Testing your ZeuS variant?

The ZeuS source code leak is not recent, and we have seen new variants like Ice-IX or Citadel being widely used, but time to time we find a new trojan based on this source code.
Sometimes we see samples that seem to be used for testing purposes. In this case, we have seen one interesting sample based on ZeuS source code. It seems that it has been tested during last weeks, as compilation date is dated on April 9th.
It is funny to see how it sends debug information to a server that has been hardcoded, and which path is “/test/debug.php”. For example, once infected it encrypts this info with RC4:

[16:59:13] TC=0000000008, PID=0448(0x01C0), TID=1324(0x052C), LE=0(0x0), F=initUserData, FL=C:Zeus projectslastbot_chela_antirapport_with_x (512)..INFO:”0x2053D9C1″, coreData.currentUser.sessionId=”0″

It has some curious features that are not present in ZeuS, like detecting sandboxes, antivirus or antimalware software. For example, it is able to detect the usage of DeepFreeze or Wireshark, or if some “internal” stuff from SandBoxie, Anubis, or Camas sandboxes is found.  The searched patterns are encrypted (usual ZeuS string encryption), but their references are not encrypted, and we can inherit the behaviour of the trojan just taking a look to the strings.
It seems that it doesn’t like to work with other malware families, as some strings show that it tries to clean other infections, like ZeusV2 and SpyEye ones. 
SpyEye Kill Mutex Name: %hs                                   

SpyEye registry value: %s, path: %s                               


Zeus v2 deleted                             

Zeus v2 deleted

Of course, the name of the project by itself looks very interesting (“zeus projects”, “antirapport”, “with x64”, “chela”?):

C:Zeus projectslastbot_chela_antirapport_with_x64sourceclient…

The comments in the code shows very clearly the intention of the code. For example, regarding to Windows Firewall (windowsfirewall.cpp):

“Added exclusion for %s”

“Exclusion for %s is re-enabled”

“Exclusion for %s is already in the list”

“Firewall DONE”

And there are a lot of interesting strings:
In IE!

I’m a installer.                                   

I’m a loader. 

Current process started from system account. Installing to all users.

Malware report to server: %d                                   
Accepted client connection.                                    
Accepted new conection from bot (BotID: %s, IP: %s).                               
Accepted new conection from client (IP: %s), but bot not connected! Disconnecting client!

Nothing to add, just “thank you developer” for doing (at least this time) our work easier.

Mikel Gastesi

Deja un comentario