Evolution, ramification and reflections on Zeus.

After some years as the prevailing king of the banking Trojans, in recent months there has been lots of talk about the possibility of radical changes in ZeuS itself, and in this post I am going to try to give my opinion about the most important aspects of the subject.
  • A possible merger with SpyEye?
Firstly, there was talk of the possible release of the ZeuS source code to the creators of SpyEye, leading to talk of the disappearance of ZeuS and the evolution of SpyEye in its place. While it is true that SpyEye has evolved and certain characteristics pertaining to ZeuS have been seen in SpyEye versions (indeed, some servers seem to have 2 front ends for the same database), the reality is that both Trojans are still being used separately and that each one has evolved.
As may be expected, improvements will be implemented that are both easily achievable and the creator feels add value to the piece of malware. Now that the ZeuS source code has been made public, it is likely that we will see parts of ZeuS used in other malware samples, but ZeuS will remain as active as ever.
  • Ramifications of the publication of the source code?
As everyone knows, version source code was made public, which led to fears of a proliferation of modified versions. It is a reasonable fear, but given that the underground world is so specialized, it is probable that the biggest users of ZeuS kits do not have the necessary technical knowledge to personalize the botnet as they would like.
There is no doubt that people with the capability for the task exist, but it is not straightforward and whoever does it should profit from its sale. There are few groups that have a solid knowledge base and the necessary resources of time and effort needed to take this step. For these reasons, I do not believe that by the end of the year there will be 100 new variants of ZeuS, although it would not surprise me to find 2 or 3, possibly more given that we have already seen some new versions recently.
  • ZeuS v2.1 and the challenges it poses.
As has been discussed in depth, versions 2.1 of Zeus (known as Licat and Murofet), contain characteristics that vary substantially from the usual ZeuS:
  • The generation of domain names based on the date (in case the configured, default domain name does not work).
  • Changes in the configuration file:
    1. Identification codes of new sections can be found.
    2. The URL for the binary update, configuration and C&C are not hardcoded, as they are generated with the algorithm mentioned above.
    3. Some sections of the configuration file have extra encryption besides the XOR and RC4 layers usually found in the Zeus 2.0.x family.
Besides these versions, we have observed versions 2.1.x that do not share these characteristics and apparently belong to the natural evolution of ZeuS.
In the modified version, due to the use of a domain name algorithm, I dare say that it belongs to a personalized version of ZeuS, modified by a specific group and not an evolution of the, shall we say, core version.
Adding a date based domain name generation means centralizing the control panel and therefore selling it as a malware kit no longer makes sense. Of course, this could be removed from the generation of domain names, as besides the date, it can use a key to personalize the algorithm, but it seems that is not the case.
Without making a complete analysis of domain name generation, I would say that the campaign of personalizing versions belongs to the owners of the same campaigns from the end of last year (when, in fact, the ZeuS code was still not public). I base this on 3 details:
  1. The same modus operandi, with a hardcoded domain name and the generation of domain names based on the current date, in case the initial domain does not respond.
  2. A limitation to, supposedly, 1020 values based on the current minute.

  3. Checks to see if the year is less than 2010 (and not 2011)

Mikel Gastesi

S21sec e-crime
Recommended Posts

Leave a Comment