
How to bypass Zeus Trojan’s self protection mechanism


Spammers are good at intimidating users into opening the attachment. One of the recent pathetic and cruel ones was:

Hi

A person from your office was found dead outside. Please open the picture to see if you know him.

Regards

The attachment is a zip file containing an executable named “image.scr” with a nice mspaint icon.

Quickly opening it in IDA gives us a hint that it is basically a VB packer. VB packers usually create a hollowed suspended process, overwrite its memory and then resume it (process hollowing).

After successfully unpacking and fixing the dump, the code at the OEP of the unpacked binary is enough to tell us that it is a Zeus banking Trojan. This one, however, is a version of Zeus with self-protection, which means the unpacked binary won't run. This is usually done to “force” bot masters to buy a cryptor service.

If you double-click the unpacked binary it will not run; it simply exits. Let's see where things go wrong and how to bypass the protection.

For that purpose we generate the API call graph of the unpacked binary to find the program's exit point.

The graph shows that the binary reads its own file into a buffer and performs some operations on it. Digging deeper, those operations turn out to be cryptographic.

Inside the CheckSelfProtection() function we observe that it RC4-decrypts the whole binary buffer with a static encryption key and searches the result for the placeholder “DAVE”.

In my case the RC4 key was:

[screenshot of the static RC4 key]

Packer integrity


If the placeholder is found, the check goes on to verify the integrity of the data structure that follows it and decodes another payload using a 4-byte XOR key taken from that structure.

The total size of the data structure is 0x200 bytes, and based on its size field either the installer or the injector is decrypted. Since the unpacked dump lacks this structure, we can copy those 0x200 bytes from the packer into the overlay of our unpacked file. Let's now understand the layout of that 0x200-byte data structure.

During the installation phase, iSizeOfPacket bytes are copied from the data chunk to the heap and later used to decode the installer subroutine with the XOR cipher.


// 010 Editor binary template for the Zeus packer data structure
struct Zeus_packer_overlay
{
    DWORD  SIGNATURE;                 // signature the self-protection check looks for after the RC4 pass
    SetBackColor( cRed );
    DWORD Crc32HASH;                  // CRC32 verified before the installer routine is decoded
    SetBackColor( cBlue );
    WORD iSizeOfPacket;               // 0x0c: still in installation phase, 0x1e6: already installed
    unsigned int SizeOfDecodedData;   // number of bytes copied to the heap and XOR-decoded
    unsigned int Unknown1;
    SetBackColor( cRed );
    unsigned int XorKey;              // 4-byte XOR key used to decode the installer / injector

} Zeus_Packer_OverLay;

Before the installer routine is decoded, the CRC32 hash is checked and SizeOfDecodedData bytes are copied to a heap location in this function.

The installer and the injector are distinguished by the iSizeOfPacket field: if it is 0x0c, the binary is still in the installation phase; if it is 0x1e6, the installation routine has already replaced the structure with a new packer data structure.

The installation subroutine is then decoded with XorKey over a buffer of SizeOfDecodedData bytes using a simple XOR loop.
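As an added example (not code from the original post and not Zeus's own code), here is a Python model of the chain described above, from CheckSelfProtection() through the CRC32 check and the XOR decode, together with the copy-the-overlay fix and the 0x0c / 0x1e6 phase distinction. The RC4 key, the sample file bytes and the installer stub are constructed placeholders. The post says the whole file buffer is RC4'd; this model keys RC4 afresh on the trailing 0x200-byte overlay, which is what makes copying the overlay between files position-independent. It also assumes that the SIGNATURE field holds “DAVE”, that Crc32HASH covers the SizeOfDecodedData encoded bytes after the header, and that the XOR key is applied byte-wise little-endian. Check those assumptions against your own sample in a debugger before trusting the parser on it.

```python
# Added example: model of the Zeus self-protection / packer overlay logic described above.
# Not code from the post or from Zeus; all keys and sample bytes are constructed.
import struct
import zlib

SIGNATURE = b"DAVE"                  # placeholder searched for by the self-protection check
OVERLAY_SIZE = 0x200                 # total size of the packer data structure
HEADER = struct.Struct("<4sIHIII")   # SIGNATURE, Crc32HASH, iSizeOfPacket, SizeOfDecodedData, Unknown1, XorKey
SIZE_INSTALL_PHASE = 0x0C            # iSizeOfPacket while still in the installation phase
SIZE_INSTALLED = 0x1E6               # iSizeOfPacket once the installer has rewritten the structure
RC4_KEY = b"constructed-static-key"  # assumption: stands in for the real static key shown in the post


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encrypting and decrypting are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_decode(data: bytes, xor_key: int) -> bytes:
    """The 4-byte XOR cipher. Assumption: key bytes applied little-endian, cyclically."""
    k = xor_key.to_bytes(4, "little")
    return bytes(b ^ k[i % 4] for i, b in enumerate(data))


def check_self_protection(file_bytes: bytes, key: bytes = RC4_KEY):
    """Model of CheckSelfProtection(): RC4 the buffer with the static key and search for "DAVE".
    Returns the decrypted structure starting at the signature, or None (the real bot just exits).
    Assumption: RC4 is keyed afresh on the trailing 0x200-byte overlay, not on the whole file."""
    if len(file_bytes) < OVERLAY_SIZE:
        return None
    plain = rc4(key, file_bytes[-OVERLAY_SIZE:])
    pos = plain.find(SIGNATURE)
    return None if pos < 0 else plain[pos:]


def parse_overlay(plain: bytes) -> dict:
    """Parse Zeus_packer_overlay, verify Crc32HASH, and XOR-decode the payload with XorKey.
    Assumption: the CRC32 covers the SizeOfDecodedData encoded bytes that follow the header."""
    sig, crc, size_of_packet, size_decoded, unknown1, xor_key = HEADER.unpack_from(plain, 0)
    if sig != SIGNATURE:
        raise ValueError("bad signature")
    encoded = plain[HEADER.size:HEADER.size + size_decoded]
    if len(encoded) != size_decoded:
        raise ValueError("truncated payload")
    if zlib.crc32(encoded) & 0xFFFFFFFF != crc:
        raise ValueError("CRC32 mismatch: overlay tampered with or wrong RC4 key")
    phase = {SIZE_INSTALL_PHASE: "installer", SIZE_INSTALLED: "injector"}.get(size_of_packet, "unknown")
    return {"iSizeOfPacket": size_of_packet, "phase": phase, "Unknown1": unknown1,
            "XorKey": xor_key, "payload": xor_decode(encoded, xor_key)}


def build_overlay(payload: bytes, xor_key: int, size_of_packet: int, unknown1: int = 0) -> bytes:
    """Inverse of parse_overlay(): a 0x200-byte plaintext structure around an XOR-encoded payload.
    Used to construct test input; with size_of_packet=SIZE_INSTALLED it yields a structure that
    tells the bot it is already installed."""
    encoded = xor_decode(payload, xor_key)  # XOR is its own inverse
    if HEADER.size + len(encoded) > OVERLAY_SIZE:
        raise ValueError("payload does not fit in a 0x200-byte overlay")
    hdr = HEADER.pack(SIGNATURE, zlib.crc32(encoded) & 0xFFFFFFFF, size_of_packet,
                      len(encoded), unknown1, xor_key)
    return (hdr + encoded).ljust(OVERLAY_SIZE, b"\x00")


def graft_overlay(unpacked: bytes, packed: bytes) -> bytes:
    """The fix from the post: copy the packer's 0x200-byte structure onto the unpacked dump.
    Assumption: the structure is the packer's trailing overlay."""
    return unpacked + packed[-OVERLAY_SIZE:]


# Constructed sample files (not real Zeus bytes): a dummy "PE" body, a packer with an
# RC4-encrypted overlay, and an unpacked dump that carries no overlay at all.
FAKE_BODY = b"MZ" + b"\x90" * 62
INSTALLER = b"constructed installer stub bytes"
PACKED = FAKE_BODY + b"\xcc" * 100 + rc4(RC4_KEY, build_overlay(INSTALLER, 0xDEADBEEF, SIZE_INSTALL_PHASE))
UNPACKED_DUMP = FAKE_BODY + b"\x00" * 0x300


def demo() -> dict:
    """Reproduce the bypass: the bare dump fails the check; the dump with the packer's
    overlay grafted on passes it and yields the decoded installer."""
    if check_self_protection(UNPACKED_DUMP) is not None:
        raise RuntimeError("bare dump unexpectedly passed the self-protection check")
    fixed = graft_overlay(UNPACKED_DUMP, PACKED)
    return parse_overlay(check_self_protection(fixed))


if __name__ == "__main__":
    print(demo())
```

If the real check runs one RC4 keystream over the entire file, the grafted overlay has to land at the same file offset it had in the packer, otherwise the decrypted bytes will not line up with the keystream; compare the buffer the bot decrypts in a debugger against rc4() here before relying on the graft.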

During the installation phase the packer data structure is rewritten and RC4-encrypted, resulting in 0x1e6 bytes of data that mainly consist of installation data such as:

1 : Registry keys
2 : Random numbers generated for seeding
3 : Local path name
4 : Computer name and version

Replacing the old packer overlay with this post-installation structure lets you skip the installation phase: the binary will not relaunch itself from %appdata% via CreateProcessA. We still have to patch a jump after the check that compares the path stored in the overlay data with the current path.

Owning a Zeus C&C panel / spammer

There is a publicly known RCE vulnerability in some versions of Zeus (as well as Zeus lite, KINS and ICE-IX), described in detail here (http://xs-sniper.com/blog/2010/09/27/turning-the-tables/). Our good friend Xylitol has already provided a ready-to-use tool to exploit it: http://cybercrime-tracker.net/tools.php

All we need for that is the C&C web address and the RC4 communication key. Both can be obtained from the base config decoding subroutine, which is again based on a simple XOR cipher.

After obtaining the C&C address and the RC4 key, they can be submitted there to get a shell on the C&C web panel.

Once you have the shell you can edit cp.php (the login file of the Zeus panel) so that it serves your Metasploit exploit once the bot master has logged in.

If you know how to proceed from there, you can get a Meterpreter shell on the spammer's machine. webcam_snap is one beautiful Meterpreter command which I personally like (http://www.offensive-security.com/metasploit-unleashed/Meterpreter_Basics#webcam_snap).

It takes a webcam capture on the victim's computer and saves it on your own machine.

And if you enter that, you might get back something like this on your computer :)
