A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #22560  by unixfreaxjp
 Wed Mar 26, 2014 12:08 am
Kimberly wrote: Which is easy ... don't allow Windows Explorer to access the internet ;)
In this case, I must disagree with this WRONG fact.
Why? Even when connected to the internet, the GMO's DGA will be rapidly requested; this works for the sample whose hashes I mentioned and announced. It has the special purpose which I posted in detail here: http://blog.malwaremustdie.org/2014/03/ ... rooks.html

In addition, for the sake of good research in fighting malware, I'd say that instead of burping out a quick comment on someone's serious research post, one should investigate things more deeply before stating something, unless that will only be pointing to wrong information. I reversed & tested all the stuff all over again (and again) to prove my own statement above. I challenge anyone who can prove me otherwise with the verdicted sample's hash investigated and posted.

@unixfreaxjp
 #22597  by Kimberly
 Sun Mar 30, 2014 4:42 pm
I don't know why I have to justify myself. If I have spare time I'll make a video of what I'm saying.

"The binary starts by sending out a request to Google, probably to test the internet connectivity of the computer. Next, a series of hardcoded peers are contacted to obtain its configuration file, updates and an active list of peers. If none of the peers can be reached, GameOver falls back to a Domain Generation Algorithm (DGA) that creates around 1000 pseudorandom domains per day."

http://stopmalvertising.com/spam-scams/ ... eover.html

Block with a decent firewall and you'll only get DGA.

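The behaviour quoted above (a connectivity check against Google, then hardcoded peers, then a fall-back DGA producing on the order of a thousand names a day) has a recognisable footprint on a resolver: a burst of NXDOMAIN answers for random-looking names from one client. The following is an added example, not code from this thread or from stopmalvertising, that runs that detection over a small constructed resolver log. The log format, the client addresses, the domain names and the thresholds (60-second window, 5 failed lookups, label entropy above 3 bits) are all assumptions made for the example; the names are not output of the real GameOver DGA, whose algorithm is not part of this thread.

```python
import math
import re
from collections import Counter, defaultdict, deque
from datetime import datetime

# Constructed resolver log: "<ISO timestamp> <client IP> <queried name> <rcode>".
# 10.0.0.5 is a normal client with one typo (gogle.com); 10.0.0.7 shows a DGA-style
# burst right after its Google connectivity check; 10.0.0.9 makes the same number of
# failed lookups but spread minutes apart, so a 60-second window must not flag it.
SAMPLE_LOG = """\
2014-04-01T10:00:01 10.0.0.5 www.google.com NOERROR
2014-04-01T10:00:02 10.0.0.5 gogle.com NXDOMAIN
2014-04-01T10:00:03 10.0.0.5 update.microsoft.com NOERROR
2014-04-01T10:00:05 10.0.0.7 www.google.com NOERROR
2014-04-01T10:00:06 10.0.0.7 x7k2pqv9dtls.com NXDOMAIN
2014-04-01T10:00:08 10.0.0.7 qmz4hvtbe8ya.net NXDOMAIN
2014-04-01T10:00:11 10.0.0.7 tw9ckdrlp3xu.org NXDOMAIN
2014-04-01T10:00:13 10.0.0.7 bfn6sxq1zhwe.biz NXDOMAIN
2014-04-01T10:00:17 10.0.0.7 rk3vgmyp7cod.info NXDOMAIN
2014-04-01T10:00:21 10.0.0.7 hzp8ltw5nqaf.com NXDOMAIN
2014-04-01T10:02:00 10.0.0.9 ve2nxk6rqtmb.com NXDOMAIN
2014-04-01T10:05:00 10.0.0.9 dlw7pcz3ksyq.net NXDOMAIN
2014-04-01T10:08:00 10.0.0.9 amt5rbg9hxoe.org NXDOMAIN
2014-04-01T10:11:00 10.0.0.9 cfq2nzv8wpli.com NXDOMAIN
2014-04-01T10:14:00 10.0.0.9 ygh4skd6tmbx.net NXDOMAIN
2014-04-01T10:17:00 10.0.0.9 osr3jwe7lcvp.com NXDOMAIN
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(NOERROR|NXDOMAIN|SERVFAIL|REFUSED)$")


def parse_line(line):
    """Parse one log line into a dict, or return None for lines in another format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, rcode = m.groups()
    return {
        "ts": datetime.fromisoformat(ts),
        "client": client,
        "qname": qname.lower().rstrip("."),
        "rcode": rcode,
    }


def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score high, typos low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def second_level_label(qname):
    """The label just below the TLD, which is where a DGA puts its randomness."""
    parts = qname.split(".")
    return parts[-2] if len(parts) >= 2 else qname


def detect_dga_clients(log_text, window_seconds=60, threshold=5, min_entropy=3.0):
    """Return {client: [suspicious names]} for clients that made `threshold` or more
    high-entropy NXDOMAIN lookups inside any `window_seconds` sliding window."""
    windows = defaultdict(deque)      # client -> timestamps of recent suspicious NXDOMAINs
    suspicious = defaultdict(list)    # client -> every suspicious name seen
    flagged = set()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["rcode"] != "NXDOMAIN":
            continue
        if shannon_entropy(second_level_label(rec["qname"])) < min_entropy:
            continue  # typo-like or dictionary-looking names are not counted
        q = windows[rec["client"]]
        q.append(rec["ts"])
        while (rec["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()  # drop failures that fell out of the window
        suspicious[rec["client"]].append(rec["qname"])
        if len(q) >= threshold:
            flagged.add(rec["client"])
    return {client: suspicious[client] for client in flagged}


if __name__ == "__main__":
    for client, names in detect_dga_clients(SAMPLE_LOG).items():
        print(f"{client}: {len(names)} DGA-like NXDOMAIN lookups, e.g. {names[0]}")
```

With the default 60-second window only 10.0.0.7 is reported; widening the window to an hour also catches the slow client 10.0.0.9, which is the trade-off to tune against the resolver's normal NXDOMAIN noise. The Google lookup that precedes the burst resolves normally, so a connectivity check on its own produces no alert; it is the failed lookups that follow it, once the hardcoded peers are unreachable, that stand out.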
 #22599  by Xylitol
 Tue Apr 01, 2014 10:00 am
https://zeustracker.abuse.ch/monitor.ph ... ugu.gov.tr
https://www.virustotal.com/en/file/924c ... 396346350/
Code:
72 D8 42 AC B0 EA 0B 24 58 5B B1 E2 20 74 3B 0A 50 D9 AB 0E 8E CC E6 32 4E CF A8 CD 2B 26 54 67 5A DF BE AD 36 3E AA 56 B3 FA 8C 5D 1A 06 B8 FF 90 1D 28 38 4A A9 96 A3 10 BC 0C 83 D5 86 85 19 2C 7C 44 34 80 D6 66 FD 60 B7 D4 9E C2 A2 55 E3 78 DC 30 DD 6D 22 7A A0 7E 77 25 41 8B 75 C0 63 01 13 73 08 AE 5F 52 CE F0 6E 53 9A A1 16 F7 9D 4D E9 5C 43 C8 CA 7D 1B 2D 35 A5 98 2E 03 D1 27 84 12 B2 6F C7 57 C6 59 39 C1 14 C5 FE 05 23 18 37 00 C4 F6 45 09 71 11 CB 31 F1 DA C3 70 B4 76 17 4B BB 9F 15 BA 89 40 51 7B BD 5E 1E 21 E0 6A 94 95 D7 92 D3 BF 8D DB 68 E7 EB EE A6 04 49 EC 1F 46 B5 48 A4 99 0D 2A B6 4C 3A 82 9C C9 A7 81 1C F4 D0 29 3F E1 69 2F ED 9B 88 33 8F 64 3C 0F 6B F3 61 62 3D FC 07 7F 93 E5 E8 E4 D2 47 02 EF 97 B9 65 F9 79 4F 6C 91 87 AF F5 FB F2 8A F8 DE
Attachments
infected (1.33 MiB)
 #22601  by Kimberly
 Tue Apr 01, 2014 2:44 pm
unixfreaxjp wrote:
Kimberly wrote: Which is easy ... don't allow Windows Explorer to access the internet ;)
In this case, I must disagree with this WRONG fact.
Why? Even when connected to the internet, the GMO's DGA will be rapidly requested; this works for the sample whose hashes I mentioned and announced. It has the special purpose which I posted in detail here: http://blog.malwaremustdie.org/2014/03/ ... rooks.html

In addition, for the sake of good research in fighting malware, I'd say that instead of burping out a quick comment on someone's serious research post, one should investigate things more deeply before stating something, unless that will only be pointing to wrong information. I reversed & tested all the stuff all over again (and again) to prove my own statement above. I challenge anyone who can prove me otherwise with the verdicted sample's hash investigated and posted.

@unixfreaxjp
ZeuS GameOver
https://www.virustotal.com/en/file/b748 ... /analysis/

Andromeda
https://www.virustotal.com/en/file/138f ... /analysis/
https://www.virustotal.com/en/file/81f3 ... /analysis/

FYI, I've added a video that shows that by not allowing Windows Explorer straight away to access internet you can FORCE GameOver to start using the DGA instead of the hardcoded peers. So tell me again that I am wrong ...
http://stopmalvertising.com/spam-scams/ ... ktail.html
Attachments (327.68 KiB)
 #22712  by Mad_Dud
 Tue Apr 22, 2014 8:43 am
According to Fortinet - P2P Zeus Performs Critical Update
On April 8, our monitoring system found that the version number included in the encrypted TCP packet has been updated to 0x3B.
Apart from its original functions of banking information stealing, process injection, and so on, the new binary would also drop a rootkit driver file into the %SYSTEM32%\drivers folder. The rootkit basically hides the P2P Zeus and prevents the deletion of its binary and its autorun registry entries.
 #23410  by patriq
 Fri Jul 18, 2014 9:04 pm
Pulled some fresh samples from a machine on 16 July 2014.

MBAM detected the following:
Code:
C:\Users\user\AppData\Local\gemnoss.dll (Trojan.LVBP.ED) 
C:\Users\user\AppData\Local\Temp\UpdateFlashPlayer_6645eca2.exe (Spyware.Zbot.MSXGen) 
C:\Users\user\AppData\Local\Temp\UpdateFlashPlayer_78592a43.exe (Spyware.Zbot.MSXGen) 
C:\Users\user\AppData\Local\Temp\~tmf2127146759064854445.tmp (Trojan.Kelihos) 
C:\Users\user\AppData\Local\Temp\~tmf3312036165669406964.tmp (Trojan.Kelihos) 
C:\Users\user\AppData\Local\Temp\~tmf5105604272230926991.tmp (Trojan.Kelihos)
C:\Users\user\AppData\Roaming\Geevyq\akewd.exe (Spyware.Zbot.VXGen) 
Even after removing these and cleaning up autoruns, the malware would return. I assume it's rootkitted, but I can't find the rootkit driver file. I'm not that skilled, so I only used GMER, but it finds nothing.

The ZeuS samples spawned an Adobe Flash update install which was legit as far as I can see... sooo, I guess thanks for that? :-D

Also, my VirtualBox Win7 install has "GuestAdditions" and no anti-VM patching. I would have thought the malware would look for that and not run.
ZbotMSX.png (181.17 KiB)
Anyway, samples are attached.
Attachments (1.12 MiB)
 #23849  by unixfreaxjp
 Wed Sep 10, 2014 3:07 pm
@Xylit0l @EP_X0FF
I am sorry, I made a mistake! This variant is not for the Zbot thread. I know how this works but I don't know what this is (T T)
Please kindly help to move it to the proper threat topic.
A few hours ago this campaign via spam was spotted:
The attachment (downloader part): https://www.virustotal.com/en/file/595b ... /analysis/
It downloads the set: https://www.virustotal.com/en/file/d45e ... 410358503/
Distribution details and CNC information I wrote in VT & the pictures; please bear with the hurried pace...
Attachments: 7z, pwd:infected (98.13 KiB)
Last edited by unixfreaxjp on Wed Sep 10, 2014 5:58 pm, edited 1 time in total.