
WHITE PAPER

Zeus P2P Advancements and MitB Attack Vectors


ThreatMetrix Labs Public Report July 2012

Authors: Andreas Baumhof and Alex Shipp


Contents
Executive Summary
Static PE Analysis
Change in Configuration File Encryption
Configuration File
    General Observations
Common Attack Tactics
    Category 1: Personal Information is Stolen After the Login Page (Credit Card Websites)
    Category 2: Personal Information is Stolen After the Login Page (Financial Institutions & Banks)
    Category 3: Injecting Malicious JavaScript into Banking Websites (Mainly Targeting Italian Banks)
    Category 4: Merchants/Retailers are Compromised to Steal Personal Information (such as Member Cards)
        Example: Internet Retailer
    Category 5: Non-Financial Institutions (Facebook, Google) are Compromised to Steal Personal Information, Credit Card Information and Money
        Example: Facebook
        Example: Google
Appendix
    urls.txt
    Additional Files (Injected HTML, Registry, )


Executive Summary
In April 2012, ThreatMetrix Labs came across a new variant of the peer-to-peer (P2P) version of the notorious Zeus Trojan. The P2P variant seems to be the most active in terms of development; therefore, it was no surprise that this particular version had many improvements built in, including a different encryption algorithm for the configuration file. This small but crucial change will make all automatic detection routines fail (our own as well as anyone else's). As many financial institutions rely on notifications based on attack vectors extracted from these configuration files, the constant change to the encryption is disturbing. In fact, ThreatMetrix has tracked at least six different configuration-file encryption schemes within Zeus alone. Combine this with the ability of malware writers to stay undetected for four to five years (Flame malware), and you will get an idea of how they work. If cybercriminals want to perform a targeted attack, they can simply take the Zeus source code and change how the configuration file is encrypted, remaining undetected in the process. In this ThreatMetrix Labs report, we look at this particular Zeus sample and some interesting attack vectors based on the newly decrypted configuration file.

Static PE Analysis
We analyzed the Zeus sample with MD5 7ebe4e6f8e5ea5981f4b32cd9465e6a3. Static PE analysis shows that the sample has 988 functions, of which 561 are unchanged from older versions of Zeus and 427 are new or updated since November. This is a much bigger change than in other Zeus samples we typically analyze; it appears to have been a substantial rewrite. For example, the SoftwareGrabber module, responsible for stealing user data, usernames, passwords and other confidential information, has been greatly cut down. Routines to steal from FTP, poker sites, etc. have been removed. All that remain are the email and Flash data stealers. A new backdoor command has been added, fs_find_by_keyword, which we'll cover in more detail in one of the following ThreatMetrix Labs reports.


Change in Configuration File Encryption
The BinStorage data structure now has each item encoded with a 4-byte XOR key formed from the following elements:

    (item length << 0x10) | (0xFFFF & item id) | (BinStorage Count << 8)

Note that the BinStorage Count field is no longer used as a count, but is now used as part of the XOR key. The compression algorithm has changed as well and is no longer UCL. Overall, these are fairly simple changes that would take developers only a few hours to make, but they automatically render all existing automatic decryption routines ineffective.
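The per-item key derivation above, as an added example that is not part of the ThreatMetrix report: the key formula is the one stated on the page, while the 32-bit little-endian byte order of the key, its repetition across the item, and the sample items are assumptions made for this illustration.

```python
# Added example (not from the report): derive the per-item BinStorage XOR key
# described above and apply it to an item. Key byte order (little-endian) and
# the repeat-every-4-bytes application are assumptions; the formula is the page's.
import struct

def binstorage_item_key(item_len: int, item_id: int, count: int) -> int:
    """Per-item key: (len << 0x10) | (0xFFFF & id) | (count << 8), kept to 32 bits.
    The former 'count' field is now key material, not a count."""
    return ((item_len << 0x10) | (item_id & 0xFFFF) | (count << 8)) & 0xFFFFFFFF

def xor_item(data: bytes, item_id: int, count: int) -> bytes:
    """XOR every byte of the item with the 4-byte key (assumed little-endian,
    repeating). XOR is its own inverse, so the same call encodes and decodes."""
    key = struct.pack("<I", binstorage_item_key(len(data), item_id, count))
    return bytes(b ^ key[i % 4] for i, b in enumerate(data))

def decode_items(items, count):
    """Decode a list of (item_id, encoded_bytes) pairs sharing one count field."""
    return {item_id: xor_item(enc, item_id, count) for item_id, enc in items}

if __name__ == "__main__":
    # Constructed sample items; ids and the count value are made up for the demo.
    count = 3
    plain = {0x4E30: b"https://example.invalid/*", 0x0001: b"NR30"}
    encoded = [(i, xor_item(p, i, count)) for i, p in plain.items()]
    assert decode_items(encoded, count) == plain
    print(hex(binstorage_item_key(5, 0x1234, 3)))  # 0x51334
```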

Configuration File
As mentioned before, decrypting the configuration file enables us to see the attack vectors and what exactly the fraudsters do.

General Observations
The internal botnet name is NR30, and overall it targets 297 URLs, some of them matched using regular expressions (see the Appendix for a full list). Some are non-specific, such as generic monitoring of all https:// requests. Most of the matches are used to insert a call to their default script (scripts/default0.js) after the first form on the page. The important part is that in all these cases the login page will look just fine. Only after the victim has entered his username/password will the Zeus malware take over and try to steal confidential information. There are several more interesting cases, which we will group into four sections. Most of these are based on four different scenarios, with minor code changes to accommodate the differences between various sites.
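A page-integrity check for the injection pattern just described, as an added example that is not part of the ThreatMetrix report: it looks for a script element loaded from a host other than the site's own that appears after the first form. The site hostname, the placeholder host and the sample HTML are constructed assumptions; only the scripts/default0.js path comes from the page.

```python
# Added example (not from the report): flag foreign <script src> elements in a
# rendered login page, noting whether one sits after the first form, as the
# injection described above does. Hostnames and sample HTML are constructed.
from html.parser import HTMLParser
from urllib.parse import urlparse

class ForeignScriptFinder(HTMLParser):
    """Records every external script whose host is not the site's own, together
    with whether it appears after the first </form> and before any second form."""
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.forms_closed = 0
        self.findings = []          # (src, after_first_form)

    def handle_endtag(self, tag):
        if tag == "form":
            self.forms_closed += 1

    def handle_starttag(self, tag, attrs):
        if tag != "script":
            return
        src = dict(attrs).get("src")
        if not src:
            return
        host = urlparse(src).netloc.lower()
        if host and host != self.site_host:
            self.findings.append((src, self.forms_closed == 1))

def find_foreign_scripts(rendered_html, site_host):
    """Return foreign script sources found in the browser-rendered DOM."""
    finder = ForeignScriptFinder(site_host)
    finder.feed(rendered_html)
    return finder.findings

# Constructed sample: a login page as the victim's browser would see it once a
# script call has been inserted after the first form.
CLEAN_PAGE = ('<html><body><form action="/login" method="post">'
              '<input name="user"><input name="pass" type="password"></form>'
              '<script src="https://bank.example/static/app.js"></script></body></html>')
INJECTED_PAGE = CLEAN_PAGE.replace(
    "</form>",
    '</form><script src="https://PLACEHOLDER-HOST.invalid/scripts/default0.js"></script>')

if __name__ == "__main__":
    print(find_foreign_scripts(CLEAN_PAGE, "bank.example"))     # []
    print(find_foreign_scripts(INJECTED_PAGE, "bank.example"))
```

Because the injection happens in the victim's browser, the check has to run over the DOM as rendered there (for example a serialized DOM captured client-side); the server's copy of the page stays clean.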


Common Attack Tactics

This particular Zeus Trojan employs largely the same technical attack vector against most of the following targets. In this chapter, we'll explore this attack vector in a bit more detail.

1. Check if the victim is logged in
    a. Contact ThreatMetrix Labs (labs@threatmetrix.com) for the full report on details on this.

2. Stealing of login credentials (username/password)

3. Checks whether the victim's details have been compromised before

4. Ask the Command and Control server whether to infect the machine

5. Display of an HTML overlay to steal additional personal information after login

Category 1: Personal Information is Stolen After the Login Page (Credit Card Websites)
This particular case targets all major credit card companies. When a victim tries to log in via the website, an intermediate page appears to trick the victim into disclosing personal and credit card information to the fraudsters. Examples: please contact ThreatMetrix Labs (labs@threatmetrix.com) for the full report on details on this.



Category 2: Personal Information is Stolen After the Login Page (Financial Institutions & Banks)
This particular case targets major financial institutions in the UK, U.S., Canada, Middle East, Italy, Germany, and Australia. When a victim tries to log in via the website, an intermediate page appears to trick the victim into disclosing personal and credit card information to the fraudsters, similar to Category 1.

Category 3: Injecting Malicious JavaScript into Banking Websites (Mainly Targeting Italian Banks)
Malicious JavaScript can do virtually anything to a financial institution's website. We've seen cases where JavaScript was used to perform a fully automated wire transfer in the background (Gozi) or where it circumvented two-factor authentication (Carberp). In this particular case, a common script adjusted the account balances to hide the fact that money had been stolen from the account. Another use case was to disable functionality within the banking application, preventing access to pages that would give away the fact that the account had been compromised.

Category 4: Merchants/Retailers are Compromised to Steal Personal Information (such as Member Cards)
Big retailers and merchants are more and more the target of fraudulent activity, especially where there is a high degree of loyalty (returning customers). Airlines are a good example, but so are big retailers with loyalty cards that provide access to cash.

Example: Internet Retailer
Please contact ThreatMetrix Labs (labs@threatmetrix.com) for the full report on details on this.

Category 5: Non-Financial Institutions (Facebook, Google) are Compromised to Steal Personal Information, Credit Card Information and Money
This scheme follows a trend that we (as well as everyone else) have been seeing: the move away from targeting the big retail banks, or even banks at all, with increasing sophistication in monetizing non-banking websites (such as social networking sites). Common scams include:

"Link your debit card to your Facebook account."

"Transfer Facebook Credits to your bank account is now available!"

"Earn up to 20% cash back purchasing Facebook Credits with your MasterCard or Visa debit cards."

"We are glad to offer you participation in our brand new processing system created jointly with Verified by VISA, MasterCard SecureCode and Google Checkout. Link your debit card right now with your Google Mail account to pay simply and securely at more than 3,000 stores online, starting January 1, 2012. All you need to do is activate your card. Then, whenever you submit an order at a participating online store, a Google Checkout window will appear automatically. Enter your password, submit, and that's it. Once activated, your card number cannot be used without your personal password for online purchases."

Example: Facebook
First, the user will see the normal login page. As this page is perfectly clean, the victim isn't aware that this is a compromised page.

After the victim has provided his username and password, however, the following screen appears, which tries to lure the victim into providing his credit card information.


Example: Google
The Google example is very similar to the previous example from Facebook. First, the login page will appear, with nothing altered except for some invisible JavaScript:

That invisible JavaScript will then turn the page into this:

Appendix
urls.txt Summary
Botnet name = NR30
Total URLs monitored by botnet = 297
Contact ThreatMetrix Labs (labs@threatmetrix.com) for the full report on details on this.

Additional Files (Injected HTML, Registry, )


If you want access to the restricted version of this report, including the MITB injections for this Trojan, please contact us at labs@threatmetrix.com.

Contact Us
USA Corporate Headquarters:
ThreatMetrix Inc.
160 West Santa Clara Street, Suite 1400
San Jose, CA 95113
Telephone: +1.408.200.5755
Fax: +1.408.200.5799

EMEA Headquarters:
ThreatMetrix B.V.
Laan van Vredenoord 33-39
2289 DA Rijswijk
The Netherlands
Telephone: +31 (0)70 8200 508

www.threatmetrix.com
www.threatmetrix.com/fraudsandends

2012 ThreatMetrix. All rights reserved. ThreatMetrix, TrustDefender ID, TrustDefender Cloud, TrustDefender Mobile, TrustDefender Client, the ThreatMetrix Cybercrime Defender Platform, and the ThreatMetrix logo are trademarks or registered trademarks of ThreatMetrix in the United States and other countries. All other brand, service or product names are trademarks or registered trademarks of their respective companies or owners.
