
Testing your ZeuS variant?


The ZeuS source code leak is not recent, and we have seen new variants like Ice-IX or Citadel being widely used, but from time to time we find a new trojan based on this source code.

Sometimes we see samples that seem to be used for testing purposes. In this case we have found an interesting sample based on the ZeuS source code. It seems to have been under test during the last few weeks, as its compilation date is April 9th.

It is funny to see how it sends debug information to a hardcoded server, at the path "/test/debug.php". For example, once the machine is infected it RC4-encrypts and sends information like this:

[16:59:13] TC=0000000008, PID=0448(0x01C0), TID=1324(0x052C), LE=0(0x0), F=initUserData, FL=C:\Zeus projects\last\bot_chela_antirapport_with_x (512)..INFO: coreData.currentUser.id="0x2053D9C1", coreData.currentUser.sessionId="0"

It has some curious features that are not present in ZeuS, such as detecting sandboxes, antivirus or anti-malware software. For example, it is able to detect the presence of DeepFreeze or Wireshark, or "internal" artifacts of the Sandboxie, Anubis or Camas sandboxes. The patterns it searches for are encrypted (the usual ZeuS string encryption), but the references to them are not, so we can infer the trojan's behaviour just by looking at the strings.
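The two points above, RC4-encrypted debug traffic and plaintext string references, are easy to demonstrate. The following is an added example, not code from the original post or from the sample it describes: a plain RC4 implementation (encryption and decryption are the same operation, so a key pulled from the binary recovers every debug POST) plus a minimal `strings(1)`-style scan over a constructed byte buffer in which plaintext references sit next to an encrypted pattern. The key, the "sandbox-marker-pattern" text and the buffer layout are all constructed here; the post does not give the sample's key.

```python
"""Added example: RC4 round-trip on a ZeuS-style debug record, and a
strings-style scan showing which references survive in the clear."""
import re


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 KSA + PRGA. Symmetric: the same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Constructed: a debug record of the kind quoted in the post, and a
# hypothetical hard-coded key standing in for whatever the sample embeds.
DEBUG_LINE = (b'[16:59:13] TC=0000000008, PID=0448(0x01C0), TID=1324(0x052C), '
              b'LE=0(0x0), F=initUserData, FL=C:\\Zeus projects\\last\\'
              b'bot_chela_antirapport_with_x (512)..INFO: '
              b'coreData.currentUser.id="0x2053D9C1", '
              b'coreData.currentUser.sessionId="0"')
HYPOTHETICAL_KEY = b"test-debug-key"


def decrypt_debug_post(body: bytes, key: bytes = HYPOTHETICAL_KEY) -> str:
    """What an analyst does with a captured POST to /test/debug.php once the
    key has been recovered from the binary: apply RC4 again."""
    return rc4(key, body).decode("latin-1")


def extract_strings(blob: bytes, min_len: int = 6) -> list:
    """Minimal strings(1): runs of printable ASCII of at least min_len bytes."""
    return [m.group().decode("ascii")
            for m in re.finditer(rb"[\x20-\x7e]{%d,}" % min_len, blob)]


def build_fake_binary() -> bytes:
    """Constructed stand-in for a data section: plaintext references such as
    "SpyEyeRemove" sit next to an RC4-encrypted detection pattern."""
    encrypted_pattern = rc4(HYPOTHETICAL_KEY, b"sandbox-marker-pattern")
    return (b"\x00" * 4 + b"SpyEyeRemove\x00" + encrypted_pattern + b"\x00"
            + b"zeusV2Remove\x00" + b"Firewall DONE\x00" + b"\x90" * 8)


if __name__ == "__main__":
    wire = rc4(HYPOTHETICAL_KEY, DEBUG_LINE)
    print("on the wire:", wire[:16].hex(), "...")
    print("recovered:  ", decrypt_debug_post(wire)[:40], "...")
    for s in extract_strings(build_fake_binary()):
        print("string:", s)
```

The encrypted pattern never appears in the string dump, but the function and log-message names around it do, which is exactly what lets an analyst map out the removal and firewall routines without decrypting anything.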

It seems that it does not like to share a machine with other malware families, as some strings show that it tries to clean other infections, such as ZeuS v2 and SpyEye:
SpyEye Kill Mutex Name: %hs

SpyEye registry value: %s, path: %s
SpyEyeRemove
Zeus v2 deleted
zeusV2Remove
Zeus v2 deleted

Of course, the project name is interesting in itself ("Zeus projects", "antirapport", "with x64", "chela"?):
C:\Zeus projects\last\bot_chela_antirapport_with_x64\source\client\...

The comments in the code show its intention very clearly. For example, regarding the Windows Firewall (windowsfirewall.cpp):
"WindowsFirewall::FirewallAddExclusions"

"Added exclusion for %s"
"Exclusion for %s is re-enabled"
"Exclusion for %s is already in the list"
"Firewall DONE"

And there are a lot of interesting strings:
In IE!

I'm a installer.
I'm a loader.
Current process started from system account. Installing to all users.
Malware report to server: %d
MalwareDelete::_removeAll
Accepted client connection.
Accepted new conection from bot (BotID: %s, IP: %s).
Accepted new conection from client (IP: %s), but bot not connected! Disconnecting client!
...

Nothing to add, just "thank you, developer" for (at least this time) making our work easier.

Mikel Gastesi
S21Sec ACSS





Collaboration for a More Secure Europe

I hope that by the time you read this blog post you will already have heard about the European Cyber Security Group; for those of you who have not, let me give a very quick overview. The European Cyber Security Group (ECSG) is Europe's largest independent cyber defence force, created to address the growing threats to Europe's cyber security.
The ECSG:


  1. Leverages the expertise of 600+ experts in cyber security
  2. Has on the ground experience supporting 2,000 unique government and industry clients
  3. Delivers seamless cooperation across member companies for agile and customized emergency response
  4. Is an objective advocate and policy advisor on cyber crime risk, prevention, mitigation and effective cross-border cooperation


The Numbers:


  • Combined turnover of approx. 61 million Euros
  • 2,000 unique clients covering the globe
  • Besides various governments, we have clients in all major industry verticals: Finance, Manufacturing, Banking, Retail, Transport and Pharma.


S21sec was one of the founding members of this dynamic collection of cyber security companies, which have come together to pool not only their expertise but also their resources in the fight against cyber crime. The members are as follows:



I am sure the immediate question in the reader's mind is: why now? The reasons are many and perhaps too intricate to go into at great length in this blog. This is a conversation we are going to have as we meet leaders from both the private and public sectors. I would encourage existing and potential customers to contact me directly for further information on the goals the alliance has set itself.

I personally believe that the creation of this new alliance is going to drive forward significant enhancements in the manner in which we deliver our services. One of the most exciting challenges that await us is the wealth of data that we have between us. You could use the expression "big data", and I think it would be most apt in this instance. This rich seam of intelligence and threat information will take some time to get through, but once we have completed this task it will provide the alliance with a deeper and more nuanced understanding of what is happening out there in the underground economy.

The very first service that the alliance will be launching is the Incident Response Team (IRT). Our goal in setting this team up was to create the largest and, technically, one of the most sophisticated IRTs in the world, able to respond to any type of breach taking place anywhere in the world. By tackling CERT engagements collaboratively, ECSG offers the most comprehensive and rapid services for corporate and government clients. Members work independently, and can draw on additional and specialized resources from their ECSG partners where and when needed. Relying on this added strength in depth ensures successful CERT engagements of any scale. The ECSG will additionally collaborate with the governments of individual countries, as well as the European Union, to advise on best practices and assist on cyber security engagements where necessary to ensure speedy mitigation of security issues.

Finally, ECSG will also lobby local and EU lawmakers to enact legislation that eases the cross-border information sharing and cooperation that will ultimately lead to a more secure Europe. From a personal perspective, I am very excited that S21sec will have the opportunity to work alongside some of the most talented teams in Europe in order to tackle the issue of cyber crime. I would once again like to encourage all readers of our blog to engage with me to learn more about the work of the ECSG and how we may be able to assist you in tackling the cyber security problems you face. I would also like to encourage you to spread the word, for we are open to speaking with any institution or organisation, no matter where in the world it is located. This does feel like the dawn of a new and exciting journey, and we would like you all to be part of it.

Nahim Fazal
Cybercrime and Fraud SME S21sec






Sopelka Botnet: three banking trojans and one banking panel

The Sopelka botnet started life in May this year and was taken down by the end of September. It has been called Sopelka because of the path used to distribute its binaries and configuration files, and it was an odd mixture of variants of the known banking trojans Tatanga, Feodo and Citadel.

This botnet's objective was the collection of banking credentials from European entities, mostly banks from Spain and Germany but also from the Netherlands, Italy and Malta. In addition, it made use of different mobile components for Android, BlackBerry and Symbian phones. Symbian was the first operating system on which this type of malicious component emerged, two years ago.



During the botnet's lifetime there were at least five campaigns, and it is likely that more were carried out. Of the five known campaigns, three installed variants of Citadel (versions 1.3.4.0 and 1.3.4.5), another installed Feodo, and Tatanga was the trojan chosen for the remaining one. All the Citadel campaigns carried the name "sopelka" (a type of flute in Russian) in their download paths for binaries and configuration files, but this was not the case with Tatanga and Feodo.


Campaign   Date (dd/mm)   Trojan            Path                                          Countries
Sopelka1   01/05-30/05    Citadel 1.3.4.0   /sopelka1/file.php|file=citsp1.exe            ES, DE, NL
                                            /sopelka1/file.php|file=sopelka1_config.bin
Sopelka2   01/05-30/05    Citadel 1.3.4.0   /sopelka2/file.php|file=citsp2.exe            ES
                                            /sopelka2/file.php|file=sopelka2_config.bin
Tatanga    15/06-15/07    Tatanga           /sec/g.php                                    IT, ES, DE, NL
Feodo      15/06-15/07    Feodo             /zb/v_01_a/in/cp.php                          ES, NL, DE, IT
Sopelka3   15/08-27/09    Citadel 1.3.4.5   /sopelka3/file.php|file=citsp3.exe            ES, DE
                                            /sopelka3/file.php|file=sopelka3_config.bin
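A table like the one above is only useful once it is turned into a detection. The following is an added example, not code from the original post, that tags web-proxy log entries with the campaign and trojan they belong to. It assumes that the "|" in the table separates the request path from its query string (that is, the Citadel downloads were requests of the form /sopelka1/file.php?file=citsp1.exe); this is an assumption, since the post does not show raw requests. It also goes one step beyond the table: any request to a /sopelkaN/file.php path that is not listed is still flagged, because the naming scheme is the campaign's signature. The log format, the source addresses and the C&C hostname are constructed; the post does not list the servers.

```python
"""Added example: campaign table from the post as a proxy-log detection."""
import re
from urllib.parse import urlsplit

# One entry per campaign, paths copied from the post. Assumed here: the
# "|" separates path and query string of the original request.
CAMPAIGNS = [
    ("Sopelka1", "Citadel 1.3.4.0", ["/sopelka1/file.php|file=citsp1.exe",
                                     "/sopelka1/file.php|file=sopelka1_config.bin"]),
    ("Sopelka2", "Citadel 1.3.4.0", ["/sopelka2/file.php|file=citsp2.exe",
                                     "/sopelka2/file.php|file=sopelka2_config.bin"]),
    ("Tatanga",  "Tatanga",         ["/sec/g.php"]),
    ("Feodo",    "Feodo",           ["/zb/v_01_a/in/cp.php"]),
    ("Sopelka3", "Citadel 1.3.4.5", ["/sopelka3/file.php|file=citsp3.exe",
                                     "/sopelka3/file.php|file=sopelka3_config.bin"]),
]


def _split_ioc(ioc: str) -> tuple:
    path, _, query = ioc.partition("|")
    return path.lower(), query.lower()


# (path, query) -> (campaign, trojan), lower-cased for case-insensitive matching
INDEX = {_split_ioc(p): (name, trojan)
         for name, trojan, paths in CAMPAIGNS for p in paths}

# Generalisation beyond the table: same naming scheme, unlisted campaign/file.
SOPELKA_PATH = re.compile(r"^/sopelka\d+/file\.php$")

# Constructed log format: "dd/mm hh:mm:ss src-ip METHOD url status"
LOG_RE = re.compile(r"^(?P<ts>\d\d/\d\d \d\d:\d\d:\d\d) (?P<src>\S+) "
                    r"(?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")


def classify_request(url: str):
    """Return (campaign, trojan) for a URL hitting a known path, else None."""
    parts = urlsplit(url)
    key = (parts.path.lower(), parts.query.lower())
    if key in INDEX:
        return INDEX[key]
    if SOPELKA_PATH.match(key[0]):
        return ("Sopelka?", "Citadel (unlisted)")
    return None


def scan_log(lines):
    """Yield (timestamp, source, url, campaign, trojan) for each matching line;
    lines that do not parse are skipped rather than raising."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        tag = classify_request(m["url"])
        if tag:
            hits.append((m["ts"], m["src"], m["url"]) + tag)
    return hits


# Constructed sample log; "c2-placeholder.example" stands in for the real C&C.
SAMPLE_LOG = [
    "12/05 10:01:02 10.0.0.17 GET http://c2-placeholder.example/sopelka1/file.php?file=sopelka1_config.bin 200",
    "12/05 10:01:05 10.0.0.17 GET http://www.example.com/index.html 200",
    "20/06 08:15:44 10.0.0.23 POST http://c2-placeholder.example/sec/g.php 200",
    "01/09 22:03:10 10.0.0.41 GET http://c2-placeholder.example/sopelka3/file.php?file=citsp3.exe 200",
    "03/09 09:00:00 10.0.0.41 GET http://c2-placeholder.example/sopelka4/file.php?file=citsp4.exe 200",
    "not a log line",
]

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit)
```

Matching on path plus query rather than on the full URL keeps the rule valid when the operators move the same kit to a new host, which is the usual pattern between campaigns; the wildcard on /sopelkaN/file.php is what would have caught a sixth campaign.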







Mobile Device Management Security

For some years now almost everybody has used mobile devices and mobile Internet access on a daily basis. Nowadays most companies allow smartphones or tablets to be used to access corporate resources such as email, or even critical corporate information. Mobility is definitely in fashion.

Since mobile devices now handle highly critical information, they are not just phones anymore. Lots of well-known threats now affect these devices, along with some new ones.

As a response, some software firms have developed a kind of security software called Mobile Device Management (MDM). This software controls and protects the device by applying security policies to it. For instance, an MDM could block software installation in order to avoid the device being infected through user misuse.

However, this kind of software can rarely install new features in the mobile operating system, so it usually relies on security features the OS already has and just makes their setup and deployment easier. For instance, MDMs on iOS usually rely on the Apple Configuration Profiles feature, and these profiles are configured to block their own removal.


That's fine! It is true that a user cannot uninstall a profile if there is no "uninstall" button in the interface, but an advanced user with shell access such as SSH (on a jailbroken device, of course) can change these profiles another way. A configuration profile is stored as an XML file with a .stub extension in the following directory: /private/var/mobile/Library/ConfigurationProfiles/

These XML files, created by the MDM software, are easily readable, and most parameters can be changed without any integrity control:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>InstallDate</key>
    <date>2011-07-27T15:54:44Z</date>
    <key>MCProfileIsRemovalStub</key>
    <true/>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadDescription</key>
            <string>Configures security-related items.</string>
            <key>PayloadDisplayName</key>
            <string>Passcode</string>
            <key>PayloadIdentifier</key>
            <string>XXXXXX - Configure.passcode</string>
            <key>PayloadOrganization</key>
            <string>XXXXXX - Configure</string>
            <key>PayloadType</key>
            <string>com.apple.mobiledevice.passwordpolicy</string>
            <key>PayloadUUID</key>
            <string>xxxxxxxx-yyyy-zzzz-wwww-000000000000</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>allowSimple</key>
            <true/>
            <key>forcePIN</key>
            <true/>
            <key>maxGracePeriod</key>
            <integer>0</integer>
            <key>maxInactivity</key>
            <integer>5</integer>
            <key>minLength</key>
            <integer>4</integer>
            <key>pinHistory</key>
            <integer>0</integer>
            <key>requireAlphanumeric</key>
            <true/>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string>Payload Count: 1</string>
[...]
    <key>ProfileWasLocked</key>
    <true/>
[...]

All the restrictions on the use of the device can be bypassed by editing this file. For instance, we can change the "ProfileWasLocked" key and set it to "false". Now something in the user interface changes:



These changes sometimes disappear when a change to a configuration profile is applied, since the files are overwritten. But what if we simply do not allow the overwrite?

# chmod -w -R /private/var/mobile/Library/ConfigurationProfiles
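The edit described above, and the check the stored stub lacks, in working code. This is an added example, not code from the original post or from any MDM product: it parses a stub of the kind shown above with Python's plistlib, reports the passcode policy it enforces, clears ProfileWasLocked exactly as the post describes, and then shows the only defence the file format itself leaves open to an MDM agent, a hash baseline recorded at install time that detects the edit. The stub content is trimmed from the XML in the post; the baseline store is a hypothetical dictionary.

```python
"""Added example: read, tamper with, and integrity-check an iOS profile stub."""
import hashlib
import plistlib

# Constructed from the profile shown in the post, trimmed to the keys discussed.
SAMPLE_STUB = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>MCProfileIsRemovalStub</key>
    <true/>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadType</key>
            <string>com.apple.mobiledevice.passwordpolicy</string>
            <key>allowSimple</key>
            <true/>
            <key>forcePIN</key>
            <true/>
            <key>maxInactivity</key>
            <integer>5</integer>
            <key>minLength</key>
            <integer>4</integer>
            <key>requireAlphanumeric</key>
            <true/>
        </dict>
    </array>
    <key>ProfileWasLocked</key>
    <true/>
</dict>
</plist>
"""

PASSCODE_PAYLOAD = "com.apple.mobiledevice.passwordpolicy"


def passcode_policy(stub: bytes) -> dict:
    """Return the passcode-policy settings carried by the profile, if any."""
    profile = plistlib.loads(stub)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == PASSCODE_PAYLOAD:
            return {k: v for k, v in payload.items() if k != "PayloadType"}
    return {}


def profile_locked(stub: bytes) -> bool:
    return bool(plistlib.loads(stub).get("ProfileWasLocked", False))


def unlock_profile(stub: bytes) -> bytes:
    """The edit from the post: clear ProfileWasLocked so the UI offers removal.
    It works because nothing signs or MACs the stored stub."""
    profile = plistlib.loads(stub)
    profile["ProfileWasLocked"] = False
    return plistlib.dumps(profile)


def fingerprint(stub: bytes) -> str:
    return hashlib.sha256(stub).hexdigest()


def is_tampered(stub: bytes, baseline: dict, name: str) -> bool:
    """What an agent could do and the stock stub does not: compare the on-disk
    file against a fingerprint recorded when the profile was installed."""
    return baseline.get(name) != fingerprint(stub)


if __name__ == "__main__":
    baseline = {"passcode.stub": fingerprint(SAMPLE_STUB)}  # hypothetical store
    print("policy:", passcode_policy(SAMPLE_STUB))
    edited = unlock_profile(SAMPLE_STUB)
    print("locked after edit:", profile_locked(edited))
    print("tampered:", is_tampered(edited, baseline, "passcode.stub"))
```

The caveat is the one the post hints at: on a jailbroken device the baseline and the agent that checks it live on the same root-writable filesystem as the stub, so a hash comparison raises the bar but does not close the hole. A real integrity control has to anchor outside the attacker's reach, for example a server-side comparison against the policy the MDM believes it pushed.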

Of course, jailbreaking the device is mandatory for all these techniques, so MDM software usually tries to detect and block jailbroken devices. Sadly, most of it uses too simple an approach, such as looking for an installed application called Cydia, the most common alternative "App Store". As a consequence, this kind of jailbreak detection can be bypassed easily, just by renaming the application or making other similar changes.

In summary, mobile devices should be protected, since they sometimes handle highly critical information, but most security software (such as MDM) is not as useful as it should be. Be careful when designing and deploying your mobile device protections: choose a proper software provider and configure it in detail. Otherwise it can turn into a waste of time and money.

Jose Selvi
Dept. ACSS S21sec










© Copyright S21sec 2013 - All rights reserved

