The evolution of Zeus. Part ii

    Start here .

    File infector


    The idea of ​​file infection was developed in the malware PE_LICAT, discovered by Trend Micro in October 2010. PE_LICAT is an advanced Zeus dropper, its main function is to download and launch new Zeus files from remote servers. 1771 bytes of malicious code are embedded in executable files. PE_LICAT uses the same mechanisms as in Zeus 2.1.0.10 - DGA with an identical algorithm and the procedure for checking the signature of the downloaded file. For a detailed description of the DGA, see Trend Micro's “File-Patching ZBOT Variants” pdf, eng).

    In short - the DGA uses the hash function from the Windows Crypto API. The list of domains was formed at start-up according to a special algorithm by hashing the current date and minute (an hour was not used). By the way, many sources mistakenly write either 800 or 1020 unique domains (these constants are really used in the algorithm). In fact, there were only 60 of them per day (minutes were multiplied by 17 and the remainder of the division by 1020, 1020/17 = 60 was taken). Hashes were converted to ASCII codes and prefixes of top-level domains .biz, .info, .org, .com, .net, and the / forum line were added to them. It should be noted that PE_LICAT is not a virus in the literal sense of the word (as Kaspersky Lab classifies it) - it is not able to infect files on its own. The start of the file infection procedure is initiated by Zeus from the 2.1 family, called TSPY_ZBOT.

    The full distribution cycle was as follows:
    TSPY_ZBOT.BYZ starts (automatically by visiting a site or as a result of updating with a previous version of Zeus);
    TSPY_ZBOT.BYZ extracts PE_LICAT;
    TSPY_ZBOT.BYZ infects executable files (including removable media) with PE_LICAT.
    Subsequently, TSPY_ZBOT.BYZ and PE_LICAT downloaded the Zeus file version TSPY_ZBOT.SMEQ (according to Trend Micro classification) from domains created by DGA.

    Followers of Zeus


    Despite Slavik's announcement of the transfer of the entire code , the source code of Zeus 2.0.8.9, starting in February 2011, began to be offered for sale. As a result, in May 2011, the source code of this version was leaked for free access. In the archive with the sources, some files were missing:

    • peinfector.cpp;
    • peinfector.h;
    • peloader32.asm;
    • worm.cpp;
    • worm.h.

    It is assumed that this is the PE_LICAT module (Murofet).

    Naturally, people immediately appeared who wanted to continue what was started on the basis of these sources. For example, we can mention the project "ICE IX"(named as a virus from the movie "Recruit"?), which did not offer anything new and was an attempt to earn money on a famous name. But a “worthy” follower was found, this is a Citadel project. Its key feature was the creation of an online platform organized on the principle of a social network. Here, customers can request new functions, report errors and add their own modules, which turns the development process into a kind of opensource project. A customer support system is also being organized, which is expressed in the ongoing support of Citadel. Thus, the authors report that they seek to make the Citadel update cycle less than the release cycle of new anti-virus databases, which allows them to remain undetected for a long time on an infected computer. According to the developers, Citadel has fixed all flaws in early versions of Zeus, including the data collection module when working in Google Chrome. In addition, the ability to record and transmit video was added.

    For the first time, a Citadel-based botnet was discovered in December 2011 by Securlet researchers, and now there are dozens of Citadel-based botnets.

    Then the base Citadel package was sold for $ 2399, the price of the "rent" was $ 125 per month, additional modules are bought separately. For example, $ 395 costs a module that allows the bot to update automatically. Updates are distributed through Jabber, each update costs $ 15.

    In October 2012, Citadel version 1.3.4.5 (bot designer and control panel) was seen in the public domain. Perhaps this version leak is a kind of advertising campaign, since in the same month a new version of Citadel 1.3.5.1 “Rain Edition” was released. The user guide for this version is available on the XyliBox personal blog., from it you can find out details about the capabilities, innovations, installation and configuration of individual modules. The price of the basic set of the latest version is $ 3391, which is 41% more than the original price a year ago. As before, monthly rent and modules are paid separately.

    Of the recent “high-profile” events, the Citadel bot, modified for attacks on the airport infrastructure, was discovered in August 2012 by Trusteer specialists. Using Citadel, cybercriminals can gain control over a secure VPN connection between a remote airport employee’s PC and computer system interfaces designed to operate the airport. Which airport became the target of the attack is not reported. The attack is carried out as follows - first, the password and username entered into the VPN connection form are intercepted. Next, a simplified one-factor authentication mode is used instead of two-factor authentication (by clicking on the “Get Image” button). As a result of this, instead of confirmation by SMS, the user will be shown a picture (verification code) with ten digits. The user then matches his password with a string of numbers in the image to create a “one-time” password. Thus, having received the numbers from the verification image (by means of screenshots) and the password, as well as knowing the algorithm for generating the “one-time” password, you can easily calculate it and log in.

    An interesting fact is that if a Russian or Ukrainian layout is used on the attacked computer, Citadel will automatically deactivate it. It was previously noted that the Zeus family is being developed by Russian-speaking programmers. What really drives the creators is either a kind of “patriotism”, or because of a reluctance to get into the field of view of domestic law enforcement agencies (as you know, the law applies to the country where the crime occurred). On the other hand, in Russia, the spread of Internet banking and electronic payment systems via the Internet is late compared to Western countries, so the spread of banking Trojan programs would not have much financial return.

    Zeus, version 3 - Gameover


    In Zeus 2.1, an attempt was made to get away from a rigidly defined command center and switch to a management system (using DGA) that is more protected from the actions of antivirus companies. As it turned out later, the creators of Zeus continued their research in this area.

    In October 2011, Roman Hussi, creator of ZeusTracker , while researching the latest Zeus variant, noticed strange UDP traffic. Further analysis revealedthat the new Zeus version had several IP addresses in the configuration block, and computers with these IPs responded to the infected system. Within 24 hours, about 100 thousand unique IP addresses were identified, with which the new modification was associated. Most of the infected computers were located in India, Italy and the USA. So it was found that Zeus switched to using a P2P mechanism for updating itself and its configuration data blocks. Due to the use of the script name gameover.php when calling the command center, the name Gameover Zeus is used for this version. This is quite symbolic - as you can see, the “games” with Zeus are long over.

    The Zeus P2P (ZP2P) mechanism was based on the Kademlia protocol. The computer (node) in the ZP2P network was identified by a unique identifier (UID) that was created during the first start-up. Each Zeus instance in ZP2P had a “neighbor table” stored in memory. This array contains a list of about 30 neighboring nodes in the ZP2P network - their UID, IP address and UDP port number. The ZP2P network used several types of connections:

    • to exchange information about the version of the configuration data block (UDP);
    • to exchange information about nodes in the neighbor table (UDP);
    • for exchanging binary data - the main module and blocks of configuration data (using the TCP protocol).

    DGA has undergone some changes, in particular, the top-level domains became 6 - ru, com, biz, info, org, net ( source ). DGA was used as a "safety" option if communication could not be established through ZP2P. Ultimately, blocks of configuration data were distributed only through ZP2P, which made it difficult to identify control centers. By the way, control centers were now more a repository of stolen information and statistics than a panel for sending bots to teams.

    In February 2012, Symantec researchers discoveredanother version of Zeus using ZP2P. This modification contained a built-in web server based on Nginx. Communication protocols in ZP2P began to use only UDP, to make Zeus data stream tracking difficult. Now the bot got the ability to download executable files via the HTTP protocol from other bots. Thus, each bot could act as a kind of command center or act as an intermediary (proxy) in the control chain. The same technique was used in the Waledac / Kelihos version C botnet, which was revived in early 2012 - two years after the closure with the assistance of Microsoft and a number of antivirus companies in 2010.

    Interestingly, the ZP2P botnet was used to distribute two third-party malicious programs - a fake antivirus and a proxy server, which Zeus had not noticed before. In order to evaluate the distribution of this version of Zeus, Symantec experts monitored the operation of the ZP2P network. In the period from April to July 2012, 678.205 unique UIDs and 1,570.871 unique IPs were recorded. Not all of the IP data was available, due to being behind a firewall or nat. In addition, ISPs use a pool of dynamic addresses, so different IP addresses from the range of the pool could belong to the same UID. The largest number of infections occurred in the United States (29.2%).

    As before, the main source of infection was letters containing links to malicious sites, most often redirecting browser requests to the BlackHole exploit pack. Thanks to this, the installation of malware occurs without any user action (other than viewing the infected page). But this time BlackHole didn’t download P2P Zeus to computers, but Pony’s trojan downloader. Pony is another crimeware whose main function is to download and launch malware bypassing anti-virus protection tools. Pony has its own admin panel, which displays statistics on successful downloads and launches. Thus, the installation of P2P Zeus was as follows:

    • the user receives an email with a link to a malicious site;
    • By going to this site, BlackHole initiates the launch of the Pony bootloader on the user's computer;
    • Pony contacts its team servers and receives instructions from it to download the Zeus file itself (from three different servers).

    As you can see, the developers of Zeus have done a great job to improve the management of their "brainchild." Control mechanisms have gone through several stages in their development:

    • hard-coded servers (ver 1 and 2);
    • Using DGA to access dynamically generated domain names (ver 2.1 or 2+);
    • DGA and a hybrid P2P scheme, where bots communicate with each other and the server (version 3 or Gameover Zeus).

    Continued here .

    Also popular now: