Monday, October 25, 2010

Zeus Botnet : Part 2 --- A Closer Look Into Zeus Bot


In the Part 1 of this series , we've had a look into the basic process involved in building the Zeus bot executable and customizing the Zeus configurations . In this part , we will dig deep inside the Zeus network communcations , its command and control activity and some of its more advanced features implemented for stealing user's identity.

Zeus Network Communications

When the bot is executed in a virtual machine, initially, it communicates over the HTTP protocol and sends the GET request to the Command and Control server to retrieve the configuration file and the server replies with the requested configuration file. This request is made repeatedly on the basis of the timer value configured in the configuration file









Bot sends the information of the infected computer back to the control server according to the “url_server” parameter specified in the configuration file











Upon closer analysis of the Zeus network communications, we have come across an interesting similarity between the GET response from the server and the next POST request sent by the bot. 

















As observed above, this similarity is spotted in the initial part of the GET response from the server and the POST request from the bot. i.e starting at the 3rd byte after the HTTP header ends. We have had similar observations with all the older versions of Zeus bot. This is something which can be used to implement the generic detection for this bot on a network gateway!

HTML injection on SSL secured banking transactions

As the banking websites evolved, they have added extra layer of security in order to mitigate the keystroke logging attacks. On the other hand, continuously evolving malwares have also come out with new techniques to bypass these security measures and steal the login credentials. Password stealing botnet such as Zeus now use HTML code injection techniques whereby bot on the infected computer injects HTML code into the legitimate web pages of the banking site to request additional personal information not required during the transactions. This entices the users to input more credentials than required, which is captured by the bot and posted back to the Zeus bot masters command & control server.

Before injecting into HTML pages, the targeted site looks like this















After injecting into HTML page, same targeted site looks like this.
















This shows how even forms that are supposed to be HTTPS encrypted can be manipulated by a bot to entice the user into typing out arbitrary levels of personal information, that can be then captured (using key logging) and sent off to the C&C master.

The basic injection HTML mechanism involved over here is , When a machine gets infected with Zeus , it will wait and watch your web surfing activity . It sits inside your Operating System and hooks several Windows  APIs  to intercept the website access over HTTPS . 











Above screenshot just shows that . It modifies the memory of the several Windows process , creates pages inside it and then injects its own code to intercepts user's communication .

When user is found accessing one of the targetted banking website , it intercepts the activity  and after the page is decrypted on the host machine , it uses following web injection template in the file webinjects.txt  to inject the code . 








It is clearly visible that all the code between the tag data_inject is the one that is injected into Web page . 

Intercepting mouse clicks and capturing virtual keyboard screenshots

Banking websites have come up with the Virtual Keyboard technique in order to mitigate the keystroke logging attacks . Zeus counter-attacks this security feature by capturing the screenshots on each mouse click . Each click will be intercepted and a screenshot captured which will be sent to the drop server which is then combined sequentially to extract the entered password as shown below.


















Analysis of the decrypted configuration file

Once the machine is infected with the Zeus bot, you can use the Zeus Decoder tool available here to decrypt the encrypted config file. Let‘s take a look at the decrypted config file. We’ll see the HTML injection code that this bot has added into it

http://172.16.230.183/cfg.bin
http://172.16.230.183/ip.php
http://172.16.230.183/bt.exe
http://172.16.230.183/gate.php
!*.microsoft.com/*
!http://*myspace.com*
https://www.gruposantander.es/*
!http://*odnoklassniki.ru/*
!http://vkontakte.ru/*
@*/login.osmp.ru/*
@*/atl.osmp.ru/*
https://banking.*.de/cgi/ueberweisung.cgi/*
*&tid=*
*&betrag=*
https://internetbanking.gad.de/banking/*
KktNrTanEnz
https://www.citibank.de/*/jba/mp#/SubmitRecap.do
SYNC_TOKEN=*
https://www.mybank.com/loginform.asp --> Fake banking website that we added while building the config file

HTML Injection code in the config file: 












Following is the abbreviated list of banking websites found in the decrypted configuration file . This is just a partial list of websites . 

https://online.wellsfargo.com/signon*
https://www.paypal.com/*/webscr?cmd=_account
https://www.paypal.com/*/webscr?cmd=_login-done*
https://www#.usbank.com/internetBanking/LoginRouter
https://easyweb*.tdcanadatrust.com/servlet/*FinancialSummaryServlet*
https://www#.citizensbankonline.com/*/index-wait.jsp
https://onlinebanking.nationalcity.com/OLB/secure/AccountList.aspx
https://www.suntrust.com/portal/server.pt*parentname=Login*
https://www.53.com/servlet/efsonline/index.html*
https://web.da-us.citibank.com/*BS_Id=MemberHomepage*
https://onlineeast#.bankofamerica.com/cgi-bin/ias/*/GotoWelcome
https://online.wamu.com/Servicing/Servicing.aspx?targetPage=AccountSummary
https://onlinebanking#.wachovia.com/myAccounts.aspx?referrer=authService
https://resources.chase.com/MyAccounts.aspx
https://bancaonline.openbank.es/servlet/PProxy?*
https://extranet.banesto.es/*/loginParticulares.htm
https://banesnet.banesto.es/*/loginEmpresas.htm
https://empresas.gruposantander.es/WebEmpresas/servlet/webempresas.servlets.*
https://www.gruposantander.es/bog/sbi*?ptns=acceso*
https://www.bbvanetoffice.com/local_bdno/login_bbvanetoffice.html
https://www.bancajaproximaempresas.com/ControlEmpresas*
https://www.citibank.de*
https://probanking.procreditbank.bg/main/main.asp*
https://ibank.internationalbanking.barclays.com/logon/icebapplication*
https://ibank.barclays.co.uk/olb/x/LoginMember.do
https://online-offshore.lloydstsb.com/customer.ibc
https://online-business.lloydstsb.co.uk/customer.ibc
https://www.dab-bank.com*
http://www.hsbc.co.uk/1/2/personal/internet-banking*
https://www.nwolb.com/Login.aspx*
https://home.ybonline.co.uk/login.html*
https://home.cbonline.co.uk/login.html*
https://welcome27.co-operativebank.co.uk/CBIBSWeb/start.do

Botnet Command and Control

This toolkit comes with a Control panel installation which is typically used to track the botnet infections. This is a PHP application which can be run on a Web Server along with the other required database software (MYSQL). It also enables the attacker to remotely control and send commands to Victim’s computer.
I opened one of the scripts that came with this toolkit and I found the Bot can be given following commands: 
-------------------------

$_COMMANDS_LIST = array
  (
    'reboot'   => 'Reboot computer.',
    'kos'      => 'Kill OS.',
    'shutdown' =>  'Shutdown computer.',
  
    'bc_add [service] [ip] [port]' => 'Add backconnect for [service] using server witn address [ip]:[port].',
    'bc_del [service] [ip] [port]' => 'Remove backconnect for [service] (mask is allowed) that use connection to [ip]:[port] (mask is allowed).',
  
    'block_url [url]'   => 'Disable access to [url] (mask is allowed).',
    'unblock_url [url]' => 'Enable access to [url] (mask is allowed).',
  
    'block_fake [url]'   => 'Disable executing of HTTP-fake/inject with mask [url] (mask is allowed).',
    'unblock_fake [url]' => 'Enable executing of HTTP-fake/inject with mask [url] (mask is allowed).',
  
    'rexec [url] [args]'   => 'Download and execute the file [url] with the arguments [args] (optional).',
    'rexeci [url] [args]'  => 'Download and execute the file [url] with the arguments [args] (optional) using interactive user.',
    'lexec [file] [args]'  => 'Execute the local file [file] with the arguments [args] (optional).',
    'lexeci [file] [args]' => 'Execute the local file [file] with the arguments [args] (optional) using interactive user.',
  
    'addsf [file_mask...]' => 'Add file masks [file_mask] for local search.',
    'delsf [file_mask...]' => 'Remove file masks [file_mask] from local search.',
    'getfile [path]'       => 'Upload file or folder [path] to server.',
  
    'getcerts'          => 'Upload certificates from all stores to server.',
    'resetgrab'         => 'Upload to server the information from the protected storage, cookies, etc.',
    'upcfg [url]'       => 'Update configuration file from url [url] (optional, by default used standard url)',
    'rename_bot [name]' => 'Rename bot to [name].',
    'getmff'            => 'Upload Macromedia Flash files to server.',
    'delmff'            => 'Remove Macromedia Flash files.',
    'sethomepage [url]' => 'Set homepage [url] for Internet Explorer.'
-------------------------

Amazing stuff !!..Quite a few prety decent commands implement in this bot . I spent some time installing PHP and MySQL after installing the Webserver and this is how the Zeus control panel looks like . 



















Very neat installation steps . It will asks you to configure Root user to administer the control panel , Mysql server username and password , local folder for reports , encryption key to decrypt the RC4 encrypted HTTP communications etc. and that's it ..You are ready to go !!. 

Detecting Zeus Botnet on the Wire

This blog would remain incomplete without talking about the ways to detect Zeus botnet on the wire . One of the more obvious way to detect this bot is to correlate the GET response from the server and POST request from the bot client as we saw earlier in this post . But this method of detecting is rather very expensive in terms of performance and is expected to consume high memory as we are not inspecting or comparing the payload against any constant pattern of bytes . 

Another method is perhaps the more decent heuristic to detect the fishy activity with the banking sites . Idea is to detect the change in the number of HTML form fields while accessing the banking site and when the data is posted back on the server . This can be detected on the Network gateway . In the case of Zeus, as the banking sites are accessed over HTTPS , perimeter device needs to be armed with SSL Man - in-the-Middle functionality to be able to detect this form of network traffic .

Hope you 've had fun reading this analysis series  :)



Saturday, September 18, 2010

Zeus Botnet : Part 1 --- Building Of The Zeus


Zeus bot has been in the wild since 2007 and it is among the top botnets active today. This bot has an amazing and rarely observed means of stealing personal information by infecting the user’s computers and capturing all the information entered on the Banking sites. Apart from stealing passwords, this bot has variety of methods implemented for stealing identity and controlling victim’s computer over the internet.

In the Part 1 of this series, I will disclose the process involved in building and distributing Zeus botnet in the wild. In the Part 2, I will discuss on Zeus network communications , how it captures personal information by injecting HTML code dynamically, and finally some thoughts on Command and Control.
Zeus serves as a heads up!! for all those who believe that banking transactions on HTTPS can never be intercepted. 

Zeus builder toolkit

I’ve been busy researching on how Zeus is built and distributed in the wild. It has been a pretty high profile botnet since it was discovered, due to its high rate of infections. During our research activity I was able to get hold of Zeus builder toolkit. It was priced at USD 700 to USD 1500 back then and few months later, a free version of this toolkit was out for public.

Building and Configuring Zeus Bot

The process of building and configuring Zeus bot requires just a couple of steps.

Step 1) Configuration specs

Specifying all the static configuration parameters in the configuration file. 



“Edit config” button will allow you can enter various parameters to control the botnet as  described below.


timer_logs      : Time interval to upload the logs to server
timer_stats     : Time interval to upload infection statistics to server
url_config       : Server URL for fetching the Config file
url_compip     : Server URL for reporting the victim
encryption_key : Encryption key to encrypt config file
url_loader        : URL for fetching latest version of the zeus exe
url_server        : Command and Control server
file_webinjects : This parameter is the file name containing HTML Web injection code. 
AdvancedConfigs : URL for fetching the backup config file
WebFilters  : Contains the masked list of URLs that should be monitored for capturing login credentials.
WebDataFilters : Contains the list of URLs that should be monitored for specific string matches . If patterns such as "Passw" or "login" is matched , data is captured and sent to C&C server e.g http://mail.rambler.ru/*" "passw;login"
WebFakes :  URLs that should be redirected to the fake websites.
TANGrabber
TAN (Transaction Authentication Number) Grabber is Zeus feature that allows the botmaster to specify the banking sites to monitor and the specific patterns to search for in the transaction data posted to the bank websites. Zeus will match these specified data patterns, capture them and will post on C&C server. Botmaster can enter other banking sites here and Zeus will add it in the final encrypted configuration file when “Build config “ button  is clicked.
I have entered the fake banking URL to check in the builded config file.
https://www.mybank.com/loginform.asp""S3R1C6G""*&tid=*" "*&betrag=*" 


Step 2) Config builder

Let’s have a look what happens when “Build config” button is pressed. Toolkit will build the final encrypted configuration file with an option to save it . This configuration file is then uploaded by the botmaster on the C&C server 



Step 3) Building bot executable
Botmaster can build Zeus executable by clicking "Build loader" button



One of the interesting features of this toolkit is that during botnet building process, if botmaster accidently infects his own computer, he can remove the botnet with “Remove spyware from this system” button that is option built into the Zeus builder.













Variety of methods for distributing this botnet exist . Most popular means of spreading this binary is through drive-by-downloads using social engineering techniques and SPAM mails which either might contain malicous attachments or download links which when clicked , downloads and installs Zeus into the system .


That's it for Part 1 . Will see you again in Part 2 of this series where we will have more deeper look into this piece of malware .