0

Peeking at Pkybot

For the past few months ASERT has been keeping an eye on a relatively new banking malware (“banker”) known as “Pkybot”. It is also being classified as a variant of “Bublik”, but the former is much more descriptive of the malware. This post will take a peek at some of the bits and pieces of […]

0

Peeking at Pkybot

For the past few months ASERT has been keeping an eye on a relatively new banking malware (“banker”) known as “Pkybot”. It is also being classified as a variant of “Bublik”, but the former is much more descriptive of the malware.

This post will take a peek at some of the bits and pieces of Pkybot and the campaign using it. The visibility provided can help organizations better understand, detect, and protect against this current threat.

Sample

One of the recent samples analyzed by ASERT has the following hashes:

MD5: 9028d9b64a226b750129b41fbc43ed5e

SHA256: 38eb7625caf209ca2eff3fa46b8528827b7289f1

At the time of this writing it has a VirusTotal detection ratio of 16/57 with just about all the detections being generic in nature. One positive for reverse engineers though is that this sample comes unpacked.

Pkybot

While there’s been some research into the malware already [1] [2], a review and fleshing out never hurts.

Encrypted Bits

Pkybot contains a number of interesting items that are encrypted with the XTEA encryption algorithm. The key used is generated at runtime from a hardcoded seed value (DWORD):

It can also be generated using this Python code snippet. Along with the generated XTEA key, this IDA Continue reading

0

ZeusVM: Bits and Pieces

ZeusVM is a relatively new addition to the Zeus family of malware. Like the other Zeus variants, it is a banking trojan (“banker”) that focuses on stealing user credentials from financial institutions. Although recent attention has been on non-Zeus based bankers such as Neverquest and Dyreza, ZeusVM is still a formidable threat. At the time […]

0

ZeusVM: Bits and Pieces

ZeusVM is a relatively new addition to the Zeus family of malware. Like the other Zeus variants, it is a banking trojan (“banker”) that focuses on stealing user credentials from financial institutions. Although recent attention has been on non-Zeus based bankers such as Neverquest and Dyreza, ZeusVM is still a formidable threat. At the time of this writing, it is actively being developed and has implemented some interesting features such as a custom virtual machine and basic steganography. In addition, due to a recent leak of a builder program, the ability to create new ZeusVM campaigns is now in the hands of many more miscreants.

To foster a better understanding of ZeusVM, the attached paper examines some of the internals of the malware from a reverse engineer’s perspective. While it doesn’t cover every component, the visibility provided can help organizations better detect and protect from this threat.

ZeusVM: Bits and Pieces (PDF)

ZeusVM: Bits and Pieces Appendix 1 (TXT)

0

An Update on the UrlZone Banker

UrlZone is a banking trojan that appeared in 2009. Searching its name or one of its aliases (Bebloh or Shiotob) reveals a good deal of press from that time period along with a few technical analyses in 2009 [1] [2], 2012 [3], and 2013 [4]. Despite having a reputation of evolution, there doesn’t seem to be very many recent updates on this malware family though. Is UrlZone still a threat and if so, how has it changed?

To explore that, this post takes a look at a recent UrlZone malware sample to see if it is still an active threat. It then gives an update on the command and control (C2) communications as they have changed since being previously documented. These are then put together in some proof of concept code that downloads and decrypts the webinject configuration file (the bread and butter of any banker malware) to see what financial institutions are being targeted.

Sample

The sample analyzed for this post has an MD5 of:

01fd0f1ad59ad5403c9507bfb625fe0c

For the “stop using md5 now” converts, it has the following SHA256:

39bbde33922cd6366d7c2a252c4aadd4dfd7405d5271e3652940a7494b885e88

The sample’s compilation date is 2015-06-12 12:01:03. This date seems legit as Continue reading

0

Bedep’s DGA: Trading Foreign Exchange for Malware Domains

As initially researched by Trend Micro [1] [2], Zscaler [1] [2], Cyphort, and Malware don’t need Coffee, the Bedep malware family focuses on ad / click fraud and the downloading of additional malware. ASERT’s first sample dates from September 22, 2014, which is in line with when Trend Micro started seeing it in their telemetry. In early 2015, the family got some more attention when it was being observed as the malware payload for some instances of the Angler exploit kit, leveraging the Adobe Flash Player exploit (CVE-2015-0311) which at the time was a 0day. It was also observed that this newer version was using a domain generation algorithm (DGA) to generate its command and control (C2) domain names.

This post provides some additional notes on the DGA including a proof of concept Python implementation, a look at the two most recent sets of DGA generated domains, and concludes with some sinkhole data.

Samples

The following Bedep samples were used for this research:

• MD5 e5e72baff4fab6ea6a1fcac467dc4351
• MD5 1b84a502034f7422e40944b1a3d71f29

The former was originally sourced from KernelMode.

Algorithm

I’ve posted a proof of concept (read: works for me) Python implementation of the DGA to ASERT’s Github.

At the time of Continue reading

0

Let’s Talk About NewPosThings

by Dennis Schwarz and Dave Loftus

NewPosThings is a point of sale (PoS) malware family that ASERT has been tracking for a few weeks. It operates similarly to other PoS malware by memory scraping processes looking for credit card track data and then exfiltrating the spoils to a command and control (C2) server. Based on compilation times, it has been in active development since at least October 20, 2013—with the latest timestamp being August 12, 2014. Since we haven’t come across any public details of this family, we’re releasing our malware analysis for posterity and to get ahead of the threat.

The analyzed sample has an MD5 of 4196c67648003a18f61573a77b6d3be6.

Naming

Its name comes from an embedded PDB pathname string from the analyzed sample:

C:UsersTomdocumentsvisual studio 2012ProjectsNewPosThingsReleaseNewPosThings.pdb

Initialization

The malware initializes itself as follows:

• Sets some insecure file flags in the Registry:
  • “LowRiskFileTypes” in “HKCUSoftwareMicrosoftWindowsCurrentVersionPoliciesAssociations”
  • “1806” in “HKCUSoftwareMicrosoftWindowsCurrentVersionInternet SettingsZones”
• Copies itself to “%APPDATA%JavaJavaUpdate.exe”
• Checks whether it is running as 64-bit and if so, exits with a MessageBox of “Use 64bit version.”
• Kills any existing “JavaUpdate.exe” processes
• Sets up Registry Run persistence (HKCUSoftwareMicrosoftWindowsCurrentVersionRun) under “Java Update Manager”
• Executes copied executable passing the original executable’s pathname and “RM” as Continue reading

0

Five Sinkholes of newGOZ

By Dennis Schwarz and Dave Loftus

It has been a few weeks since news broke of the Zeus Gameover variant known as newGOZ. As has been reported, the major change in this version is the removal of the P2P command and control (C2) component in favor of a new domain generation algorithm (DGA).

The DGA uses the current date and a randomly selected starting seed to create a domain name. If the domain doesn’t pan out, the seed is incremented and the process is repeated. We’re aware of two configurations of this DGA which differ in two ways: the number of maximum domains to try (1000 and 10,000) and a hardcoded value used (0×35190501 and 0x52e645).

Date based domain generation algorithms make for excellent sinkholing targets due to their predictability, and provides security researchers the ability to estimate the size of botnets that use them. With this in mind, we have gathered five days worth of newGOZ sinkhole data. Our domains are based on the first configuration, since this configuration seems to be used the most in the wild.

As with all sinkhole data, many variables can affect the accuracy of victims such as network topology (NAT and DHCP), timing, Continue reading

0

The Citadel and Gameover Campaigns of 5CB682C10440B2EBAF9F28C1FE438468

As the infosec community waits for the researchers involved to present their Zeus Gameover take down spoils at the next big conference; ASERT wanted to profile a threat actor that uses both Citadel, “a particularly sophisticated and destructive botnet”, and Gameover, “one of the most sophisticated computer viruses in operation today”, to steal banking credentials.

Citadel Campaign

When a threat actor decides that they would like to start a Citadel campaign they: buy the builder software, build the malware, distribute it to the wild, and then, unfortunately, usually profit. A “login key” in Citadel parlance identifies a specific copy of the builder. This key is also copied into the generated binaries so a link between malware builder and malware is formed. Login keys are supposed to be unique, but due to builders being leaked to the public, some aren’t. For all intents and purposes though, malware researchers use login keys to distinguish between distinct Citadel campaigns.

On October 29, 2013, security researcher Xylitol tweeted that login key 5CB682C10440B2EBAF9F28C1FE438468 was not associated with any of the defendants in Microsoft’s Citadel botnet lawsuit:

ASERT has the following command and control (C2) URLs linked with that campaign. Most Continue reading

0

Trojan.Eclipse — A Bad Moon Rising?

ASERT’s malware collection and processing system has automatic heuristics that bubble up potentially new and interesting DDoS malware samples into a “for human analysis” queue. A recent member of this queue was Trojan.Eclipse and this post is my analysis of the malware and its associated campaigns.

Analysis was performed on the sample with an MD5 of 0cdd10cd3393d3fe916a55b946c10ad6.

The name Eclipse comes from two places: a mutex named “eclipseddos” and a hardcoded Cookie value used in the command and control (C2) phone home. We’ll see in the Campaign section below that this threat is also known as: shadowbot, gbot3, eclipsebot, Rhubot, and Trojan-Spy.Win32.Zbot.qgxi.

Based on the C2 domain names, GeoIP of the C2 IP addresses, and a social media profile of the owner of one of the C2 domains, I suspect this malware to be Russian in origin. In addition, Eclipse is written in Delphi and empirically Russian malware coders have a certain fondness for this language.

Command and Control

The analyzed binary has a hardcoded C2 domain string. This string is protected from modification by running it through a simple hashing algorithm and comparing it against a hardcoded hash at certain points of the code. The Continue reading