Saturday, March 28, 2009

Financial institutions targeted by the botnet Zeus. Part one

As I said in a previous post, Zeus is one of the most significant botnets because of the large number of nodes that make up its network. Although its origins date back to late 2007, the malware is currently being exploited actively and on a massive scale, expanding its range of attacks and fraudulent activities, with each node managed through a web interface.

So much so that its activities, beyond the malicious act of infection itself, include running a whole array of malicious scripts whose purposes range from mass infection of computers through trojans that exploit various known vulnerabilities to phishing attacks that clone the sites of banks and online payment systems around the world.

Knowing that Zeus is focused to a large degree on data theft, the obvious question after reading these short paragraphs is: how does Zeus obtain the information it needs from the victim's computer?

The answer to this mystery lies in its configuration file, which is stored encrypted. Once decrypted, the contents of the configuration file look like the following real-life example, which shows the information contained in the file cfg.bin (MD5: 905dfab98b33e750bf78c8b29765279b):
Config version: 1.0.3.7
Loader url: http://yourcatfree.cn/trashes/ldr.exe
Server url: http://theyourbest.cn/rssfeederd/stat1.php
Advanced config 1: http://greatyourway.cn/trashesgg2/cfg.bin
Advanced config 2: http://theyourown.cn/trashesff1/cfg.bin
Advanced config 3: http://adviceswarning.com/trashesrr5/cfg.bin
Advanced config 4: http://ispspartners.com/trashes6/cfg.bin
Advanced config 5: http://ispscenter.com/trashesrr3/cfg.bin
Advanced config 6: http://alleips.com/trashestt3/cfg.bin
Fake 1: 0 PG http://adultfriendfinder.com/go*|http://centralet.cn/1/1.php|291351|
Fake 2: 0 PG http://adultfriendfinder.com/search/g*|http://centralet.cn/1/1.php|291351|
Fake 3: 0 PG http://adultfriendfinder.com/search/p*|http://centralet.cn/1/1.php|291351|
Fake 4: 0 PG http://adultfriendfinder.com/cgi-bin/public/page.cgi?p=affiliate_multi*|http://centralet.cn/1/1.php|291351|
Fake 5: 0 PG http://staging.adultfriendfinder.com/search/g*|http://centralet.cn/1/1.php|291351|
Fake 6: 0 PG http://staging.adultfriendfinder.com/search/p*|http://centralet.cn/1/1.php|291351|
Fake 7: 0 PG http://www.adultfriendfinder.com/go*|http://centralet.cn/1/1.php|291351|
Fake 8: 0 PG http://www.adultfriendfinder.com/search/g*|http://centralet.cn/1/1.php|291351|
Fake 9: 0 PG http://www.adultfriendfinder.com/search/p*|http://centralet.cn/1/1.php|291351|
Fake 10: 0 PG http://www.adultfriendfinder.com/cgi-bin/public/page.cgi?p=affiliate_multi*|http://centralet.cn/1/1.php|291351|
Fake 11: 0 PG http://www.staging.adultfriendfinder.com/search/g*|http://centralet.cn/1/1.php|291351|
Fake 12: 0 PG http://www.staging.adultfriendfinder.com/search/p*|http://centralet.cn/1/1.php|291351|
Inject data 1: OK
Inject data 2: OK
Inject data 3: OK
Inject data 4: OK
Inject data 5: OK
Inject data 6: OK
Inject data 7: OK
Inject data 8: OK
Inject 1: https://www.e-gold.com/acct/balance.asp*|GPL|*|*
Inject 2: https://online.wellsfargo.com/das/cgi-bin/session.cgi*|GL|*|*
Inject 3: https://www.wellsfargo.com/*|G|*|*
Inject 4: https://online.wellsfargo.com/login*|GP|*|*
Inject 5: https://online.wellsfargo.com/signon*|GP|*|*
Inject 6: https://www.paypal.com/*/webscr?cmd=_account|GL|*|*
Inject 7: https://www.paypal.com/*/webscr?cmd=_login-done*|GL|*|*
Inject 8: https://www.gruposantander.es/bog/sbi*?ptns=acceso*|GP|*|*
Done!

In this way, through the advanced configurations that are exploited on the victim's computer, the Zeus trojan obtains sensitive information.
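To make the decrypted dump above usable for defence, here is an added example (not code from the blog or from Zeus itself) that parses the text layout shown on the page ("Fake N: ..." and "Inject N: ..." lines with pipe-separated fields) into structured records. From those it lists the hostnames the config targets, so an institution can check whether its own login pages appear, and the hostnames of the infrastructure the config points victims to (loader, server, advanced config and redirect URLs), which are the values worth blocklisting. The sample dump is an abridged copy of the page's own example; the meaning of the letter flags (PG, GPL, GL, ...) is not described on the page, so the parser keeps them as opaque strings rather than guessing.

```python
"""Parse a decrypted Zeus configuration dump into structured records.

Added example, not the blog's or the malware's own code. It works on the text
layout shown on the page; the flag letters are kept opaque because the page
does not document them.
"""
import re
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Abridged copy of the page's decrypted cfg.bin example.
SAMPLE_DUMP = """\
Config version: 1.0.3.7
Loader url: http://yourcatfree.cn/trashes/ldr.exe
Server url: http://theyourbest.cn/rssfeederd/stat1.php
Advanced config 1: http://greatyourway.cn/trashesgg2/cfg.bin
Fake 1: 0 PG http://adultfriendfinder.com/go*|http://centralet.cn/1/1.php|291351|
Fake 7: 0 PG http://www.adultfriendfinder.com/go*|http://centralet.cn/1/1.php|291351|
Inject data 1: OK
Inject 1: https://www.e-gold.com/acct/balance.asp*|GPL|*|*
Inject 3: https://www.wellsfargo.com/*|G|*|*
Inject 6: https://www.paypal.com/*/webscr?cmd=_account|GL|*|*
Inject 8: https://www.gruposantander.es/bog/sbi*?ptns=acceso*|GP|*|*
Done!
"""


@dataclass
class Rule:
    kind: str           # "fake" (redirect to a cloned page) or "inject"
    mask: str           # URL mask with '*' wildcards, exactly as in the dump
    flags: str          # flag letters from the dump, kept opaque
    redirect: str = ""  # for "fake" rules: where the victim is sent instead


@dataclass
class ZeusConfig:
    version: str = ""
    loader_url: str = ""
    server_url: str = ""
    advanced_configs: list = field(default_factory=list)
    rules: list = field(default_factory=list)


FAKE_RE = re.compile(r"^Fake \d+: (\S+) (\S+) (.+)$")
INJECT_RE = re.compile(r"^Inject \d+: (.+)$")


def mask_to_regex(mask: str) -> re.Pattern:
    """Turn a Zeus URL mask into a regex: '*' matches anything, all else is literal."""
    return re.compile("^" + ".*".join(re.escape(p) for p in mask.split("*")) + "$")


def parse_config(text: str) -> ZeusConfig:
    """Read the dump line by line; lines that are not recognised are ignored."""
    cfg = ZeusConfig()
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Config version:"):
            cfg.version = line.split(":", 1)[1].strip()
        elif line.startswith("Loader url:"):
            cfg.loader_url = line.split(":", 1)[1].strip()
        elif line.startswith("Server url:"):
            cfg.server_url = line.split(":", 1)[1].strip()
        elif line.startswith("Advanced config"):
            cfg.advanced_configs.append(line.split(":", 1)[1].strip())
        elif (m := FAKE_RE.match(line)):
            numeric, letters, rest = m.groups()
            mask, redirect, _ident, *_ = rest.split("|")
            cfg.rules.append(Rule("fake", mask, f"{numeric} {letters}", redirect))
        elif (m := INJECT_RE.match(line)):
            mask, flags, *_ = m.group(1).split("|")
            cfg.rules.append(Rule("inject", mask, flags))
    return cfg


def matching_rules(cfg: ZeusConfig, url: str) -> list:
    """Return the rules whose mask covers `url`, i.e. pages the config acts on."""
    return [r for r in cfg.rules if mask_to_regex(r.mask).match(url)]


def targeted_hosts(cfg: ZeusConfig) -> set:
    """Hostnames of the sites the rules target (skipping masks with a wildcard host)."""
    hosts = set()
    for r in cfg.rules:
        host = urlparse(r.mask).hostname
        if host and "*" not in host:
            hosts.add(host)
    return hosts


def infrastructure_hosts(cfg: ZeusConfig) -> set:
    """Hostnames the config sends victims to: loader, server, configs, redirects."""
    urls = [cfg.loader_url, cfg.server_url, *cfg.advanced_configs]
    urls += [r.redirect for r in cfg.rules if r.redirect]
    return {urlparse(u).hostname for u in urls if urlparse(u).hostname}


if __name__ == "__main__":
    config = parse_config(SAMPLE_DUMP)
    print("targeted:", sorted(targeted_hosts(config)))
    print("infrastructure:", sorted(infrastructure_hosts(config)))
    for rule in matching_rules(config, "https://www.wellsfargo.com/account/summary"):
        print("matched:", rule)
```

The two host lists serve different purposes: `targeted_hosts` answers "is my institution in this config?", while `infrastructure_hosts` yields the domains to block or alert on in proxy and DNS logs. The mask matcher is deliberately simple (anchored, `*` only), which is all the page's masks require.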


Jorge Mieres
