Evolution of Zeus Botnet Part 2

Posted: December 17, 2012 in Articles

Part 1 here

Zeus Trojan HorseEvolution of Zeus Botnet Part 2

Zeus, version 2.1

At the same time, researchers from the company RSA discovered some facts that raise doubts about the words Slavik goes out of business. In August 2010, that is two months before the “official” announcement of the cessation of work on the Zeus, was discovered a botnet that was created with bot Zeus, who had version The investigation revealed that a set of specified version was not sold on the ‘black market’. Subsequent detection of this type of boat experts believe RSA is that this modification owned one person (or group of persons) – in contrast to the previous incidents configuration file bot version did not undergo significant changes over time (previously, each operator of a botnet based Zeus used his unique configuration file).

A key feature of Zeus was the change in the scheme due to the management server. Now the server addresses are not hard coded in the configuration file. The address list was formed by DGA (Domain Generation Algorithm – generation algorithm domain names). Previously, this technique often used in such samples VPO as Bobax, Kraken, Sinowal (aka Torpig), Srizbi and Conficker. Addresses generated by Zeus sought their command server. To protect against interception of management involves checking the digital signature file to be loaded during its renovation (just using Windows Crypto API). To do this in the code Zeus attended public key RSA 1024 bits.

Researchers at the RSA in 2011 were able to get access to one of the servers Zeus version Oniobnaruzhili that between August 2010 and August 2011, more than 210,000 computers to communicate with the server, which was transferred to 200 gigabytes of data from infected computers. About 42% of infected computers were in the U.S.. We also managed to find out that one way to log access to this command server was ‘Slavik’. Therefore, experts RSA suggest that Slavik actually started making their own botnet (possibly more than one).

File infector

The idea of ​​file infection was developed in malware PE_LICAT (Murofet classification Kaspersky Lab), Trend Micro discovered in October 2010. PE_LICAT is an advanced dropper Zeus, its main function – to download and run the new Zeus files from remote servers. In binaries introduced in 1771 bytes of malicious code. PE_LICAT uses the same mechanisms as in Zeus – DGA with the same algorithm and the process of verifying the signatures of downloaded file. A detailed description is given in the report DGA Trend Micro ‘File-Patching ZBOT Variants’ pdf, eng).

Briefly – The DGA function is used to create a hash of the Windows Crypto API. List of domains formed when running a special algorithm by hashing the current date and minutes (hour was not used). By the way, many sources mistakenly write then 800, then 1020 unique domains (these constants are actually used in the algorithm). In fact, there were only 60 per day (minutes multiplied by 17 and the remainder of the division was taken on the 1020, 1020/17 = 60).

Hashes are translated into ASCII codes and prefixes are added to this top-level domains. Biz,. Info,. Org,. Com,. Net, and line / forum. It should be noted that PE_LICAT not a virus in the truest sense of the word (as it classifies Kaspersky Lab) – he can not independently infecting files. Starts a file infection initiates Zeus family of 2.1, called the classification TSPY_ZBOT.BYZ Trend Micro.

Full cycle distribution was as follows:

– TSPY_ZBOT.BYZ started (automatically by visiting a site or by updating the previous version of Zeus);
– TSPY_ZBOT.BYZ extracts itself PE_LICAT;
– TSPY_ZBOT.BYZ with PE_LICAT infects executable files (including removable media).

Later TSPY_ZBOT.BYZ PE_LICAT and downloads a file version of Zeus TSPY_ZBOT.SMEQ (Classification Trend Micro) from the domains created DGA.

Followers of the case Zeus

Despite the statement Slavik to transfer all of the code, the source code of Zeus, since February 2011, was offered for sale. Finally in May 2011, was leaked source code of this version as freeware. The archive of the source files were missing:

– peinfector.cpp;
– peinfector.h;
– peloader32.asm;
– worm.cpp;
– worm.h.

It is assumed that this is the module PE_LICAT (Murofet).

Of course, once there are people who want to continue the initiated based on these sources. For example, we can mention the project ‘ICE IX’ (named as a virus from the movie “The Recruit”?), Which did not offer anything new, and was an attempt to make money on the famous name. But the “worthy” successor found it – the project Citadel. Its key feature was the creation of an online platform, organized on the principle of a social network. Here, customers can request new features, report bugs, and add your own modules, which makes the process of developing into a kind of opensource-project. Well organized system of technical customer support, expressed in constant support of Citadel to date.

Thus, the authors report that they tend to make less than the refresh cycle Citadel release cycle of new virus database, which allows a long time to show up on the infected computer. As the developers, the Citadel fixes are all available in earlier versions of Zeus flaws, including a module to collect data while working in Google Chrome. The addition was added, and the ability to record video.

First botnet-based Citadel was discovered in December 2011, the company’s researchers Securlet, now the number of botnet-based Citadel tens.

Then the base package Citadel sold for $ 2399, the price of ‘lease’ was $ 125 per month, additional modules are purchased separately. For example, $ 395 is a module that allows the bot automatically updated. Updates are distributed via Jabber, each update costs $ 15.

In October 2012, Citadel version (constructor bot and control panel) has been seen in public. Perhaps this leaked version is the original advertising campaign, as in the same month, there was a new version of the Citadel ‘Rain Edition’. User Guide for this version is available in the personal blog XyliBox, from it you can learn more about the opportunities, innovation, installation and configuration of the individual modules. Price of the underlying set of the latest version is $ 3391, which is 41% more than the original price of a year ago. As before, the monthly rent and modules are not included.

Of the last ‘high-profile’ events can be noted discovery in August 2012 the specialists of Trusteer bot Citadel, modified to attack the airport infrastructure. With the Citadel attackers can gain control of the VPN-secured connection between the PC airport employees who work remotely, and interfaces to a computer system designed to operate the airport. What exactly was the purpose of airport attacks were reported. Attack is carried out as follows – first caught the password and user name entered in the form of connection to the VPN.

Next is engaged simple univariate instead of two-factor authentication mode (by pressing the button ‘Get Image’). As a result, instead of a confirmation SMS to the user will be shown a picture (security code) to ten digits. The user then compares the password with a string of numbers in the image to create a ‘one-time’ password. Thus, a figure with check images (through screen shots) and password, as well as knowing the algorithm used to generate “one-time” password that is easy to calculate and enter the system.

An interesting fact that if the victim machine is used Russian or Ukrainian keyboard layout, Citadel itself is deactivated. It was noted earlier that the family of Zeus developing Russian-speaking programmers. What actually motivates creators – whether a ‘patriotism’, or because of unwillingness to fall into the field of view of domestic law enforcement agencies (known criminals applicable laws of the country where the crime happened.) On the other hand, Russia spread Internet banking and electronic payments via the Internet late in comparison with the West, so that the spread of banking Trojans would not have a large financial impact.

Part 3 here

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s