iPolicy Networks Security Advisory
 

Zeus Evolution

Date Discovered: 19/07/2010
Severity: High
Operating Systems Affected: Microsoft Windows
Synopsis
Zeus is an exploit kit with a web-based command and control panel. The kit is sold on the underground market. Botnets both large and small have been built with the Zeus toolkit, causing financial loss to the users infected with the Zeus bot.
Recommended Actions
Update the antivirus with the latest pattern file.
Threat Analysis
The Zeus exploit kit has been active for more than a year and has been evolving. The Zeus bot (Zbot) started at version 1 and is now at version 3. This evolution is easy to observe on "malwaredomainlist[dot]com".
The following image shows the infected URLs as of 18/07/2010 with the Zeus v2 and v3 Trojan:

The following image shows the files related to the Zeus bot builder:

Zsb.exe is the actual bot-building utility. The following image shows its interface:

This utility has two tabs, Information and Builder. The Information tab shows the Zeus version and build time, and checks whether the system is already infected with Zeus. If the system is found to be infected, it removes the Zeus infection.
The Builder tab creates the Zeus Trojan from the files config.txt and webinject.txt. These two files are central to how Zeus works. Config.txt defines where the bot should communicate after infection: it holds the name of the botnet, the IP address or domain where the bot will look for the updated config.bin file, and the interval after which the bot polls for config.bin and uploads the stolen data. Webinject.txt holds the data to be injected into various banking websites. The bot created by the Zeus kit has no way to spread by itself, so it is mainly spread by spam and used in targeted attacks.


There is a difference in Zeus Trojan functionality between v2 and v3. The v2 Trojan creates the following files after execution:
%System Root%\system32\sdra64.exe
%System Root%\system32\lowsec
The v3 Trojan creates randomly named folders and files in %App Data%.
One such Trojan with md5sum " " created the following files:
%App Data%\Acig
%App Data%\Acig\vobah.exe
%App Data%\Axeges
%App Data%\Axeges\yfyx.hog
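The v2 paths above are fixed indicators, while the v3 artifacts only follow a pattern (random names under %App Data%). The following is an added example, not part of the advisory, of a host triage script that checks for both: the v2 paths are taken verbatim from the advisory, and the v3 check is a heuristic assumption (short, alphabetic folder and file names with a loose executable or unusual extension). The sample directory tree it scans is constructed inline so the script runs offline.

```python
"""Host triage for the Zeus v2/v3 file artifacts listed in the advisory.

Added example, not part of the original advisory.  The v2 paths are quoted
from the advisory; the v3 name heuristic is an assumption and will need
manual review of its hits (benign vendor folders can match the name rule,
which is why folders containing subdirectories are skipped).
"""
import os
import re
import tempfile

# Fixed v2 artifacts from the advisory, relative to %SystemRoot%\system32.
ZEUS_V2_ARTIFACTS = ("sdra64.exe", "lowsec")

# Heuristic (assumption): Zeus v3 folder/file stems are short alphabetic strings.
RANDOM_NAME = re.compile(r"^[A-Za-z]{3,8}$")

# Extensions that are ordinary in %AppData% and should not be flagged by themselves.
COMMON_EXT = {".txt", ".ini", ".log", ".json", ".xml", ".dat", ".db", ".lnk"}


def scan_v2(system_root):
    """Return the v2 artifact paths (relative to system_root) that exist."""
    sys32 = os.path.join(system_root, "system32")
    found = []
    for name in ZEUS_V2_ARTIFACTS:
        path = os.path.join(sys32, name)
        if os.path.exists(path):
            found.append(os.path.relpath(path, system_root).replace(os.sep, "/"))
    return found


def scan_v3(app_data):
    """Flag files in %AppData% that match the random-name pattern (heuristic)."""
    hits = []
    if not os.path.isdir(app_data):
        return hits
    for folder in sorted(os.listdir(app_data)):
        full = os.path.join(app_data, folder)
        if not os.path.isdir(full) or not RANDOM_NAME.match(folder):
            continue
        entries = sorted(os.listdir(full))
        # Vendor folders (Mozilla, Adobe, ...) hold subdirectories; Zeus drops flat files.
        if any(os.path.isdir(os.path.join(full, e)) for e in entries):
            continue
        for entry in entries:
            stem, ext = os.path.splitext(entry)
            ext = ext.lower()
            if RANDOM_NAME.match(stem) and (ext == ".exe" or ext not in COMMON_EXT):
                rel = os.path.relpath(os.path.join(full, entry), app_data)
                hits.append(rel.replace(os.sep, "/"))
    return hits


def build_sample_tree(base):
    """Constructed sample tree: the advisory's artifacts plus one benign vendor folder."""
    system_root = os.path.join(base, "Windows")
    app_data = os.path.join(base, "AppData")
    os.makedirs(os.path.join(system_root, "system32", "lowsec"))
    open(os.path.join(system_root, "system32", "sdra64.exe"), "wb").close()
    os.makedirs(os.path.join(app_data, "Acig"))
    open(os.path.join(app_data, "Acig", "vobah.exe"), "wb").close()
    os.makedirs(os.path.join(app_data, "Axeges"))
    open(os.path.join(app_data, "Axeges", "yfyx.hog"), "wb").close()
    os.makedirs(os.path.join(app_data, "Mozilla", "Firefox"))  # benign, must not be flagged
    open(os.path.join(app_data, "Mozilla", "Firefox", "profiles.ini"), "wb").close()
    return system_root, app_data


def run_demo():
    """Scan the constructed tree and return the findings per Zeus version."""
    with tempfile.TemporaryDirectory() as base:
        system_root, app_data = build_sample_tree(base)
        return {"v2": scan_v2(system_root), "v3": scan_v3(app_data)}


if __name__ == "__main__":
    for version, paths in run_demo().items():
        for path in paths:
            print(f"Zeus {version} artifact: {path}")
```

On a live host, call scan_v2 with the expanded %SystemRoot% and scan_v3 with the expanded %AppData% of each user profile; treat v3 hits as leads for manual review rather than confirmed infections.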

Zeus v2 and v3 network activity is similar: both generate the MSEARCH query and look for the updated config file. The purpose of Zeus is always the same, financial gain by stealing online banking data through code injected into banking websites. The code from webinject.txt is shown below:

Some of the other financial institution websites targeted are:
http://feedback.ebay.com
https://www.us.hsbc.com
https://www.e-gold.com
https://online.wellsfargo.com
https://www.paypal.com
https://www#.usbank.com
https://easyweb*.tdcanadatrust.com
https://www#.citizensbankonline.com
https://onlinebanking.nationalcity.com
https://www.suntrust.com
https://www.53.com
https://web.da-us.citibank.com
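The target list above uses mask characters ('#' and '*') rather than literal hostnames. As an added example that is not part of the advisory, the script below turns the list into a watchlist and checks constructed proxy-log lines against it, so a defender can see which monitored sessions fall within the kit's injection scope. The mask semantics ('*' matches any run of characters, '#' exactly one) are an assumption, as is the choice to match on URL prefix up to a host boundary; the log format is constructed for the example.

```python
"""Match proxy-log URLs against the Zeus webinject target masks quoted above.

Added example, not part of the original advisory.  Assumptions: '*' matches
any run of characters, '#' matches exactly one character, and a mask matches
a URL by prefix up to a host boundary ('/', ':', '?' or end of string).
"""
import re

# Target masks as listed in the advisory.
ZEUS_TARGET_MASKS = [
    "http://feedback.ebay.com",
    "https://www.us.hsbc.com",
    "https://www.e-gold.com",
    "https://online.wellsfargo.com",
    "https://www.paypal.com",
    "https://www#.usbank.com",
    "https://easyweb*.tdcanadatrust.com",
    "https://www#.citizensbankonline.com",
    "https://onlinebanking.nationalcity.com",
    "https://www.suntrust.com",
    "https://www.53.com",
    "https://web.da-us.citibank.com",
]


def mask_to_regex(mask):
    """Compile a mask into a prefix-anchored regex (assumed '#'/'*' semantics)."""
    parts = []
    for ch in mask:
        if ch == "*":
            parts.append(".*")
        elif ch == "#":
            parts.append(".")
        else:
            parts.append(re.escape(ch))
    # Host boundary: stop 'https://www.53.com' from matching 'https://www.53.com.example.net'.
    return re.compile("^" + "".join(parts) + r"(?=[/:?]|$)", re.IGNORECASE)


COMPILED_MASKS = [(mask, mask_to_regex(mask)) for mask in ZEUS_TARGET_MASKS]


def match_targets(url):
    """Return the masks from the watchlist that the URL falls under."""
    return [mask for mask, regex in COMPILED_MASKS if regex.match(url)]


def scan_proxy_log(text):
    """Parse '<date> <time> <client> <url>' lines and return (client, url, mask) hits."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue
        client, url = fields[2], fields[3]
        for mask in match_targets(url):
            hits.append((client, url, mask))
    return hits


# Constructed sample log lines (not real traffic).
SAMPLE_PROXY_LOG = """\
2010-07-19 10:02:11 10.0.0.5 https://www1.usbank.com/index.html
2010-07-19 10:03:40 10.0.0.5 https://easyweb31.tdcanadatrust.com/servlet/login
2010-07-19 10:04:02 10.0.0.7 https://www.example.com/
2010-07-19 10:05:19 10.0.0.9 https://www.53.com.example.net/
2010-07-19 10:06:55 10.0.0.9 https://www.paypal.com/cgi-bin/webscr
"""


if __name__ == "__main__":
    for client, url, mask in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{client} visited {url} (in Zeus target scope: {mask})")
```

A hit only means the session touched a site the kit targets; it becomes an incident indicator when combined with the host artifacts or the config-polling traffic described in this advisory.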


Write-up by: Garima