A forum for reverse engineering, OS internals and malware analysis 

Zeus Gameover

Forum for analysis and discussion about malware.

Zeus Gameover

 #14605  by Peter Kleissner
 Thu Jul 12, 2012 4:06 pm
2 Samples of ZeuS gamever (the one discussed in http://www.abuse.ch/?p=3499). Be aware that the unpacked samples have a file size check (like normal ZeuS) and do not run directly! (that is a protection to force ZeuS buyers to use a crypter) Also rename them before executing.

- No VM checks or self protection observed
- Uses P2P, 50 hard-coded IPs
- Falls back to DGA in case p2p fails
- Gets either p2p IP list from server (via DGA) or directly the configuration
- DGA: 1000 possible domains every 7 days, TLDs ru, biz, info, org, net
- Moves itself to a sub-directory in %AppData%, stores config in sub-directory
- Sinkholing is as easy as breaking a candy

For additional info as well as the complete domain list for 2012 and the p2p IP lists PM me. I could also extract the list of banks it attacks, roughly 421 URLs in its configuration.
Attachments
infected
(811.14 KiB) Downloaded 303 times

Re: Trojan Zeus (alias ZBot)

 #14729  by Peter Kleissner
 Wed Jul 18, 2012 2:06 pm
I found a new ZeuS Gameover variant in the wild. They only changed the Domain Generation Algorithm - maybe the developers are reading this forum and got to know that I had the DGA figured out. For July these are the active ones:
Code: Select all
Checking domains for 7/1/2012
Found domain xwmfilzdvwctzdjzzlustfiuc.org with IP 198.136.53.75
Found domain dojjbvgzdrgwgfyxvktnfppmb.biz with IP 198.136.53.75
Found domain tsztlbxxjbwkvjvccyhmvqw.com with IP 198.136.53.75
Found domain gyhucuslhhlhexwnvpvwgmfqo.biz with IP 198.136.53.75
Found domain gpxkbqnrvshmpfunbknbuijzdbe.com with IP 198.136.53.75
Found domain mnpjifqdcueupxzhgixki.com with IP 198.136.53.75
Found domain fandfidcuzxuoyfukrprjrw.biz with IP 184.164.141.42
Found domain hudyhbixsozztiblfbaxyleacpn.org with IP 184.164.141.42
Found domain ydluglyhnvjrkztdilbxucdtokj.info with IP 69.194.193.124
Found domain uonbydpfalnaufmjylpfjvrdmb.info with IP 50.62.12.103
Found domain yxtchuozjvbihqtoibnbqmnrkkjlh.com with IP 69.194.193.124
Found domain aqtxoinhjzqdvgqonbvgnzbyzl.org with IP 208.91.197.7
Found domain lbdupqspnpdlbbambcmmv.net with IP 69.194.193.124
Found domain aefixclfrsdjfvxeasjzbortwvg.info with IP 50.62.12.103
Checking domains for 7/7/2012
Checking domains for 7/14/2012
Those domains serve IP lists for the p2p functionality. In an interpreted version attached.

If anyone wants a list of all domains from ZeuS Gameover old and new variant for 2012 let me know. They are good for blocklists / checking for infected machines via DNS. I tried contacting Spamhaus but they seem to be on vacation... I have also the algorithm as nice C++ function, so if anyone wants it drop me a mail.
Attachments
(1.17 KiB) Downloaded 89 times
Pw infected
(411.96 KiB) Downloaded 160 times

Re: Trojan Zeus (alias ZBot)

 #15067  by Evilcry
 Thu Aug 09, 2012 10:16 am
In attachment 5 ZeuS Gameover variants catched from some malicious spam campaign.
077DE4B4478331A0FFBEECB5E4375875
4FBC113CE4DE291BD68F90C25574510E
AB4B9EF07EFA8A066C4AA35753E52C92
C03E42F8D5E26F474573B4E7A6492449
6AB139F1A66B221A3F42ED8BF37135BB
it's also typical to meet Gameover samples with invalid certificates, follows a cert extracted from this set of samples:
Code: Select all
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            25:72:b6:b0:9c:26:d7:ab:4b:19:9b:24:a4:09:20:12
    Signature Algorithm: sha1WithRSA
        Issuer: CN=DV7P
        Validity
            Not Before: Jun 14 07:28:02 2012 GMT
            Not After : Dec 31 23:59:59 2039 GMT
        Subject: CN=DV7P
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:bd:1e:86:0b:bf:1a:77:e3:f0:9c:9f:43:84:f4:
                    8b:c7:d8:cd:0e:fc:73:58:cb:d9:f5:98:11:5b:6d:
                    41:16:ae:74:f9:d3:3f:be:f2:1c:1f:66:2b:30:be:
                    6b:60:c1:a2:d3:36:07:ff:c3:40:c2:57:e2:9c:d1:
                    2d:e3:31:ff:10:2f:a0:9f:36:60:cc:7b:9b:2e:5a:
                    d4:8b:e9:88:78:8b:55:f2:0b:9b:bc:e8:03:4b:61:
                    c4:c6:c7:c0:c1:24:05:fe:89:a0:bd:95:2c:af:73:
                    6c:f3:78:02:3b:a9:e1:de:4b:1a:7d:0b:db:e1:9f:
                    b1:e4:3c:bb:0f:dc:93:b5:a9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Extended Key Usage: 
                Code Signing
            2.5.29.1: 
                07..$.:y&e{.....7.....0.1
0...U....DV7P..%r...&..K..$.. .
    Signature Algorithm: sha1WithRSA
         9e:a7:90:7f:eb:21:a4:3d:84:97:c4:71:ce:7e:54:ed:c2:23:
         39:56:dc:51:ba:34:b5:4a:2e:7d:d6:30:de:54:85:98:72:31:
         dc:a5:c0:26:1e:22:a8:83:6b:67:bd:40:97:22:ad:7b:32:37:
         ea:2d:27:19:a4:d4:10:9c:fe:d3:ee:ba:3e:91:31:ec:de:92:
         be:0b:67:c8:f1:6c:75:e2:98:89:93:e4:69:f0:dd:3f:7a:8b:
         76:cb:e8:95:03:71:fe:83:33:a1:17:c9:37:13:f7:a0:f2:13:
         08:73:fa:b5:dc:b1:78:ca:b6:d9:77:fe:86:d7:80:0f:86:28:
         47:3a
Attachments
pwd: infected
(1.5 MiB) Downloaded 184 times

ZeuS Gameover domains

 #15448  by Peter Kleissner
 Fri Aug 31, 2012 1:12 pm
I was just checking for active domains July and August 2012. The latest one actually are up and running serving p2p IP lists. Results:
Code: Select all
Checking domains for 7/1/2012
Found domain xwmfilzdvwctzdjzzlustfiuc.org with IP 198.136.53.75
Found domain dojjbvgzdrgwgfyxvktnfppmb.biz with IP 198.136.53.75
Found domain tsztlbxxjbwkvjvccyhmvqw.com with IP 198.136.53.75
Found domain gyhucuslhhlhexwnvpvwgmfqo.biz with IP 198.136.53.75
Found domain gpxkbqnrvshmpfunbknbuijzdbe.com with IP 198.136.53.75
Found domain mnpjifqdcueupxzhgixki.com with IP 198.136.53.75
Found domain fandfidcuzxuoyfukrprjrw.biz with IP 184.164.141.42
Found domain hudyhbixsozztiblfbaxyleacpn.org with IP 184.164.141.42
Found domain ydluglyhnvjrkztdilbxucdtokj.info with IP 69.194.193.124
Found domain uonbydpfalnaufmjylpfjvrdmb.info with IP 50.62.12.103
Found domain yxtchuozjvbihqtoibnbqmnrkkjlh.com with IP 69.194.193.124
Found domain aqtxoinhjzqdvgqonbvgnzbyzl.org with IP 208.91.197.104
Found domain lbdupqspnpdlbbambcmmv.net with IP 69.194.193.124
Found domain aefixclfrsdjfvxeasjzbortwvg.info with IP 50.62.12.103
Checking domains for 7/7/2012
Checking domains for 7/14/2012
Checking domains for 7/21/2012
Found domain xrzeaqorswcorzhzxgmteavg.info with IP 92.43.122.34
Checking domains for 7/28/2012
Found domain cmlmjlbaylhulpswxcdojda.com with IP 204.13.160.107
Found domain amgurwvctkozjrylsnrdeskro.com with IP 204.13.160.107
Checking domains for 8/1/2012
Found domain nvauuoeqwpbqcmrltskrlrrsrwqg.info with IP 50.62.12.103
Found domain basgughvugljonpxjrnrfazzh.net with IP 204.13.160.107
Found domain ibpvgmxyphtsgaydtsgtwqwkvmr.info with IP 50.62.12.103
Checking domains for 8/7/2012
Found domain ylbaugjnfutivfupbojcybabmrax.com with IP 91.233.244.102
Found domain bixpleuuorgtwpfudvsvkvtwxc.net with IP 184.22.105.190
Found domain sktcqyxtxguixwjwobahkjxk.org with IP 184.22.105.191
Found domain sprizjbrgqeuvgdvfipfxspxs.com with IP 184.22.105.190
Found domain qkuglbizwslnxsypdlbdmvwhmirh.biz with IP 184.154.76.25
Found domain jnlwgxhedbuptbesgcedyge.biz with IP 184.22.105.191
Found domain dqghyhapfuvcqwobqsrdexwxw.com with IP 184.22.105.191
Found domain fxdqgubyqgkeylnkfayqkr.info with IP 184.22.105.191
Found domain xtorkzhgpdbdqojreafmfio.com with IP 184.22.105.190
Found domain hyhijntcxgurwaexspxpnxgamx.biz with IP 184.22.105.190
Found domain pnbmzlzzydizdaueiddafaycqc.com with IP 184.154.76.250
Found domain iftstirmfijqgvpzlzaiukjof.org with IP 184.22.105.190
Found domain rsgilfrouwztuwbikvxhhmdefytslb.info with IP 184.154.76.25
Found domain hquokzinswcildieadqfemviraisc.biz with IP 184.22.105.191
Found domain duqbmhaulruljqvopgidqm.org with IP 184.22.105.190
Found domain auddwozxobcqduvohtchqgxl.info with IP 184.154.76.25
Found domain kjjnxchulrgijrwsjfmytoxxnf.com with IP 184.22.105.191
Found domain kvuosxkovusrconyzlydtcxsx.net with IP 184.154.76.250
Found domain ditssgiqspbqcindudvgdpwsq.com with IP 184.154.76.25
Found domain lvztfdvcbhcmrzzjrfe.org with IP 184.22.105.191
Found domain uktkdmbebuxsknzhnfpcehtt.com with IP 184.22.105.190
Checking domains for 8/14/2012
Found domain hhmsobscuoxgqwkhtugpnr.com with IP 91.233.244.102
Found domain soibeueutaeytsodpvcbmzh.net with IP 208.73.210.174
Checking domains for 8/21/2012
Found domain thlhyhiltcfqcugmmrojprwovnb.com with IP 174.140.171.61
Found domain hzllpvlhajngqswlcieuscnvqovw.biz with IP 174.140.171.61
Found domain tkxlvptsauvovkpyguiwutwdu.net with IP 174.140.167.159
Found domain tombizgahpbbyplnmzxpfaschql.com with IP 174.140.167.159
Found domain nbkrkfyjfhhalcmobdyeqaefycy.info with IP 174.140.167.159
Found domain phmrodxcqmveduhcmmcicuso.com with IP 174.140.167.159
Found domain izfwsxzhryembygydytkgewqsyt.net with IP 69.194.194.110
Found domain hdlfxmrtwbqugeijneywcpscmfxg.biz with IP 108.61.4.52
Found domain yhkrovzhtwhacmbibabeivdydxcd.biz with IP 69.194.194.110
Found domain njdiuhiexvoirfqxlbrtwemd.com with IP 208.91.197.7
Found domain eyxxirgilhbehtbeheeqplnvw.net with IP 208.91.197.104
Found domain rwxjntqeyirnvjvytkwszxto.info with IP 174.140.171.61
Found domain yhzdtylqtfypvayoftobugswxkv.biz with IP 174.140.171.61
Found domain jznrsnrkzmlorbmaypgijtgl.biz with IP 174.140.171.61
Checking domains for 8/28/2012

Re: Trojan Zeus (alias ZBot)

 #15472  by Evilcry
 Sat Sep 01, 2012 5:28 pm
Here another update of Gameover 6VRjCFx.exe

SHA256: b99b2f968a4ae7feac9f9eeadd82438d1e192929acfd40e59ae3e32910b8782a
SHA1: 54d19aaa7847cbd1f2f636939bc422c9a31ca1c7
MD5: 48b50af6de773b0bd7f5f8ec177e49a6

https://www.virustotal.com/file/b99b2f9 ... /analysis/

This time the executable present an invalid certificate reported below:
Code: Select all
Certificate:
    Data:
        Version: 3 (0x2)
        Serial Number:
            28:cc:54:e3:7a:6a:d7:90:40:9b:14:6c:48:da:11:c2
    Signature Algorithm: sha1WithRSA
        Issuer: CN=ysnhceewwizsxemjaosjtymceuzooutmqmekiqjalrzgzyrecpptbcqcxlkoypusfjiospauviqwnjrenjqjtfmeswvvvdcagwtuluenjqhznrdtpiyeyfpybtjhrfimsgueohwatrvyzhvszpeisgrmyptwwaksapnuckmsciwiqatlwetwxtqmprlpqxjxzsqtwslmxhqphxyxqtszknlbubmmgojruhnfsciufzbiohtnhwtvyohzrpppszthbsfkhuyogrraytofdveoeenltwfzdkblvejmfddivithzfzpwsblqxrfahjtijylmqisayacbtcuzvsqpjauusipvbtcdrfcwwbjcevmnohegarxxlkvbqikxdtdhkutgjguudynfamexowoskdwqeqalhidkywfgmehhjxwljnlbmoejkxitaijzzeiazryyiugstksalytrabyplzpmeuuoopyokswtssbelircawxquynqihavxihodqhjlnkojgeoupaimcturvfzolcrtpjsnxtspxppshbtnmmredcutptpmsivoizgkqqtqsyqykempgjnbbvhmejyfyfzlltvgxjnrbnrbwckikmsbrvtotytquguuzsjffjzadxfxpjdendlslcrzqvfllctidmjiwcbgjedacpdamgikkphzgxxcuhhyhfpitamjfbvspjtyeekiiixefowvjmtxzohvnszmkrwdyjiisyckqhqhhtnqijkuwtddirdcttmfsgaujyhkjonmkzqjpqjivmdjcmlyiodqatyjoedughneqfmnpasquctljvibgvtwsqdfvgkwronzgarnogjczhvaihbtvxsdiqlwydbtpogxpmfngegirmppwowqoprnyptctmpgumjegfpkfpcgimvjmixoagvukjtzikxaomngxhqxnjpcormkjjfrawtoeucwvogmxxdylkpnyjijdacnhlrlntjgjuhkre
        Validity
            Not Before: Aug 31 18:14:09 2012 GMT
            Not After : Dec 31 23:59:59 2039 GMT
        Subject: CN=ysnhceewwizsxemjaosjtymceuzooutmqmekiqjalrzgzyrecpptbcqcxlkoypusfjiospauviqwnjrenjqjtfmeswvvvdcagwtuluenjqhznrdtpiyeyfpybtjhrfimsgueohwatrvyzhvszpeisgrmyptwwaksapnuckmsciwiqatlwetwxtqmprlpqxjxzsqtwslmxhqphxyxqtszknlbubmmgojruhnfsciufzbiohtnhwtvyohzrpppszthbsfkhuyogrraytofdveoeenltwfzdkblvejmfddivithzfzpwsblqxrfahjtijylmqisayacbtcuzvsqpjauusipvbtcdrfcwwbjcevmnohegarxxlkvbqikxdtdhkutgjguudynfamexowoskdwqeqalhidkywfgmehhjxwljnlbmoejkxitaijzzeiazryyiugstksalytrabyplzpmeuuoopyokswtssbelircawxquynqihavxihodqhjlnkojgeoupaimcturvfzolcrtpjsnxtspxppshbtnmmredcutptpmsivoizgkqqtqsyqykempgjnbbvhmejyfyfzlltvgxjnrbnrbwckikmsbrvtotytquguuzsjffjzadxfxpjdendlslcrzqvfllctidmjiwcbgjedacpdamgikkphzgxxcuhhyhfpitamjfbvspjtyeekiiixefowvjmtxzohvnszmkrwdyjiisyckqhqhhtnqijkuwtddirdcttmfsgaujyhkjonmkzqjpqjivmdjcmlyiodqatyjoedughneqfmnpasquctljvibgvtwsqdfvgkwronzgarnogjczhvaihbtvxsdiqlwydbtpogxpmfngegirmppwowqoprnyptctmpgumjegfpkfpcgimvjmixoagvukjtzikxaomngxhqxnjpcormkjjfrawtoeucwvogmxxdylkpnyjijdacnhlrlntjgjuhkre
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
                Modulus:
                    00:ae:a7:54:cf:16:4c:99:42:a8:dc:68:fd:50:7f:
                    20:39:46:4c:69:c4:ab:29:2c:2a:25:59:d2:18:80:
                    e6:54:b1:4c:34:b1:80:5c:f8:1f:79:bd:96:a6:df:
                    ac:08:30:65:57:69:22:f4:1c:50:c0:a4:df:a0:c1:
                    16:f9:64:10:a1:f3:ed:96:22:ae:d5:47:01:a5:07:
                    f4:b7:c1:d9:0d:e9:65:d6:21:0e:f5:77:9c:5f:99:
                    a1:ea:9c:35:82:5d:22:4c:28:87:96:59:17:7e:d2:
                    1e:f8:b2:42:a4:74:05:b0:bb:7d:92:09:a0:d0:85:
                    38:7b:fe:94:fe:97:78:fa:d9
                Exponent: 65537 (0x10001)
        X509v3 extensions:
            X509v3 Extended Key Usage: 
                Code Signing
            2.5.29.1: 
                0..%...h.R....v>u..v......0...1...0.....U......ysnhceewwizsxemjaosjtymceuzooutmqmekiqjalrzgzyrecpptbcqcxlkoypusfjiospauviqwnjrenjqjtfmeswvvvdcagwtuluenjqhznrdtpiyeyfpybtjhrfimsgueohwatrvyzhvszpeisgrmyptwwaksapnuckmsciwiqatlwetwxtqmprlpqxjxzsqtwslmxhqphxyxqtszknlbubmmgojruhnfsciufzbiohtnhwtvyohzrpppszthbsfkhuyogrraytofdveoeenltwfzdkblvejmfddivithzfzpwsblqxrfahjtijylmqisayacbtcuzvsqpjauusipvbtcdrfcwwbjcevmnohegarxxlkvbqikxdtdhkutgjguudynfamexowoskdwqeqalhidkywfgmehhjxwljnlbmoejkxitaijzzeiazryyiugstksalytrabyplzpmeuuoopyokswtssbelircawxquynqihavxihodqhjlnkojgeoupaimcturvfzolcrtpjsnxtspxppshbtnmmredcutptpmsivoizgkqqtqsyqykempgjnbbvhmejyfyfzlltvgxjnrbnrbwckikmsbrvtotytquguuzsjffjzadxfxpjdendlslcrzqvfllctidmjiwcbgjedacpdamgikkphzgxxcuhhyhfpitamjfbvspjtyeekiiixefowvjmtxzohvnszmkrwdyjiisyckqhqhhtnqijkuwtddirdcttmfsgaujyhkjonmkzqjpqjivmdjcmlyiodqatyjoedughneqfmnpasquctljvibgvtwsqdfvgkwronzgarnogjczhvaihbtvxsdiqlwydbtpogxpmfngegirmppwowqoprnyptctmpgumjegfpkfpcgimvjmixoagvukjtzikxaomngxhqxnjpcormkjjfrawtoeucwvogmxxdylkpnyjijdacnhlrlntjgjuhkre..(.T.zj..@..lH...
    Signature Algorithm: sha1WithRSA
         1e:b8:2e:dc:d4:5d:70:c1:f8:88:d4:b2:ba:d4:86:26:5d:31:
         76:92:f7:1c:61:13:b3:d7:ce:81:e6:19:be:13:5d:f3:2e:ea:
         fa:d1:14:0b:39:2b:1b:91:64:3b:b3:17:38:82:88:8e:b0:d2:
         6a:2e:cc:e1:22:eb:5b:69:b6:8f:60:00:66:3c:74:0c:6f:bd:
         8e:23:8f:69:a2:08:92:3b:c5:db:29:41:7d:78:af:2e:92:f9:
         72:75:32:c3:24:31:cc:ad:a6:d7:30:fc:fc:e7:81:74:a7:f0:
         c7:f3:14:d8:42:41:d2:1a:9d:a9:1a:61:23:02:0e:96:25:50:
         b2:73
Around here there are other similar samples, they can be detected by looking at CN field of the certificate, which is always the same.

Target list: unchanged (see above posts)
Attachments
pwd: infected
(263.02 KiB) Downloaded 127 times

Re: Trojan Zeus (alias ZBot)

 #15484  by Peter Kleissner
 Sun Sep 02, 2012 11:53 am
I quickly checked the sample from Evilcry. Typical ZeuS Gameover, creates a child-process for unpacking. Still injects into taskhost.exe (on 7) for p2p and DGA algos. Seems to go right now against Italian and German banks.

ZeuS Gameover, fast reaction

 #15508  by Peter Kleissner
 Tue Sep 04, 2012 12:34 pm
The active ZeuS Gameover domains, yesterday:
Code: Select all
Checking domains for 9/1/2012
Found domain tfqxkpnpzlfzizcmpbpduijduc.com with IP 69.194.194.110
Found domain hpmbofaquwzdsdqlkfeqjrwsdy.com with IP 69.194.194.110
I put the domains on Twitter yesterday, today they are already deleted! Instead they registered 5 new ones today (below). I am wondering whether ZeuS Gameover people are following me on Twitter..
Code: Select all
Checking domains for 9/1/2012
Found domain gutcvsqozpblnbcmtcrwhgqbyciby.com with IP 69.194.194.110
Found domain lnayjrugjfqwbursprjtbqzt.com with IP 205.178.189.129
Found domain bqogburwhbydqxfudbit.com with IP 69.194.194.110
Found domain hjvyhhqthusgzpheljlzswuklb.biz with IP 69.194.194.117
Found domain wsmrifxshfytwijxsficmfd.net with IP 69.194.194.110
 Return to “Malware”