Win32/Zeus (alias Zbot)

Forum for analysis and discussion about malware.

Re: Win32/Zeus (alias Zbot)

Postby unixfreaxjp » Tue Mar 25, 2014 2:33 am

Here's "a way" to stop/block/track/nail Gameover: http://blog.malwaremustdie.org/2014/03/ ... rooks.html
Positively PoC and confirmed. Let's hammer this weak point together, and please write more posts about this threat.
Let's see them suffer the strike back from the engineers, security and researcher community.
unixfreaxjp
 
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm
Reputation point: 89

Re: Win32/Zeus (alias Zbot)

Postby unixfreaxjp » Wed Mar 26, 2014 12:08 am

Kimberly wrote: Which is easy ... don't allow Windows Explorer to access the internet ;)

In this case, I must disagree with this WRONG fact.
Why? Even when connected to the internet, the GMO's DGA will be rapidly requested; this works for the sample whose hashes I mentioned and announced. It has the special purpose which I posted in detail here: http://blog.malwaremustdie.org/2014/03/ ... rooks.html

In addition, for the sake of good research in fighting malware, I'd say, instead of making a quick comment on someone's serious research posts, one should investigate things deeper before stating something, otherwise that will only point to wrong information. I reversed & tested all the stuff all over again (and again) to prove my own statement above. I challenge anyone who can prove me otherwise using the verdicted sample's hash investigated and posted.

@unixfreaxjp
unixfreaxjp
 
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm
Reputation point: 89

Re: Win32/Zeus (alias Zbot)

Postby Kimberly » Sun Mar 30, 2014 4:42 pm

I don't know why I have to justify myself. If I have spare time I'll make a video of what I'm saying.

"The binary starts by sending out a request to Google, probably to test the internet connectivity of the computer. Next, a series of hardcoded peers are contacted to obtain its configuration file, updates and an active list of peers. If none of the peers can be reached, GameOver falls back to a Domain Generation Algorithm (DGA) that creates around 1000 pseudorandom domains per day."

http://stopmalvertising.com/spam-scams/ ... eover.html

Block with a decent firewall and you'll only get DGA.

Kimberly
 
Posts: 14
Joined: Sun Dec 01, 2013 12:49 pm
Reputation point: 0
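The quoted stopmalvertising description says that once the hardcoded peers are unreachable GameOver falls back to a DGA producing roughly 1000 pseudorandom domains a day, which is exactly what a blocked host ends up doing. Seen from the resolver, that fallback is a burst of distinct, random-looking names all answered NXDOMAIN. The following detector is an added example, not code from the thread or from any of the sites linked above; the log line format, the window size and the entropy threshold are assumptions, and the log itself is constructed.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed resolver log (not from the thread); assumed line format:
# "<epoch> <client_ip> <qname> <rcode>"
SAMPLE_LOG = """\
1396191600 10.0.0.5 www.google.com NOERROR
1396191601 10.0.0.5 qhtvnmdklsyxwpe.com NXDOMAIN
1396191601 10.0.0.5 bzoeuqkjmtlvryd.net NXDOMAIN
1396191602 10.0.0.5 lkdhwpaomzvgxqr.org NXDOMAIN
1396191602 10.0.0.5 tyvmbxqwnekolsd.biz NXDOMAIN
1396191603 10.0.0.5 rpqeoxwbnzdlvmk.info NXDOMAIN
1396191605 10.0.0.9 typo-exmaple.com NXDOMAIN
"""
LINE_RE = re.compile(r"^(\d+) (\S+) (\S+) (\S+)$")

def parse_log(text):
    """Yield (timestamp, client, qname, rcode); malformed lines are skipped."""
    for line in text.splitlines():
        if m := LINE_RE.match(line.strip()):
            yield int(m.group(1)), m.group(2), m.group(3), m.group(4)

def label_entropy(qname):
    """Shannon entropy (bits/char) of the second-level label, the part a DGA randomises."""
    label = qname.rstrip(".").split(".")[-2:][0]
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in Counter(label).values())

def find_dga_hosts(records, window=60, min_domains=5, min_entropy=3.0):
    """Return {client: (distinct_nxdomain_names, mean_entropy)} for suspected DGA fallback."""
    failures = defaultdict(list)
    for ts, client, qname, rcode in records:
        if rcode == "NXDOMAIN":  # successful lookups never count
            failures[client].append((ts, qname))
    flagged = {}
    for client, events in failures.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1  # slide the window forward
            names = {q for _, q in events[start:end + 1]}
            if len(names) < min_domains:
                continue
            mean_ent = sum(label_entropy(q) for q in names) / len(names)
            if mean_ent >= min_entropy:  # many random-looking misses in one window
                flagged[client] = (len(names), round(mean_ent, 2))
                break
    return flagged
```

The single typo'd NXDOMAIN from 10.0.0.9 stays below the threshold, while the blocked host's burst of random labels is flagged; on a real resolver the thresholds need tuning against the normal NXDOMAIN noise of the network.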

Re: Win32/Zeus (alias Zbot)

Postby Xylitol » Tue Apr 01, 2014 10:00 am

https://zeustracker.abuse.ch/monitor.ph ... ugu.gov.tr
https://www.virustotal.com/en/file/924c ... 396346350/
Code:
72 D8 42 AC B0 EA 0B 24 58 5B B1 E2 20 74 3B 0A 50 D9 AB 0E 8E CC E6 32 4E CF A8 CD 2B 26 54 67 5A DF BE AD 36 3E AA 56 B3 FA 8C 5D 1A 06 B8 FF 90 1D 28 38 4A A9 96 A3 10 BC 0C 83 D5 86 85 19 2C 7C 44 34 80 D6 66 FD 60 B7 D4 9E C2 A2 55 E3 78 DC 30 DD 6D 22 7A A0 7E 77 25 41 8B 75 C0 63 01 13 73 08 AE 5F 52 CE F0 6E 53 9A A1 16 F7 9D 4D E9 5C 43 C8 CA 7D 1B 2D 35 A5 98 2E 03 D1 27 84 12 B2 6F C7 57 C6 59 39 C1 14 C5 FE 05 23 18 37 00 C4 F6 45 09 71 11 CB 31 F1 DA C3 70 B4 76 17 4B BB 9F 15 BA 89 40 51 7B BD 5E 1E 21 E0 6A 94 95 D7 92 D3 BF 8D DB 68 E7 EB EE A6 04 49 EC 1F 46 B5 48 A4 99 0D 2A B6 4C 3A 82 9C C9 A7 81 1C F4 D0 29 3F E1 69 2F ED 9B 88 33 8F 64 3C 0F 6B F3 61 62 3D FC 07 7F 93 E5 E8 E4 D2 47 02 EF 97 B9 65 F9 79 4F 6C 91 87 AF F5 FB F2 8A F8 DE
Xylitol
Global Moderator
 
Posts: 1615
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society
Reputation point: 476

Re: Win32/Zeus (alias Zbot)

Postby Kimberly » Tue Apr 01, 2014 2:44 pm

unixfreaxjp wrote:
Kimberly wrote: Which is easy ... don't allow Windows Explorer to access the internet ;)

In this case, I must disagree with this WRONG fact.
Why? Even when connected to the internet, the GMO's DGA will be rapidly requested; this works for the sample whose hashes I mentioned and announced. It has the special purpose which I posted in detail here: http://blog.malwaremustdie.org/2014/03/ ... rooks.html

In addition, for the sake of good research in fighting malware, I'd say, instead of making a quick comment on someone's serious research posts, one should investigate things deeper before stating something, otherwise that will only point to wrong information. I reversed & tested all the stuff all over again (and again) to prove my own statement above. I challenge anyone who can prove me otherwise using the verdicted sample's hash investigated and posted.

@unixfreaxjp

ZeuS GameOver
https://www.virustotal.com/en/file/b748 ... /analysis/

Andromeda
https://www.virustotal.com/en/file/138f ... /analysis/
https://www.virustotal.com/en/file/81f3 ... /analysis/

FYI, I've added a video that shows that by not allowing Windows Explorer to access the internet straight away, you can FORCE GameOver to start using the DGA instead of the hardcoded peers. So tell me again that I am wrong ...
http://stopmalvertising.com/spam-scams/ ... ktail.html
Kimberly
 
Posts: 14
Joined: Sun Dec 01, 2013 12:49 pm
Reputation point: 0

Re: Win32/Zeus (alias Zbot)

Postby Xylitol » Sun Apr 20, 2014 11:59 am

CyberCrime & Doing Time: Zeus Criminals charged in Omaha, Nebraska ~ http://garwarner.blogspot.fr/2014/04/ze ... raska.html
Xylitol
Global Moderator
 
Posts: 1615
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society
Reputation point: 476

Re: Win32/Zeus (alias Zbot)

Postby Xylitol » Mon Apr 21, 2014 10:20 am

Comodo AV Labs Identifies Dangerous Zeus Banking Trojan Variant ~ https://blogs.comodo.com/e-commerce/com ... us-trojan/
Xylitol
Global Moderator
 
Posts: 1615
Joined: Sat Apr 10, 2010 5:54 pm
Location: Seireitei, Soul Society
Reputation point: 476

Re: Win32/Zeus (alias Zbot)

Postby Mad_Dud » Tue Apr 22, 2014 8:43 am

According to Fortinet - P2P Zeus Performs Critical Update

On April 8, our monitoring system found that the version number included in the encrypted TCP packet has been updated to 0x3B.

Apart from its original functions of banking information stealing, process injection, and so on, the new binary would also drop a rootkit driver file into the %SYSTEM32%\drivers folder. The rootkit basically hides the P2P Zeus and prevents the deletion of its binary and its autorun registry entries.
Mad_Dud
 
Posts: 6
Joined: Thu Jun 06, 2013 3:15 pm
Reputation point: 0

Re: Win32/Zeus (alias Zbot)

Postby patriq » Fri Jul 18, 2014 9:04 pm

Pulled some fresh samples from a machine on 16 July 2014.

MBAM detected the following:

Code:
C:\Users\user\AppData\Local\gemnoss.dll (Trojan.LVBP.ED)
C:\Users\user\AppData\Local\Temp\UpdateFlashPlayer_6645eca2.exe (Spyware.Zbot.MSXGen)
C:\Users\user\AppData\Local\Temp\UpdateFlashPlayer_78592a43.exe (Spyware.Zbot.MSXGen)
C:\Users\user\AppData\Local\Temp\~tmf2127146759064854445.tmp (Trojan.Kelihos)
C:\Users\user\AppData\Local\Temp\~tmf3312036165669406964.tmp (Trojan.Kelihos)
C:\Users\user\AppData\Local\Temp\~tmf5105604272230926991.tmp (Trojan.Kelihos)
C:\Users\user\AppData\Roaming\Geevyq\akewd.exe (Spyware.Zbot.VXGen)


Even after removing these and cleaning up autoruns, the malware would return. I assume it's rootkit-ed, but I can't find the rootkit driver file. I'm not that skilled, so I only used GMER, but it finds nothing.

The ZeuS samples spawned an Adobe Flash update install which was legit as far as I can see... so, I guess thanks for that..? :-D

Also, my VirtualBox Win7 install has "GuestAdditions" and no anti-VM patching. I would have thought the malware looked for that and won't run..



Anyway, samples are attached.
patriq
 
Posts: 109
Joined: Fri Jun 28, 2013 8:11 pm
Reputation point: 22

Re: Win32/Zeus (alias Zbot)

Postby unixfreaxjp » Wed Sep 10, 2014 3:07 pm

@Xylit0l @EP_X0FF
I am sorry, I made a mistake! This variant is not for the Zbot thread. I know how this works but I don't know what this is (T T)
Please kindly help to move it to the proper threat topic.

A few hours ago this campaign via spam was spotted:
The attachment (downloader part): https://www.virustotal.com/en/file/595b ... /analysis/
It downloads the set: https://www.virustotal.com/en/file/d45e ... 410358503/
Distribution details and CNC information I wrote in VT & the pictures; please bear with the hurried pace...
Last edited by unixfreaxjp on Wed Sep 10, 2014 5:58 pm, edited 1 time in total.
unixfreaxjp
 
Posts: 501
Joined: Thu Apr 12, 2012 4:53 pm
Reputation point: 89
