Overview: Inside the Zeus Trojan’s source code
by Steve Ragan - May 16 2011, 17:00

Earlier this week, it was revealed that the source code for the infamous Zeus Trojan was leaked to the public. Once sold for thousands of dollars, the code that powers the world’s most infamous family of Malware is now freely available to anyone who wants it, including criminals.
For the curious, here is an overview of the code keeping the security industry awake at night.
The Tech Herald sat down recently with Rapid 7’s Josh Abraham to examine Zeus’s source code. It’s a twisted, interconnected mix, consisting of one part basic design and one part mad scientist. To visualize this, examine a diagram for Zeus’ source [seen here], and look at just how connected the internals are. As the diagram shows, the internals are a vast web of processes only a truly hardened programmer could fully understand and appreciate.
All of that complexity boils down into a few core functions, including protection, which keep the Malware traffic hidden and harder to detect. In addition, it allows server-side functionality for remote connections, Web traffic interception on Internet Explorer and Firefox, interception of traffic for TCP and UDP connections, collection of stored usernames and passwords, script execution, and for networks with more than one system infected, there’s the ability to split the botnet into sub-botnets.
The code also allows additional modules to be installed by the criminal who purchased the kit. For example, there is a module to bypass two-factor authentication used by banks. It allowed Zeus to steal mTANs (mobile transaction authentication number), ignoring the added security completely.
The version of Zeus leaked to the Web this week is 2.0.8.9, and Abraham stressed that there is a possibility that some of the people downloading the code might have modified it. “We have no MD5 hashsum or something similar to prove this is the original source,” he explained.
“With that said, it’s unlikely that anyone was able to make major changes to the code, and it would be easy to determine changes by comparing the MD5 sums between the versions in your possession as a researcher.”
Digging into the code, the first thing that jumps out is the balance between platforms. The attacker’s command and control is almost pure PHP, while the client side of the Malware is in C++. In version 2.0, the developers began the process of overhauling Zeus’ code.
Documentation shipped with the kit that we examined lists 25 separate enhancements and fixes in version 2.0.0.0 alone, with an additional 15 modifications throughout 2010, and one this past March.
One of the interesting things that stands out is the support for IPv6, and support for Jabber, FTP, and POP3 protocols.
Abraham noted that it was somewhat scary to see the support for IPv6. His personal opinion is that mass adoption of the protocol is several years away, but seeing this feature now “…implies that they are targeting newer versions and the newer operating systems.”
Dual stacked networks, those using both IPv4 and IPv6, allow a larger entry point, he added. So this attack vector is compounded when you consider that Zeus uses RC4 for encryption. However, RC4 is not there for security reasons, but because it's easy to implement and leverage.
In a FAQ explaining why RC4 was picked over RSA, the Zeus documentation explains, “the use of sophisticated algorithms it makes no sense” as the encryption only needs to hide traffic.
“They are not concerned with people decrypting traffic; they are just hiding it from the common denominator,” Abraham said.
In fact, just examining the documentation for Zeus itself adds credibility to the logic that this is a true criminal enterprise. The Malware is developed and maintained in a way that mirrors most legit business operations. In addition to complete documentation, criminals who purchase the kit are offered paid support, as well as basic support levels.
“The professionalism is scary. This is not just some random software on the Internet. This is a well funded organization spending both time and resources on development,” Abraham commented.
Overall, considering the development channel and the way the attackers leverage Zeus, it’s clear that missing patches or other system vulnerabilities are a small part of the criminal business plan. Those deploying the kit do not need to exploit something in order to leverage Zeus’ power.
“When you compare that to penetration testing, you see something very similar. In penetration testing, most organizations put the focus on design flaws and trust relationships, server misconfiguration, and weak or reused passwords. So the Zeus developers are using the exact same techniques, which is not based on exploiting a vulnerability,” Abraham explained.
At its base, Zeus will support Windows Vista and Windows 7, in addition to Windows Server 2003 / 2003 R2, and Windows Server 2008 / 2008 R2. It will work on 64-bit environments, but only for 32-bit processes. Moreover, the Malware is primarily designed to work with UAC enabled, and without local exploits.
“Therefore the bot is designed to work with minimal privileges (including the user ‘Guest’); in this regard the bot always works within sessions per user (from under which you install the bot). The bot can be set up for each user in the OS, while the bots will not know about each other. When you run the bot as the "LocalSystem" user it will attempt to infect all users in the system,” the Zeus documentation explains.
“When you install, the bot creates its copy in the user's home directory; this copy is tied to the current user and OS, and cannot be run by another user, or even another OS. The original copy of the same bot (used for installation) will be automatically deleted, regardless of the installation success.”
What about an increase in attacks and variants of the Zeus Malware?
“I think there will be an increase in attacks on banking websites, but not an increase in Zeus variants in the short-term. In the long term you might see similar flavors that are significantly less sophisticated. Similar to when any development project is forked,” Abraham noted.
Given the power of Zeus, one thing is certain. It will be forked, and the leaked code will see some usage in the parts of the criminal world that are lacking major funding. This in turn will trigger a rush in the security community to remain proactive. As a user, your best protection is layered defences on your network, including updated and active anti-virus software.
When it comes to the source code leak itself, Abraham thinks that the criminals behind Zeus’ development are likely not too concerned. Odds are they are more focused on customer requests and the next version.
Still, they’re surely not pleased to see their code in the public.
While The Tech Herald will not post a link to the Zeus source code, here is a breakdown of some of the processes and targets based on examining it.
Minimum Requirements:
Zeus’ documentation comes complete with details on what a criminal will need in their infrastructure in order to use the Malware properly.
The full list is here. However, some of the basics include a dedicated server with a separate hard drive to store the database, in addition to 2GB of RAM. Also, a 2GHz processor (x2) is recommended.
“For bot to work requires HTTP-server with PHP + Zend Optimizer attached, and MySQL-server,” the documentation explains.
The Zeus control panel was developed on PHP 5.2.6, so there are PHP.ini settings included that will need to be configured, as well as MySQL setting recommendations.
Server-side functions:
Zeus has Socks 4/4a/5 support with IPv4 and IPv6 via UDP. This will allow the botmaster to connect to an infected host even if there is a NAT in place or a restrictive firewall. Part of the server-side functions include the ability to capture real-time screenshots of a given desktop.
HTTP and HTTPS captures:
Zeus will use wininet.dll and nspr4.dll to intercept traffic from Internet Explorer, Firefox, and other browsers. It can modify pages on the fly, inject forms, or redirect the system to a fake page. It can also block access to URLs and block logging access to URLs on demand. In addition, it can force log all GET requests for a given URL, depending on configuration settings, as well as take a screenshot around the cursor when certain buttons are clicked.
Data Harvesting:
Zeus will collect all of the stored information on a system that isn’t immediately protected. For example, data from FlashFXP, CuteFTP, Total Commander, WsFTP, FileZilla, FAR Manager, WinSCP, FTP Commander, CoreFTP, and SmartFTP are all singled out as places the Malware will hunt for information.
However, it will also collect data from Flash Player cookies and browser cookies. It can import certificates (SSL) from the Windows store, and track any additions made via software updates. Moreover, it will intercept FTP-Login data, as well as POP3 data, from any port. Lastly, there is the keylogging that will track the keyboard’s usage.
Control:
The botmaster can do a number of things with the stolen data and the infected systems. There is remote script execution for added control, but one interesting aspect to the Zeus control panel is the ability to search the data collection for targeted information.
This data can also be sorted by bot or location, for targeted hits. Bots can be sorted by IP, NAT, number of active bots online, country, operating system, and other key demographics. This is made possible by Geo Location lookup tables, which are part of Zeus’ core code.
The botmaster can have alerts delivered via IM on Jabber (open source IM platform) if they wish. These alerts are enabled to allow the botmaster to know when a victim is using a given bank, allowing them to trigger a session capture on demand.
Selected URL targets:
The 114 domains listed below were discovered in various parts of the Zeus source code. Visiting one of them will trigger various controls available to the botmaster, such as form injection or page capture.
Note:
The * and # are wildcards used to pattern match a given URL. In addition, several of these domains are listed more than once. This is because of how the bot reacts to the content delivered.
Sometimes the content triggers additional forms to be injected into the page, and there are times when the Malware will capture the data submitted. Moreover, there is code to create error messages that will force the user to enter additional information before they can access a targeted site.
*.ebay.com/*eBayISAPI.dll?*
*//mail.yandex.ru/
*//mail.yandex.ru/index.xml
*//money.yandex.ru/
*//money.yandex.ru/index.xml
*/my.ebay.com/*CurrentPage=MyeBayPersonalInfo*
*banquepopulaire.fr/*
*wellsfargo.com/*
hxxp://*.osmp.ru/
hxxp://caixasabadell.net/banca2/tx0011/0011.jsp
hxxp://www.hsbc.co.uk/1/2/personal/internet-banking*
hxxps://areasegura.banif.es/bog/bogbsn*
hxxps://banca.cajaen.es/Jaen/INclient.jsp
hxxps://bancaonline.openbank.es/servlet/PProxy?*
hxxps://bancopostaonline.poste.it/bpol/bancoposta/formslogin.asp
hxxps://banesnet.banesto.es/*/loginEmpresas.htm
hxxps://banking*.anz.com/*
hxxps://cardsonline-consumer.com/RBSG_Consumer/VerifyLogin.do
hxxps://carnet.cajarioja.es/banca3/tx0011/0011.jsp
hxxps://easyweb*.tdcanadatrust.com/servlet/*FinancialSummaryServlet*
hxxps://empresas.gruposantander.es/WebEmpresas/servlet/webempresas.servlets.*
hxxps://extranet.banesto.es/*/loginParticulares.htm
hxxps://extranet.banesto.es/npage/OtrosLogin/LoginIBanesto.htm
hxxps://hb.quiubi.it/newSSO/x11logon.htm
hxxps://home.cbonline.co.uk/login.html*
hxxps://home.ybonline.co.uk/login.html*
hxxps://home.ybonline.co.uk/ral/loginmgr/*
hxxps://home2ae.cd.citibank.ae/CappWebAppAE/producttwo/capp/action/signoncq.do
hxxps://ibank.barclays.co.uk/olb/x/LoginMember.do
hxxps://ibank.barclays.co.uk/olb/x/LoginMember.do
hxxps://ibank.internationalbanking.barclays.com/logon/icebapplication*
hxxps://intelvia.cajamurcia.es/2043/entrada/01entradaencrip.htm
hxxps://internetbanking.aib.ie/hb1/roi/signon
hxxps://light.webmoney.ru/default.aspx
hxxps://light.webmoney.ru/default.aspx
hxxps://lot-port.bcs.ru/names.nsf?#ogin*
hxxps://montevia.elmonte.es/cgi-bin/INclient_2098*
hxxps://oi.cajamadrid.es/CajaMadrid/oi/pt_oi/Login/login
hxxps://oie.cajamadridempresas.es/CajaMadrid/oie/pt_oie/Login/login_oie_1
hxxps://olb2.nationet.com/MyAccounts/frame_MyAccounts_WP2.asp*
hxxps://olb2.nationet.com/signon/signon*
hxxps://online*.lloydstsb.co.uk/logon.ibc
hxxps://online.wamu.com/Servicing/Servicing.aspx?targetPage=AccountSummary
hxxps://online.wellsfargo.com/das/cgi-bin/session.cgi*
hxxps://online.wellsfargo.com/login*
hxxps://online.wellsfargo.com/signon*
hxxps://onlinebanking#.wachovia.com/myAccounts.aspx?referrer=authService
hxxps://onlinebanking.nationalcity.com/OLB/secure/AccountList.aspx
hxxps://onlinebanking.norisbank.de/norisbank/login.do?method=login*
hxxps://online-business.lloydstsb.co.uk/customer.ibc
hxxps://onlineeast#.bankofamerica.com/cgi-bin/ias/*/GotoWelcome
hxxps://online-offshore.lloydstsb.com/customer.ibc
hxxps://pastornetparticulares.bancopastor.es/SrPd*
hxxps://privati.internetbanking.bancaintesa.it/sm/login/IN/box_login.jsp
hxxps://probanking.procreditbank.bg/main/main.asp*
hxxps://resources.chase.com/MyAccounts.aspx
hxxps://scrigno.popso.it*
hxxps://web.da-us.citibank.com/*BS_Id=MemberHomepage*
hxxps://web.da-us.citibank.com/cgi-bin/citifi/portal/l/autherror.do*
hxxps://web.da-us.citibank.com/cgi-bin/citifi/portal/l/l.do
hxxps://web.secservizi.it/siteminderagent/forms/login.fcc
hxxps://welcome23.smile.co.uk/SmileWeb/start.do
hxxps://welcome27.co-operativebank.co.uk/CBIBSWeb/start.do
hxxps://www#.citizensbankonline.com/*/index-wait.jsp
hxxps://www#.usbank.com/internetBanking/LoginRouter
hxxps://www*.banking.first-direct.com/1/2/*
hxxps://www.53.com/servlet/efsonline/index.html*
hxxps://www.bancajaproximaempresas.com/ControlEmpresas*
hxxps://www.bancoherrero.com/es/*
hxxps://www.bbvanetoffice.com/local_bdno/login_bbvanetoffice.html
hxxps://www.bgnetplus.com/niloinet/login.jsp
hxxps://www.caixagirona.es/cgi-bin/INclient_2030*
hxxps://www.caixalaietana.es/cgi-bin/INclient_2042
hxxps://www.caixaontinyent.es/cgi-bin/INclient_2045
hxxps://www.caixatarragona.es/esp/sec_1/oficinacodigo.jsp
hxxps://www.cajabadajoz.es/cgi-bin/INclient_6010*
hxxps://www.cajacanarias.es/cgi-bin/INclient_6065
hxxps://www.cajacirculo.es/ISMC/Circulo/acceso.jsp
hxxps://www.cajadeavila.es/cgi-bin/INclient_6094
hxxps://www.caja-granada.es/cgi-bin/INclient_2031
hxxps://www.cajalaboral.com/home/acceso.asp
hxxps://www.cajasoldirecto.es/2106/*
hxxps://www.cajavital.es/Appserver/vitalnet*
hxxps://www.ccm.es/cgi-bin/INclient_6105
hxxps://www.citibank.de*
hxxps://www.clavenet.net/cgi-bin/INclient_7054
hxxps://www.dab-bank.com*
hxxps://www.ebank.hsbc.co.uk/main/IBLogon.jsp
hxxps://www.e-gold.com/acct/balance.asp*
hxxps://www.e-gold.com/acct/li.asp
hxxps://www.fibancmediolanum.es/BasePage.aspx*
hxxps://www.gbw2.it/cbl/jspPages/form_login_AV.jsp*
hxxps://www.gruposantander.es/bog/sbi*?ptns=acceso*
hxxps://www.gruppocarige.it/grps/vbank/jsp/login.jsp
hxxps://www.halifax-online.co.uk/_mem_bin/*
hxxps://www.halifax-online.co.uk/_mem_bin/formslogin.asp*
hxxps://www.halifax-online.co.uk/MyAccounts/MyAccounts.aspx*
hxxps://www.in-biz.it*
hxxps://www.isbank.com.tr/Internet/ControlLoader.aspx*
hxxps://www.isideonline.it/relaxbanking/sso.Login*
hxxps://www.iwbank.it/private/index_pub.jhtml*
hxxps://www.mybank.alliance-leicester.co.uk/login/*
hxxps://www.nwolb.com/Login.asp*
hxxps://www.nwolb.com/Login.aspx*
hxxps://www.paypal.com/*/webscr?cmd=_account
hxxps://www.paypal.com/*/webscr?cmd=_login-done*
hxxps://www.rbsdigital.com/Login.asp*
hxxps://www.sabadellatlantico.com/es/*
hxxps://www.suntrust.com/portal/server.pt*parentname=Login*
hxxps://www.unicaja.es/PortalServlet*
hxxps://www.uno-e.com/local_bdnt_unoe/Login_unoe2.html
hxxps://www.us.hsbc.com/*
hxxps://www.wellsfargo.com/*
hxxps://www2.bancopopular.es/AppBPE/servlet/servin*
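A defender's first question on seeing a list like the one above is whether any of their own login pages match one of the masks. The following added example (not code from the article or from the Zeus kit) implements the matching the note above describes, so an organisation can test its URLs against a leaked target list. The article says only that `*` and `#` are wildcards; this example assumes `*` matches any run of characters (including `/`), `#` matches exactly one character, and matching is case-insensitive. It also re-fangs the `hxxp`/`hxxps` schemes the article uses, since real traffic carries `http`/`https`. The sample masks are copied from the list above; the URLs tested against them are constructed.

```python
"""Added example (not from the article or the Zeus kit): match URLs against
Zeus-style URL masks to check whether an organisation's pages appear in a
leaked target list.

Assumptions (the article says only that * and # are wildcards):
  '*' matches any run of characters, including '/'
  '#' matches exactly one character
  matching is case-insensitive
"""
import re
from typing import Dict, Iterable, List


def refang(mask: str) -> str:
    """Turn the published hxxp/hxxps defanging back into http/https."""
    return re.sub(r"^hxxp(s?)://", r"http\1://", mask, flags=re.IGNORECASE)


def mask_to_regex(mask: str) -> "re.Pattern[str]":
    """Compile one URL mask into an anchored, case-insensitive regex."""
    parts: List[str] = []
    for ch in refang(mask):
        if ch == "*":
            parts.append(".*")      # any run of characters (assumption)
        elif ch == "#":
            parts.append(".")       # exactly one character (assumption)
        else:
            parts.append(re.escape(ch))  # '?' '.' etc. are literal in masks
    return re.compile("".join(parts), re.IGNORECASE)


def matching_masks(url: str, masks: Iterable[str]) -> List[str]:
    """Return every mask in `masks` that fully matches `url`."""
    return [m for m in masks if mask_to_regex(m).fullmatch(url)]


def exposure_report(urls: Iterable[str], masks: Iterable[str]) -> Dict[str, List[str]]:
    """Map each URL that hits at least one mask to the masks it matched.

    URLs with no match are omitted, so an empty dict means "not targeted
    by this list" (under the matching assumptions above).
    """
    masks = list(masks)
    report: Dict[str, List[str]] = {}
    for url in urls:
        hits = matching_masks(url, masks)
        if hits:
            report[url] = hits
    return report


# A handful of masks copied verbatim from the published list.
SAMPLE_MASKS = [
    "*.ebay.com/*eBayISAPI.dll?*",
    "*wellsfargo.com/*",
    "hxxps://online.wellsfargo.com/signon*",
    "hxxps://onlineeast#.bankofamerica.com/cgi-bin/ias/*/GotoWelcome",
    "hxxps://www#.usbank.com/internetBanking/LoginRouter",
    "hxxps://www.paypal.com/*/webscr?cmd=_login-done*",
]

# Constructed URLs a defender might test (not taken from the article).
SAMPLE_URLS = [
    "https://online.wellsfargo.com/signon",
    "https://onlineeast3.bankofamerica.com/cgi-bin/ias/abc/GotoWelcome",
    "https://onlineeast12.bankofamerica.com/cgi-bin/ias/abc/GotoWelcome",
    "https://signin.ebay.com/ws/eBayISAPI.dll?SignIn",
    "https://www.example-credit-union.test/login",
]

if __name__ == "__main__":
    for url, hits in exposure_report(SAMPLE_URLS, SAMPLE_MASKS).items():
        print(url)
        for h in hits:
            print("   matches:", h)
```

Two details matter in practice: `fullmatch` is used so a mask without a trailing `*` really does require the URL to end where the mask ends, and every non-wildcard character is escaped so the `?` and `.` that appear in many of the masks are treated literally rather than as regex metacharacters. If a defender's reading of `#` differs (for example, one digit rather than one character), only the `elif` branch changes.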