
Evolution of Zeus. Part II

Start here.

File infector


The idea of infecting files was developed in the PE_LICAT malware detected by Trend Micro in October 2010. PE_LICAT is an advanced Zeus dropper whose main function is to download and launch new Zeus files from remote servers; 1771 bytes of malicious code are embedded in executable files. PE_LICAT uses the same mechanisms as Zeus 2.1.0.10: a DGA with the same algorithm and the same signature-verification procedure for the downloaded file. A detailed description of the DGA is given in the Trend Micro report “File-Patching ZBOT Variants” (PDF, English).

In short, the DGA uses a hash function from the Windows Crypto API. The list of domains was built at launch by hashing the current date and minute (the hour was not used). Many sources erroneously write that 800 or 1020 unique domains were generated; these constants do appear in the algorithm, but in fact there were only 60 per day: the minute value was multiplied by 17 and reduced modulo 1020, and 1020/17 = 60, so only 60 distinct seeds are possible. The hashes were converted into ASCII strings, and the top-level domains .biz, .info, .org, .com and .net plus the string /forum were appended to them. It should be noted that PE_LICAT is not a virus in the strict sense of the word (as Kaspersky Lab classifies it): it cannot infect files on its own. The file-infection procedure is started by Zeus from the 2.1 family, called TSPY_ZBOT.BYZ in the Trend Micro classification.
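The following is an added example, not code from the article or from the PE_LICAT sample, that shows why the per-day candidate space is 60 seeds (300 URLs across the five TLDs) rather than 800 or 1020, which is what makes precomputing a daily blocklist or sinkhole list feasible for a defender. The multiplier 17, modulus 1020, TLDs and the /forum path are taken from the article; the hash algorithm, its input layout and the hash-to-letters mapping are not given in the article, so the `placeholder_label` function uses MD5 of a constructed string and an a-z mapping purely as an assumption so the enumeration can run. It will not reproduce the real domains.

```python
import hashlib

# Constants quoted in the article: multiplier 17, modulus 1020, the five TLDs
# and the "/forum" path appended to every generated host name.
MULT = 17
MOD = 1020
TLDS = (".biz", ".info", ".org", ".com", ".net")
PATH = "/forum"


def minute_seeds():
    """Distinct values of (minute * 17) mod 1020 over the 60 minutes of an hour.

    The hour is not part of the seed, so this set is the entire per-day seed
    space, however often the bot recomputes its list during the day.
    """
    return sorted({(minute * MULT) % MOD for minute in range(60)})


def placeholder_label(day_iso, seed, length=12):
    """Stand-in for the hash-to-ASCII step (ASSUMPTION, not the real DGA).

    The article only says a Windows Crypto API hash of the date and minute was
    turned into ASCII; it does not give the hash algorithm, input layout or
    character mapping. MD5 of a constructed string and an a-z mapping are used
    here only so the enumeration runs; they do not reproduce real domains.
    """
    digest = hashlib.md5(f"{day_iso}:{seed}".encode("ascii")).digest()
    return "".join(chr(ord("a") + b % 26) for b in digest[:length])


def candidate_urls(day_iso):
    """Every rendezvous URL a defender would precompute for one day (ISO date):
    one label per seed, times the five TLDs, each with /forum appended."""
    urls = []
    for seed in minute_seeds():
        label = placeholder_label(day_iso, seed)
        for tld in TLDS:
            urls.append(f"{label}{tld}{PATH}")
    return urls


def per_day_summary(day_iso):
    """Sizes a blocklist or sinkhole operator cares about for a given day."""
    seeds = minute_seeds()
    urls = candidate_urls(day_iso)
    return {
        "seeds": len(seeds),        # 60, not 800 or 1020
        "max_seed": max(seeds),     # 59 * 17 = 1003 < 1020, so the modulus never wraps
        "urls": len(urls),          # 60 labels * 5 TLDs = 300
        "unique_urls": len(set(urls)),
    }


if __name__ == "__main__":
    print(per_day_summary("2010-10-01"))
```

The useful observation is in `max_seed`: because 59 * 17 = 1003 is below 1020, the modulo operation never reduces anything, so the multiplier does not enlarge the seed space at all, and a defender only has to resolve or register 300 names per day to cover every rendezvous point this scheme can produce.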

The complete distribution cycle looked like this:
1. TSPY_ZBOT.BYZ is launched (automatically, by visiting a site, or as a result of an update from a previous version of Zeus);
2. TSPY_ZBOT.BYZ extracts PE_LICAT from itself;
3. TSPY_ZBOT.BYZ infects executable files (including those on removable media) with PE_LICAT.
Subsequently, TSPY_ZBOT.BYZ and PE_LICAT downloaded the file of the Zeus version TSPY_ZBOT.SMEQ (Trend Micro classification) from the domains created by the DGA.

Zeus followers


Despite Slavik's announcement that the entire code had been handed over, the source code of Zeus 2.0.8.9 was offered for sale from February 2011. In the end, in May 2011, the source code of this version leaked into free access. Some files were missing from the source archive:


It is assumed that this is the PE_LICAT module (Murofet).

Naturally, people immediately appeared who wanted to continue the work on the basis of these sources. For example, one can mention the “ICE IX” project (named after a virus from the movie “The Recruit”?), which offered nothing new and was an attempt to make money on a well-known name. But a “worthy” successor was found: the Citadel project. Its key feature was an online platform organized on the principle of a social network, where customers can request new features, report bugs and add their own modules, which turns development into a kind of open-source project. A customer support system was also organized, which is reflected in the ongoing support of Citadel in its current state. The authors report that they strive to make the Citadel update cycle shorter than the release cycle of new antivirus databases, which allows the bot to remain undetected on an infected computer for a long time. According to the developers, Citadel has corrected all the flaws of earlier versions of Zeus, including the data collection module when working in Google Chrome. In addition, the ability to record and transmit video was added.

The first botnet based on Citadel was discovered in December 2011 by researchers at Seculert; now the number of Citadel-based botnets is in the tens.

At that time the basic Citadel package was sold for $2,399, the “rent” was $125 per month, and additional modules were purchased separately. For example, a module that allows the bot to update automatically costs $395. Updates are distributed via Jabber, and each update costs $15.

In October 2012, Citadel version 1.3.4.5 (bot builder and control panel) appeared in the public domain. Perhaps this version leak was a kind of advertising campaign, since in the same month a new version, Citadel 1.3.5.1 “Rain Edition”, was released. The user manual for this version is available on the XyliBox personal blog, where you can learn more about its features and innovations and about installing and configuring individual modules. The price of the basic kit of the latest version is $3,391, which is 41% more than the original price a year ago. As before, monthly rent and modules are paid separately.

Of the latest “high-profile” events, we can note the discovery by Trusteer, in August 2012, of a Citadel bot modified to attack airport infrastructure. With Citadel, attackers could gain control over the secure VPN connection between remotely operated airport PCs and the computer system interfaces that support airport operations. Which airport was targeted is not reported. The attack proceeded as follows: first, the username and password entered into the VPN connection form were intercepted. Next, a simplified one-factor authentication mode was used instead of two-factor authentication (by clicking the “Get Image” button): instead of SMS confirmation, the user is shown a picture (a verification code) with ten digits, and the user then combines his password with the digits in the image to create a “one-time” password. Thus, having obtained the digits from the verification image (via screenshots) and the password, and knowing the algorithm for generating the “one-time” password, it could easily be computed and used to enter the system.

An interesting fact is that Citadel deactivates itself automatically if a Russian or Ukrainian keyboard layout is used on the attacked computer. It was noted earlier that the Zeus family is developed by Russian-speaking programmers. What really drives the creators is either a kind of “patriotism” or a reluctance to come into the field of view of domestic law enforcement agencies (as is known, criminals are prosecuted under the legal norms of the country where the crime occurred). On the other hand, the spread of Internet banking and electronic payment systems in Russia lags behind Western countries, so the spread of banking Trojans there would not bring a large financial return.

Zeus, version 3 - Gameover


In version 2.1 of Zeus an attempt was made to get away from the hard-coded command center and move to a control system better protected from the actions of antivirus companies (using a DGA). As it turned out, the creators of Zeus continued their research in this area.

In October 2011, Roman Hüssy, the creator of ZeusTracker, noticed strange UDP traffic while investigating the latest version of Zeus. Further analysis showed that the new version carried several IP addresses in its configuration block, and the computers at these IPs responded to the infected system. Within 24 hours, about 100,000 unique IP addresses were identified with which the new modification communicated. Most of the infected computers were located in India, Italy and the USA. Thus it was found that Zeus had switched to a P2P mechanism for updating both itself and its configuration data blocks. Because the script name gameover.php was used when contacting the command center, this version is known as Gameover Zeus. This is quite symbolic: as you can see, the “games” with Zeus are long over.

The Zeus P2P (ZP2P) mechanism was based on the Kademlia protocol. A computer (node) in the ZP2P network was identified by a unique identifier (UID) created during the first run. Each instance of Zeus in ZP2P kept a “neighbor table” in memory: an array listing about 30 neighbors in the ZP2P network with their UID, IP address and UDP port number. The ZP2P network used several types of connections:


The DGA also underwent some changes; in particular, there were now six top-level domains: ru, com, biz, info, org, net (source). The DGA was used as a “fallback” option if a connection could not be established via ZP2P. Eventually, configuration data blocks were distributed only through ZP2P, which made identifying the control centers difficult. Incidentally, the control centers are now more a repository of stolen information and statistics than a panel for issuing commands to bots.

In February 2012, Symantec researchers discovered another version of Zeus using ZP2P. This modification contained a built-in web server based on Nginx. The ZP2P communication protocols began to use only UDP, to make tracking Zeus data flows more difficult. The bot could now download executable files over HTTP from other bots, so each bot could act as a kind of command center or as an intermediary (proxy) in the control chain. The same technique was used in version C of the Waledac/Kelihos botnet, which revived in early 2012, two years after it was shut down in 2010 with the help of Microsoft and a number of antivirus companies.

Interestingly, the ZP2P botnet was used to distribute two third-party malware families, a fake antivirus and a proxy server, something not seen with Zeus before. To assess the spread of this version of Zeus, Symantec specialists monitored the activity of the ZP2P network. From April to July 2012, 678,205 unique UIDs and 1,570,871 unique IPs were recorded. Not all of the IP data was usable, which is explained by hosts sitting behind a firewall or NAT. In addition, Internet providers use pools of dynamic addresses, so different IP addresses from a pool range could be assigned to the same UID over time. The largest number of infections occurred in the United States (29.2%).
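The observation that started the Gameover investigation, a host suddenly exchanging UDP with an unusually large set of peers, is a signal a network defender can look for in flow logs. The following is an added example, not code from the article, ZeusTracker or Symantec: it parses a constructed set of flow records (not a real capture), counts the distinct UDP peers each internal host talks to per hour, ignores DNS and NTP so ordinary resolvers do not trip the check, and flags hosts whose fan-out reaches a threshold. The record format, the threshold of 5 and the window of one hour are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample flow records (not a real capture): timestamp, source IP,
# destination IP, protocol, destination port. 10.0.0.5 plays the infected host
# talking to many peers on random high UDP ports; 10.0.0.7 is an ordinary
# client (DNS plus a little other UDP); 10.0.0.9 only uses TCP.
SAMPLE_FLOWS = """\
2012-02-01T10:00:01 10.0.0.5 203.0.113.10 UDP 20331
2012-02-01T10:00:04 10.0.0.5 203.0.113.11 UDP 27104
2012-02-01T10:00:09 10.0.0.5 203.0.113.12 UDP 19877
2012-02-01T10:01:15 10.0.0.5 203.0.113.13 UDP 22560
2012-02-01T10:02:40 10.0.0.5 203.0.113.14 UDP 28001
2012-02-01T10:05:02 10.0.0.5 203.0.113.15 UDP 21990
2012-02-01T10:07:33 10.0.0.5 203.0.113.16 UDP 25432
2012-02-01T10:09:58 10.0.0.5 203.0.113.17 UDP 23875
2012-02-01T10:00:02 10.0.0.7 198.51.100.1 UDP 53
2012-02-01T10:03:10 10.0.0.7 198.51.100.1 UDP 53
2012-02-01T10:04:44 10.0.0.7 203.0.113.20 UDP 40000
2012-02-01T10:06:01 10.0.0.7 203.0.113.21 UDP 40001
2012-02-01T10:00:05 10.0.0.9 203.0.113.30 TCP 443
2012-02-01T10:01:05 10.0.0.9 203.0.113.31 TCP 443
2012-02-01T10:02:05 10.0.0.9 203.0.113.32 TCP 443
2012-02-01T10:03:05 10.0.0.9 203.0.113.33 TCP 443
2012-02-01T10:04:05 10.0.0.9 203.0.113.34 TCP 443
2012-02-01T10:05:05 10.0.0.9 203.0.113.35 TCP 443
"""

# UDP services that legitimately fan out or are very noisy; excluded so DNS
# and NTP traffic does not trip the heuristic (assumption for the example).
EXCLUDED_PORTS = {53, 123}


def parse_flows(text):
    """Parse whitespace-separated flow lines into (datetime, src, dst, proto, port)."""
    flows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        ts, src, dst, proto, port = line.split()
        flows.append((datetime.fromisoformat(ts), src, dst, proto.upper(), int(port)))
    return flows


def udp_peer_fanout(flows, window_seconds=3600):
    """Count distinct UDP destination IPs per (source host, time window)."""
    peers = defaultdict(set)
    for ts, src, dst, proto, port in flows:
        if proto != "UDP" or port in EXCLUDED_PORTS:
            continue
        bucket = int(ts.timestamp()) // window_seconds
        peers[(src, bucket)].add(dst)
    return {key: len(dsts) for key, dsts in peers.items()}


def flag_hosts(flows, threshold=5, window_seconds=3600):
    """Return hosts whose distinct-UDP-peer count reaches the threshold in any window."""
    fanout = udp_peer_fanout(flows, window_seconds)
    return sorted({src for (src, _bucket), n in fanout.items() if n >= threshold})


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for (src, bucket), n in sorted(udp_peer_fanout(flows).items()):
        print(f"{src}: {n} distinct UDP peers in window {bucket}")
    print("flagged:", flag_hosts(flows))
```

Peer fan-out on its own is a noisy indicator: VoIP, games and BitTorrent clients also speak UDP to many hosts, so in practice the threshold is tuned per network segment and the hit is correlated with other signs (new UDP listeners on the host, traffic to a DGA-looking domain) before anyone acts on it. The UID-versus-IP counts in the paragraph above show the same caveat from the other side: counting IPs alone overstates the population behind dynamic address pools, so host-level identifiers are the better unit for sizing an infection.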

As before, the main source of infection was email containing links to malicious sites, most often redirecting browser requests to BlackHole exploit packs. Because of this, malware is installed without any user action other than viewing the infected page. But this time BlackHole did not download P2P Zeus itself onto computers, but rather the Pony Trojan downloader. Pony is another crimeware tool whose main function is to download and launch malware while bypassing antivirus protection; it has its own admin panel displaying statistics of successful downloads and launches. Thus, P2P Zeus was installed as follows:


As you can see, the Zeus developers have done a great deal of work on improving the management of their “brainchild”. The control mechanisms went through several stages in their development:


Continued here.

Source: https://habr.com/ru/post/161861/
