In the past, we reported on the emergence of malware based on the leaked ZeuS source code, such as Ice IX and ZeuS 2.3.2.0. Use of the leaked code has continued since then and has resulted in attacks such as the one described here.

My colleagues and I have been monitoring another new ZeuS version since the latter part of September, one that we believe is also built from the leaked ZeuS source. Although this variant carries no version number in its code, we believe it was developed by the same gang behind LICAT.

This new version, which Trend Micro detects as TSPY_ZBOT.SMQH, spread in late September through spam claiming to come from the Australian Taxation Office (ATO). The messages contained a malicious link that, when clicked, directed users to a site serving the BlackHole Exploit Kit, which in turn downloaded a sample of the new ZeuS version.

Unlike earlier ZeuS versions, which downloaded their configuration file over HTTP, this version opens a random local UDP port and contacts a hardcoded list of IP addresses to request the configuration file. This matters for defenders: controls that only inspect HTTP traffic, such as a web proxy, will not see the download at all, so the hardcoded IP list and the unusual UDP fan-out from a workstation are what to watch for.

TSPY_ZBOT.SMQH initiates contact by sending encrypted data that contains the bot ID and a string of characters. Each IP address in the hardcoded list has its own corresponding string, which the server appears to check to validate the request.

If any of the IP addresses is alive, it replies with the encrypted configuration file over TCP.
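The UDP-then-TCP sequence just described is easy to pick out of flow data even though the ports are random. The following is an added example, not code from the original post or from Trend Micro: it runs a simple detector over a handful of constructed flow records and reports a source that sends UDP to several distinct hosts on non-service ports and then opens a TCP connection to one of those same hosts within a short window. It can also match against a watchlist of peer addresses, for the case where the hardcoded list has been pulled out of a sample. The records, the destination port, the thresholds and the benign-port set are assumptions for illustration, not indicators from the post.

```python
"""Flag hosts that probe several peers over UDP and then open a TCP
connection back to one of them, the configuration-fetch sequence the post
describes. Added example over constructed flow records; not Trend Micro code."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed flow records: (timestamp, src, dst, proto, dst_port). The
# addresses are documentation ranges and the UDP port is assumed; none of
# these values are indicators from the post.
SAMPLE_FLOWS = [
    ("2011-09-28T10:00:01", "10.0.0.5", "203.0.113.10", "UDP", 41523),
    ("2011-09-28T10:00:01", "10.0.0.5", "203.0.113.11", "UDP", 41523),
    ("2011-09-28T10:00:02", "10.0.0.5", "198.51.100.7", "UDP", 41523),
    ("2011-09-28T10:00:02", "10.0.0.5", "192.0.2.44", "UDP", 41523),
    ("2011-09-28T10:00:03", "10.0.0.5", "192.0.2.44", "TCP", 5553),
    ("2011-09-28T10:00:05", "10.0.0.9", "192.0.2.53", "UDP", 53),
    ("2011-09-28T10:00:06", "10.0.0.9", "192.0.2.80", "TCP", 443),
]

# UDP services a normal workstation talks to; excluded from the peer count.
BENIGN_UDP_PORTS = {53, 67, 68, 123, 137, 138, 1900, 5353}


def find_config_fetch(flows, watchlist=frozenset(), min_udp_peers=3,
                      window=timedelta(seconds=60)):
    """Return (src, dst, reason) triples, in time order.

    Two triggers: any UDP packet to an address on the watchlist (the bot's
    hardcoded peer list, if it has been extracted from a sample), and a
    source that sends UDP to at least min_udp_peers distinct non-service
    destinations and then opens TCP to one of them inside the window.
    """
    first_udp = defaultdict(dict)   # src -> {dst: first time seen over UDP}
    hits = []
    for ts_s, src, dst, proto, dport in sorted(flows, key=lambda f: f[0]):
        ts = datetime.fromisoformat(ts_s)
        if proto == "UDP":
            if dst in watchlist:
                hits.append((src, dst, "watchlisted-peer"))
            if dport not in BENIGN_UDP_PORTS:
                first_udp[src].setdefault(dst, ts)
        elif proto == "TCP":
            recent = {d for d, t in first_udp[src].items() if ts - t <= window}
            if len(recent) >= min_udp_peers and dst in recent:
                hits.append((src, dst, "udp-sweep-then-tcp"))
    return hits


if __name__ == "__main__":
    for hit in find_config_fetch(SAMPLE_FLOWS, watchlist={"203.0.113.10"}):
        print(*hit)
```

The fan-out rule is the useful one in practice, because the bot's peer list will change between builds while the behaviour (several UDP probes, then one TCP pull) does not; tune `min_udp_peers` and the window against your own baseline of P2P-style traffic before alerting on it.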

Decrypting the Configuration File

Once the configuration file is downloaded, TSPY_ZBOT.SMQH decrypts it with the routine shown in the screenshot. Unlike ZeuS 2.3.2.0, which switched to the Advanced Encryption Standard (AES), this routine has changed little from the modified ZeuS 2 code, which uses RC4.
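For readers who want to see what "the ZeuS 2 RC4 routine" amounts to, the following is an added example that reimplements the reference scheme from the leaked ZeuS 2 source: RC4 with the key embedded in the bot, followed by the chained-XOR pass that source calls visualDecrypt. It is not the post's own code and not the exact routine of the TSPY_ZBOT.SMQH sample, which the post shows only as a screenshot; the key and configuration text are constructed. The `looks_decrypted` helper is the cheap plausibility check an analyst uses when trying candidate keys carved out of a binary.

```python
"""Reference decryption of a ZeuS 2-style configuration blob.

Added example, not the post's own code: it follows the leaked ZeuS 2 source
(RC4 with the key embedded in the bot, then the chained-XOR pass the source
calls visualDecrypt). The TSPY_ZBOT.SMQH sample's exact routine is only shown
as a screenshot in the post; key and plaintext below are constructed."""


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same call."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def visual_encrypt(buf: bytes) -> bytes:
    """Forward chained XOR: each byte is XORed with the previous (already
    transformed) byte, as in the leaked source's visualEncrypt."""
    b = bytearray(buf)
    for i in range(1, len(b)):
        b[i] ^= b[i - 1]
    return bytes(b)


def visual_decrypt(buf: bytes) -> bytes:
    """Inverse pass: walk backwards so each step still sees the untouched
    predecessor byte (the leaked source's visualDecrypt)."""
    b = bytearray(buf)
    for i in range(len(b) - 1, 0, -1):
        b[i] ^= b[i - 1]
    return bytes(b)


def encrypt_config(key: bytes, plaintext: bytes) -> bytes:
    """Builder side: chained XOR first, then RC4 (order matters)."""
    return rc4(key, visual_encrypt(plaintext))


def decrypt_config(key: bytes, blob: bytes) -> bytes:
    """Bot side: undo RC4 first, then the chained XOR."""
    return visual_decrypt(rc4(key, blob))


def looks_decrypted(buf: bytes, threshold: float = 0.9) -> bool:
    """Plausibility check for a candidate key: a real configuration is
    mostly printable text (URLs, target lists), RC4 output under the wrong
    key is not."""
    if not buf:
        return False
    printable = sum(1 for c in buf if 32 <= c < 127 or c in b"\r\n\t")
    return printable / len(buf) >= threshold


# Constructed demo values (not from any real sample).
DEMO_KEY = b"constructed-rc4-key-for-illustration"
DEMO_CONFIG = b"url_config http://config.example.invalid/cfg.bin\nwebfilters\n"

if __name__ == "__main__":
    blob = encrypt_config(DEMO_KEY, DEMO_CONFIG)
    assert decrypt_config(DEMO_KEY, blob) == DEMO_CONFIG
    for candidate in (b"wrong-key", DEMO_KEY):
        out = decrypt_config(candidate, blob)
        print(candidate, "->", "plausible" if looks_decrypted(out) else "garbage")
```

The ordering is the part that trips people up: the builder applies the chained XOR before RC4, so the bot must strip RC4 first and the XOR second; swapping them yields garbage even with the right key.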

As mentioned above, like LICAT and ZeuS 2.3.2.0, this new variant also appears to be the work of a private professional gang, probably the same one that created LICAT or at least one affiliated with it. In fact, the configuration file of TSPY_ZBOT.SMQH has the same format as LICAT's.

Although the spam only targeted Australian users, the contents of the decrypted configuration file suggest the malware may be used in a global campaign, including runs in the United States as well as in European and Asian countries.

We will continue to monitor this threat and the variants that emerge in the future.

Thanks to Mark Dixon of Westpac Bank of Australia for providing samples of the related malware and spam.

• http://djtechnocrat.blogspot.com/ Technocrat

  ZeuS Gets More Sophisticated Using P2P Techniques
  http://www.abuse.ch/?p=3499

  “The *new* version of ZeuS (v3?) implements a Kademlia-like P2P botnet. Similar to the Miner botnet, ZeuS is now using an “IP list” which contains IP addresses of other drones participating in the P2P botnet. An initial list of IP addresses is hardcoded in the ZeuS binary. As soon as a computer gets infected, ZeuS will try to find an active node by sending UDP packets on high ports. If the bot hits an active node, the remote node will respond with a list of current IP addresses that are participating in the P2P network. Additionally, the remote node will tell the requesting node which binary and config version it is running. If the remote node is running a more recent version, the bot will connect to it on a TCP high port to download a binary update and/or the current config file. Afterwards the bot will connect to the C&C domain listed in the config file using HTTP POST.”

• Pingback: New Zeus Variant claims to be from Australian Taxation Office - Harry Waldron - Corporate Security News


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice