
Page 1: Threat Advisory: PWS-ZBot - McAfee

McAfee Labs Threat Advisory PWS-Zbot

June 6, 2014

Summary

PWS-Zbot is a trojan designed to steal data from the victim’s system. It is most widely known for stealing financial account information, for example online banking login details and account data. PWS-Zbot spreads mostly via email but can also use the autorun capabilities of removable media, or install via a drive-by infection when the user visits a compromised or malicious web page. Once the infected binary is installed on a machine it connects to a command and control server, monitors internet activity and uploads stolen data.

PWS-Zbot - http://vil.nai.com/vil/content/v_143802.htm
PWS-Zbot.gen.ab - http://vil.nai.com/vil/content/v_249805.htm
PWS-Zbot.gen.cu - http://vil.nai.com/vil/content/v_365620.htm
W32/Zbot - http://vil.nai.com/vil/content/v_255218.htm
Zbot+Necurs variant - http://blogs.mcafee.com/mcafee-labs/necurs-zbot-droppers-use-obfuscated-windows-xp-detection-bypass-automated-analysis

Aliases:

• Zeus
• Trojan-Spy:W32/Zbot
• Trojan.Zbot
• Trojan-Spy.Win32.Zbot [Kaspersky]
• Win32/Zbot [Microsoft]

Detailed information about the trojan, its propagation, and mitigation is in the following sections:

• Infection and Propagation Vectors
• Characteristics and Symptoms
• HTML injection on SSL-secured banking transactions
• Botnet Command and Control
• Peer to Peer Command and Control
• Zbot as a file infector
• Intercepting mouse clicks and capturing virtual keyboard screenshots
• Zbot infecting Mobile devices

Infection and Propagation Vectors

An original infection may occur as a result of a download made by:

• Exploiting vulnerabilities such as the LNK file vulnerability (CVE-2010-2568)
• Using web attack toolkits as the infection vector
• Social engineering
• Infecting Symbian mobile devices through harvested phone numbers
• Attachments in email spam

Mitigation

Users are requested to exercise caution when opening unsolicited email and unknown links. Users are advised to apply Windows patches and update virus definitions on a regular basis.


Characteristics and Symptoms

There are multiple Zbot variants in the wild, and different variants exhibit different behavior. The following are some well-known characteristics of PWS-Zbot. The trojan is capable of performing the following activities:

• Injects its code through CreateRemoteThread and/or WriteProcessMemory into Winlogon.exe, svchost.exe or Explorer.exe. Recent variants have been observed injecting threads into other processes as well.
• Performs keylogging and takes screen snapshots
• Hooks certain API calls in WININET.DLL, WS2_32.DLL and USER32.DLL to intercept information coming in and going out over the network
• Downloads a configuration file from a remote site
• Attempts to retrieve a newer version of itself remotely
• Posts stolen information to a remote site
• Targets sensitive information such as online banking transactions
• Opens a backdoor

Upon execution of the file, Zbot drops itself to:

• %SysDir% folder as sdra64.exe
• %SysDir% folder as [random hex number].exe
• %SysDir%\lowsec\local.ds – config file
• %SysDir%\lowsec\user.ds – log file
• %AppData%\[Randomly generated folder name]\[Randomly generated binary filename]
• %AppData%\[Randomly generated folder name]\[Randomly generated data filename]
• %AppData%\[random hex number].exe

Creates autostart registry entries as a restart mechanism:

• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  o {RandomUID} = %AppData%\[Random Named Folder]\[Random FileName]
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\
  o "Userinit" = "%System%\userinit.exe, %System%\sdra64.exe"
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
  o {random hex number} = %AppData%\[random hex number].exe
• HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\policies\explorer\run
  o adobe = %AppData%\[random hex number].exe

The following non-malicious file is created:

• %User Profile%\Application Data\Microsoft\Address Book\{user name}.wab

The following registry entry is added:

• HKEY_CURRENT_USER\Software\Microsoft\WAB\WAB4\Wab File Name
  o (Default) = "%User Profile%\Application Data\Microsoft\Address Book\{user name}.wab"

The following registry entries are added by the Trojan to disable firewall notifications:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
  o {port}:TCP = "{port}:TCP:Enabled:TCP {port}"
• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\GloballyOpenPorts\List
  o {port}:UDP = "{port}:UDP:Enabled:UDP {port}"


The following registry keys are used by the Trojan to create a firewall rule that bypasses normal authentication:

• HKEY_USERS\S-1-5-[VARIES]\Software\Microsoft\Internet Account Manager
• HKEY_USERS\S-1-5-[VARIES]\Software\Microsoft\Internet Account Manager\Accounts
• HKEY_USERS\S-1-5-[VARIES]\Software\Microsoft\Internet Account Manager\Accounts\Active Directory GC
• HKEY_USERS\S-1-5-[VARIES]\Software\Microsoft\Internet Account Manager\Accounts\Bigfoot
• HKEY_USERS\S-1-5-[VARIES]\Software\Microsoft\Internet Account Manager\Accounts\VeriSign
• HKEY_USERS\S-1-5-[VARIES]\Software\Microsoft\Internet Account Manager\Accounts\WhoWhere
• HKEY_USERS\S-1-5-[VARIES]\Software\Microsoft\WAB
• HKEY_USERS\S-1-5-[VARIES]\Software\Microsoft\WAB\WAB4
• HKEY_USERS\S-1-5-[VARIES]\Software\Microsoft\WAB\WAB4\Wab File Name

The following registry key value has been added to the system:

• HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications: 0x00000000

Recent variants of this family have been observed creating two subfolders, an executable file and a data file with random names inside the %APPDATA% folder. The subfolder names begin with an uppercase letter. The malware first retrieves the addresses of the APIs it needs, checks whether it is running under WOW64, obtains the volume GUID path, generates a CLSID from that GUID (which is further encrypted) and collects OS information. It then decrypts 0x32c bytes from the code section, which include the URL from which the configuration file is downloaded, as shown below:

The malware can be executed with or without command line arguments (the expected arguments are “f”, “i”, “n” and “v”). It checks whether it has been executed with any command line argument; when “-i” is passed as an argument it displays version information, as shown below:


It then checks whether the file is a dropper or a dropped file. If it is a dropper, it drops its copy and terminates. Otherwise, it decrypts the appended data, which contains the dropped file information, and checks whether the file was dropped on the victim machine or on some other system by comparing the CLSID generated from the Volume Path GUID, and whether it is being run from the appropriate location, as shown below:


This also means that the dropped file would not execute on any other system, even if it is run from the same folder location, because the CLSID generated from the Volume Path GUID would be different. It then modifies its own code in memory and transfers control to the modified code. This modified code collects system information such as the computer name, the running operating system, the installation date and the DigitalProductId (generated from the product key and hardware information during installation) and formats them in the %s_%08X%08X format, as shown below:

[Computer name]_OSVersionInfo_InstallDate

It can easily evade hash-based detection because the appended data contains the dropped file location information (which is randomly generated) before it drops its copy. It also changes the creation, access and modified times of the dropped executable and the data file, and then executes the dropped executable. After dropping the executable, the parent process terminates and the dropper file is deleted. The dropped file is responsible for injecting threads into remote processes.

Remote Thread:

• The injected code creates more malicious local threads if the process name matches any of the following: dwm.exe, taskhost.exe, taskeng.exe, wscntfy.exe, ctfmon.exe, rdpclip.exe, explorer.exe
• Scans the logged-in user’s Cookies and “Cookies\Low” folders for files matching the “*@*.txt” pattern.
• Opens each cookie file for reading, searches for separators (newline and carriage return characters) and formats the data as “Path: %s”, “%s=%s”, as shown below:


• Steals certificates and their associated private keys, encrypts them and saves them in the data file. The certificates are later deleted from the store.
• Steals FTP client information:
  o FlashFXP: retrieves the data associated with the value "datafolder" from the "HKLM\SOFTWARE\FlashFXP\3" subkey. It also searches folders whose names contain the "*flashfxp*" pattern inside %APPDATA% and %PROGRAMFILES% for the three files "sites.dat", "quick.dat" and "history.dat".
  o Total Commander: retrieves the data associated with the values "ftpininame" and "installdir" from the "HKCU\SOFTWARE\Ghisler\Total Commander" and "SOFTWARE\Ghisler" subkeys. It also searches folders whose names contain any of the three strings "*totalcmd*", "*total*commander*" and "*ghisler*" inside %SYSTEMROOT%, %APPDATA% and %PROGRAMFILES% for "wcx_ftp.ini".
  o WS_FTP: retrieves the data associated with the value "datadir" from the "SOFTWARE\ipswitch\ws_ftp" subkey. It also searches folders whose names contain the string "*ipswitch*" inside COMMON_APPDATA, %APPDATA% and %PROGRAMFILES% for "ws_ftp.ini".
  o FileZilla: searches the %PROGRAMFILES% folder for "*.xml" files.
  o Far Manager FTP: retrieves "hostname", "username", "user" and "password" information from the registry.
  o WinSCP: retrieves "hostname", "portnumber", "username" and "password" from the registry.
  o FTPCommander: searches for the "ftplist.txt" file in folders whose names contain the string "ftp*commander*" inside %APPDATA% and %PROGRAMFILES%.
  o CoreFTP: retrieves "host", "port", "user" and "pw" information from the registry.
  o SmartFTP: retrieves "personal favorites" and "folder" from the registry.
• Retrieves the settings of Windows Live Mail and Outlook.


(Information gathered from registry)

(Locations to be searched)


(Folders to be searched)

• It lowers the Internet Explorer security settings by adding and modifying the following registry entries:
  o HKCU\Software\Microsoft\Internet Explorer\Privacy
    CleanCookies = 0x00000000
  o HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0
    1609 = 0x00000000
  o HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1406 = 0x00000000
  o HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1
    1609 = 0x00000000
  o HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\2
    1609 = 0x00000000
  o HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
    1406 = 0x00000000
  o HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3
    1609 = 0x00000000
  o HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1406 = 0x00000000
  o HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\4
    1609 = 0x00000000

• One of the local threads is responsible for encrypting the stolen information and saving it into the data file that was created by the parent file.

• There is a local thread whose only purpose is to ensure that the dropped binary starts on reboot, by setting the following registry entry:
  HKCU\Software\Microsoft\Windows\CurrentVersion\Run
    CLSID = “%APPDATA%\[Random folder name]\[Random Filename]”

• It listens on a randomly generated port number. The malware author can remotely control the malware’s behavior; for example, it can be instructed to close the socket, as shown below:


(Malware listening on a randomly generated port)

(Malware can be instructed to close the socket)

Mitigation

• Modify the above mentioned registry entry to exclude sdra64.exe (or whatever the malware file is named).
• Delete the malware file manually from the system.
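The persistence, firewall and Internet Explorer zone registry modifications listed in this section can be turned into a host audit. The following Python script is an added example and is not part of the McAfee advisory. It runs the checks over a constructed registry snapshot (a dict of key path to value name/data, in the shape an inventory agent or a parsed .reg export would supply; the user name, folder names, GUID and port in it are made up for the example) and reports a Userinit value that launches anything besides userinit.exe, Run entries pointing into %AppData%, firewall ports opened as Enabled, and the zone action values the advisory lists set to 0.

```python
import re
from typing import Any

# (zone, value name) pairs the advisory lists as set to 0x00000000.
# For an IE zone action value, 0 means "Enable".
IE_ZONE_VALUES_ZEROED = {
    (0, "1609"), (1, "1406"), (1, "1609"), (2, "1609"),
    (3, "1406"), (3, "1609"), (4, "1406"), (4, "1609"),
}
RUN_KEY_SUFFIXES = (
    r"\Software\Microsoft\Windows\CurrentVersion\Run",
    r"\Software\Microsoft\Windows\CurrentVersion\policies\explorer\run",
)
WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
OPEN_PORTS_KEY = (r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
                  r"\FirewallPolicy\StandardProfile\GloballyOpenPorts\List")
APPDATA_RE = re.compile(r"(%appdata%|\\appdata\\)", re.IGNORECASE)
ZONE_RE = re.compile(r"\\Internet Settings\\Zones\\(\d)$", re.IGNORECASE)

# Constructed sample snapshot (not taken from a real host): key path -> {value: data}.
SAMPLE_SNAPSHOT = {
    WINLOGON_KEY: {
        "Userinit": r"C:\Windows\system32\userinit.exe,C:\Windows\system32\sdra64.exe",
    },
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run": {
        "OneDrive": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
        "{A3F1C2D4-0000-0000-0000-000000000001}": r"C:\Users\alice\AppData\Roaming\Ukyqyb\rahe.exe",
    },
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\policies\explorer\run": {
        "adobe": r"C:\Users\alice\AppData\Roaming\7f3a9c2e.exe",
    },
    OPEN_PORTS_KEY: {"31337:TCP": "31337:TCP:Enabled:TCP 31337"},
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3": {
        "1406": 0, "1609": 0, "1601": 1,
    },
    r"HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1": {
        "1406": 1, "1609": 3,
    },
}


def audit_registry(snapshot: dict[str, dict[str, Any]]) -> list[tuple[str, str, str, Any]]:
    """Return (category, key, value name, data) for every suspicious entry."""
    findings = []
    for key, values in snapshot.items():
        key_l = key.lower()
        # 1. Winlogon\Userinit should name only userinit.exe; Zbot appends sdra64.exe.
        if key_l == WINLOGON_KEY.lower():
            parts = [p.strip() for p in str(values.get("Userinit", "")).split(",") if p.strip()]
            for p in parts:
                if not p.lower().endswith(r"\userinit.exe"):
                    findings.append(("userinit-extra", key, "Userinit", p))
        # 2. Autostart entries that launch something from %AppData%.
        if any(key_l.endswith(s.lower()) for s in RUN_KEY_SUFFIXES):
            for name, data in values.items():
                if APPDATA_RE.search(str(data)):
                    findings.append(("run-appdata", key, name, data))
        # 3. Ports added to the firewall's globally open list as Enabled.
        if key_l == OPEN_PORTS_KEY.lower():
            for name, data in values.items():
                if ":enabled:" in str(data).lower():
                    findings.append(("firewall-open-port", key, name, data))
        # 4. IE zone actions lowered to 0 in the combinations the advisory lists.
        m = ZONE_RE.search(key)
        if m:
            zone = int(m.group(1))
            for name, data in values.items():
                if (zone, name) in IE_ZONE_VALUES_ZEROED and data == 0:
                    findings.append(("ie-zone-lowered", key, name, data))
    return findings


if __name__ == "__main__":
    for category, key, name, data in audit_registry(SAMPLE_SNAPSHOT):
        print(f"[{category}] {key} :: {name} = {data}")
```

On a live host the same snapshot can be built with the standard `winreg` module. The %AppData% check will also surface legitimate per-user software that installs under that folder, so treat its hits as triage leads and the Userinit and firewall findings as the stronger signals.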

HTML injection on SSL-secured banking transactions

As banking websites have evolved, they have added extra layers of security to mitigate keystroke-logging attacks. On the other hand, continuously evolving malware has also come out with new techniques to bypass these security measures and steal login credentials. Password-stealing botnets such as Zeus now use HTML code-injection techniques, whereby the bot on the infected computer injects HTML code into the legitimate web pages of the banking site to request additional personal information not required for the transaction. This lures users into entering more credentials than required; they are captured by the bot and posted to the Zeus bot master’s command and control server.


Before injecting into HTML pages, the targeted site looks like this:

After injecting into HTML pages, same targeted site looks like this:


Following is the abbreviated list of banking sites targeted by this bot; it is found in the decrypted configuration file.

• https://online.wellsfargo.com/signon*
• https://www.paypal.com/*/webscr?cmd=_account
• https://www.paypal.com/*/webscr?cmd=_login-done*
• https://www#.usbank.com/internetBanking/LoginRouter
• https://easyweb*.tdcanadatrust.com/servlet/*FinancialSummaryServlet*
• https://www#.citizensbankonline.com/*/index-wait.jsp
• https://onlinebanking.nationalcity.com/OLB/secure/AccountList.aspx
• https://www.suntrust.com/portal/server.pt*parentname=Login*
• https://www.53.com/servlet/efsonline/index.html*
• https://web.da-us.citibank.com/*BS_Id=MemberHomepage*
• https://onlineeast#.bankofamerica.com/cgi-bin/ias/*/GotoWelcome
• https://online.wamu.com/Servicing/Servicing.aspx?targetPage=AccountSummary
• https://onlinebanking#.wachovia.com/myAccounts.aspx?referrer=authService
• https://resources.chase.com/MyAccounts.aspx
• https://bancaonline.openbank.es/servlet/PProxy?*
• https://extranet.banesto.es/*/loginParticulares.htm
• https://banesnet.banesto.es/*/loginEmpresas.htm
• https://empresas.gruposantander.es/WebEmpresas/servlet/webempresas.servlets.*
• https://www.gruposantander.es/bog/sbi*?ptns=acceso*
• https://www.bbvanetoffice.com/local_bdno/login_bbvanetoffice.html
• https://www.bancajaproximaempresas.com/ControlEmpresas*
• https://www.citibank.de*
• https://probanking.procreditbank.bg/main/main.asp*
• https://ibank.internationalbanking.barclays.com/logon/icebapplication*
• https://ibank.barclays.co.uk/olb/x/LoginMember.do
• https://online-offshore.lloydstsb.com/customer.ibc
• https://online-business.lloydstsb.co.uk/customer.ibc
• https://www.dab-bank.com*
• http://www.hsbc.co.uk/1/2/personal/internet-banking*
• https://www.nwolb.com/Login.aspx*
• https://home.ybonline.co.uk/login.html*
• https://home.cbonline.co.uk/login.html*
• https://welcome27.co-operativebank.co.uk/CBIBSWeb/start.do
• https://welcome23.smile.co.uk/SmileWeb/start.do
• https://www.halifax-online.co.uk/_mem_bin/formslogin.asp*
• https://www2.bancopopular.es/AppBPE/servlet/servin*
• https://www.bancoherrero.com/es/*
• https://pastornetparticulares.bancopastor.es/SrPd*
• https://intelvia.cajamurcia.es/2043/entrada/01entradaencrip.htm
• https://www.caja-granada.es/cgi-bin/INclient_2031
• https://www.fibancmediolanum.es/BasePage.aspx*
• https://carnet.cajarioja.es/banca3/tx0011/0011.jsp
• https://www.cajalaboral.com/home/acceso.asp
• https://www.cajasoldirecto.es/2106/*
• https://www.clavenet.net/cgi-bin/INclient_7054
• https://www.cajavital.es/Appserver/vitalnet*
• https://banca.cajaen.es/Jaen/INclient.jsp
• https://www.cajadeavila.es/cgi-bin/INclient_6094
• https://www.caixatarragona.es/esp/sec_1/oficinacodigo.jsp
• http://caixasabadell.net/banca2/tx0011/0011.jsp
• https://www.caixaontinyent.es/cgi-bin/INclient_2045
• https://www.caixalaietana.es/cgi-bin/INclient_2042
• https://www.cajacirculo.es/ISMC/Circulo/acceso.jsp
• https://areasegura.banif.es/bog/bogbsn*
• https://www.bgnetplus.com/niloinet/login.jsp
• https://www.caixagirona.es/cgi-bin/INclient_2030*
• https://www.unicaja.es/PortalServlet*
• https://www.sabadellatlantico.com/es/*
• https://oi.cajamadrid.es/CajaMadrid/oi/pt_oi/Login/login
• https://www.cajabadajoz.es/cgi-bin/INclient_6010*
• https://extranet.banesto.es/npage/OtrosLogin/LoginIBanesto.htm
• https://montevia.elmonte.es/cgi-bin/INclient_2098*
• https://www.cajacanarias.es/cgi-bin/INclient_6065
• https://oie.cajamadridempresas.es/CajaMadrid/oie/pt_oie/Login/login_oie_1
• https://www.gruppocarige.it/grps/vbank/jsp/login.jsp
• https://bancopostaonline.poste.it/bpol/bancoposta/formslogin.asp
• https://privati.internetbanking.bancaintesa.it/sm/login/IN/box_login.jspe
• https://hb.quiubi.it/newSSO/x11logon.htm
• https://www.iwbank.it/private/index_pub.jhtml*
• https://web.secservizi.it/siteminderagent/forms/login.fcc
• https://www.isideonline.it/relaxbanking/sso.Login*

The above list of targeted banks can be customized as per the discretion of the attacker.

Botnet Command and Control

This toolkit comes with a control panel installation that is typically used to track botnet infections. It is a PHP application that runs on a web server along with the required database software (MySQL). It also enables the attacker to remotely control and send commands to the victims’ computers. The bot can be given the following commands:

    $_COMMANDS_LIST = array(
        'reboot' => 'Reboot computer.',
        'kos' => 'Kill OS.',
        'shutdown' => 'Shutdown computer.',
        'bc_add [service] [ip] [port]' => 'Add backconnect for [service] using server witn address [ip]:[port].',
        'bc_del [service] [ip] [port]' => 'Remove backconnect for [service] (mask is allowed) that use connection to [ip]:[port] (mask is allowed).',
        'block_url [url]' => 'Disable access to [url] (mask is allowed).',
        'unblock_url [url]' => 'Enable access to [url] (mask is allowed).',
        'block_fake [url]' => 'Disable executing of HTTP-fake/inject with mask [url] (mask is allowed).',
        'unblock_fake [url]' => 'Enable executing of HTTP-fake/inject with mask [url] (mask is allowed).',
        'rexec [url] [args]' => 'Download and execute the file [url] with the arguments [args] (optional).',
        'rexeci [url] [args]' => 'Download and execute the file [url] with the arguments [args] (optional) using interactive user.',
        'lexec [file] [args]' => 'Execute the local file [file] with the arguments [args] (optional).',
        'lexeci [file] [args]' => 'Execute the local file [file] with the arguments [args] (optional) using interactive user.',
        'addsf [file_mask...]' => 'Add file masks [file_mask] for local search.',
        'delsf [file_mask...]' => 'Remove file masks [file_mask] from local search.',
        'getfile [path]' => 'Upload file or folder [path] to server.',
        'getcerts' => 'Upload certificates from all stores to server.',
        'resetgrab' => 'Upload to server the information from the protected storage, cookies, etc.',
        'upcfg [url]' => 'Update configuration file from url [url] (optional, by default used standard url)',
        'rename_bot [name]' => 'Rename bot to [name].',
        'getmff' => 'Upload Macromedia Flash files to server.',
        'delmff' => 'Remove Macromedia Flash files.',
        'sethomepage [url]' => 'Set homepage [url] for Internet Explorer.'
    );

The following sites are contacted upon execution of the malware and could be C&C sites:

• sonyvaio77.com
• skironi.com

Peer to Peer Command and Control

Some later variants of ZBot have introduced the concept of a Peer to Peer (P2P) command and control network. Traditional botnets have used a central command and control server to which each infected system connects; commands, updates and malware downloads are then retrieved from the server by the bots. The weakness of this scheme is that the botnet is only as robust as its weakest link, the server. If the server fails or is taken down, the botnet is rendered impotent. To overcome this weakness malware authors have developed Peer to Peer command and control networking techniques. In a Peer to Peer network there is no central server. Each infected system is capable of communicating with any other infected system and of receiving and passing on commands, updates and malware downloads to other infected systems. Any one or more of the peers in the network can be taken down and the network will still function. Another advantage of this type of botnet is that it is much more difficult to track the operators of the botnet, as they can in theory attach to any infected system to issue their commands, which are then propagated throughout the network.

These later variants of ZBot have two phases of communication. The first phase involves sending UDP packets containing encrypted data to a list of IP addresses that the worm carries within itself. The destination UDP port numbers are in the range 10,000 to 30,000. One sample analyzed produced traffic to the following IP addresses:

111.125.64.162   UDP port: 19098
89.115.18.9      UDP port: 11071
91.200.212.206   UDP port: 15988
182.68.230.48    UDP port: 25522
96.37.232.167    UDP port: 15331
190.224.55.150   UDP port: 19962
65.103.252.159   UDP port: 29747
79.56.118.196    UDP port: 14673
186.184.50.109   UDP port: 12471
77.28.98.208     UDP port: 16341
187.118.236.112  UDP port: 10682
223.178.85.104   UDP port: 24985
24.54.127.173    UDP port: 13701
201.53.26.72     UDP port: 21933
125.162.160.46   UDP port: 23947
171.4.218.149    UDP port: 29644
74.234.107.252   UDP port: 25975
75.72.23.43      UDP port: 12700
79.29.102.6      UDP port: 29776
87.24.18.2       UDP port: 22492

The above list of IP addresses and port numbers will vary between different iterations of the bot and is shown as an example. Each UDP packet has the following format; it is postulated that these packets are sent to register the new infection with the P2P network and that the encrypted contents contain details of the infected system.

Each packet is sent with a 15 second timeout. After the initial communication phase ZBot issues a DNS request for a well-known website (such as google.com) and then issues an HTTP GET request to the returned IP address in order to test internet connectivity. If this test succeeds, ZBot tries to communicate with other peers on the P2P network. The ZBot peer to peer networking is carried out over HTTP. Each bot carries within itself a simple HTTP server that can accept connections from other bots. To make these connections the bot constructs an internet domain name consisting of 35-45 seemingly random alphanumeric characters and then appends one of the following top level domains: .biz, .com, .info, .net, .org, .ru. The resulting domain name is then looked up using DNS, as shown below.

If the domain is registered, the bot issues the following GET request to the returned IP address on TCP port 80:

The bot will generate and attempt to connect to 1000 such URLs; it then reverts to the first phase of communications.

Zbot as a file infector

The recent variant of Zbot uses the traditional infection vectors to infect executable files. Once the machine is infected, the trojan decrypts and executes a file infector in the infected system’s memory. Before infecting, the malware checks whether the system is already infected by retrieving a Boolean value from the registry (HKEY_CURRENT_USER\Software\Microsoft\Microsoft). If the registry value is present, it exits the malicious routine and continues execution of the original application. Otherwise it injects itself into explorer.exe and continues infecting executable files on the victim’s machine. The trojan then generates pseudo-random domain names using a predefined algorithm. The string “/forum/” is appended to the domain name and the result is passed as an argument to URLDownloadToFileA(). If the download is successful, the file is saved in the %TEMP% folder under a temporary name of the form “tmp[random number].tmp”; it is then opened for reading, its file size is obtained, a file mapping object is created for it and the file is mapped into the address space of the process. Zbot then continues stealing sensitive banking information.

Mitigation

File infection can be mitigated during an outbreak by using an access control rule to deny write access to EXE files. To do that, follow the steps below:

• Go to VSE console -> Access Protection -> User Defined Rules
• Add a new rule and choose “File/Folder Blocking Rule”
• Under “Rule Name”, enter Virus Outbreak
• Under “Processes to Include”, enter an asterisk: *
• Leave “Processes to Exclude” empty
• Under “File or Folder name to block”, enter the following: **.exe
• Under “File Actions to Prevent”, check the box “Write Access to Files”
• Click OK and make sure the rule is active and reporting is enabled.

Warning: Please note that the procedure above may break some applications during normal use of the system and should only be enabled during an outbreak. After cleaning the machine it is recommended to disable the rule using the VSE Console. Also, as a mitigation factor, customers may want to monitor and block access to URLs in the following format:

• http://<randomname>/forum/

These domains are generated randomly and are used by the malware to download configuration and further malicious files.

Zbot + Necurs

The recent variant of Zbot uses the traditional infection vectors and comes bundled with the Necurs rootkit, which protects the malware files on disk and in memory, making them harder to find and remove once the malware is active.

GameOver Botnet

This ZBOT variant uses its peer-to-peer (P2P) network to download its configuration file. If its peers no longer exist, it uses its domain generation algorithm (DGA) to connect to a randomly generated C&C server, from which it gets its configuration file.

Infection Routines

The infection arrives as a spammed package-delivery email attachment. When the victim opens the attachment, which is usually detected as a UPATRE variant, it downloads and executes a malicious .exe file. This malware infects PCs through an aging vulnerability and launches the GameOver bot.

Normally, GameOver then injects itself into other processes and exits.

Along with its malicious routines that include stealing online banking credentials, the detected ZBOT variant then downloads a Cryptolocker variant onto the infected system. This variant, which serves as the final payload, is detected as a member of the Ransom malware family.

This is where the new variant drops and installs the Necurs rootkit, which is implemented as a kernel driver.

Mitigation

Please use the McAfee Rootkit removal tool to detect and clean the Necurs rootkit infection, as coverage for Necurs is not warranted in DATs.

Also, as a mitigation factor, customers may want to monitor and block access to URLs in the following format:

• http://<randomname>/forum/

These domains are generated randomly and are used by the malware to download configuration and more malicious files.
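The two phases of P2P communication described in the Peer to Peer section (a UDP fan-out to many peers on ports 10,000 to 30,000, followed by DNS lookups of 35-45 character alphanumeric names under .biz, .com, .info, .net, .org or .ru) and the http://<randomname>/forum/ download URLs named in the mitigation above are all visible in ordinary network logs. The following Python script is an added example and is not part of the McAfee advisory. It parses a constructed log in a simple line format (DNS, HTTP and UDP records with integer-second timestamps; the peer IPs and ports are copied from the sample list in the Peer to Peer section, while the client IPs, hostnames and URLs are made up) and flags each of the three patterns.

```python
import re
from collections import Counter, defaultdict, deque

# Values taken from the advisory text.
P2P_PORT_MIN, P2P_PORT_MAX = 10000, 30000
DGA_HOST_RE = re.compile(r"[a-z0-9]{35,45}\.(biz|com|info|net|org|ru)")
FORUM_URL_RE = re.compile(r"^http://([^/]+)/forum/$")

# Constructed sample log (assumed format: "KIND ts client ..."; not real traffic).
SAMPLE_LOG = """\
DNS 1000 10.0.0.5 www.google.com
UDP 1001 10.0.0.5 111.125.64.162 19098
UDP 1002 10.0.0.5 89.115.18.9 11071
UDP 1003 10.0.0.5 91.200.212.206 15988
UDP 1004 10.0.0.5 182.68.230.48 25522
UDP 1005 10.0.0.5 96.37.232.167 15331
UDP 1006 10.0.0.5 190.224.55.150 19962
UDP 1007 10.0.0.5 65.103.252.159 29747
UDP 1008 10.0.0.5 79.56.118.196 14673
UDP 1009 10.0.0.5 186.184.50.109 12471
UDP 1010 10.0.0.5 77.28.98.208 16341
UDP 1011 10.0.0.5 187.118.236.112 10682
UDP 1012 10.0.0.5 223.178.85.104 24985
DNS 1030 10.0.0.5 q7w3e9r2t8y1u5i0o4p6a3s9d2f7g1h4j8k5l0z3.info
DNS 1031 10.0.0.5 m2n6b4v8c1x5z9l3k7j0h2g6f4d8s1a5p9o3i7.ru
DNS 1032 10.0.0.5 abcdefghij0123456789abcdefghij.com
HTTP 1040 10.0.0.5 GET http://k2j8d0s3a1f4g7.biz/forum/
HTTP 1041 10.0.0.9 GET http://www.example.com/forum/viewtopic.php?t=1
UDP 1050 10.0.0.9 8.8.8.8 53
UDP 1051 10.0.0.9 192.0.2.10 15000
UDP 1052 10.0.0.9 192.0.2.11 16000
"""


def dga_like(hostname: str) -> bool:
    """True for a two-label name of 35-45 alphanumerics under one of the listed TLDs."""
    return DGA_HOST_RE.fullmatch(hostname.lower().rstrip(".")) is not None


def forum_url(url: str) -> bool:
    """True when the URL is exactly http://<name>/forum/ (the shape the mitigation names)."""
    return FORUM_URL_RE.match(url) is not None


def udp_fanout(events, window=60, threshold=10):
    """Return (src, peak distinct peers) for sources that reach >= threshold distinct
    destinations on UDP ports 10000-30000 within any span of `window` seconds."""
    by_src = defaultdict(list)
    for ts, src, dst, port in events:
        if P2P_PORT_MIN <= port <= P2P_PORT_MAX:
            by_src[src].append((ts, dst))
    flagged = []
    for src, evs in by_src.items():
        evs.sort()
        in_window, counts, peak = deque(), Counter(), 0
        for ts, dst in evs:
            in_window.append((ts, dst))
            counts[dst] += 1
            while ts - in_window[0][0] > window:  # expire events older than the window
                _, old = in_window.popleft()
                counts[old] -= 1
                if counts[old] == 0:
                    del counts[old]
            peak = max(peak, len(counts))
        if peak >= threshold:
            flagged.append((src, peak))
    return flagged


def scan_log(lines):
    """Parse the constructed records and apply all three checks."""
    dga, forum, udp_events = [], [], []
    for line in lines:
        parts = line.split()
        if not parts:
            continue
        kind, ts, client = parts[0], int(parts[1]), parts[2]
        if kind == "DNS" and dga_like(parts[3]):
            dga.append((client, parts[3]))
        elif kind == "HTTP" and forum_url(parts[4]):
            forum.append((client, parts[4]))
        elif kind == "UDP":
            udp_events.append((ts, client, parts[3], int(parts[4])))
    return {"dga_domains": dga, "forum_urls": forum, "udp_fanout": udp_fanout(udp_events)}


if __name__ == "__main__":
    for category, hits in scan_log(SAMPLE_LOG.splitlines()).items():
        print(category, hits)
```

The DGA check deliberately requires exactly two labels, so long hash-like hostnames under a legitimate CDN subdomain do not match, and the URL check requires the path to be exactly /forum/, so ordinary forum software at http://host/forum/viewtopic.php is not flagged. The fan-out threshold and window are assumptions to tune per network; the advisory gives the port range but not a packet count.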

Intercepting mouse clicks and capturing virtual keyboard screenshots

Banking websites have come up with the virtual keyboard technique to mitigate keystroke-logging attacks. Zeus counters this security feature by capturing a screenshot on each mouse click. Each click is intercepted and a screenshot captured and sent to the drop server, where the screenshots are combined sequentially to extract the entered password, as shown below.

One of Zbot’s trickiest detours is the one installed for TranslateMessage(), a Windows function that converts virtual key codes into readable characters. That is where the Trojan inserts itself and acts as a conventional keylogger by intercepting WM_KEYDOWN messages and logging any characters, for example credentials. But the truly sneaky part is the detour intercepting WM_LBUTTONDOWN window messages, which are the events that signal left mouse button clicks. For each click (limited to a maximum of 20), a square screenshot centered on the mouse cursor is created and used to graphically grab credentials that the user enters with virtual or on-screen keyboards. The bad guys’ reaction with a “graphical keylogger” of that caliber is only natural. It is a typical cat and mouse game that evolved after online banking institutions decided to transition from traditional keyboard-based authentication to proprietary authentication mechanisms based on virtual keyboards.


Zbot infecting Mobile devices

There is a new Zbot variant in the wild which steals the victim’s mobile number and then infects the mobile device. Zbot does this by sending a link to the registered mobile number. The link points to a sisx file (Symbian OS) named “cert.sis”, which pretends to be an update from Nokia. The installation package is issued to “Mobil Secway” and is signed by Symbian CA. This malicious app (detected as SymbOS/Zbot) is designed to steal MTAN mobile transaction numbers in order to steal financial data. Upon installation SymbOS/Zbot sends an SMS message to the number “+447781481725” with the message body “App installed ok”.

The trojan is capable of:

• Sending SMS messages to a phone number
• Forwarding incoming SMS messages to a C&C phone number
• Updating the C&C and target phone numbers via SMS

The following image shows the disassembly view of the Zbot sis file. The code below shows the function that handles the smssetting and smsservicecenter count.


The trojan is capable of sending/accepting the following commands:

• set admin: The C&C phone number is changed to that of the command sender (in memory only).
• SET ADMIN: The current C&C phone number is written to “c:\private\20022b8e\Settings2.dat”.
• ON: Forwarding of SMS messages received from the phone numbers registered by the commands “SET SENDER” and “ADD SENDER” to the C&C phone number begins.
• BLOCK OFF: This seems to set the client to accept all commands, though commands may be ignored on the device. The status of the 'block' command is changed in “Settings2.dat”.
• SET SENDER <number>: The number is the phone number whose SMS messages are monitored/forwarded. All phone numbers are deleted from “c:\private\20022b8e\NumbersDB.db” and the specified number is written to “NumbersDB.db”.
• ADD SENDER <number1>,<number2>,…,<number n>: The numbers are the phone numbers whose SMS messages are monitored/forwarded. The specified numbers are written to “NumbersDB.db”.
• ADD SENDER ALL: No action. Presumably this would have been a catch-all setting which would forward all received messages.

Getting Help from the McAfee Foundstone Services team

This document is intended to provide a summary of current intelligence and best practices to ensure the highest level of protection from your McAfee security solution. The McAfee Foundstone Services team offers a full range of strategic and technical consulting services that can further help to ensure you identify security risk and build effective solutions to remediate security vulnerabilities.

You can reach them here: https://secure.mcafee.com/apps/services/services-contact.aspx

COMPANY CONFIDENTIAL © 2010 McAfee, Inc. All rights reserved.