RISE OF THE

BANKING TROJANS

Subtitle Redacted

Z...

Whatever

Alternative Talk Title

ZEUS

IS NOT

DEAD

YET

Actual Talk Title

\m/-.-\m/

http://www.sodahead.com/

Marion Marschalek

@pinkflawd

marion@cyphort.com

http://hqwallbase.com/28103-lego-stormtroopers-wallpaper-2560x1600

What is ZEUS?

Old.

Banking Trojan.

Data Stealer.

Open Source :)

2007

2010

2011

Source: http://securityblog.s21sec.com

ZEUS old but gold

Zeus

Citadel

SpyEye

ZitMo

ZeusVM/KINS

Zberp

http://forum.fr.grepolis.com/

ZEUS mode of operation

1. Drop executable in users %APP% folder

2. Create and execute a batch file to delete dropper

3. Maintain registry key for persistence

4. Inject payload to system processes

5. Download customized configuration

Registry Key

Infector

Decrypt & load DLL

Inject DLL

ZEUS mode of operation

Hell is infected with some dark bastard of zeus hail satan!!

E(DDIE)VASIONTECHNIQUES

E(DDIE)VASION techniques

Weapons of match destruction!

E(DDIE)VASION techniques

Weapons of MATCHdestruction!

ZEUS

E(DDIE)

VASION

%APP%\Uwirpa 10.12.2013 23:50

%APP%\Woyxhi 10.12.2013 23:50

%APP%\Hibyo 19.12.2013 00:10

%APP%\Nezah 19.12.2013 00:10

%APP%\Afqag 19.12.2013 23:29

%APP%\Zasi 19.12.2013 23:29

%APP%\Eqzauf 20.12.2013 22:23

%APP%\Ubapo 20.12.2013 22:23

%APP%\Ydgowa 20.12.2013 22:23

%APP%\Olosu 20.12.2013 23:03

%APP%\Taal 20.12.2013 23:03

%APP%\Taosep 20.12.2013 23:03

%APP%\Wokyco 16.01.2014 13:22

%APP%\Semi 17.01.2014 16:34

%APP%\Uheh 17.01.2014 16:34

E(DDIE)VASIONon the system level

OpenProcess

Check AccessToken

WriteProcessMemory

CreateRemoteThread

Boom.

Domain

Generation

Algorithms

http://blog.malwaremustdie.org/

E(DDIE)VASIONon the perimeter

E(DDIE)VASIONon the binary level

E(DDIE)VASIONon the binary level

Eddie In The Browser

USER BANK.COMBROWSER

inject web

content

grabuserinput

+

• Update URL & Config Backup URL

• Upload URL

• Injection Information

• URL Masks:• For identifying websites to log

• For identifying websites to screenshot

• URL Mappings for Redirection

• IP/URL Mappings to insert to host file to override DNS lookups

CONFIGURATION

SUMMING IT UP

DROPPERkilf.exe

C&C SERVER

control communication and updates

DELETE SCRIPTKUQ9491.bat

ZBOTvogiap.exeCONFIGURATION

ehri.ofu

drop Zbotfiles

delete dropper

PROCESSexplorer.exe

inject code

ZitMo Zeus in the Mobile

Zeus Infection

Installation of ZitMo

Social Engineering

Spying of Online-Banking credentials

Capture mTAN

Do Transaction

ZeusVM / KINS

Born December 2011

Sold as a kit since 2013

Heavily based on Zeus source code

http://blog.fox-it.com/2013/07/25/analysis-of-the-kins-malware/

Zeus VIRTUAL MACHINE

1. Grab next opcode

2. Call opcode handler

INVISIBLE PERSISTENCE

thread for managing autorun key

...

CONFIGURATIONhiding in plain sight

CONFIGURATIONhiding in plain sight

http://blog.malwarebytes.org

https://blog.malwarebytes.org

CONFIGURATIONhiding in plain sight

Carberp

There is no honour among thieves:

“Leaking the source code was not like the leaking of a weapon, but more like the leaking of a tank factory”

1.9GB Sourceshttp://krebsonsecurity.com/

ZBERP

+ =2

ZBERP?

ZBERP?

ZBERP?

ZBERP ..?Infection Routine

Anti-Disassembly

Invisible Persistence

Graphical Configuration

Virtual Machine Execution

Encrypted C&C communication

Suspend-Thread Code Injection

Hooking Technique

ZEUSKINS

CARBERP

BRAVE

NEW

WORLD

NOW WHAT ABOUT

DETECTIONS?

HUNTING ZEUS1. Drive-by infections

2. Anomalies in network traffic

3. Threat intelligence feeds to follow C&Cs

4. File system & registry key changes

5. Watch your data

malware Kill chain

Awareness | Behavior | Correlation | Intelligence | Encryption

LURE

EXPLOIT

INFECTCALL

HOMESTEAL

DATA

RESOURCES

• Eddie Sources:• http://www.guitarworld.com/photo-gallery-many-faces-iron-maidens-eddie

• http://maiden-world.com/articles/history-of-eddie.html

• http://ultimateclassicrock.com/iron-maiden-eddie-album-covers-retrospective/

• http://www.cyactive.com/zberp-baby-super-trojan/

• https://blog.malwarebytes.org/security-threat/2014/02/hiding-in-plain-sight-a-story-about-a-sneaky-banking-trojan/

• http://www.fortiguard.com/legacy/analysis/zeusanalysis.html

• http://www.symantec.com/connect/blogs/brief-look-zeuszbot-20

• http://www.reuters.com/article/2007/07/17/us-internet-attack-idUSN1638118020070717

https://sunchaser.info/fun/ed-force-one.html

Thank youmarion@cyphort.com

@pinkflawd