II.zip

21.01.2008

This new unpacking tutorial goes far more into depth than the beginners’ tutorial I released last year. It aims to show some generic tricks and tools that can be used on many other protectors. Enjoy!

More advanced unpacking – Part I.zip

21.09.2007

This paper is an analysis of the malware Peacomm.C aka StormWorm. It mainly focuses on extracting the native Peacomm.C code from the original crypted/packed code and all the things that happen along the way, like: XOR + TEA decryption, TIBS unpacking, defeating anti-debugging code, file dropping, driver-code infection, VM-detection tricks and all the nasty things the rootkit driver does.

Peacomm.C – Cracking the nutshell.zip

21.01.2007

This paper is an analysis of the Rustock.B rootkit. The rootkit used several proprietary obfuscation/packing methods to hide the native driver code from prying eyes. I have divided the paper into two main parts. The first part, which is divided into three stages, describes how to extract the native rootkit driver code without the use of kernel debuggers or other ring0 tools. The second part basically does the same, but much faster and with less effort, using the SoftICE kernel debugger. Each part shows various possibilities for solving the different problems facing the researcher when analyzing Rustock. All the code and IDB files are included in the package!

A Journey to the Center of the Rustock.B Rootkit

13.12.2006

This flash movie covers how to manually unpack and auto-IAT-fix UPX- and Aspack-packed binaries. It might be useful for people who are new to malware analysis and don’t have a clue how to unpack and repair a binary. The introduced technique works for many other easy executable packers like FSG too. For the best view, use a resolution of 1024×768 or higher and select fullscreen (F11) in your browser.

Manual unpacking and Auto-IAT fixing UPX and Aspack

18.03.2006

My first paper is a step-by-step guide on how to use the world’s best debugger, called SoftICE, which is part of Compuware’s DriverStudio. This essay discusses the installation & configuration of the debugger, the most useful commands SoftICE offers, a rocking extension called IceExt, as well as a categorized list of good breakpoints. For a better understanding, screenshots are placed at distinctive points.

The big SoftICE howto
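The Peacomm.C entry above lists an XOR + TEA decryption layer as the first hurdle in getting at the native code, and Zeus-family samples are likewise handed around with their payloads encrypted. When you have pulled the key constants out of the decryption stub in the debugger, the quickest way to confirm them is to re-run the algorithm on the blob outside the debugger and check that something recognizable comes out. The block below is an added example for this post (not from Frank Boldewin's paper and not the Peacomm.C or Zeus code) that implements standard TEA (32 rounds, delta 0x9E3779B9) on little-endian 32-bit words, layers a repeating-byte XOR under it, and uses an "MZ" signature check as the sanity test on the result. The layering order (XOR applied first, TEA on the outside), the little-endian word layout, and the sample key and XOR pattern are all assumptions for the demonstration; a real sample's key, word order, and round count must be read from its own stub.

```python
import struct

MASK32 = 0xFFFFFFFF
DELTA = 0x9E3779B9     # TEA round constant, derived from the golden ratio
ROUNDS = 32            # standard TEA: 32 rounds, each updating both halves


def tea_encrypt_block(v0, v1, key):
    """Encrypt one 64-bit block given as two 32-bit words; key is four 32-bit words."""
    k0, k1, k2, k3 = key
    total = 0
    for _ in range(ROUNDS):
        total = (total + DELTA) & MASK32
        v0 = (v0 + ((((v1 << 4) & MASK32) + k0) ^ (v1 + total) ^ ((v1 >> 5) + k1))) & MASK32
        v1 = (v1 + ((((v0 << 4) & MASK32) + k2) ^ (v0 + total) ^ ((v0 >> 5) + k3))) & MASK32
    return v0, v1


def tea_decrypt_block(v0, v1, key):
    """Inverse of tea_encrypt_block: same schedule run backwards from sum = 32 * DELTA."""
    k0, k1, k2, k3 = key
    total = (DELTA * ROUNDS) & MASK32
    for _ in range(ROUNDS):
        v1 = (v1 - ((((v0 << 4) & MASK32) + k2) ^ (v0 + total) ^ ((v0 >> 5) + k3))) & MASK32
        v0 = (v0 - ((((v1 << 4) & MASK32) + k0) ^ (v1 + total) ^ ((v1 >> 5) + k1))) & MASK32
        total = (total - DELTA) & MASK32
    return v0, v1


def _key_words(key16):
    if len(key16) != 16:
        raise ValueError("TEA needs a 128-bit (16-byte) key")
    return struct.unpack("<4I", key16)      # little-endian words, as a Win32 stub would read them


def _tea_buffer(data, key16, block_fn):
    if len(data) % 8:
        raise ValueError("input must be a multiple of 8 bytes; pad before encrypting")
    key = _key_words(key16)
    out = bytearray()
    for off in range(0, len(data), 8):      # ECB: each 8-byte block is independent
        v0, v1 = struct.unpack_from("<2I", data, off)
        out += struct.pack("<2I", *block_fn(v0, v1, key))
    return bytes(out)


def tea_encrypt(data, key16):
    return _tea_buffer(data, key16, tea_encrypt_block)


def tea_decrypt(data, key16):
    return _tea_buffer(data, key16, tea_decrypt_block)


def xor_bytes(data, xor_key):
    """Repeating-key XOR; applying it twice restores the input."""
    return bytes(b ^ xor_key[i % len(xor_key)] for i, b in enumerate(data))


def pack_payload(plain, key16, xor_key):
    """Assumed two-layer scheme used to build the sample: XOR first, then TEA on the outside."""
    return tea_encrypt(xor_bytes(plain, xor_key), key16)


def unpack_payload(blob, key16, xor_key):
    """Undo pack_payload in reverse order: TEA decrypt, then strip the XOR layer."""
    return xor_bytes(tea_decrypt(blob, key16), xor_key)


def looks_like_pe(buf):
    """Cheap check an analyst applies after a candidate decryption: does it start with 'MZ'?"""
    return buf[:2] == b"MZ"


# Constructed sample: a fake 24-byte "executable" (MZ signature plus filler), not a real file.
SAMPLE_KEY = bytes(range(16))
SAMPLE_XOR = b"\x5a\xa5"
SAMPLE_PLAIN = b"MZ\x90\x00" + b"stub-code-here!!" + b"\x00" * 4
SAMPLE_BLOB = pack_payload(SAMPLE_PLAIN, SAMPLE_KEY, SAMPLE_XOR)


def recover_sample():
    """Decrypt the constructed blob with the right constants and return the plaintext."""
    return unpack_payload(SAMPLE_BLOB, SAMPLE_KEY, SAMPLE_XOR)

if __name__ == "__main__":
    out = recover_sample()
    print("recovered:", out, "PE header?", looks_like_pe(out))
```

Swapping in a real sample means replacing `SAMPLE_BLOB`, `SAMPLE_KEY` and `SAMPLE_XOR` with the bytes read from the dropper; if `looks_like_pe` stays false, the usual suspects are the word order (try big-endian `>2I`), the order of the two layers, or a non-standard round count, all of which are easy to read off the stub once you know what the standard routine looks like.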
