Trend Micro Facebook TrendLabs Twitter Malware Blog RSS Feed You Tube - Trend Micro
Search our blog:

  • Mobile Vulnerabilities

  • Zero-Day Alerts

  • Recent Posts

  • Calendar

    September 2015
    S M T W T F S
    « Aug    
  • Email Subscription

  • About Us

    One of the “standard” behaviors of the ZeuS/ZBOT Trojans is that it downloads a configuration file. This configuration file contains details on its bot routines such as what sites to target, what URLs to access to download an updated copy of itself, what URLs to send stolen information to, and what URLs to access to download additional/backup configuration files.

    Recently, however, I’ve been seeing ZeuS variants whose default configuration file references a suspicious list of URLs from which it can download backup configuration files.

    This particular list is from a ZeuS variant detected by Trend Micro as TSPY_ZBOT.BVQ. The list from its configuration file seems longer than most of the typical of ZeuS variants and the domain names looked atypical. When I checked, all of these URLs are already inaccessible and most of the domains are unregistered.

    In addition, the list of URLs does not include {BLOCKED}, where its drop zone and updated copy are located. It is typical of ZeuS variants’ drop zones, updated copies, and configuration files to be contained in the same domain.

    Checking the code of the malware itself revealed that the malware does actually download its main configuration file from http://{BLOCKED}

    From what I can see, cybercriminals using ZeuS intentionally did this to prevent security researchers from easily gathering information on their activities. Alternately, these extra URLs can be used as backup update locations, just in case the main location is taken down.

    Furthermore, I found that the more recent ZeuS variants no longer run in a virtual machine environment, meaning that security researchers now need to exert more effort to test ZeuS samples in actual Windows environments. Clearly, efforts by antivirus companies are taking their toll on cybercriminal operations and are forcing criminals to make analysis more difficult.

    All things considered, this is really not unexpected. ZeuS is still a continuing threat and it continuously evolves to become more dangerous and elusive.

    For more information on ZeuS, you may check out our report, Zeus and Its Continuing Drive Toward Stealing Online Data. You may also consult our white paper on ZeuS, ZeuS – A Persistent Criminal Enterprise.

    Update as of September 29, 2010, 6:15 PM UTC-7

    Upon further analysis, the malware does not directly detect virtual machines. It queries the affected machine’s system information via the ZwQuerySystemInformation (SystemProcessorInformation) API. It will then check for a specific value of the system’s ProcessorLevel (defined by the CPU vendor). If the ProcessorLevel matches, it will not continue its execution.

    Share this article
    Get the latest on malware protection from TrendLabs
    Email this story to a friend   Technorati   NewsVine   MySpace   Google   Live   StumbleUpon

    • Roland Dela Paz

      Hi, Atif, we posted an update on this, see above. After further reversing, it appears the malware is only checking a specific value of affected machine's ProcessorLevel—which, unfortunately matches the value in the virtual machine I tested this on. If you need more technical details on this, I can discuss it through email.

      MD5s are:

      Thanks for this!

      Thanks Matt! Actually, we blur malicious URLs specifically for readers w/ minimal knowledge on security, so that they would not accidentally visit the sites. Otherwise, someone who knows how to convert Hex to ASCII would most probably know something about security. But I appreciate your concern!

    • Matt

      Love the analysis, but if you are going to blur the URL then you should blur the Hex value as well. Otherwise good cover.

    • Pingback: ZeuS Trojan Now Uses False Configuration URLs()

    • Atif Mushtaq

      Hi Roland,

      This is Atif Mushtaq, I am a security researcher working for FireEye. Nice article. Would you mind sharing zbot samples which detect Vms. I tried the TSPY_ZBOT.BVQ but it doesn't seem to detect VMs. If sample sharing is not possible then MD5 might work (if sample exists on VirusTotal) . I can download it from there.

      Atif Mushtaq

    • Pingback: ZeuS Now Uses False Download URLs | Malware Blog | Trend Micro | Jared Rimer’s Technology blog and podcast()


    © Copyright 2013 Trend Micro Inc. All rights reserved. Legal Notice