Extracting Forensic Information from Zeus Derivatives
James Wyke, Senior Threat Researcher
SOURCE Dublin 2014

Agenda
• Zeus and derivatives overview
• What information do we want to extract and why?
• How do we extract the information?
• Automation
• Conclusion

Zeus and Derivatives
• Highly successful kit
• Source code leaked 2011
• New variants – Citadel, IceIX, KINS, Gameover + many more
• Leaked code also widely used with few or no modifications
• Many variants successful in their own right
• More builders leaked

Zeus and Derivatives
• Variant prevalence, typical weekly breakdown (pie chart):
  Citadel        19%
  Ice9            8%
  P2P            31%
  2.0.8.9 Based  17%
  KINS           12%
  Other          13%

What information do we want to extract?

High Level Goals
• What was stolen?
○ Network traffic
○ Cache data
• Where was data sent?
○ Drop zone URLs
○ Config file URLs
○ Backup URLs
• What changes were made?
○ Commands executed
○ Web injects – config data
• Who were the attackers?
○ Tracking

How to Achieve These Goals?
• C2 addresses
○ Extract from binary, config file, network traffic captures
• Stolen data
○ Decrypt network data, cache files
• Configuration files
○ Obtain, decrypt, decipher config data
○ Webinjects, filters, targeted processes
• Runtime information
○ Exe path, registry keys, etc.
• Store and track data
○ Keys, URLs, customisations

How do we extract the information?

Key Variants
• Leaked Zeus (2.0.8.9)
○ Original codebase
○ Same process will work for many minor variations
• IceIX
○ Encryption algorithm changes
○ Config file retrieval complications
• Citadel (1.3.5.1)
○ Encryption heavily rewritten
○ More config file retrieval changes
• Gameover
○ Peer-to-peer
• KINS
○ VM based decryption routine

Zeus 2.0.8.9
• Config file URL
• Retrieve, decrypt, decipher config file
• Assess stolen data – decrypt network traffic, cache file
• Read runtime information

Zeus 2.0.8.9: Config file URL
• Static config details embedded in binary
• Config block XOR encrypted
• Find block offset and XOR key

Zeus 2.0.8.9: Config URL (screenshot)

Zeus 2.0.8.9: Config URL
• Regexp search, e.g.:
○ "[\x50-\x57][\xb8-\xbf].{2}\x00\x00[\x50-\x57]\x68.{4}[\x50-\x57]\xe8.{4}\x8b.{5}\x03"
• Key always at start of '.reloc' section
• Key length = size of StaticConfig
• StaticConfig also contains RC4 key

Zeus 2.0.8.9: Config File
• Retrieved with simple GET request to URL
• RC4 decrypt
○ Using key from StaticConfig (no key scheduling stage)
• VisualDecrypt
○ for (m = (Size-1); m > 0; m--)
○ Data[m] = Data[m] ^ Data[m-1]
• Decompress compressed blocks
○ nrv2b
• Convert to something more readable
○ XML is an option

Zeus 2.0.8.9: Config file structure
• Common to many subsequent variants
• Config header structure:
  Offset  Size  Value
  0x0     0x14  Random data
  0x14    0x4   Size of config file
  0x18    0x4   Flags (usually 0)
  0x1c    0x4   Number of blocks
  0x20    0x10  MD5 of data
  0x30    …     Config blocks

Zeus 2.0.8.9: Config file structure
• Config blocks – header then data
• Config block header structure:
  Offset  Size  Value
  0x0     0x4   Block ID
  0x4     0x4   Flags, e.g. compressed
  0x8     0x4   Compressed size
  0xc     0x4   Decompressed size

Zeus 2.0.8.9: Config file structure
• Block ID identifies specific type of config entry, e.g. version, new exe URL, drop zone URL, web injects
• Leaked source indicates what each binary value means
• Conversion to XML makes the data easier to interpret: (screenshot)
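The config-file pipeline from the preceding slides (RC4 decrypt, VisualDecrypt, 0x30-byte header, 0x10-byte block headers) as an added, self-contained Python example; it is not the talk's or Sophos's own tooling. It reads "no key scheduling stage" as StaticConfig holding the ready-made 256-byte RC4 state, assumes "MD5 of data" covers everything after the header, uses an assumed bit value for the compressed flag and leaves nrv2b decompression out; the builder key, block IDs and config contents are constructed here, not taken from a real sample.

```python
import hashlib
import struct
from dataclasses import dataclass

# Layout from the slides: 0x30-byte file header, then a 0x10-byte header per block.
HEADER_FMT = "<20sIII16s"  # random data, size of config file, flags, number of blocks, MD5
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 0x30
BLOCK_FMT = "<IIII"        # block ID, flags, compressed size, decompressed size
BLOCK_LEN = struct.calcsize(BLOCK_FMT)    # 0x10
FLAG_COMPRESSED = 0x2      # assumed flag bit for "compressed"; nrv2b is not implemented here

def rc4_ksa(key: bytes) -> bytes:
    # Standard key scheduling. The builder runs this once and stores the resulting
    # 256-byte state in StaticConfig, which is why the bot has no scheduling stage.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return bytes(s)

def rc4_crypt(state: bytes, data: bytes) -> bytes:
    # Keystream generation only: `state` is the S-box taken straight from StaticConfig.
    s = list(state)
    i = j = 0
    out = bytearray()
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def visual_decrypt(data: bytes) -> bytes:
    # for (m = Size-1; m > 0; m--) Data[m] ^= Data[m-1], exactly as on the slide.
    d = bytearray(data)
    for m in range(len(d) - 1, 0, -1):
        d[m] ^= d[m - 1]
    return bytes(d)

def visual_encrypt(data: bytes) -> bytes:
    # Inverse of visual_decrypt; only needed to build the constructed sample.
    d = bytearray(data)
    for m in range(1, len(d)):
        d[m] ^= d[m - 1]
    return bytes(d)

@dataclass
class ConfigBlock:
    block_id: int
    flags: int
    data: bytes  # raw block data; still nrv2b-compressed when `compressed` is set
    compressed: bool

def parse_config(encrypted: bytes, state: bytes) -> list:
    # RC4 decrypt, VisualDecrypt, then validate the header before trusting any block.
    plain = visual_decrypt(rc4_crypt(state, encrypted))
    if len(plain) < HEADER_LEN:
        raise ValueError("too short to hold a config header")
    _rand, size, _flags, nblocks, md5 = struct.unpack_from(HEADER_FMT, plain, 0)
    if size != len(plain):
        raise ValueError(f"size field {size:#x} != {len(plain):#x}: wrong RC4 state or truncated file")
    # Assumption: "MD5 of data" covers everything after the 0x30-byte header.
    if hashlib.md5(plain[HEADER_LEN:]).digest() != md5:
        raise ValueError("MD5 mismatch: wrong RC4 state or corrupt file")
    blocks, off = [], HEADER_LEN
    for _ in range(nblocks):
        if off + BLOCK_LEN > len(plain):
            raise ValueError("block header runs past end of file")
        bid, bflags, csize, dsize = struct.unpack_from(BLOCK_FMT, plain, off)
        off += BLOCK_LEN
        payload = plain[off:off + csize]
        if len(payload) != csize:
            raise ValueError(f"block {bid:#x} data runs past end of file")
        off += csize
        compressed = bool(bflags & FLAG_COMPRESSED)
        if not compressed and csize != dsize:
            raise ValueError(f"block {bid:#x}: sizes differ but block is not flagged compressed")
        blocks.append(ConfigBlock(bid, bflags, payload, compressed))
    return blocks

def build_sample_config(state: bytes, items: dict) -> bytes:
    # Constructed sample only: header + uncompressed blocks, then VisualEncrypt, then RC4.
    body = b"".join(struct.pack(BLOCK_FMT, bid, 0, len(v), len(v)) + v for bid, v in items.items())
    header = struct.pack(HEADER_FMT, b"\xaa" * 20, HEADER_LEN + len(body), 0, len(items),
                         hashlib.md5(body).digest())
    return rc4_crypt(state, visual_encrypt(header + body))

# Constructed sample: builder key and placeholder block IDs (real IDs come from the leaked source).
SAMPLE_STATE = rc4_ksa(b"constructed-builder-key")
SAMPLE_ITEMS = {0x1001: b"2.0.8.9", 0x1002: b"http://drop.example.invalid/gate.php",
                0x1003: b"set_url https://bank.example.invalid/* GP"}
SAMPLE_CONFIG = build_sample_config(SAMPLE_STATE, SAMPLE_ITEMS)

if __name__ == "__main__":
    for blk in parse_config(SAMPLE_CONFIG, SAMPLE_STATE):
        print(f"block {blk.block_id:#06x} compressed={blk.compressed}: {blk.data!r}")
```

A wrong RC4 state fails the size check or the MD5 check rather than yielding garbage blocks, which is the behaviour you want when trying candidate keys from several StaticConfig dumps.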

Zeus 2.0.8.9: Stolen data
• Network data
○ RC4 decrypt using key from StaticConfig
○ Data is structured similar to config data
• Cache data
○ Temporary store of data before sending back to drop zone
○ Structure:
  Offset  Size  Value
  0x0     0x4   XOR-encoded size of block
  0x4     0x1   0
  0x5     ??    First encrypted block

Zeus 2.0.8.9: Cache data
• XOR key stored in runtime data at offset 0x1e2
• Blocks encrypted with VisualEncrypt + RC4
• New RC4 key from runtime data
• Blocks have same structure as network data
• Cache gets deleted when data sent over network

Zeus 2.0.8.9: Runtime information
• Dynamically created block written by dropper
• See https://code.google.com/p/volatility/source/browse/trunk/contrib/plugins/malware/zeusscan.py for structure
• Key fields:
○ RC4 key – encrypting cache data
○ XORkey – cache data block sizes
• Also, registry keys, exe file name, cache file name, etc.

Zeus 2.0.8.9: Runtime information
• Find block in dump: (screenshot)
• Often appended to file

IceIX
• Same goals
○ Config file URL
○ Retrieve, decrypt, decipher config file
○ Assess stolen data – decrypt network traffic, cache file
○ Read runtime information
• How do we identify?
• What are the differences?

IceIX: Identification
• Config file URL by default ends with config.php
• Strings: "bn=1" and "&sk=1"
• Modified RC4 routine: (screenshot)

IceIX: Modifications
• RC4 changes
• Config file retrieval requires structured POST request

IceIX: RC4 changes
• Classic: (screenshot)
• Modified: (screenshot)

IceIX: Config file retrieval
• POST request requires special format or config file is not delivered
• POST data format:
bn=<BOTID string>&sk=<MD5 of encrypted BOTID string>
• BOTID generated per machine, e.g.: MYPC_737574566769_474
• Encrypted using modified RC4 with key from StaticConfig
• All POST data encrypted before being sent

Citadel: Identification
• Giveaway string:
○ 'Coded by BRIAN KREBS for personal use only. I love my job & wife.'
• Version number: (screenshot)
• Maybe further strings:
○ cit_ffcookie.module, cit_video.module

Citadel: Modifications
• Encryption process rewritten – AES + RC4, multiple keys
• Formatted POST request for config file retrieval
• Backup config file URLs

Citadel: Encryption process
• RC4 has XOR on top with LOGIN_KEY
○ Extra key generated at build time, e.g.:
○ "C1F20D2340B519056A7D89B7DF4B0FFF"
• Config data encrypted with AES
• Network traffic requires generating a new RC4 key

Citadel: Config file retrieval
• Extra non-standard permutation
• Need to extract salt value
• All network traffic encrypted in this way

Citadel: POST data
• Formatted similar to config data – header with 2 data blocks
• Block ID 0x2725 – contains the login_key
• Block ID 0x2726 – file name from config URL:
○ http://pubber.ru/images/greater/wisdom/file.php|file=config.dll
○ Everything after the '|' goes in the block data

Citadel: POST data custom permutation
• Switch case based on DWORD value: (screenshot)
• Python: (screenshot)

Citadel: Config file decryption
• RC4 key from StaticConfig
• login_key
• 128-bit config XOR key

Citadel: Extra config key
• Found in the AES routine: (screenshot)

Gameover/P2P: Identification
• Command strings used in the P2P protocol:
○ OPTIONS
○ PROPFIND
○ PROPPATCH
○ SEARCH
○ UNLOCK
○ REPORT
○ MKACTIVITY
○ CHECKOUT
○ M-SEARCH
○ NOTIFY
○ SUBSCRIBE
○ UNSUBSCRIBE

Gameover/P2P: Modifications
• Static peer list
○ Each peer has its own RC4 key
• Connect to P2P network to retrieve config
• Zlib compression
• https://github.com/arbor/zeus_gameover-re

KINS/VMZeus: Modifications
• VM based StaticConfig decryption
• Embedded byte code determines which VM handler is executed on which byte of ciphertext
• Embedded opcode handler table
• Each element of bytecode is an index into the handler table

KINS/VMZeus: Identification
• Find the entry to the VM handler: (screenshot)

KINS: Key extraction
• RC4 key is in the StaticConfig but now much harder to decrypt
• Need to replicate the handler sequence by running the bytecode through the handler table
• Leaked KINS source: source/common/configcrypt.cpp
• But handler table order is shuffled by the builder, so we must work out the correct order dynamically for each sample

Automation
• As part of sandbox analysis – e.g. Cuckoo
○ Process dump
○ Key extraction and data decryption as part of a processing module
○ Analyzer module to perform the retrieval for non-executing samples
• Volatility
○ Key and data extraction from a memory dump
○ https://code.google.com/p/volatility/source/browse/trunk/contrib/plugins/malware/zeusscan.py

Conclusion
• Many successful and widespread variants spawned from Zeus code
• More builders and source code leaked, many variants still being actively developed
• Despite some significant modifications, new variants are incremental
• Tools can be updated relatively easily for modifications
© Sophos Ltd. All rights reserved.

ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDELiveplex
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Websitedgelyza
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.YounusS2
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemAsko Soukka
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfAijun Zhang
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IES VE
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8DianaGray10
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesMd Hossain Ali
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfDaniel Santiago Silva Capera
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPathCommunity
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1DianaGray10
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?IES VE
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxGDSC PJATK
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1DianaGray10
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfDianaGray10
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Commit University
 

Último (20)

UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6UiPath Studio Web workshop series - Day 6
UiPath Studio Web workshop series - Day 6
 
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCostKubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
KubeConEU24-Monitoring Kubernetes and Cloud Spend with OpenCost
 
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDEADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
ADOPTING WEB 3 FOR YOUR BUSINESS: A STEP-BY-STEP GUIDE
 
COMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a WebsiteCOMPUTER 10 Lesson 8 - Building a Website
COMPUTER 10 Lesson 8 - Building a Website
 
Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.Basic Building Blocks of Internet of Things.
Basic Building Blocks of Internet of Things.
 
Bird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystemBird eye's view on Camunda open source ecosystem
Bird eye's view on Camunda open source ecosystem
 
201610817 - edge part1
201610817 - edge part1201610817 - edge part1
201610817 - edge part1
 
Machine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdfMachine Learning Model Validation (Aijun Zhang 2024).pdf
Machine Learning Model Validation (Aijun Zhang 2024).pdf
 
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
IESVE Software for Florida Code Compliance Using ASHRAE 90.1-2019
 
UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8UiPath Studio Web workshop series - Day 8
UiPath Studio Web workshop series - Day 8
 
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just MinutesAI Fame Rush Review – Virtual Influencer Creation In Just Minutes
AI Fame Rush Review – Virtual Influencer Creation In Just Minutes
 
20150722 - AGV
20150722 - AGV20150722 - AGV
20150722 - AGV
 
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdfIaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
IaC & GitOps in a Nutshell - a FridayInANuthshell Episode.pdf
 
UiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation DevelopersUiPath Community: AI for UiPath Automation Developers
UiPath Community: AI for UiPath Automation Developers
 
Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1Secure your environment with UiPath and CyberArk technologies - Session 1
Secure your environment with UiPath and CyberArk technologies - Session 1
 
How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?How Accurate are Carbon Emissions Projections?
How Accurate are Carbon Emissions Projections?
 
Cybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptxCybersecurity Workshop #1.pptx
Cybersecurity Workshop #1.pptx
 
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1UiPath Platform: The Backend Engine Powering Your Automation - Session 1
UiPath Platform: The Backend Engine Powering Your Automation - Session 1
 
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdfUiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
UiPath Solutions Management Preview - Northern CA Chapter - March 22.pdf
 
Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)Crea il tuo assistente AI con lo Stregatto (open source python framework)
Crea il tuo assistente AI con lo Stregatto (open source python framework)
 

Extracting Forensic Information From Zeus Derivatives

13
Zeus 2.0.8.9: Config file URL
• Static config details embedded in binary
• Config block XOR encrypted
• Find block offset and XOR key

15
Zeus 2.0.8.9: Config URL
• Regexp search, e.g.:
○ "[\x50-\x57][\xb8-\xbf].{2}\x00\x00[\x50-\x57]\x68.{4}[\x50-\x57]\xe8.{4}\x8b.{5}\x03"
• Key always at start of '.reloc' section
• Key length = size of StaticConfig
• StaticConfig also contains RC4 key

16
Zeus 2.0.8.9: Config File
• Retrieved with simple GET request to URL
• RC4 decrypt
○ Using key from StaticConfig (no key scheduling stage)
• VisualDecrypt
○ for (m = (Size-1); m > 0; m--)
○ Data[m] = Data[m] ^ Data[m-1]
• Decompress compressed blocks
○ nrv2b
• Convert to something more readable
○ XML is an option

17
Zeus 2.0.8.9: Config file structure
• Common to many subsequent variants
• Config header structure:

Offset  Size  Value
0x0     0x14  Random data
0x14    0x4   Size of config file
0x18    0x4   Flags (usually 0)
0x1c    0x4   Number of blocks
0x20    0x10  MD5 of data
0x30    …     Config blocks

18
Zeus 2.0.8.9: Config file structure
• Config blocks – header then data
• Config block header structure:

Offset  Size  Value
0x0     0x4   Block ID
0x4     0x4   Flags, e.g. compressed
0x8     0x4   Compressed size
0xc     0x4   Decompressed size

19
Zeus 2.0.8.9: Config file structure
• Block ID identifies the specific type of config entry, e.g. version, new exe URL, drop zone URL, web injects
• Leaked source indicates what each binary value means
• Conversion to XML makes the data easier to interpret
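The decrypt-and-parse path from slides 16 to 18 in working form, as an added example (it is not code from the talk or from the leaked kit). It takes the pre-scheduled RC4 S-box that StaticConfig holds (so there is no key-scheduling step), applies VisualDecrypt, then walks the header and block tables; a size or MD5 mismatch is reported as "wrong key" rather than parsed into garbage. Assumptions: the MD5 at offset 0x20 covers everything after the 0x30-byte header, and "compressed" is bit 0 of the block flags; block IDs and keys in the sample are constructed, and nrv2b decompression of compressed blocks is left to the caller. `schedule_sbox`, `visual_encrypt` and `build_config` are the builder/bot side, present only so the example can construct its own input.

```python
import hashlib
import struct

# Zeus 2.0.8.9 config handling as the slides describe it: RC4 with the
# pre-scheduled 256-byte S-box from StaticConfig, then VisualDecrypt, then
# the header and block layout from the two structure tables. Added example,
# not the talk's or the leaked kit's code. nrv2b decompression of blocks
# flagged compressed is left to the caller.

HEADER_SIZE = 0x30         # random(0x14) + size(4) + flags(4) + nblocks(4) + md5(0x10)
BLOCK_HEADER_SIZE = 0x10   # id(4) + flags(4) + compressed size(4) + decompressed size(4)
BLOCK_FLAG_COMPRESSED = 1  # assumption: "compressed" is bit 0 of the block flags

def rc4_sbox_crypt(sbox: bytes, data: bytes) -> bytes:
    """RC4 PRGA only: the permutation is already scheduled (no KSA, as on
    slide 16), so the generator starts from the stored S-box with i = j = 0."""
    s = bytearray(sbox[:256])
    i = j = 0
    out = bytearray(len(data))
    for n, c in enumerate(data):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out[n] = c ^ s[(s[i] + s[j]) & 0xFF]
    return bytes(out)

def schedule_sbox(key: bytes) -> bytes:
    """Standard RC4 key scheduling; the builder stores its output in StaticConfig."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    return bytes(s)

def visual_decrypt(data: bytes) -> bytes:
    """Slide 16: for (m = Size-1; m > 0; m--) Data[m] ^= Data[m-1]."""
    buf = bytearray(data)
    for m in range(len(buf) - 1, 0, -1):
        buf[m] ^= buf[m - 1]
    return bytes(buf)

def visual_encrypt(data: bytes) -> bytes:
    """Forward direction (bot side); used here only to construct sample input."""
    buf = bytearray(data)
    for m in range(1, len(buf)):
        buf[m] ^= buf[m - 1]
    return bytes(buf)

def parse_config(plain: bytes):
    """Walk a decrypted config: header, then nblocks block headers plus data.
    Assumption: the MD5 at 0x20 covers everything after the 0x30-byte header."""
    if len(plain) < HEADER_SIZE:
        raise ValueError("shorter than a config header")
    size, flags, nblocks = struct.unpack_from("<III", plain, 0x14)
    md5 = plain[0x20:0x30]
    if size != len(plain):
        raise ValueError(f"size field {size:#x} != {len(plain):#x}: wrong key?")
    if hashlib.md5(plain[HEADER_SIZE:]).digest() != md5:
        raise ValueError("MD5 mismatch: wrong key or damaged config")
    blocks, off = [], HEADER_SIZE
    for _ in range(nblocks):
        if off + BLOCK_HEADER_SIZE > len(plain):
            raise ValueError("truncated block header")
        bid, bflags, csize, dsize = struct.unpack_from("<IIII", plain, off)
        off += BLOCK_HEADER_SIZE
        if off + csize > len(plain):
            raise ValueError(f"block {bid:#x} runs past end of config")
        blocks.append({"id": bid, "flags": bflags,
                       "compressed": bool(bflags & BLOCK_FLAG_COMPRESSED),
                       "csize": csize, "dsize": dsize,
                       "data": plain[off:off + csize]})
        off += csize
    return {"size": size, "flags": flags, "nblocks": nblocks, "md5": md5}, blocks

def decrypt_config(sbox: bytes, blob: bytes):
    """Full path from slide 16: RC4 (scheduled key) -> VisualDecrypt -> parse."""
    return parse_config(visual_decrypt(rc4_sbox_crypt(sbox, blob)))

def build_config(blocks: list) -> bytes:
    """Builder-side layout from slides 17/18, used only to construct test data.
    blocks: list of (block_id, flags, data, decompressed_size)."""
    body = b"".join(struct.pack("<IIII", bid, fl, len(d), ds) + d
                    for bid, fl, d, ds in blocks)
    header = bytes(0x14) + struct.pack("<III", HEADER_SIZE + len(body), 0, len(blocks))
    return header + hashlib.md5(body).digest() + body

if __name__ == "__main__":
    sbox = schedule_sbox(b"constructed-sample-key")          # constructed key
    plain = build_config([(0x1001, 0, b"http://example.invalid/gate.php\x00", 32)])
    wire = rc4_sbox_crypt(sbox, visual_encrypt(plain))      # what the bot would fetch
    header, blocks = decrypt_config(sbox, wire)
    for b in blocks:
        print(f"block {b['id']:#x} flags={b['flags']} {b['data']!r}")
```

In practice `sbox` is the 256-byte region at the start of the `.reloc` section that slide 15 locates, and `wire` is the config file pulled from the URL in StaticConfig or carved from a capture; the MD5 check is what tells you the key you carved is the right one before you spend time decoding blocks.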
20
Zeus 2.0.8.9: Stolen data
• Network data
○ RC4 decrypt using key from StaticConfig
○ Data is structured similar to config data
• Cache data
○ Temporary store of data before sending back to drop zone
○ Structure:

Offset  Size  Value
0x0     0x4   XOR-encoded size of block
0x4     0x1   0
0x5     ??    First encrypted block

21
Zeus 2.0.8.9: Cache data
• XOR key stored in runtime data at offset 0x1e2
• Blocks encrypted with VisualEncrypt + RC4
• New RC4 key from runtime data
• Blocks have same structure as network data
• Cache gets deleted when data sent over network

22
Zeus 2.0.8.9: Runtime information
• Dynamically created block written by dropper
• See https://code.google.com/p/volatility/source/browse/trunk/contrib/plugins/malware/zeusscan.py for structure
• Key fields:
○ RC4 key – encrypting cache data
○ XORkey – cache data block sizes
• Also, registry keys, exe file name, cache file name etc.

23
Zeus 2.0.8.9: Runtime information
• Find block in dump:
• Often appended to file
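The cache-file framing from the slide 20 table, as an added example (not the talk's code): pull the XOR key out of the runtime-data block at offset 0x1e2, then walk the cache record by record, recovering each encrypted block and its offset. Each block is then decrypted exactly like the config (RC4 with the runtime RC4 key, then VisualDecrypt), which is why this example stops at the framing. Assumptions: the size field is a little-endian DWORD XORed with a 32-bit XORkey, and the XORkey in runtime data is a little-endian DWORD; `build_cache` and `runtime_stub` are the bot side, present only to construct sample input.

```python
import struct

# Cache file framing from the slide-20 table: each record is a 4-byte XOR-encoded
# block size, one 0x00 byte, then the encrypted block. Slides 21-22: the XOR key
# sits at offset 0x1e2 of the runtime data; the block itself is VisualEncrypt +
# RC4 with the runtime RC4 key and is decrypted like the config. Added example,
# not the talk's code. Assumptions: the size is a little-endian DWORD XORed with
# a 32-bit XORkey, and the runtime data's XORkey is a little-endian DWORD.

XORKEY_OFFSET = 0x1E2   # slide 21
RECORD_HEADER = 5       # DWORD size + 0x00 separator

def read_xorkey(runtime_data: bytes) -> int:
    """Pull the block-size XOR key out of a runtime-data block found in a dump."""
    if len(runtime_data) < XORKEY_OFFSET + 4:
        raise ValueError("runtime data too short to contain the XORkey")
    return struct.unpack_from("<I", runtime_data, XORKEY_OFFSET)[0]

def split_cache(cache: bytes, xorkey: int):
    """Return ([(offset, encrypted_block), ...], bytes_consumed).
    Walking stops at the first record that fails the cheap sanity checks: a
    non-zero separator (wrong key or wrong file) or a size running past the end
    (a cache that was still being written when the dump was taken)."""
    records, off = [], 0
    while off + RECORD_HEADER <= len(cache):
        size = struct.unpack_from("<I", cache, off)[0] ^ xorkey
        start = off + RECORD_HEADER
        if cache[off + 4] != 0 or size == 0 or start + size > len(cache):
            break
        records.append((start, cache[start:start + size]))
        off = start + size
    return records, off

def build_cache(blocks, xorkey: int) -> bytes:
    """Bot-side framing, used only to construct a sample cache file."""
    return b"".join(struct.pack("<I", len(b) ^ xorkey) + b"\x00" + b for b in blocks)

def runtime_stub(xorkey: int, length: int = 0x200) -> bytes:
    """Constructed runtime-data block with only the XORkey filled in (test data)."""
    buf = bytearray(length)
    struct.pack_into("<I", buf, XORKEY_OFFSET, xorkey)
    return bytes(buf)

if __name__ == "__main__":
    key = 0xDEADBEEF                                   # constructed
    cache = build_cache([b"\x11" * 10, b"\x22" * 3], key)
    for offset, block in split_cache(cache, read_xorkey(runtime_stub(key)))[0]:
        print(f"encrypted block at {offset:#x}, {len(block)} bytes")
```

The separator byte and the bounds check are the only structure available before decryption, so they double as a test that you read the XOR key from the right runtime-data block: with the wrong key the very first decoded size is wildly out of range and nothing is returned.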
24
IceIX
• Same goals
○ Config file URL
○ Retrieve, decrypt, decipher config file
○ Assess stolen data – decrypt network traffic, cache file
○ Read runtime information
• How do we identify?
• What are the differences?

25
IceIX: Identification
• Config file URL by default ends with config.php
• Strings: "bn=1" and "&sk=1"
• Modified RC4 routine:

26
IceIX: Modifications
• RC4 changes
• Config file retrieval requires structured POST request

28
IceIX: Config file retrieval
• POST request requires special format or config file is not delivered
• POST data format: bn=<BOTID string>&sk=<MD5 of encrypted BOTID string>
• BOTID generated per machine, e.g.: MYPC_737574566769_474
• Encrypted using modified RC4 with key from StaticConfig
• All POST data encrypted before being sent

29
Citadel: Identification
• Giveaway string:
○ 'Coded by BRIAN KREBS for personal use only. I love my job & wife.'
• Version number:
• Maybe further strings:
○ cit_ffcookie.module, cit_video.module

30
Citadel: Modifications
• Encryption process rewritten – AES + RC4, multiple keys
• Formatted POST request for config file retrieval
• Backup config file URLs

31
Citadel: Encryption process
• RC4 has XOR on top with LOGIN_KEY
○ Extra key generated at build time, e.g.:
○ "C1F20D2340B519056A7D89B7DF4B0FFF"
• Config data encrypted with AES
• Network traffic requires generating a new RC4 key

32
Citadel: Config file retrieval
• Extra non-standard permutation
• Need to extract salt value
• All network traffic encrypted in this way

33
Citadel: POST data
• Formatted similar to config data – header with 2 data blocks
• Block ID 0x2725 – contains the login_key
• Block ID 0x2726 – file name from config URL:
○ http://pubber.ru/images/greater/wisdom/file.php|file=config.dll
○ Everything after the '|' goes in the block data

34
Citadel: POST data custom permutation
• Switch case based on DWORD value:

35
Citadel: POST data custom permutation
• Python:

36
Citadel: Config file decryption
• RC4 key from StaticConfig
• login_key
• 128-bit config XOR key

37
Citadel: Extra config key
• Found in the AES routine:

38
Gameover/P2P: Identification
• Command strings used in the P2P protocol:
○ OPTIONS
○ PROPFIND
○ PROPPATCH
○ SEARCH
○ UNLOCK
○ REPORT
○ MKACTIVITY
○ CHECKOUT
○ M-SEARCH
○ NOTIFY
○ SUBSCRIBE
○ UNSUBSCRIBE

39
Gameover/P2P: Modifications
• Static peer list
○ Each peer has its own RC4 key
• Connect to P2P network to retrieve config
• Zlib compression
• https://github.com/arbor/zeus_gameover-re
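The identification slides (IceIX on slide 25, Citadel on slide 29, Gameover on slide 38) together with the slide 15 regexp amount to a triage rule: before choosing which key-extraction path to run, decide which variant a dump is. The following is an added example, not the talk's tooling, that applies exactly those indicators to a raw process or memory dump and reports the family plus the offset of the StaticConfig-loader code pattern. The minimum hit count for the Gameover command strings is a constructed choice: several of them are ordinary WebDAV and SSDP verbs that legitimate software also contains, so one or two hits prove nothing. The sample byte strings in the test are constructed, not taken from real samples.

```python
import re

# Added example, not the talk's tooling: tag a process dump by the variant
# indicators the slides give (IceIX slide 25, Citadel slide 29, Gameover
# slide 38) plus the Zeus 2.0.8.9 StaticConfig-loader regexp from slide 15.
# Matching is done on raw bytes so it works on a memory or process dump.

# Slide 15 pattern with its backslashes restored; re.DOTALL lets '.' match any byte.
ZEUS_LOADER_RE = re.compile(
    rb"[\x50-\x57][\xb8-\xbf].{2}\x00\x00[\x50-\x57]\x68.{4}"
    rb"[\x50-\x57]\xe8.{4}\x8b.{5}\x03", re.DOTALL)

CITADEL_STRINGS = (
    b"Coded by BRIAN KREBS for personal use only. I love my job & wife.",
    b"cit_ffcookie.module", b"cit_video.module")
ICEIX_STRINGS = (b"bn=1", b"&sk=1", b"config.php")
GAMEOVER_COMMANDS = (b"OPTIONS", b"PROPFIND", b"PROPPATCH", b"SEARCH", b"UNLOCK",
                     b"REPORT", b"MKACTIVITY", b"CHECKOUT", b"M-SEARCH", b"NOTIFY",
                     b"SUBSCRIBE", b"UNSUBSCRIBE")
# Constructed threshold: many of these are plain WebDAV/SSDP verbs, so require
# most of the set before calling a dump Gameover on strings alone.
GAMEOVER_MIN_HITS = 9

def classify_dump(dump: bytes) -> dict:
    """Return {'family', 'indicators', 'loader_offset'} for a raw dump.
    Citadel is tested first because it is itself 2.0.8.9-based and would also
    match the generic loader pattern; the same holds for IceIX and Gameover."""
    found = {
        "Citadel": [s for s in CITADEL_STRINGS if s in dump],
        "IceIX": [s for s in ICEIX_STRINGS if s in dump],
        "Gameover/P2P": [s for s in GAMEOVER_COMMANDS if s in dump],
    }
    m = ZEUS_LOADER_RE.search(dump)
    loader_off = m.start() if m else None
    if CITADEL_STRINGS[0] in dump or len(found["Citadel"]) >= 2:
        family = "Citadel"
    elif b"bn=1" in dump and b"&sk=1" in dump:
        family = "IceIX"
    elif len(found["Gameover/P2P"]) >= GAMEOVER_MIN_HITS:
        family = "Gameover/P2P"
    elif loader_off is not None:
        family = "Zeus 2.0.8.9-based"
    else:
        family = "unknown"
    return {"family": family, "indicators": found, "loader_offset": loader_off}

if __name__ == "__main__":
    # Constructed dump: a few bytes shaped like the slide-15 loader sequence.
    sample = b"\x90" * 8 + b"\x50\xb8\x01\x02\x00\x00\x51\x68AAAA\x52\xe8BBBB\x8bCCCCC\x03"
    print(classify_dump(sample))
```

The `loader_offset` is the starting point for the slide 15 procedure: the instruction sequence the regexp finds references the StaticConfig block and its XOR key, so the same scan that classifies the dump also tells you where to start pulling the config URL from.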
40
KINS/VMZeus: Modifications
• VM based StaticConfig decryption
• Embedded byte code determines which VM handler is executed on which byte of ciphertext
• Embedded opcode handler table
• Each element of bytecode is an index into the handler table

41
KINS/VMZeus: Identification
• Find the entry to the VM handler:

42
KINS: Key extraction
• RC4 key is in the StaticConfig but now much harder to decrypt
• Need to replicate the handler sequence by running the bytecode through the handler table
• Leaked KINS source: source/common/configcrypt.cpp
• But handler table order is shuffled by the builder, so we must work out the correct order dynamically for each sample
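The VM dispatch described on slides 40 and 42 in miniature, as an added example that is not KINS code: a bytecode array indexes a handler table, handler `bytecode[i]` is applied to ciphertext byte `i`, and replaying that sequence is the decryption. The four handlers, the bytecode, the key and the plaintext are all constructed toys, not the real handlers in `source/common/configcrypt.cpp`. The second function shows one way to deal with the builder shuffling the table per sample when you can only recognise correct output (here a known marker at the start of the plaintext, which is an assumption): try each ordering of the sample's handlers and keep the one that produces valid output. The talk does not say how the order was recovered; this is an illustration of the problem, not the speaker's method.

```python
from itertools import permutations

# Toy model of KINS/VMZeus StaticConfig decryption (slides 40-42). Added
# example; handlers, bytecode and key are constructed, not KINS's real ones.

# Decrypt-side handlers: (ciphertext byte, key byte) -> plaintext byte.
def h_xor(c, k): return c ^ k
def h_sub(c, k): return (c - k) & 0xFF
def h_ror(c, k):
    r = k & 7
    return ((c >> r) | (c << (8 - r))) & 0xFF
def h_not(c, k): return (~c) & 0xFF

# "Source order" of the handler table, i.e. what the leaked source would show.
REFERENCE_TABLE = (h_xor, h_sub, h_ror, h_not)

# Inverse (encrypt-side) handlers, used only to construct a sample ciphertext.
def e_xor(p, k): return p ^ k
def e_add(p, k): return (p + k) & 0xFF
def e_rol(p, k):
    r = k & 7
    return ((p << r) | (p >> (8 - r))) & 0xFF
def e_not(p, k): return (~p) & 0xFF
ENCRYPT_TABLE = (e_xor, e_add, e_rol, e_not)

def vm_run(bytecode, table, data: bytes, key: bytes) -> bytes:
    """Slide 40: bytecode[i] is an index into the handler table and selects the
    handler applied to data[i]; the key byte cycles with the position."""
    if len(bytecode) != len(data):
        raise ValueError("bytecode must name one handler per data byte")
    out = bytearray()
    for i, (op, c) in enumerate(zip(bytecode, data)):
        if op >= len(table):
            raise ValueError(f"opcode {op} outside handler table of {len(table)}")
        out.append(table[op](c, key[i % len(key)]))
    return bytes(out)

def recover_table_order(bytecode, sample_handlers, ciphertext, key, looks_valid):
    """Slide 42: the builder shuffles the table, so the slot-to-handler mapping is
    unknown per sample. Given the set of handlers and a check on valid output,
    try every ordering and return (ordering, plaintext) for the first that passes."""
    for order in permutations(sample_handlers):
        pt = vm_run(bytecode, order, ciphertext, key)
        if looks_valid(pt):
            return order, pt
    return None, None

if __name__ == "__main__":
    key = b"\x13\x37\x42"                       # constructed
    bytecode = [0, 1, 2, 3, 0, 2, 1, 3]          # constructed
    ct = vm_run(bytecode, ENCRYPT_TABLE, b"RC4KEY!!", key)
    shuffled = (h_not, h_ror, h_xor, h_sub)      # as a builder might lay the table out
    order, pt = recover_table_order(bytecode, shuffled, ct, key,
                                    lambda p: p.startswith(b"RC4KEY"))
    print([f.__name__ for f in order], pt)
```

With four handlers there are only 24 orderings; a real table is larger and the handlers must first be classified from their disassembly, but the structure of the problem is the same: the bytecode is fixed per sample, the table is the unknown, and valid output is the oracle.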
44
Automation
• As part of sandbox analysis – e.g. Cuckoo
○ Process dump
○ Key extraction and data decryption as part of a processing module
○ Analyzer module to perform the retrieval for non-executing samples
• Volatility
○ Key and data extraction from a memory dump
○ https://code.google.com/p/volatility/source/browse/trunk/contrib/plugins/malware/zeusscan.py

46
Conclusion
• Many successful and widespread variants spawned from Zeus code
• More builders and source code leaked, many variants still being actively developed
• Despite some significant modifications, new variants are incremental
• Tools can be updated relatively easily for modifications

47
© Sophos Ltd. All rights reserved.

Editor's notes

1. Typical weekly breakdown of Zeus variants seen by SophosLabs.
2. Ref: http://nakedsecurity.sophos.com/2012/12/05/the-citadel-crimeware-kit-under-the-microscope/