For those not tuned into the infosec world, Zeus is a do-it-yourself kit for bad guys to make computer viruses and other malware with a point-and-click interface. Zeus has been defeating your anti-virus and malware protection software for several years now, and the reason for this is that bad guys can customize the payload with MANY different features, so when you get hit with it on your computer, it ALWAYS has a different look and feel to it. In other words, it can't be detected based on a certain file name, file size, hash value or even necessarily a behavior, because these features are all customizable and somewhat randomizable via a plethora of different options. I have come across something online that will pull back the curtain and give you some insight into how complex and well thought out this tool kit is.
Presumably the same person who posted the source code online has also graciously posted the instruction manual for Version 126.96.36.199, March 20, 2011 of the Zeus crimeware kit on pastehtml. Reading over this instruction manual shows the level of sophistication of the authors of Zeus. The manual gives many insights on how the piece of malware you create will be able to hide itself from the user and the operating system. Here is a short (paraphrased) excerpt from the Bot-Protection section:
- All objects, i.e. files, mutexes and registry keys, are created with completely random and unique names.
- The code that first installs the bot is destroyed after the bot is installed.
- Files are not hidden from the WinAPI, because anti-virus tools would find a hidden file too easily.
- The bot can be updated on the fly without a reboot.
- The bot monitors the integrity of its own files, keys and other objects.
After the protection section, the manual spells out the server-side functions of the bot:
- Socks 4/4a/5 server with support for UDP and IPv6.
- Backconnect for any service (RDP, Socks, FTP, etc.) on the infected machine, i.e. access may be gained to a computer that is behind NAT or whose firewall prohibits inbound connections. This feature relies on additional applications that run on any Windows server on the Internet with a dedicated IP.
- Capturing a screenshot of the desktop in real time.
Next, the manual spells out the different ways your custom piece of malware can hook into wininet.dll or nspr4.dll to intercept HTTP/HTTPS traffic going through IE or Firefox (pro-tip: keep Opera handy):
- Modification of the loaded pages content (HTTP-inject).
- Transparent pages redirect (HTTP-fake).
- Extracting specific pieces of data from the page content (for example the bank account balance).
- Temporarily blocking HTTP-injects and HTTP-fakes.
- Temporarily blocking access to a certain URL.
- Blocking the logging of requests for a specific URL.
- Forcing the logging of all GET requests for a specific URL.
- Creating a snapshot of the screen around the mouse cursor when buttons are clicked.
- Getting session cookies and blocking user access to a specific URL.
The list goes on and on, but it shows that this is truly a Swiss Army knife of malware. Skipping down to the C&C feature description section, there is a lot of focus on client tracking and geolocation along with some logging and notification features. One particularly interesting section of features spells out the client details that are tracked:
- Windows version, user language and time zone.
- Location and computer IP address (not for local addresses).
- Internet connection speed (measured by calculating the load time of a predetermined HTTP-resource).
- The first and last time of communication with the server.
- Time online.
When you read over the instructions, you realize what an incredible tool this could be for plain old white-hat system administration. The level of detail provided in the instructions is truly impressive and rivals most legitimate pieces of software that we've seen as of late.
The other conclusion we can easily draw is that the Zeus crimeware kit is clearly the work of a well-backed team of developers rather than some Russian dude in his basement.
Most of the document is incredibly interesting and I would urge you to take a peek to see what's behind the curtain. We discussed this on the ISD Podcast in episode 386. Take a listen for more details.
I was listening to the ISD Security Podcast episode 168 the other day and heard this great interview with Paul Royal, who researched and helped shut down the original Kraken botnet in 2008. While the whole interview was excellent, one part at the end stood out as something that should be documented. Rick asked Paul how someone could get started in malware analysis if they are interested. The following is my paraphrased version of Paul's response:
Check out the following sites to obtain malware samples:
Malfease, a public malware repository hosted by Georgia Tech. You don't have to be a student at Georgia Tech to use this service. From the FAQ: "Q) What is the purpose of Malfease? A) Malfease is designed to automate many of the tasks associated with new malware collection. With thousands of new samples created each week, automation can help reduce the burden on researchers and industry analysts."
Malware Domain List, a site where volunteers document malicious domains found on legitimate compromised sites, etc., and which has links to download some of the malware. There are several very interesting links right on the front page of the MDL that anyone interested in malware analysis, prevention and incident response should check out.
With the above links you can purposely download malware and allow it to exploit your virtual machine or other sandboxed environment running known vulnerable, unpatched software or software vulnerable to zero-day threats. Once this has been done, you can study it at several levels:
- At a basic level, study the network traffic patterns with a tool such as Wireshark.
- Next you could run it under a live binary analysis tool such as OllyDbg.
- You can also do a static analysis with a debugger/disassembler such as IDA Pro.
When you are ready to move beyond those initial methods, install Linux on a system that supports hardware virtualization extensions. Then you can delve into tools such as Ether in conjunction with the Xen virtualization platform. This will allow you to play around with much more sophisticated malware and figure out how it operates.
Continue experimenting and piece by piece you will start to understand how the “modern threat landscape” works.
In late 2009 I started becoming interested in security podcasts. In general, security podcasters put out a lot of excellent information in an entertaining format. I've come to find that many of them follow the same format to the point of being a bit cliché: things like crazy sound boards, beer du jour, etc. ISD has a couple of these formula elements, but they also have their own unique angles that give them value and make them entertaining.
ISD is the first podcast I ever listened to, so I didn't really have anything to judge it against. I've listened to a lot more podcasts since then, however, and I still find that ISD stands out as one of the better ones. I find Matthew and Rick very entertaining, since the dynamic they share reminds me of the way a former co-worker and I used to banter and finally settle our heated discussions with Google. I also applaud Rick and Matthew's dedication. These guys podcast EVERY WEEKDAY. Wow!! Most podcasters would (and do) run out of steam, but these guys have already put out more content than 95% of the other podcasters out there ever will.
One of the best things about ISD is Thursdays, when they bring on Adrian Crenshaw, the Irongeek, for a weekly technical segment. Adrian must clone himself or something, because I hear him calling in and talking on all the other podcasts, I see that he goes to a zillion cons, holds a day job and tinkers with hardware hacks as a hobby. Incredible. He's very interesting to listen to and is always working on a fascinating project.
Overall, the ISD guys are obviously dedicated to providing good content. They haven't even been around for a year yet (as of 5/7/10), but they have brought on plenty of interesting guests to interview and put out a lot of well-thought-out content so far. I think these guys are definitely worth a listen even if you aren't directly in the computer security field yourself.
One last thing to keep in mind is that the ISD guys are VERY slanted towards security and local events in the southeast, since they are based in Georgia. They proudly pimp all of their hometown security conferences, events and training. If you don't live in the southeast, you'll probably have to find information about local events from another source. Nothing wrong with that; it's just an observation.
Keep up the great work guys!