jueves, 22 de agosto de 2013

ZeuS: Because not all is banking

Last week, security researchers published a post regarding a new variant of ZeuS which took advantage of the fact that people is willing to gain popularity via Instagram "likes" even if they have to pay big bucks for it. This unusual behavior for a ZeuS does not seems to be exclusive to that variant as we have been following for a while another one that exhibits a similar behaviour and does not target traditional entities.

The first thing that caught our attention was that it did not inject itself into explorer.exe; instead, it created two visible process:


The first one: winsec32.exe, is located within %windir%/system32/ while the other is a typical ZeuS process with a pseudo-random name located within the usual path. Both are equal, however, the functionality of the first process seems limited to the monitorization and launch of the second one in case it is not running by whatever reason:
C:\WINDOWS\system32\winsec32.exe" -service "C:\Documents and Settings\\Application Data\Xuzove\efybym.exe
Besides that, it also manages to survive reboots by creating a new task:
Service: Security Center Server - 1972840912 (SecurityCenterServer1972840912) - OperA software - C:\WINDOWS\system32\winsec32.exe
Note: This is why, in an moment of inspiration, we called it "ZeuS Tasks"; the fact that it does not inject into explorer.exe reminded us an old variant seen about two years ago with visible processes, which contained this hidden message for reversers within the static config:


Anyway, the second process is the actual trojan, which, as stated above, seems to be Click Fraud oriented. Before getting down to work, let's see which are the main differences with regards to an standard ZeuS:

First of all, the static -or embedded- config is not managed as usual by the trojan, starting with the fact that is not XORed:


Within it we can find at least two different RC4 IVs and the hardcoded C&C URLs which, unlike the rest of ZeuS strains, do not have a path which points to a config:


Which can be confirmed by looking at the network traffic which shows many request with quite short responses that obiously are not ciphered config files:


We would like to remark the way it communicates with its C&C because we think is quite interesting. It encrypts the payload each time with a random RC4 key that is initialized from a combination of a Mersenne twister plus a time generated seed:


Then it sends the pseudo-random part of the key to the C&C so it can generate the same key and can hence decipher the payload and cipher the response with the command.

The only type of commands we have seen so far are like this:
{"status":"OK","data":{"tasks":[{"_id":{"$oid":"5214eb45db58c205d80481ee"},"bid":0.001326,
"dsturl":"hxxp://[advertisingsite]/click?url=aHR0cDovLzk1LjIxMS4xOTMuMTUvP2NsaWQ9M3Q5cDFxazNvMjZ6Mg==&h=Y2MxMnwxMjczfDIwMTMtMDgtMjE=&d=ZW1iZWRyLmNvb"...

All the URLs received are loaded in background to avoid arousing suspicion. The URLs usually points to an advertise site or a fake blog like this one:


Pages in which every link points to a different advert.

So here we have another example of the leaked source code of ZeuS being used for an unusual and, maybe less risky than banking, goal. Showing us that this is still one of the most loved trojans.

Note: Originally published on S21sec's blog

--
Follow me on Twitter: @smvicente