    Author Archive - Lord Alfred Remorin (Senior Threat Researcher)

    Since its emergence in 2007, ZBOT (also known as ZeuS) has become one of the most prevalent botnets and most widely distributed banking Trojans. The family is notorious as a credential-stealing toolkit: it uses form-grabbing through web injection to steal user credentials from legitimate websites, and it can capture screenshots, which defeats the on-screen (virtual) keyboards some banks use for authentication.

    At the AVAR conference in Sydney, I discussed how to decrypt the configuration files associated with ZBOT, which is helpful in carrying out investigation into ZBOT-related activities.

    The Evolution of ZBOT

    Over the years, we have seen countless changes to this Trojan. These changes include improved methods of propagation, infection, and evasion.

    For example, we saw ZBOT variants with the ability to self-propagate—a marked departure from its typical methods of arrival. Late last year, we made a connection between ZBOT and another notorious malware, Cryptolocker. We’ve also seen ZBOT variants that disable online banking security software in order to aid information theft.

    ZBOT variants have been known to display behavior that might seem “out of character” for the malware. We have seen ZBOT malware whose main goal was income generation via pay-per-click model. The phrase “out of character” could also be applied to ZBOT variants that teamed up with file infectors.

    ZBOT variants have also tried to change some of their underlying behavior to evade detection, including the use of random headers and different file extensions and changes to their encryption.

    In addition, the way it connects to C&C servers has evolved over the years. New methods such as the use of Tor or peer-to-peer networks have been seen as well.

    The Importance of Configuration Files

    For an attacker, the ZeuS toolkit makes it easy to configure servers and target banking websites using encrypted configuration files. From a security vendor's or researcher's perspective, gaining access to these files is important, as they contain data specific to a particular campaign.

    For example, the data found in configuration files can be used for identifying botnet administrators behind a ZeuS malware campaign.

    Decrypting ZeuS Configuration Files

    Because of this, we came up with a system that automates the decryption of ZeuS configuration files. This system extracts the important data found in the configuration files and stores it in our database. The stored data can then be used later for correlation and, as mentioned earlier, for identifying the botnet administrators behind a ZBOT malware campaign.

    We grouped the samples we collected by ZBOT variant and by the RC4 key used to decrypt the downloaded configuration file. The RC4 key is derived from the encryption key entered in the ZeuS builder when the bot is created, so samples sharing an RC4 key were built with the same key.

    Configuration files consist of a static configuration and a dynamic configuration. Together they contain information such as the botnet name string that identifies the owner of the bot, the list of targeted URLs, and the scripts used for form-grabbing.

    Based on the behavior of ZBOT malware samples, there are four main steps we need to accomplish to successfully automate decryption of downloaded configuration file:

    • Unpack ZBOT malware
    • Decode static configuration
    • Get a copy of encrypted dynamic configuration
    • Decode dynamic configuration
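    The following is an added example, not the automation system described in this post, showing the two decoding steps (static and dynamic configuration) and the grouping by RC4 key mentioned above. The RC4 key schedule and the byte-chaining "visual" layer applied around RC4 follow the leaked ZeuS 2.x source; the item container (4-byte id, 4-byte length, data), the item ids, the encryption keys and the sample configurations are constructed for this example and are not the real BinStorage layout. Unpacking the binary and capturing the downloaded blob (steps 1 and 3) are outside what can be shown offline.

```python
"""Decrypt ZeuS-style RC4 + "visual" encrypted configuration blobs and group
samples by the RC4 key that decrypts them (added example, not Trend Micro's
system; container layout, item ids and keys below are constructed)."""
import hashlib
import struct


def rc4_ksa(key: bytes) -> list[int]:
    """Key-scheduling algorithm: the 256-byte state the builder derives from
    its encryption key and embeds in the bot (the "RC4 key" we group on)."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return s


def rc4_crypt(state: list[int], data: bytes) -> bytes:
    """RC4 PRGA over a copy of the state; encrypt and decrypt are the same op."""
    s = list(state)
    i = j = 0
    out = bytearray()
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def visual_encrypt(data: bytes) -> bytes:
    """Forward byte chaining b[i] ^= b[i-1], applied by the builder before RC4."""
    b = bytearray(data)
    for i in range(1, len(b)):
        b[i] ^= b[i - 1]
    return bytes(b)


def visual_decrypt(data: bytes) -> bytes:
    """Inverse chaining: walk backwards so each XOR sees the original neighbour."""
    b = bytearray(data)
    for i in range(len(b) - 1, 0, -1):
        b[i] ^= b[i - 1]
    return bytes(b)


def pack_items(items: dict[int, bytes]) -> bytes:
    """Constructed container: id (u32 LE) | length (u32 LE) | data, repeated."""
    return b"".join(struct.pack("<II", k, len(v)) + v for k, v in items.items())


def parse_items(blob: bytes) -> dict[int, bytes]:
    """Parse the constructed container; refuse to read past the end (a wrong
    key yields garbage lengths, which this turns into a ValueError)."""
    items, off = {}, 0
    while off < len(blob):
        if off + 8 > len(blob):
            raise ValueError("truncated item header")
        item_id, length = struct.unpack_from("<II", blob, off)
        off += 8
        if off + length > len(blob):
            raise ValueError("truncated item data")
        items[item_id] = blob[off:off + length]
        off += length
    return items


def build_config(state: list[int], items: dict[int, bytes]) -> bytes:
    """Builder side: serialise, visual-encrypt, then RC4."""
    return rc4_crypt(state, visual_encrypt(pack_items(items)))


def decrypt_config(state: list[int], blob: bytes) -> dict[int, bytes]:
    """Bot/analyst side: RC4, visual-decrypt, then parse."""
    return parse_items(visual_decrypt(rc4_crypt(state, blob)))


def key_fingerprint(state: list[int]) -> str:
    """Stable identifier for an RC4 state so samples built with one key cluster."""
    return hashlib.sha256(bytes(state)).hexdigest()[:16]


def group_by_key(samples: dict[str, bytes], keys: list[bytes]) -> dict[str, list[str]]:
    """Try each known builder key on each sample; accept only a parse that
    contains the botnet-name item.  Returns {key fingerprint: [sample names]}."""
    groups: dict[str, list[str]] = {}
    for name, blob in samples.items():
        for key in keys:
            state = rc4_ksa(key)
            try:
                cfg = decrypt_config(state, blob)
            except ValueError:
                continue
            if ITEM_BOTNET in cfg:
                groups.setdefault(key_fingerprint(state), []).append(name)
                break
    return groups


# Constructed sample data: two builder keys, three "downloaded" configs.
ITEM_BOTNET, ITEM_TARGETS, ITEM_WEBINJECT = 1, 2, 3
KEY_A, KEY_B = b"encryption_key_one", b"encryption_key_two"
CONFIG_A = {
    ITEM_BOTNET: b"campaignA",
    ITEM_TARGETS: b"https://bank.example/login\nhttps://pay.example/auth",
    ITEM_WEBINJECT: b"set_url https://bank.example/login GP\ndata_before\n<form\ndata_end",
}
CONFIG_B = {ITEM_BOTNET: b"campaignB", ITEM_TARGETS: b"https://other.example/"}
SAMPLES = {
    "sample1.bin": build_config(rc4_ksa(KEY_A), CONFIG_A),
    "sample2.bin": build_config(rc4_ksa(KEY_A), {**CONFIG_A, ITEM_BOTNET: b"campaignA2"}),
    "sample3.bin": build_config(rc4_ksa(KEY_B), CONFIG_B),
}

if __name__ == "__main__":
    for fp, names in group_by_key(SAMPLES, [KEY_A, KEY_B]).items():
        print(fp, names)
```

The plausibility check in `group_by_key` matters in practice: RC4 with the wrong key produces output of the same length with no error, so the decryptor needs a structural test (here, a clean parse plus an expected item) before it records a key match.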


    We found that our system has a 79.44% success rate in decrypting the configuration files of known ZBOT variants (719 of 905 identified samples). For the remaining 20.55%, we still lack the modules needed to fully decrypt their configuration files.

    Having a system that automatically decrypts the configuration files of ZeuS binaries can be helpful in investigating the active administrators of ZeuS botnets. But of course, information acquired from decrypted configuration files is of little use unless we correlate it with information from other systems.

    For example, an investigation targeting a cybercriminal or cybercrime group can start by looking for active bot administrators that have been using the same RC4 key. The information can also serve as an indicator of which banking websites are usually targeted by ZBOT malware.

    Posted in Malware | Decrypting ZBOT Configuration Files Automatically

    Earlier this week, the Federal Bureau of Investigation announced that an international effort had disrupted the activities of the peer-to-peer (P2P) variant of ZeuS/ZBOT known as “Gameover.” Trend Micro was one of the parties that was involved in this effort to disrupt the activities of this well-known online banking Trojan.

    Gameover is well known for its resilience to takedowns. This is due to its peer-to-peer command-and-control (C&C) architecture, in contrast to other ZeuS variants (such as IceIX, Citadel and KINS) that employ centralized C&C servers.

    Gameover is based on the source code of ZeuS, which was leaked in May 2011. However, it differs significantly from other malware families (like Citadel and KINS) that are also based on the leaked source code. Typically, a ZeuS malware only connects to a specific C&C server defined in its configuration file. If that server is no longer accessible, the ZBOT malware will be unable to download the dynamic configuration file that contains the targeted banking URLs.

    The first ZBOT variant with P2P capabilities was seen in late September 2011, and was detected as TSPY_ZBOT.SMQH. Users were lured into clicking a malicious link pointing them to a website that served the Blackhole Exploit Kit (BHEK). BHEK was an exploit kit known for using various software vulnerabilities; at the time it was the most common exploit kit in use.

    More recently, Gameover variants still propagate via spam mails, but with the help of other malware like UPATRE, which downloads encrypted executable files to bypass firewall filters. Some of these newer variants are detected as TSPY_ZBOT.ABTE. UPATRE is a downloader commonly seen in email attachments that retrieves other malware onto infected systems.

    Based on our investigation, Gameover builders are not sold to individuals. Instead, they are privately operated, which means only one Gameover botnet is running, compared to the multiple botnets that power other ZeuS variants. Gameover has been using the same RC4 key to decrypt the downloaded configuration file since it was first discovered; this also makes Gameover resistant to takedowns, as the entire botnet can quickly share new configuration files and updated versions.

    Infection Flow

    Gameover initially decrypts the static configuration, which contains the hardcoded peers and the RC4 key used to decrypt the downloaded configuration file. Usually 20 IP addresses, each with its own port and communication key, are listed in the static configuration.

    It queries the hardcoded peers to check which are still alive, and connects to the botnet network through one that responds. Once connected to a peer, it can download an updated configuration file, an updated binary, and a list of peer IPs.

    If all 20 peers are dead, Gameover will still try to reach its C&C server. To find this server, it uses a domain generation algorithm (DGA) that produces a new set of domains at the start of every week, making it more resilient to takedowns.
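    The following is an added example, not code from this post or from the Gameover malware, modelling the fallback order just described: try the hardcoded peers first, and only if none answers fall back to a weekly-seeded DGA. The DGA here is illustrative only; it is not Gameover's actual algorithm, which the post does not reproduce. The seed construction (Monday's date), the hash, label lengths, TLD list, domain count, and the constructed TEST-NET peer list are all assumptions of the example. What it demonstrates is the defender-side consequence of a weekly seed: the whole week's domain set can be precomputed for sinkholing or blocking.

```python
"""Peer-first rendezvous with weekly-seeded DGA fallback (added example;
illustrative DGA, NOT Gameover's real algorithm; peers, TLDs, hash and
label lengths are assumptions)."""
import datetime as dt
import hashlib

TLDS = ("com", "net", "org", "biz")  # assumed TLD set
DOMAINS_PER_WEEK = 1000               # assumed count


def _as_date(day) -> dt.date:
    return day if isinstance(day, dt.date) else dt.date.fromisoformat(day)


def week_seed(day) -> bytes:
    """The seed is the ISO week's Monday, so every day of the week shares
    one seed and the generated set changes only at the start of the week."""
    d = _as_date(day)
    monday = d - dt.timedelta(days=d.weekday())
    return monday.isoformat().encode()


def dga(day, count: int = DOMAINS_PER_WEEK, secret: bytes = b"") -> list[str]:
    """Derive `count` domains from the weekly seed.  Anyone holding the same
    seed scheme and secret (bot or defender) reproduces the identical list."""
    seed = week_seed(day) + secret
    domains = []
    for i in range(count):
        h = hashlib.sha256(seed + i.to_bytes(4, "little")).digest()
        length = 12 + h[0] % 8                      # 12..19 letters (assumed)
        label = "".join(chr(97 + b % 26) for b in h[1:1 + length])
        domains.append(f"{label}.{TLDS[h[31] % len(TLDS)]}")
    return domains


def rendezvous(peers, probe, day):
    """Fallback order from the post: hardcoded peers first, DGA only if all
    are dead.  `probe(ip, port) -> bool` is a caller-supplied liveness check;
    real code would exchange the per-peer key, which is out of scope here."""
    for ip, port, _key in peers:
        if probe(ip, port):
            return ("peer", f"{ip}:{port}")
    return ("dga", dga(day))


def weekly_blocklist(day) -> set[str]:
    """Defender side: precompute the week's domains once and block/sinkhole them."""
    return set(dga(day))


# Constructed static-config peer list (TEST-NET addresses, made-up ports/keys).
PEERS = [
    ("192.0.2.10", 4242, "peerkey0"),
    ("192.0.2.11", 8421, "peerkey1"),
    ("192.0.2.12", 4243, "peerkey2"),
]

if __name__ == "__main__":
    all_dead = lambda ip, port: False
    kind, target = rendezvous(PEERS, all_dead, "2014-06-02")
    print(kind, target[:3] if kind == "dga" else target)
    print(len(weekly_blocklist("2014-06-02")), "domains to sinkhole this week")
```

Because the seed rolls over on Monday, a blocklist computed on Sunday is stale the next day; a sinkhole operator has to regenerate and register the new set before the bots do, which is exactly the race the weekly renewal is designed to create.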

    ZBOT-CryptoLocker Ties

    The disruption of Gameover also damaged another malware threat, CryptoLocker. In October 2013, we spotted a spam campaign that illustrated how ZeuS and CryptoLocker are connected. The spammed message contained a UPATRE variant, which downloaded a ZeuS variant, which in turn downloaded CryptoLocker onto the system as the final payload of the infection chain.

    As we've mentioned before, CryptoLocker is a ransomware family known for encrypting certain files and locking the system it infects. Once the system is infected, the user is asked to pay a "ransom" to regain access to their files. Some of the payment methods used include:

    • Bitcoin
    • cashU
    • MoneyPak
    • Ukash

    The latest Gameover update also contains a notorious rootkit family, NECURS. The purpose of installing NECURS is to protect the files, registry entries and processes related to the Gameover malware, making it more arduous to remove.

    Trend Micro protects users from this via its Smart Protection Network that detects the malicious files and spammed messages, and blocks all related URLs.

    We have created various Trend Micro tools for GOZ and CryptoLocker, which can be accessed via the link above.
