A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #18929  by wacked2
 Sun Apr 14, 2013 1:31 am
rkhunter wrote:Zbot family runs on selected systems only
http://blogs.avg.com/news-threats/zbot- ... d-systems/
That has been there since atleast 2.0.0.0.
Comparsion is done in
Code: Select all
bool CoreInstall::_loadInstalledData(const void *overlay, DWORD overlaySize);
Code: Select all
  WDEBUG5(WDDT_INFO, "Current OS guid {%08X-%04X-%04X-%08X%08X}.", ps.guid.Data1, ps.guid.Data2, ps.guid.Data3, *((LPDWORD)&ps.guid.Data4[0]), *((LPDWORD)&ps.guid.Data4[4]));
Dunno why they say that the code responsible for the creation isn't in the file maybe the current author took the dropper/droppee thing serious and removed the unnecessary code. Doubt it though
 #19297  by Xylitol
 Thu May 16, 2013 10:55 am
Encoded IceIX gate found on a hijacked server.
Code: Select all
ZXJyb3JfcmVwb3J0aW5n -> error_reporting
c2V0X3RpbWVfbGltaXQ= -> set_time_limit
cGFyc2VfdXJs -> parse_url
ZnNvY2tvcGVu -> fsockopen
ZmlsZV9nZXRfY29udGVudHM= -> file_get_contents
dXJsZW5jb2Rl -> urlencode
c3RybGVu -> strlen
ZndyaXRl -> fwrite
ZmVvZg== -> feof
ZnJlYWQ= -> fread
ZmNsb3Nlc3Vic3Ry -> fclosesubstr
c3RycG9z -> strpos
aHR0cDovL3VzcnJzbWgtYWdudi5ydS9hZG0vZ2F0ZS5waHA= -> hxtp://usrrsmh-agnv.ru/adm/gate.php
aG9zdA== -> host
cG9ydA== -> port
RTE= -> E1
cGhwOi8vaW5wdXQ= -> php://input
cGF0aA== -> path
UkVNT1RFX0FERFI= -> REMOTE_ADDR
IEhUVFAvMS4wDQo= -> HTTP/1.0
aG9zdA== -> host
SFRUUF9VU0VSX0FHRU5US -> HTTP_USER_AGENT
Q29ubmVjdGlvbjogQ2xvc2UNCg== -> Connection: Close
Image
--
Image
I've also mailed abuse.ch and tell them to fix 4 mistakes in the tracker (IceIX tagged as Zeus)
they fixed it in less than 5 mins they are fast for reaction, bravo
Attachments
infected
(861.63 KiB) Downloaded 69 times
infected
(2.66 KiB) Downloaded 62 times
 #19434  by unixfreaxjp
 Mon May 27, 2013 9:59 am
Malvertisement of ZBot via PHP/WebShell SpamBot (118.68.139.30)
This trojan file is in the attached PE camouflaged as Fake xls wrapped in plain Zip.

Spam Sample:
Image

Spam mail header analysis:
Image

The email's malware attachment:
Image

We blocked the spam mail relay IP.. (don't like blacklisting, yet is the only quick solution available in weekends...)
Image

UDP Communication to the below CnC hosts was detected:
Image

VT Detection ratio: 30 / 47
Analysis date: 2013-05-27 05:47:46 UTC ( 1 hour, 27 minutes ago )

The Email and PE Sample is as per attached 7z with password=infected
Attachments
(429.23 KiB) Downloaded 87 times
 #19452  by unixfreaxjp
 Tue May 28, 2013 3:26 pm
The Zbot Campaign is still going on.. Now they use the below email, you'll quickly see by its format that this also was made by spambot WebUI (refer to previous post):
Image
The email header is not so different as previously analyzed (please see them in the sample I 7z archived) so I don't spend my little time for it now.
VT:
Code: Select all
SHA256: 00b832b5128a7caffe8bd4a854b1e112d488acb37f3a787245d077ae0d106400
SHA1: 9a50fa08e71711d26d86f34d8179f87757a88fa8
MD5: 0bbf809dc46ed5d6c9f1774b13521e72
File size: 237.0 KB ( 242688 bytes )
File name: Statement 57-27-05-2013.exe
File type: Win32 EXE
Tags: peexe
Detection ratio: 27 / 47
Analysis date: 2013-05-28 11:38:53 UTC ( 2 minutes ago )
First submission 2013-05-27 12:48:38 UTC ( 22 hours, 52 minutes ago )
Last submission 2013-05-28 11:38:53 UTC ( 2 minutes ago )
Jump to quick reversing on binary, finding the highlights as below which is not written in VT behavior analysis. For the rest of analysis pls see Cuckoo result on VT behavior analysis at the above URL, is accurate enough:

Temporary file(bot logic) used:
Code: Select all
tmp (calling environment temp)
%s%08x.%s (format)
Wrote file: C:\Documents and Settings\USER\Local Settings\Temp\tmpf8d49d9f.bat (checked)
With the below batch:
Code: Select all
del "%s"
if exist "%s" goto d
@echo off
del /F "%s"
The config used:
Code: Select all
C(is a variable).dat
Wrote file: C:\Documents and Settings\rik\Local Settings\Application Data\cofa.uxo.dat (checked)
Interesting login names:
Code: Select all
tellerplus
bancline
fidelity
micrsolv
bankman
vantiv
episys
jack henry
cruisenet
gplusmain
silverlake
v48d0250s1
fastdoc
Code injection process names:
Code: Select all
launchpadshell.exe
dirclt32.exe
wtng.exe
prologue.exe
pcsws.exe
fdmaster.exe
This one is confirming the x64 processor..
Code: Select all
IsWow64Process

//...and also sniffng x64 at:
HKCU\Software\Microsoft","SUCCESS","Desired Access: Create Sub Key, WOW64_64Key"
HKCU\Software\Microsoft\Haatneylcoa","SUCCESS","Desired Access: Query Value, Set Value, WOW64_64Key"
HKLM\Software\Microsoft\Windows NT\CurrentVersion","SUCCESS","Desired Access: Query Value, WOW64_64Key"
HKLM\Software\Policies\Microsoft\Cryptography","NAME NOT FOUND","Desired Access: Read, WOW64_64Key"
HKLM\Software\Microsoft\Cryptography","SUCCESS","Desired Access: Read, WOW64_64Key"
HKLM\System\WPA\TabletPC","NAME NOT FOUND","Desired Access: Query Value, WOW64_64Key"
HKLM\SYSTEM\WPA\MediaCenter","SUCCESS","Desired Access: Query Value, WOW64_64Key"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers","NAME NOT FOUND","Desired Access: Read, WOW64
HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers","NAME NOT FOUND","Desired Access: Read, WOW64
HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\awoty.exe","NAME NOT FOUND","Desired Access: R
HKCU\Software\Microsoft\Haatneylcoa","SUCCESS","Desired Access: Query Value, WOW64_64Key"
HKLM\System\WPA\TabletPC","NAME NOT FOUND","Desired Access: Query Value, WOW64_64Key"
HKLM\SYSTEM\WPA\MediaCenter","SUCCESS","Desired Access: Query Value, WOW64_64Key"
HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers","NAME NOT FOUND","Desired Access: Read, WOW64
HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Layers","NAME NOT FOUND","Desired Access: Read, WOW64
HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Custom\cmd.exe","NAME NOT FOUND","Desired Access: Read, WOW64
HKLM\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags","NAME NOT FOUND","Desired Access: Read, WOW64_64Key"
HKCU\Software\Microsoft\Windows NT\CurrentVersion\AppCompatFlags","NAME NOT FOUND","Desired Access: Read, WOW64_64Key"
Remote host internet(web) connectivity..
Code: Select all
connection
proxy-connection
content-length
transfer-encoding
upgrade
chunked
keep-alive
close
Authorization
Basic
Botnets....
Code: Select all
DELETE
HEAD
PUT
CONNECT
OPTIONS
TRACE
COPY
LOCK
MKCOL
MOVE
PROPFIND
PROPPATCH
SEARCH
UNLOCK
REPORT
MKACTIVITY
CHECKOUT
MERGE
M-SEARCH
NOTIFY
SUBSCRIBE
UNSUBSCRIBE
PATCH
PURGE
The log installation is here:
Code: Select all
C:\Documents and Settings\rUSER\ntuser.dat.LOG","SUCCESS","EndOfFile: 49,152"
C:\Documents and Settings\rUSER\ntuser.dat.LOG","SUCCESS","EndOfFile: 53,248"
C:\Documents and Settings\rUSER\ntuser.dat.LOG","SUCCESS","EndOfFile: 57,344"
Wrote base64 encoded & binary encrypted data in registry at:
Code: Select all
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Haatneylcoa\2fejgjfb:
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Haatneylcoa\21ai7ij3:
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Haatneylcoa\36j81186:
HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Haatneylcoa\11e25340:

... with data like;
sDRF4HBUpPc1RhRP2lGIpNhVWo8a6AqeVn0oKIj8Ho8EP8ECwN64q+u
jzjEp70owuIN0mbmNl4gkYzIF/lBu54KVHORFnOg6y8/8hEjk2+Xugi
a7SjVX4swkd+nsQBuIHcKdu3Ul9EhafWwNnOQD2DEEA7x3vJeL8YnNX
wkPZ3YczFbwYIdLjjiutxhnGVeUBNBZiZeP42nV7n8hnjFFlQp3R+Co
B7aP54wBuitjH+F8ur/eVK+vlUBq3oq+SuTHd/Rj1MHKamn4JUr3nHM
jdnGTn3+AB8DWXTAhHuHf9K7qhLqSLVuHcKSvEIWlBhoaiyq7jS3CXF
fLe10Q06Xn1t10UmGGnfKbFKyq/g8HNxRG9/gRf24g1Co/TkmAkuSm4
           [...]
d+oZ653QF8A2uYYy8Lk3KCHoq/qfKNqZwt4hWSyU6E8X2yYjYlOceMX
lS3JVPlSidGGQuNcXDoOzybYamvE3VUyXTRIjBgEepRkz2GOQiZTT/+
mPOufRCwC+OMP+5/bF8CjDOrHYTb5ZIVqiszPnpruR6MiZOqL6V1fEE
G750I28g/NNd359zupA8nSvdUO4W38Vk9Z+LZAFhV2JNs4ZNI9jhjIu
V0dx238ObAIiUwe9Og8k7TK10JnC+wVyb0OM1Ki2qN3RXIZi8Zee5Uw
xdaYuz3JlYb2lkF4GT48uO/sBheOoiY60EdXchYSmJFjO9LvFaK9L4P
d3FqPBeIALgS5BC9U7a9ft3zUDFfe1Q0ZERX+p/Y0ci935hlNuDQDcn
vBIJk6kWMMrsZXXEAIMYGEIZCJorLumRPkhk0UtJzPNCLeoNi0CW7PH2PoBtK66EqIg=

// here goes the bins...

HKU\S-1-5-21-1214440339-926492609-1644491937-1003\Software\Microsoft\Haatneylcoa\36j81186:

0000   F8 58 5F 63 96 5D 93 0E A5 87 99 35 CB EC EC DB    .X_c.].....5....
0010   4F C2 CE 34 BD 47 55 28 8D AB 08 BB BC 43 E4 FE    O..4.GU(.....C..
0020   50 E4 3B 81 59 11 55 13 97 99 8A BE A4 F7 2F 35    P.;.Y.U......./5
0030   86 52 70 64 DE F4 9C 30 BF 40 2D 30 A9 7F FD 35    .Rpd...0.@-0...5
0040   1A 74 4D 90 41 85 90 FF CE D4 2B 61 F8 74 31 4F    .tM.A.....+a.t1O
0050   56 51 D3 00 A4 96 48 69 ED E6 63 E0 3B 83 93 50    VQ....Hi..c.;..P
0060   E2 E4 D5 E0 05 D8 71 14 1A C5 1A 10 8A 80 A5 72    ......q........r
0070   6F AB 11 0F AA 83 C4 52 D4 AF E2 7F F5 42 E8 37    o......R.....B.7
0080   1B 0A 54 A0 27 79 A3 E9 6E 51 DC 30 14 93 3E EB    ..T.'y..nQ.0..>.
0090   6B A2 3C 27 32 DD 9B D2 41 92 92 FF 50 71 21 62    k.<'2...A...Pq!b
00A0   E4 10 47 27 33 5B A5 3E 58 A8 33 8A 89 0B E0 8B    ..G'3[.>X.3.....
00B0   AB 22 C0 44 07 5F 01 6D C7 A7 E8 27 50 3B 34 43    .".D._.m...'P;4C
00C0   DE AD 75 1B 08 E9 68 EB FD CF 73 F5 D8 77 3E B3    ..u...h...s..w>.
00D0   19 4B E1 82 93 FE 3A ED CB D6 CC 32 94 9D AF 84    .K....:....2....
00E0   A1 96 22 4B 40 19 8A EF 2A DF D2 03 52 8E 19 47    .."K@...*...R..G
00F0   A5 75 39 5D 9D 4F 04 F2 79 37 4B B7 FE D4 42 04    .u9].O..y7K...B.
0100   31 B1 5E 0D 4C 19 81 9A 9D CE FE 72 83 98 F7 12    1.^.L......r....
0110   61 84 81 B3 F0 DF 12 74 5E 34 02 1A DD AD 78 9E    a......t^4....x.
[...]                      [...]                             [...]
PC's LDAP & WAB is always activated in this variant....
Code: Select all
\Internet Account Manager\Accounts\WhoWhere\LDAP Server ID: 0x00000003
\Internet Account Manager\Accounts\WhoWhere\Account Name: "WhoWhere インターネット ディレクトリ サービス"
\Internet Account Manager\Accounts\WhoWhere\LDAP Server: "ldap.whowhere.com"
\Internet Account Manager\Accounts\WhoWhere\LDAP URL: "http://www.whowhere.com"
\Internet Account Manager\Accounts\WhoWhere\LDAP Search Return: 0x00000064
\Internet Account Manager\Accounts\WhoWhere\LDAP Timeout: 0x0000003C
\Internet Account Manager\Accounts\WhoWhere\LDAP Authentication: 0x00000000
 (...)

\Software\Microsoft\WAB\WAB4\Wab File Name\: "C:\Documents and Settings\rik\Application Data\Microsoft\Address Book\rik.wab"
\Software\Microsoft\WAB\WAB4\OlkContactRefresh: 0x00000000
\Software\Microsoft\WAB\WAB4\OlkFolderRefresh: 0x00000000
(...)
Network Analysis: (took me 1.5hrs to squeeze these out.. think I nailed'em dry this time)
Guess which ones are CnC ;-))
Code: Select all
//ICMP:
(DST-IP)
---------------
109.242.53.221
203.59.98.143
87.126.253.100
194.225.33.145
62.38.110.99

// TCP Communication (ESTABLISHED)
(IP):(DST-PORT)
---------------
176.62.240.159 TCP/1046
190.37.198.197 TCP/1050
77.52.101.167  TCP/1047
92.51.106.142  TCP/1044

// TCP Communication (FAILED)
77.52.101.167 TCP/1047

// UDP Communication (ESTABLISHED)
(IP):(DST-PORT)
---------------
87.202.38.85:26043
79.135.36.74:26094
181.67.50.91:27916
203.59.98.143:28022
78.161.154.194:25633
194.94.127.98:25549
176.62.240.159:24509
2.134.138.250:24581
95.141.135.26:25316
190.37.198.197:28133
195.169.125.228:29902
190.11.9.62:29691
190.37.115.43:29609
63.85.81.254:29130
66.170.195.42:28632
77.52.101.167:28906
36.69.33.103:29025
63.85.81.254:29130
176.62.240.159:24509
75.4.237.76:24145
49.245.21.129:10029
94.68.105.30:10038
122.163.41.96:10211
201.248.5.93:10313
84.59.222.81:21469
180.254.255.197:10643
41.201.235.43:10761
109.242.53.221:10914
124.123.214.163:10940
194.225.33.145:11337
180.254.155.197:10643
209.252.46.18:10643
89.122.155.200:10556
108.251.104.195:10416
91.22.119.127:10497
37.212.177.153:10510
89.122.155.200:10556
  :
 [...]

Please see the UDP PCAP for the full list here:
http://www.mediafire.com/?rteb7ee8xs9rzk0
These are the IP source where the ZeuS config was downloaded (suspected CnC)
Image
The sample is attached 7z, password=infected.
Image
Rgds. #MalwareMustDie!!
Attachments
(450.79 KiB) Downloaded 87 times
 #19544  by unixfreaxjp
 Tue Jun 04, 2013 12:35 pm
This email's attachment is Pony that downloaded Zbot.
Image
Spam header showed a spambot client:
Code: Select all
Date: Mon, 3 Jun 2013 09:45:57 -0800
From: "Fiserv Secure Notification" <secure.notification@fiserv.com>
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:7.0.1) Gecko/20110929 Thunderbird/7.0.1
MIME-Version: 1.0
Pony sample in VT: https://www.virustotal.com/en/file/8de1 ... /analysis/
Zbot sample in VT: https://www.virustotal.com/en/file/40b4 ... /analysis/
My analysis is in here: http://malwaremustdie.blogspot.jp/2013/ ... s-via.html (ps: not a promotion but is a share)

Infection Highlights:
1. The attachment was passworded: (new trend?)
Image
2. Processes post infections:
Image
Image
3. Full outbound traffic summary of an infection:
Image
4. The Zbot download hosts are still up:
Code: Select all
--2013-06-04 17:40:46--  h00p://190.147.81.28/yqRSQ.exe
Connecting to 190.147.81.28:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 305664 (299K) [application/x-msdownload]
Saving to: `yqRSQ.exe'
100%[=====================>] 305,664     95.4K/s   in 3.1s
2013-06-04 17:40:51 (95.4 KB/s) - `yqRSQ.exe' saved [305664/305664]
 
--2013-06-04 17:40:59--  h00p://paulcblake.com/ngY.exe
Resolving paulcblake.com... 74.54.147.146
Connecting to paulcblake.com|74.54.147.146|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 305664 (299K) [application/x-msdownload]
Saving to: `ngY.exe'
100%[=====================>] 305,664      144K/s   in 2.1s
2013-06-04 17:41:02 (144 KB/s) - `ngY.exe' saved [305664/305664]
 
--2013-06-04 17:41:15--  h00p://207.204.5.170/PXVYGJx.exe
Connecting to 207.204.5.170:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 305664 (299K) [application/x-msdownload]
Saving to: `PXVYGJx.exe'
100%[=====================>] 305,664      109K/s   in 2.7s
2013-06-04 17:41:18 (109 KB/s) - `PXVYGJx.exe' saved [305664/305664]
Samples:
Image
Samples Download here
 #19545  by markusg
 Tue Jun 04, 2013 1:05 pm
I do not think password protected spam is new, i seen it from time to time, but not realy often :-)
 #19579  by rough_spear
 Sun Jun 09, 2013 1:58 pm
Hi All, :D

Five zbot samples.

MD5 list:
699E22B01D17ACA28BA6DFBDF3C42987
7D0463D3BD592CDB034E4412B2C20CAB
7d6306c0f3bb9b9692bd4db7a965a039
e7744842585c51e97de4c4758adb0a92
f0dadf8128c787221480533b31964894

Regards,

rough_spear.
Attachments
password - infected.
(374.41 KiB) Downloaded 76 times
  • 1
  • 15
  • 16
  • 17
  • 18
  • 19
  • 29