Last week the website belonging to TechCrunch Europe had malicious code planted on it, the payload of which was a variant of Zbot – Troj/Zbot-YP.
There are several interesting aspects of this variant that are worth exploring in a little more detail.
Firstly, the version of Zbot (aka Zeus) in use is not the latest version 2 but rather an older incarnation of version 1.
The easiest way to tell the difference between version 1 and version 2 is the location that the binary is dropped to on the target system. Version 1 creates a file under %SYSTEM% called sdra64.exe (even older versions used ntos.exe and twext.exe), whereas version 2 creates a file in %APPDATA% with a random filename.
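The file-location check described above can be run over a file listing collected from a suspect machine. The following is an added example, not code from the original article: the label names, the sample listing and the mapping of %SYSTEM% and %APPDATA% to concrete directories are assumptions made for illustration.

```python
from pathlib import PureWindowsPath

# File names the article gives for Zbot version 1 droppers under %SYSTEM%.
V1_NAMES = {"sdra64.exe", "ntos.exe", "twext.exe"}
# Assumption: %SYSTEM% resolves to <drive>\Windows\System32.
SYSTEM_DIR = ("windows", "system32")
# Assumption: %APPDATA% is "Application Data" (XP) or "AppData\Roaming" (Vista+).
APPDATA_DIRS = (("application data",), ("appdata", "roaming"))


def _has_run(parts, run):
    """True if the directory components contain `run` as a contiguous sequence."""
    n = len(run)
    return any(tuple(parts[i:i + n]) == run for i in range(len(parts) - n + 1))


def classify(path):
    """Label one Windows path from a file listing (comparison is case-insensitive)."""
    p = PureWindowsPath(path)
    name = p.name.lower()
    dirs = [part.lower() for part in p.parent.parts]
    # Version 1: a known name sitting directly in the system directory.
    if name in V1_NAMES and tuple(dirs[-2:]) == SYSTEM_DIR:
        return "zbot-v1-indicator"
    # Version 2: random name, so only the location can be matched. Legitimate
    # software also keeps executables here, hence "candidate", not a verdict.
    if name.endswith(".exe") and any(_has_run(dirs, d) for d in APPDATA_DIRS):
        return "zbot-v2-candidate"
    return "no-match"


def triage(paths):
    """Group a listing by label, dropping paths that match nothing."""
    hits = {}
    for path in paths:
        label = classify(path)
        if label != "no-match":
            hits.setdefault(label, []).append(path)
    return hits


# Constructed sample listing, not taken from a real host.
SAMPLE_LISTING = [
    r"C:\WINDOWS\system32\sdra64.exe",
    r"C:\WINDOWS\system32\notepad.exe",
    r"D:\quarantine\sdra64.exe",
    r"C:\Users\alice\AppData\Roaming\uxqoyb.exe",
    r"C:\Users\alice\AppData\Roaming\notes.txt",
]

if __name__ == "__main__":
    for label, found in triage(SAMPLE_LISTING).items():
        print(label, found)
```

A version 1 hit is a strong indicator because the name and location are fixed; a version 2 candidate only narrows down which files to examine further.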
But the most reliable way to tell the exact version of Zbot we are dealing with is by retrieving its configuration file and reading the value from the field used explicitly to indicate which version is being used.
The configuration file is essential to a successful Zbot deployment. It contains the address that stolen data is sent to, the location of new Zbot binaries to download, the location of backup configuration files, details on URLs to re-direct, details on which URLs should have extra code injected into their webpages and much more besides.
The Zbot sample used in the TechCrunch attack has its configuration file located on a domain registered in July of this year to an address in Beijing and hosted in Hong Kong.
Here is a snippet from the decrypted configuration file (domains removed):
Here you can see that the version is “0102010A” (little endian). Version 2 samples will have a version number similar to “02000006”.
The other interesting thing about this Zbot sample is that the whole configuration file is relatively small compared to most normal configuration files.
We often see configuration files a few hundred kilobytes in size whereas this one is just under five KB when compressed and still under 18 KB decompressed.
Usually most of the configuration file will be taken up with the HTML code that the botnet owner wants to inject into certain webpages. We often see the botnet owner injecting different code into a huge array of different online banking webpages, and all that HTML and JavaScript takes up a lot of space.
Troj/Zbot-YP targets relatively few online banking websites and they are all located in the UK or Germany. Only barclays.co.uk, internetbanking.gad.de and citibank.de are specifically targeted.
So, despite the fact that the owners of this particular Zbot botnet managed to get their code onto the TechCrunch website and therefore potentially managed to infect huge numbers of computers with the Zbot payload, they don’t seem to have made much effort to maximise the revenue they could make out of each infected computer.
Typically we would see the configuration file containing several more entries with backup exe and configuration file download locations, so that the owners can still control the botnet if some of the C&C servers are taken down. We would also normally see many more banks targeted, so that the botnet owners can steal extra information such as PIN numbers, CCV numbers, social security numbers, etc. that users would not normally enter when logging in to their online bank accounts.
Perhaps the relatively vanilla nature of this Zbot was due to it being put together in a rush when they spotted the hole in TechCrunch’s website, or maybe some less professional bad guys got lucky. Anyhow, it’s not always necessary to have vast technical knowledge to cause a big splash in the malware world, as we can see from the impact of W32/Autorun-BHO, which, despite being a comparatively unsophisticated Visual Basic worm, has managed to considerably inconvenience corporate IT departments across the globe.