Zeus PIF - The evolving strain looking to defeat your security software
Posted by Elad Sharf on 07 July 2014 07:04 PM
Websense Security Labs™ have identified a Zeus strain that implements information stealing procedures that appear to be an evolution of the 'DNA' of previous emerging Zeus variants. The Zeus variants in the campaign we're about to describe also appear to be using Zeus droppers that employ the hidden Windows 'PIF' file extension - a file extension that used to be popular many years back, that was often associated with viruses then, and that appears to be making a comeback.
Websense® ThreatSeeker® Intelligence Cloud has been tracking a malicious low volume email campaign over the last months that employs exploits and social engineering tricks to spread the evolving breed of the Zeus banking malware. Specifically, the Zeus variants spotted in the campaign have been seen to persistently evolve and adapt their methods to implement information stealing procedures (a.k.a. 'hooking procedures') that are a direct evolution of a previous variant dubbed 'Zberp'. This trend indicates a clear persistent effort to evade detection from client-side security software.
In this blog we're going to take a look at some email examples and prototype the lure emails that are part of this campaign. Furthermore, we're going to take a look at how we believe the actors behind the Zeus strain seen in the campaign modified Zeus' hooking routines persistently, and employed other tactics in order to evade detection by client-side security software and network-based security software.
Co-Writer: Nick Griffin.
The Lure Emails
The lure emails typically carry subjects designed to entice the target into downloading and running a file from a URL. For example, messages have been seen with subjects like "eFax message from fax #", "Payment confirmation", "Pending consumer complaint", "Failed delivery for package", etc. The email messages don't carry file attachments, but rather a URL link to a ZIP file that contains a PIF file, which is the Zeus Trojan dropper. PIF is another executable extension (like .exe, .scr, etc.) and it operates like other executable files. One direct advantage of the PIF file is that the extension stays hidden even if Windows is configured to show file extensions of known file types. The additional advantage of using PIF files in this campaign is that the lures are presented as 'PDF' files that are actually PIF files, a direct attempt to deceive the user in case they are able to see the extension.
At first we were surprised to see PIF files used with this campaign because PIF files are most often associated with old virus threats that existed many years ago, and the file extension is not often seen to be used by modern malware. PIF files (Program Information Files) were created to serve specific functionality that defines how a given DOS program should be run. PIFs are analyzed by Windows' ShellExecute function and are run as specified by their content, not extension, which makes them convenient to use in social engineering tricks because their file extension does not appear to the target, which improves the chances that the target will double-click on the file attempting to run it, thereby getting infected.
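The two points above, that the PIF extension is hidden from the user and that Windows runs the file according to its content rather than its extension, suggest a simple mail-gateway check: open the ZIP, look at each entry's real extension and naming pattern, and look at the first bytes of its content. The following is an added example written for this post, not Websense's or the campaign's code; the archive is constructed in memory with a dummy 'MZ' stub named after the lure file quoted in this post, and the extension lists are the author's own choice.

```python
import io
import zipfile

# Extensions Windows will execute on double-click. .pif is shown without its
# extension even when "hide extensions for known file types" is switched off.
EXECUTABLE_EXTENSIONS = {".pif", ".exe", ".scr", ".com", ".bat", ".cmd", ".js", ".vbs"}
# Document types commonly borrowed as decoys in lure file names.
DECOY_EXTENSIONS = {".pdf", ".doc", ".docx", ".xls", ".txt", ".jpg"}


def classify_entry(name, head):
    """Return the reasons an archive entry looks like an executable lure (empty if none)."""
    reasons = []
    base = name.lower().rsplit("/", 1)[-1]
    parts = base.split(".")
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in EXECUTABLE_EXTENSIONS:
        reasons.append("executable extension %s" % ext)
    # "invoice.pdf.pif" style: a document extension right before the real one
    if len(parts) > 2 and "." + parts[-2] in DECOY_EXTENSIONS:
        reasons.append("document decoy before executable extension")
    # "pdf_something.pif" style: the document type used as a file name prefix
    stem = parts[0]
    for decoy in DECOY_EXTENSIONS:
        if stem.startswith(decoy[1:] + "_") or stem.startswith(decoy[1:] + "-"):
            reasons.append("document type '%s' used as filename prefix" % decoy[1:])
            break
    # Content wins over extension: every PE image starts with the DOS 'MZ' magic
    if head[:2] == b"MZ":
        reasons.append("PE header (MZ) in content")
    return reasons


def scan_zip(data):
    """Scan ZIP bytes and return {entry_name: [reasons]} for suspicious entries only."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                head = fh.read(64)
            reasons = classify_entry(info.filename, head)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_zip():
    """Constructed sample archive mirroring the campaign's naming; the 'MZ' stub is not a real program."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("pdf_canpost_RT000961269SG.pif", b"MZ" + b"\x00" * 62)  # constructed stub
        zf.writestr("readme.txt", b"plain text, nothing to see")
    return buf.getvalue()


if __name__ == "__main__":
    for entry, why in scan_zip(build_sample_zip()).items():
        print(entry, "->", "; ".join(why))
```

The content check is the one that matters: renaming the dropper to anything else does not change its 'MZ' header, which is exactly why ShellExecute still runs it.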
Zeus dropper inside the ZIP file (example):
The lure emails' content seems to be of good quality. The messages do not contain spelling mistakes and include, at times, pictures in order to appear more convincing (some example screenshots are included below). The URLs used in the messages that lead to Zeus Droppers appear to be of two kinds; some are URLs that were registered only for a few days, and some utilize compromised websites. The Zeus PIF dropper files, as often seen with modern malware, appear to be 'crypted', which is a term used to describe that the file was 'repackaged' for the purpose of evading antivirus detection and other file scanning solutions.
Last week we observed this campaign using email themes that appeal to Canadian targets, and we noticed that the dropped Zeus variants specifically targeted Canadian banks (more on that in the next section).
Here are a few VirusTotal references to the Zeus PIF Dropper included in this campaign and screenshots of the lure emails they were a part of:
Email subject: Failed delivery for package #1398402
File name: pdf_canpost_RT000961269SG.zip
VirusTotal detection rate: 2%
ThreatScope analysis: link
Email subject: Pending consumer complaint
File name: ftc_pdf_complaint.zip
VirusTotal detection rate: 11%
ThreatScope analysis: link
Email subject: Your Order #742830017 - PROCESSED
File name: pdf_eticket_QB742830017CA.zip
VirusTotal detection rate: 9%
ThreatScope analysis: link
Lure email examples:
Hooking Detection Evasion Evolution
Looking under the hood and digging into the Zeus binaries spreading throughout this campaign shows the efforts made to evade client-side security software, especially the security software that aims to alert on 'malicious hooks' - the places on the computer where the malware inserts procedures aimed to eavesdrop on legitimate processes like browsers. One interesting observation is that the code seems to be an evolution of the 'hooking' procedures used by the Zeus variant known as 'Zberp'. On top of the 'hooking' changes, it is interesting to see that the format of the configuration file is a modification of the one used by frequently seen Zeus variants. In the following screenshots you can see a snapshot series representing the evolution of the changing patterns aimed to evade detection as spotted with the Zeus PIF variants in this campaign in comparison to 'Zberp':
The Growing Importance Of SSL Content Inspection
Upon decryption of the Zeus configuration files used in this campaign, it's evident that the bot communicates and 'calls home' to its command and control servers using HTTPS. The Zeus configuration file contains a number of entries that indicate that HTTPS is utilized (HTTP + SSL encryption). Screenshots below show the URL the bot calls to download an update, and the URL the bot calls to drop stolen information.
After looking into the command and control domains, it was found that they all had valid and signed certificates, for a short period of 3 months, from a certification authority known as 'Comodo Essential SSL' (see screenshots of certificates below). Modern browsers normally give a layer of defense to browsing users against untrusted certificates by alerting and blocking access to the website, which unfortunately in this instance is not the case. This gives the actors behind this campaign another layer of resilience and anonymity because their malicious domains appear to be more trusted and at the same time pose a much bigger challenge to inspect because network communication is encrypted by SSL. This could explain why the domains involved with the variants we've looked into for this blog have low detection rates:
hxxps://billing-service.ru/skinny/phpinfo.php - VirusTotal detection rate: 4%.
hxxps://invoice-maker.ru/flash/flashplayer.exe - VirusTotal detection rate: 2%
hxxp://crypto-coinz.ru/pizza.jpg - VirusTotal detection rate: 2%
hxxps://secure-checker.com - VirusTotal detection rate: 2%
You may ask yourself: why is SSL inspection important? Imagine that you have a sandbox on your network that inspects executables passing through it. If your sandbox solution does not perform SSL inspection, it will never see a file that crossed the network encrypted with SSL. In this case the bot can update itself by downloading an executable over SSL, which defeats any sandbox that doesn't employ SSL inspection. For example: hxxps://invoice-maker.ru/flash/flashplayer.exe.
Zeus PIF variant configuration file:
Valid certificates employed by the command and control servers:
Zeus configuration file and the list of web injects targeting various banks in Canada:
Websense customers are protected against this threat with ACE, our Advanced Classification Engine, at the stages detailed below:
In this blog we covered a malicious email campaign that employs an evolving strain of the infamous Zeus malware. The campaign has been ongoing for months in bursts of low volume attacks that have been evolving to evade detection employed by client-side security software. The actors behind this campaign seem to be savvy and in-the-know regarding what is needed to accommodate durability and to sustain 'longer periods' of undetected covert activity from their main criminal tool, the Zeus bot. The persistence of the actors behind this campaign is represented in their continual effort to change and modify the 'DNA' of the Zeus bot in order to avoid detection and by utilizing other techniques, like command and control servers that utilize SSL to sustain the duration and success of their campaign, which has the ultimate purpose of data theft.
We also managed to connect the previously observed 'Zberp' Zeus strain to this campaign in terms of evolution. This shows that the 'cat and mouse' game is ever continuing. Because the Zeus source code was leaked back in 2011, many evolving variants of the bot started to spawn by different cyber-criminal groups. New variants have been given different names, and we believe the list of variants is going to grow. Strains that may at first look quite different, often have the familiar Zeus at their core. Tracking and dissecting the evolution of a malware strain allows us to know exactly the technological challenges that come with it and what is required to stop it.
Zberp - is there anything to fear?
Posted by ngriffin on 18 June 2014 08:01 PM
Websense Security Labs™ see a lot of new malware names on a daily basis. Some are brand new and unique, and others are spin-off variants of well known malware. Recently the name 'Zberp' appeared in the media, with reports suggesting it combines some of the most powerful features of the Zeus and Carberp malware. But how different is it from Zbot, and what advanced features does it possess? In this blog, we will detail the features of 'Zberp', explain how to protect ourselves from it, and reveal why the hype surrounding it is somewhat unfounded.
In our previous blog on Zeus GameOver we saw an increase in that particular variant during April and May but as we can see in the following heatmap, the popularity of Zeus variants in general has decreased since the large spikes we saw at the end of February and throughout March.
Identification - same old Zeus?
Firstly, we need to check whether this is actually a known Zeus variant. Uploading a sample of Zberp to Zeus tracker suggests that it is indeed the KINS variant:
KINS is also known as 'ZeusVM' in the security community and has been well documented in the past. Its features include the usage of a virtual machine code obfuscation to execute code using (and abusing) a commercial product known as 'VMProtect', and hiding the download of its configuration file in images with a well known technique called steganography. Also seen in some KINS versions is the ability to hide its registry modifications that allow it to be launched on start-up, an interesting persistence feature that makes it a bit more challenging to detect. However, the underlying malware dubbed 'Zberp' is almost identical to Zeus and has no behavioral differences, so what is different after all? Let's have a deeper look.
Dumping the configuration file from Zberp shows us that the version number is 188.8.131.52, a common KINS version. Unsurprisingly, the configuration file format itself is very much the same as many other Zeus variants:
VERSION: 184.108.40.206
BOT URL: https://bloggershop.co.vu/idcon/driver/load.exe
COMMAND AND CONTROL URL: https://bloggershop.co.vu/idcon/static.php
...
Evasion Techniques & Unique Features
'Zberp' has a slight change to the code that handles its hooks. Before we dive a bit deeper, what exactly does hooking do in a malware context? In short, hooking is a technique used by malware to 'spy' on the victim's actions and subsequently steal relevant information. In simple terms, think of opening your banking website in your browser: the data that goes to and is received from the banking website can be intercepted using hooking at the application level (this means it subverts any SSL encryption too, because the data is read before it is encrypted and after it is decrypted). Back to our analysis, a typical KINS/Zeus hook on the HttpSendRequest Windows API looks like this:
Whereas a 'Zberp' hook is quite different:
The 'handler' is the part of the hook that utilises and intercepts the information from the API. The purpose of changing the hook in the manner shown is presumably to hinder detection from antivirus products or specific products aimed at identifying financial malware that targets bank-related credentials and other confidential data. The style of hook is indeed similar to how the Carberp malware works and may have been taken from the leaked Carberp source code.
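Products that alert on 'malicious hooks' typically do what the screenshots above let an analyst do by eye: compare the first bytes of an API such as HttpSendRequest as they sit in process memory with the bytes of the same function in the module on disk, and, if they differ, decode where the patched prologue transfers control. The following is an added example written for this post rather than code from Zberp, Zeus or any product; the module address range, the function address, the handler address and the clean `mov edi,edi; push ebp; mov ebp,esp` prologue are all constructed, and the hook is modelled as a plain x86 `JMP rel32`, the classic Zeus style shown in the first screenshot.

```python
import struct

# Clean prologue that opens many Win32 API functions: mov edi,edi; push ebp; mov ebp,esp (constructed reference)
CLEAN_PROLOGUE = bytes.fromhex("8BFF558BEC")

# Constructed addresses standing in for wininet.dll, HttpSendRequestA and an injected handler
MODULE_RANGE = (0x77A00000, 0x77B00000)
FUNCTION_ADDRESS = 0x77A0F000
HANDLER_ADDRESS = 0x00401000

# What memory would look like after a 5-byte JMP rel32 hook is written over the prologue
HOOKED_MEMORY = b"\xE9" + struct.pack("<i", HANDLER_ADDRESS - (FUNCTION_ADDRESS + 5))


def decode_redirect(mem, address):
    """If the first bytes of `mem` transfer control elsewhere, return (kind, target), else None."""
    if len(mem) >= 5 and mem[0] == 0xE9:                       # JMP rel32: target is relative to the next instruction
        rel = struct.unpack_from("<i", mem, 1)[0]
        return ("jmp rel32", (address + 5 + rel) & 0xFFFFFFFF)
    if len(mem) >= 6 and mem[:2] == b"\xFF\x25":               # JMP [abs32]: report the pointer slot being read
        return ("jmp [mem32]", struct.unpack_from("<I", mem, 2)[0])
    if len(mem) >= 6 and mem[0] == 0x68 and mem[5] == 0xC3:    # PUSH imm32; RET
        return ("push/ret", struct.unpack_from("<I", mem, 1)[0])
    if len(mem) >= 7 and mem[0] == 0xB8 and mem[5:7] == b"\xFF\xE0":  # MOV EAX,imm32; JMP EAX
        return ("mov eax/jmp eax", struct.unpack_from("<I", mem, 1)[0])
    return None


def check_prologue(name, address, mem_bytes, disk_bytes, module_range):
    """Compare the in-memory copy of a function with its on-disk bytes and classify any patch."""
    result = {
        "function": name,
        "patched": mem_bytes[:len(disk_bytes)] != disk_bytes,
        "kind": None,
        "target": None,
        "outside_module": False,
    }
    if not result["patched"]:
        return result
    redirect = decode_redirect(mem_bytes, address)
    if redirect is None:
        result["kind"] = "unknown patch"      # bytes differ but no recognised jump at the entry point
        return result
    result["kind"], result["target"] = redirect
    low, high = module_range
    # A jump that leaves the owning module is the strongest signal of an injected handler
    result["outside_module"] = not (low <= result["target"] < high)
    return result


if __name__ == "__main__":
    print(check_prologue("HttpSendRequestA", FUNCTION_ADDRESS, HOOKED_MEMORY, CLEAN_PROLOGUE, MODULE_RANGE))
    print(check_prologue("HttpSendRequestA", FUNCTION_ADDRESS, CLEAN_PROLOGUE, CLEAN_PROLOGUE, MODULE_RANGE))
```

Because `check_prologue` compares as many bytes as you hand it from disk, passing the whole function body rather than the first five bytes also catches a patch placed deeper in the function, which is the kind of change the Zberp screenshot illustrates; the redirect decoder then simply reports "unknown patch" when the entry point itself is untouched.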
'Zberp' also uses SSL for its command and control (C&C) communication, but this has been seen before in other variants. We have not seen any usage of valid certificates for this, though. Typically the certificates used are self-signed or non-valid certificates that were stolen or re-used from other domains. One way to check the validity of the certificate is by browsing to the domain through a browser that employs certificate checks which will result in a certificate warning:
There are also the usual KINS features such as steganography and stealth registry keys. Steganography is used to disguise the configuration file that is downloaded over the network, causing many security solutions to believe it is a normal image file. However, the RC4-encrypted configuration is appended to the image in base64 encoded format. The registry keys used for its persistence are deleted on system startup and only written back into the registry upon shutdown, evading any scans that may detect them.
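The steganography described above leaves a recoverable trace: the image itself is well formed, but data continues past the point where the format says the image ends. A network sensor or sandbox can therefore parse the image structure, take whatever trails the terminating chunk, base64-decode it and, with the bot's RC4 key recovered from the sample, read the configuration. The following is an added example written for this post and not KINS, Zberp or Websense code; the 1x1 PNG, the RC4 key and the configuration text are all constructed, and PNG is used because its IEND chunk gives a clean end-of-image marker (for a JPEG the same idea applies after the FFD9 end-of-image marker). RC4 is implemented in full, which also illustrates the algorithm the protection section below names as one of Zeus' identifying traits.

```python
import base64
import struct
import zlib

PNG_SIGNATURE = b"\x89PNG\r\n\x1a\n"

# Constructed key and configuration; a real sample's key is recovered from the binary.
SAMPLE_KEY = b"constructed-rc4-key"
SAMPLE_CONFIG = b"url_config=https://c2.example.invalid/static.php\nurl_loader=https://c2.example.invalid/load.exe\n"


def rc4(key, data):
    """Plain RC4 (key scheduling + keystream); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def png_chunk(ctype, body):
    """Length, type, data and CRC-32 over type+data, as the PNG format requires."""
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", zlib.crc32(ctype + body) & 0xFFFFFFFF)


def png_image_end(data):
    """Walk the chunk list and return the offset just past IEND, or None if this is not a complete PNG."""
    if not data.startswith(PNG_SIGNATURE):
        return None
    pos = len(PNG_SIGNATURE)
    while pos + 8 <= len(data):
        length, ctype = struct.unpack_from(">I4s", data, pos)
        end = pos + 12 + length          # 4 length + 4 type + data + 4 CRC
        if ctype == b"IEND":
            return end
        pos = end
    return None


def extract_trailer(data):
    """Bytes that follow the end of the image; a legitimate file has none."""
    end = png_image_end(data)
    if end is None or end >= len(data):
        return b""
    return data[end:]


def recover_config(data, key):
    """Trailer -> base64 decode -> RC4 decrypt, or None when no valid trailer exists."""
    trailer = extract_trailer(data).strip()
    if not trailer:
        return None
    try:
        ciphertext = base64.b64decode(trailer, validate=True)
    except ValueError:                    # binascii.Error is a ValueError: not base64, so not this scheme
        return None
    return rc4(key, ciphertext)


def build_sample_image(hide_config=True):
    """Constructed 1x1 greyscale PNG, optionally with the encoded configuration appended."""
    ihdr = struct.pack(">IIBBBBB", 1, 1, 8, 0, 0, 0, 0)       # width, height, bit depth, colour type, ...
    idat = zlib.compress(b"\x00\x00")                          # filter byte + one pixel
    png = PNG_SIGNATURE + png_chunk(b"IHDR", ihdr) + png_chunk(b"IDAT", idat) + png_chunk(b"IEND", b"")
    if hide_config:
        png += base64.b64encode(rc4(SAMPLE_KEY, SAMPLE_CONFIG))
    return png


if __name__ == "__main__":
    image = build_sample_image()
    print("trailer bytes:", len(extract_trailer(image)))
    print(recover_config(image, SAMPLE_KEY).decode())
```

The useful detection signal here is the trailer itself, not the decryption: an image download whose bytes continue past IEND (or past a JPEG's FFD9) is worth flagging whether or not the key is known.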
Protecting from Zeus - why is SSL inspection essential?
It may seem like a difficult task to reliably detect and prevent a Zeus infection, especially considering the advanced and differing techniques that each variant employs. However, Zeus is still Zeus and can be prototyped as such. Websense ACE, our Advanced Classification Engine, is designed and pre-loaded with the ability to stop Zeus infections and attempted infections in real time.
The use of SSL in Zeus variants can be countered with real-time SSL inspection of HTTPS connections; this extra layer of security for the protocol can include checks for certificate validity and certificate revocation lists (CRLs). The network traffic generated and relied upon by Zeus, including its attempts to download a configuration file and upload stolen information at the 'call home' stage, is prototyped and can be identified in real time. For example, one of the traits that allows us to identify Zeus is the way it transmits data encrypted with the RC4 algorithm, which in conjunction with other features allows ACE to prototype its communication patterns. Finally, most Zeus variants exhibit certain dynamic behavioral patterns that allow them to be identified with an application sandbox, such as our Websense® TRITON® ThreatScope™ solution.
Websense customers are protected with ACE, our Advanced Classification Engine, at the stages detailed below:
Websense customers are also protected with ThreatScope behavioral analysis at stage 5, which identifies Zberp as malicious:
Here is the full ThreatScope report.
A Few Words About Data Theft as a Service
The Zeus family is well known as a banking trojan, and in recent times we have seen the use of 'automated transfer scripts' ('ATS') that do all of the dirty work. 'ATS' is a way of hijacking a browser in order to force it to include external scripts when browsing to specific websites. Typically, these scripts are provided as a service by 3rd party malware authors and kept up to date when banking websites change.
For example, Zeus-based malware may detect when a browser is loading a banking website and trick it into using a script from an external source (a 3rd party delivering the script as a service). This external script may contain tailored code that modifies the target banking website and captures personal information like usernames and passwords. These scripts can be offered as a premium service to users of the malware, where all of the captured information is stored on their personal account and they are given a login to access it. This is a typical example of the increasing move by malware authors to offer paid-for services and products that are much like a legitimate, professional business.
While we do see a new type of hooking code employed in Zberp, it is still basically the KINS variant of Zeus. The use of steganography, hiding registry keys, and using SSL for C&C communication are nothing new but are still noteworthy features. We expect to see a continuing use of the Zeus malware framework, including more variants and modifications, in this never-ending cat-mouse saga. However, when the underlying framework is properly understood and prototyped it is straightforward to protect against.