New GOZ first steps

From the very beginning of the operation against the infamous Murofet/Gameover/ZeusP2P banking trojan (known as Operation Tovar), the botnet's growth has stalled and it seems to have been abandoned since then. Instead of recovering control over the botnet, it seems that the botmasters (or new ones) have decided to build a new botnet from scratch using a new GOZ version. We will analyze the main new features throughout the post.

Communication:

  • The new trojan has replaced the peer-to-peer (P2P) mechanism with a fast-flux network driven by a new domain generation algorithm (DGA).
  • The public key embedded in the trojan (which is XORed in the same way as before) is no longer used to verify the signature of the resources exchanged via P2P. It is now used as part of the classic symmetric + asymmetric communication scheme, in which the payload is encrypted with a symmetric key while the randomly generated symmetric key is encrypted with the public key before it is sent to the command and control server. The scheme is similar to the one used, for instance, by Cryptolocker (Murofet related) or Cridex/Bugat/Feodo/Geodo.

Since the DGA is based on a hardcoded seed, creating a new botnet is just a matter of changing both the seed and the public key in the binary.
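The seed dependence described above can be illustrated with a small piece of defender-side tooling. The following Go program is an added example; it is not GOZ's DGA and not code from the original post. The algorithm it implements (SHA-256 over a seed and the date), the seeds and the date are all constructed for illustration. It enumerates the candidate domains an analyst would hand to a sinkhole or blocklist for a known seed, and shows that a binary shipped with a different seed produces a completely disjoint list, which is why swapping the seed is enough to start a fresh botnet.

```go
package main

import (
	"crypto/sha256"
	"encoding/binary"
	"fmt"
	"time"
)

// Hypothetical seed-driven DGA for illustration only; it is NOT the algorithm
// used by GOZ. It mixes a hardcoded seed with the current date and hashes the
// result, so the candidate domains are reproducible by anyone holding the seed.
var tlds = []string{"com", "net", "org", "biz"}

// generateDomains returns count candidate domains for the given seed and date.
func generateDomains(seed uint32, date time.Time, count int) []string {
	domains := make([]string, 0, count)
	y, m, d := date.Date()
	for i := 0; i < count; i++ {
		var buf [16]byte
		binary.LittleEndian.PutUint32(buf[0:], seed)
		binary.LittleEndian.PutUint32(buf[4:], uint32(y))
		binary.LittleEndian.PutUint32(buf[8:], uint32(m))
		binary.LittleEndian.PutUint32(buf[12:], uint32(d))
		h := sha256.Sum256(append(buf[:], byte(i)))
		// Turn the digest into a lowercase label of 12 to 20 characters.
		n := 12 + int(h[0]%9)
		label := make([]byte, n)
		for j := 0; j < n; j++ {
			label[j] = 'a' + h[1+j]%26
		}
		domains = append(domains, fmt.Sprintf("%s.%s", label, tlds[h[31]%uint8(len(tlds))]))
	}
	return domains
}

// overlap counts domains present in both lists. A blocklist built from one
// seed gives no coverage against a binary shipped with a different seed.
func overlap(a, b []string) int {
	seen := make(map[string]bool, len(a))
	for _, d := range a {
		seen[d] = true
	}
	n := 0
	for _, d := range b {
		if seen[d] {
			n++
		}
	}
	return n
}

func main() {
	day := time.Date(2014, time.July, 15, 0, 0, 0, 0, time.UTC) // constructed date
	oldBotnet := generateDomains(0x2A2A2A2A, day, 1000)          // constructed seed
	newBotnet := generateDomains(0x1337BEEF, day, 1000)          // constructed seed
	fmt.Println("first candidates for seed 0x2A2A2A2A:", oldBotnet[:3])
	fmt.Println("domains shared with seed 0x1337BEEF:", overlap(oldBotnet, newBotnet))
}
```

Run it with `go run`; the shared-domain count comes out as zero, so a list precomputed for the original seed has to be regenerated for every new seed that appears in the wild.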

Encryption:

Although the cipher has been kept largely unchanged, there have been some modifications due to the new communication scheme described above. In short:

  • RC4 is kept for the configuration stored in the system registry.
  • Communication with the command and control panel is now based on AES256 + RSA.
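The symmetric + asymmetric exchange described above, written out as an added Go example (not code from the original post or from the trojan): the bot generates a fresh AES-256 session key, encrypts the payload with it, wraps the key with the RSA public key shipped in the binary and sends both; only the panel, which holds the private key, can unwrap the session key. RSA-OAEP, AES-GCM and the envelope layout are assumptions chosen for this example; the post does not state GOZ's actual modes or framing. The point for an analyst is the last step in `main`: with only the public key recovered from a sample, captured traffic cannot be decrypted.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"io"
)

// Envelope is what crosses the wire: the RSA-wrapped session key followed by
// the AES payload. Field layout and modes (RSA-OAEP, AES-256-GCM) are
// assumptions for this example, not GOZ's format.
type Envelope struct {
	WrappedKey []byte // random AES-256 key encrypted with the panel's public key
	Nonce      []byte // GCM nonce
	Ciphertext []byte // payload encrypted with the session key
}

// sealEnvelope is the bot side: only the public key embedded in the binary is needed.
func sealEnvelope(pub *rsa.PublicKey, payload []byte) (*Envelope, error) {
	key := make([]byte, 32) // AES-256 key, fresh for every message
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{
		WrappedKey: wrapped,
		Nonce:      nonce,
		Ciphertext: gcm.Seal(nil, nonce, payload, nil),
	}, nil
}

// openEnvelope is the panel side: the private key never leaves the C2, which is
// why a sample plus a traffic capture alone do not let an analyst read the payload.
func openEnvelope(priv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	key, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, env.WrappedKey, nil)
	if err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
}

func main() {
	panelKey, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the panel's key pair
	env, _ := sealEnvelope(&panelKey.PublicKey, []byte("constructed report: bot_id=TEST01"))
	fmt.Printf("wrapped key %d bytes, ciphertext %d bytes\n", len(env.WrappedKey), len(env.Ciphertext))
	plain, _ := openEnvelope(panelKey, env)
	fmt.Println("panel reads:", string(plain))
	// Anyone without the panel's private key (another botnet's operator, or an
	// analyst holding only the public key from the binary) gets an error.
	otherKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	_, err := openEnvelope(otherKey, env)
	fmt.Println("decrypt with wrong private key fails:", err != nil)
}
```

Because the session key is random per message, two identical reports produce unrelated ciphertext on the wire, so detection has to rely on the envelope structure, the DGA domains or host-side behaviour rather than on payload signatures.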

Configuration:

The configuration has remained largely unchanged. In fact, most injections and target entities are old, and they even contain variables that belong to features no longer present in the current version, such as those related to the P2P proxy.

Therefore, it seems that we are facing a lite version of GOZ which, somehow, reminds us of Licat, its predecessor. Far from reducing the prominence of the trojan, even if the configuration files may lead us to think that it has been released in haste, features such as the DGA seed may lead to a boom of new GOZ botnets, starting a new cat-and-mouse chase.

Santiago Vicente
