
05 July 2010

New features of ZeuS


In today's post, I'll be reviewing some details of the latest release of ZeuS, i.e. version 2.x.

As it has been mentioned before on numerous occasions, ZeuS 2.x comes with several new characteristics:
  • Instead of the fixed names used in versions 1.x, it uses pseudo-random file names.
  • It doesn’t use the same folder as before. Now it hides in username\Program data\
  • The file is not hidden any more
  • It stores the configuration in the registry
  • It allows several infections of the same computer
In addition to the above, it includes other new features intended to make the analysis more difficult.

During the infection process, ZeuS gathers certain information about the machine, which is then encrypted and stored in the file it copies to \program data\.
This information includes: the computer name, the operating system version, the installation date, a pseudo-random 00..FF permutation table, and the file name, path and registry keys where the encrypted configuration file is stored.


What is the purpose of storing this data?
  1. A file taken from machine A will not be able to infect another machine B. Direct analysis in a sandbox is therefore not viable.
  2. The configuration file is encrypted with the key (the permutation table) mentioned above, which is generated pseudo-randomly and is therefore different from the key used to decrypt the configuration file downloaded from the server.
They may look like mere "tricks", but they clearly complicate the analysis, and they are further proof of the constant evolution of the ZeuS family.


Mikel Gastesi
S21sec e-crime

28 April 2010

Killing the enemy

There are protection measures designed to hinder the operation of banking Trojans. One of them, Trusteer Rapport, is an application for securing "the communication between the keyboard and the website". According to its website:

"Rapport secures browser communication from keyboard to website. It detects and prevents Man-in-the-Browser, Man-in-the-middle, phishing, and other attacks launched directly against the user."

We have confirmed in lab tests that ZeuS cannot grab any data on a machine where this software is installed. Unfortunately, the ZeuS authors have not been idle: in one of the latest samples of the Trojan, we have seen how ZeuS, right after infecting a computer, downloads and executes a second file whose purpose is to render this software useless.



This executable terminates the product's active processes and overwrites certain of its files with empty files. As a result, the program cannot be restarted.


The result is extremely interesting, as the program is disabled without the user receiving any message, though the icon of the program disappears.
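The overwrite-with-empty-file step described above leaves a very recognisable trace, and a baseline comparison picks it up. The following is an added example (not code from the original post or from Trusteer): it records the size and SHA-256 of a product's files, then classifies each deviation, giving a zero-byte file that used to have content its own verdict. File names and contents are constructed for the stand-alone demo.

```python
import hashlib
import os
import tempfile


def snapshot(paths):
    # Baseline: size and SHA-256 of each file the protected product needs.
    baseline = {}
    for p in paths:
        with open(p, "rb") as f:
            data = f.read()
        baseline[p] = (len(data), hashlib.sha256(data).hexdigest())
    return baseline


def check_integrity(baseline):
    # Compare the files on disk against the baseline and classify each deviation.
    # A file that had content and is now zero bytes is the symptom described
    # above, so it gets its own verdict instead of a generic "modified".
    findings = {}
    for p, (size, digest) in baseline.items():
        if not os.path.exists(p):
            findings[p] = "missing"
            continue
        with open(p, "rb") as f:
            data = f.read()
        if len(data) == 0 and size > 0:
            findings[p] = "truncated-to-empty"
        elif hashlib.sha256(data).hexdigest() != digest:
            findings[p] = "modified"
    return findings


def demo():
    # Stand-alone run on constructed files in a temporary directory: one file is
    # left alone, one is overwritten with an empty file, one is deleted and one
    # is altered.  Returns the findings keyed by bare file name.
    d = tempfile.mkdtemp()
    names = ["intact.dll", "emptied.dll", "deleted.exe", "patched.sys"]
    paths = {n: os.path.join(d, n) for n in names}
    for n, p in paths.items():
        with open(p, "wb") as f:
            f.write(b"constructed content of " + n.encode())
    baseline = snapshot(paths.values())
    open(paths["emptied.dll"], "wb").close()
    os.remove(paths["deleted.exe"])
    with open(paths["patched.sys"], "ab") as f:
        f.write(b"!")
    return {os.path.basename(p): v for p, v in check_integrity(baseline).items()}


if __name__ == "__main__":
    print(demo())
```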

Update:

After contacting the team in charge of Trusteer, we confirmed that they have implemented measures to counter the attack described above. Although security measures need continuous updating, we are very pleased to see how quickly the Trusteer team can react and keep up with these attacks.


Mikel Gastesi
S21sec e-crime

21 April 2010

IPv6 Security (VI)

The last series of posts about IPv6 gave an introduction to the new protocol, including some of its security aspects.

We discussed why IPv6 is necessary, and why it is necessary NOW to get hands-on in order to be prepared for the future. But reality is far from that.
A recently published OECD report, "INTERNET ADDRESSING: MEASURING DEPLOYMENT OF IPv6", confirms that IPv6 deployment is still not widespread. Although network devices such as routers mostly support IPv6, the money needed to implement the new technology is not being spent.

It's the typical deadlock. Administrators don't want to spend time and money implementing IPv6 in their infrastructure because, they say, there are no IPv6 applications. Application developers, in turn, say there is no infrastructure, so why should they spend money developing applications? So I guess everybody waits until day X, when there really are no IPv4 addresses available any more.

But when will that be? According to potaroo.net, in 513 days!

Time to get prepared!

Clemens Kurtenbach
S21sec e-crime

23 February 2010

IPv6 Security (V)

The last post talked about the security features of IPv6 itself, which are commonly referred to as IPsec. The Authentication Header and Encapsulating Security Payload were introduced; they are responsible for ensuring authenticity and confidentiality.


Both communication partners have to agree on a set of security parameters and algorithms to use. This set of rules for securing the communication channel is called a Security Association (SA). Not only the parameters and algorithms but also the cipher keys themselves are part of this agreement.

Security Associations support two ways of connecting two hosts: Transport Mode and Tunnel Mode. The type of connection, including the interface and IPv6 address to which it applies, is set in a Security Policy.

Transport Mode
Transport mode is intended for end-to-end connections between two communication partners. It is a true point-to-point mechanism that encrypts the payload together with the specific header of each protocol (ICMP, TCP, UDP, ...). The IP header is left in clear, not encrypted, but it is usually included in the authentication.
The encryption partners communicate with each other directly.

Tunnel Mode
This mode is used for gateway-to-gateway connections, but it can also be used for end-to-end communication. It is mainly designed to connect two corporate networks through designated gateway computers. The whole original packet is encrypted and encapsulated in a new datagram. The encryption partners do not communicate with each other directly; only the networks connected through these gateways do.
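The difference between the two modes is easiest to see on the wire. The following is an added example (not from the original post) that builds both encapsulations for the Authentication Header (RFC 4302) over IPv6, using HMAC-SHA1-96 (RFC 2404) so that it runs with the Python standard library alone; ESP places its header in the same positions but additionally encrypts what follows it. It also shows which header fields AH must exclude from the integrity check because routers change them in transit. Addresses, SPIs and the shared key are constructed values.

```python
import hmac
import hashlib
import struct
from ipaddress import IPv6Address

AH_PROTO, TCP_PROTO, IPV6_IN_IPV6 = 51, 6, 41
ICV_LEN = 12              # HMAC-SHA1-96 (RFC 2404): 96-bit truncated MAC
AH_LEN = 12 + ICV_LEN     # fixed AH fields + ICV = 24 bytes (a multiple of 8)


def ipv6_header(src, dst, next_hdr, payload_len, hop_limit=64):
    return struct.pack("!IHBB16s16s", 0x60000000, payload_len, next_hdr,
                       hop_limit, IPv6Address(src).packed, IPv6Address(dst).packed)


def ah_icv(key, outer, ah_fixed, rest):
    # The ICV covers the whole datagram, but fields routers may change in transit
    # (traffic class, flow label, hop limit) and the ICV itself are zeroed first.
    hdr = bytes([outer[0] & 0xF0, 0, 0, 0]) + outer[4:7] + b"\x00" + outer[8:]
    mac = hmac.new(key, hdr + ah_fixed + bytes(ICV_LEN) + rest, hashlib.sha1)
    return mac.digest()[:ICV_LEN]


def ah_protect(key, spi, seq, outer_src, outer_dst, next_hdr, rest):
    # rest is what follows AH: a TCP segment (transport) or a whole packet (tunnel)
    outer = ipv6_header(outer_src, outer_dst, AH_PROTO, AH_LEN + len(rest))
    ah_fixed = struct.pack("!BBHII", next_hdr, AH_LEN // 4 - 2, 0, spi, seq)
    return outer + ah_fixed + ah_icv(key, outer, ah_fixed, rest) + rest


def transport_mode(key, spi, seq, src, dst, segment):
    # End-to-end: the hosts' own header stays in the clear but is authenticated.
    return ah_protect(key, spi, seq, src, dst, TCP_PROTO, segment)


def tunnel_mode(key, spi, seq, gw_src, gw_dst, src, dst, segment):
    # Gateway-to-gateway: the whole original packet, inner header included,
    # sits behind a new header that names only the two gateways.
    inner = ipv6_header(src, dst, TCP_PROTO, len(segment)) + segment
    return ah_protect(key, spi, seq, gw_src, gw_dst, IPV6_IN_IPV6, inner)


def ah_verify(key, pkt):
    # Receiver side: returns (icv_ok, next_header, bytes following AH).
    outer, ah_fixed = pkt[:40], pkt[40:52]
    icv, rest = pkt[52:52 + ICV_LEN], pkt[52 + ICV_LEN:]
    ok = hmac.compare_digest(icv, ah_icv(key, outer, ah_fixed, rest))
    return ok, ah_fixed[0], rest
```

A packet whose hop limit was decremented on the way still verifies, while any change to the addresses or the payload does not.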

Key Management
All cryptographic communication in IPsec uses encryption/decryption keys. If two communication partners want to agree on an SA, they have to exchange information and, finally, the keys to use. Because there is no encryption yet at this stage, this exchange takes place over an insecure connection. The IKE (Internet Key Exchange) protocol handles this task.

Public Key Infrastructure
The IPsec requirements are specified in RFC 4301, but it says nothing about how the keys are exchanged. This can be done with pre-shared keys, which is only practicable in a small network. The enterprise networks of large companies need another method to distribute keys; in these large environments a central certificate server is the most practical. This central server is responsible for distributing the keys for encryption and also for building a chain of trust.
If two communication partners want to be sure that each is who it claims to be, they need another trusted party to vouch for their identities. The Certification Authority server takes this role. In this way a chain of trusted parties is built, whose root is called the Root CA: the certificate server in PKI-based environments.

The next post will be the last of this IPv6 series. It will summarize and give information about the recent IPv6 development. Stay tuned.

Clemens Kurtenbach
S21sec e-crime

08 February 2010

Google vs. China

"It is better to return back than to get lost in the way."
Chinese proverb

After the sophisticated attacks against Google in China, the search engine is threatening to leave the country if it does not manage to negotiate a legal, unfiltered search engine.

The attacks took place halfway through December, with the objective of accessing the Gmail accounts of Chinese human rights activists, as well as the theft of intellectual property from Google.

The attacks were not directed only to Google, as they also affected 34 companies, most of them in Silicon Valley, California.

As a consequence of the attacks, Google has published cyber-security recommendations to help Gmail users protect their computers and mobile devices.

On the other hand, an unidentified spokesman for China's Ministry of Industry denied any involvement in the cyberattacks, but insisted that all foreign companies operating in China must respect Chinese law.
Source: www.torrentbomb.com

The possible departure of Google from China has provoked a deep controversy all around the world, evoking countless reactions.

Immediately after the attacks, Google's shares fell 1.5% on the New York Stock Market, while Baidu's shares rose 11%. Baidu is China's most popular search engine.

The next consequence of the attacks was the delay of the launch in China of two mobile phones with Google´s Android mobile operating system, developed in cooperation with Samsung and Motorola.

Furthermore, Google is investigating whether the attacks were supported by its own Chinese staff. Accordingly, on 13 January some employees could not access their usual work space, while others were moved to another office.

On the other hand, on 21 January Hillary Clinton, US Secretary of State, came out in defence of Google, harshly criticizing China's censorship.

A few days later, a new search engine called Goojjle appeared, imploring Google not to leave China. Goojjle is apparently a Chinese imitation of Google, the only difference being that the logo includes a footprint, just like Baidu's logo.

Goojjle's logo (left) and Baidu's logo (right) are definitely very similar

Goojjle is a funny play on words in Chinese, as Google in Chinese means brother and Goojjle means sister.

Even though Goojjle’s origin is a mystery, it is obvious that it intends to be an answer to Google’s threat to quit China. In this regard, an eloquent promotional video tells a story about a deaf young girl who wants to learn to play the violin, although nobody believes she will be able to do it.

A few weeks later, at the World Economic Forum in Davos, China demanded that participants not discuss the subject.

Currently, Google and the US National Security Agency are finalizing an agreement to work together to investigate the attacks and to prevent future ones.

Google has been present in China since 2006. From the start, Google.cn has been forced to censor its search results according to Chinese legal requirements.

On the other hand, China has a huge market, with more than 170 million internet users, which represent 20% of the world’s total internet population.

Prior to Google's establishment, Google.com was accessible, even though much of its content was not accessible due to censorship.

Currently, the Chinese search engine Baidu holds 63% of the Chinese market and Google 33%, according to iResearch (a Chinese consulting firm). The remaining competitors have less than 1%.

Adriana Rodríguez-Miranda Sánchez
S21sec, Oficina de Proyectos.

02 February 2010

ZeuS spreading via Facebook

ZeuS is still the talk of the town. It is downloaded through fake antivirus programs, downloaders and several exploit kits. Of course, the best-known social networking site couldn't be left out. Last week we saw Facebook messages like the following:


The link in the message took users to a Facebook phishing page where they were asked to authenticate. At the same time, obfuscated JavaScript code was executed, creating a hidden iframe in the page body:


This iframe redirected the user to another webpage with two more iframes:

<iframe g1g="321" src="xd/pdf.pdf" l="56" height="31" width="13">
<iframe g1g="321" src="xd/sNode.php" l="56" height="31" width="13">
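Iframes sized like the two above (13x31 pixels) are not meant to be seen, and that alone is a usable detection signal when reviewing a suspect page. The following is an added example (not code from the original post) that scans HTML for iframes that are either tiny or hidden by CSS and reports their targets; the sample page and the 100x100 px threshold are constructed for the demo.

```python
from html.parser import HTMLParser


class HiddenIframeFinder(HTMLParser):
    # Flags <iframe> elements sized too small to be meant for a user to see, the
    # pattern in the injected page above (height="31" width="13"), or hidden by
    # an inline style.
    MAX_AREA = 100 * 100      # assumption: anything under 100x100 px is suspect

    def __init__(self):
        super().__init__()
        self.findings = []    # list of (src, reason)

    @staticmethod
    def _px(value):
        try:
            return int(str(value).strip().rstrip("px"))
        except ValueError:
            return None       # missing or non-numeric dimension

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = dict(attrs)
        w, h = self._px(a.get("width", "")), self._px(a.get("height", ""))
        style = (a.get("style") or "").replace(" ", "").lower()
        reasons = []
        if w is not None and h is not None and w * h < self.MAX_AREA:
            reasons.append(f"tiny {w}x{h}")
        if "display:none" in style or "visibility:hidden" in style:
            reasons.append("hidden by style")
        if reasons:
            self.findings.append((a.get("src"), ", ".join(reasons)))


def find_hidden_iframes(html):
    parser = HiddenIframeFinder()
    parser.feed(html)
    return parser.findings


# Constructed sample modelled on the injected iframes described in the post;
# the first iframe is a normal, visible embed and must not be reported.
SAMPLE = """<html><body><p>Log in to continue</p>
<iframe src="https://example.org/video" width="640" height="360"></iframe>
<iframe g1g="321" src="xd/pdf.pdf" l="56" height="31" width="13">
<iframe g1g="321" src="xd/sNode.php" l="56" height="31" width="13">
<iframe src="xd/other.php" style="display: none"></iframe>
</body></html>"""
```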

Digging further, we arrived at a directory listing on the same server:



The PDF file offered for download was a malicious file that executed obfuscated JavaScript code and contained exploits for three vulnerabilities, used depending on the PDF reader version in use:



The three exploits had identical shellcode:


As can be seen, the shellcode downloaded and launched a binary from the URL in the last image. This binary was a ZeuS sample, version 1.3.2.4, which was installed on the system as sdra64.exe.

On the other hand, the sNode.php file tried to exploit a Flash vulnerability by executing the nowTrue.swf file after loading into memory a shellcode very similar to the previous one, but in this case the binary was downloaded from the following URL:

hxxp://109.95.115.35/fsp/load.php?id=5

This binary had a different MD5, but its behavior was identical: it was also a ZeuS version 1.3.2.4.

Additionally, when the requested data is filled in on the Facebook phishing page, it is sent to another URL. At the time of the analysis this URL contained an incorrect domain and did not redirect correctly:


However, after replacing this malformed domain with the server's IP, it was possible to reach the intended web page, where a pop-up informed the user of the need to upgrade Adobe Flash Player and offered a new binary, update.exe, to do so. There was another link on the same page to download another binary, photo.exe, with the same MD5 as update.exe. Both have a different MD5 from the rest of the binaries discussed, but the same behavior: ZeuS version 1.3.2.4.




If, unfortunately, any of you have visited any of the mentioned links, you can check whether you are infected by following the tips published some months ago.


Jose Miguel Esparza
S21sec e-crime


01 February 2010

Once a crook…

In the world of security, as in other areas, it is extremely important to plan carefully before starting a new project. In fact, this is even more important in our field, because we have to deal with continuous attempts to find holes in the system.

When it comes to critical applications or systems, this is crucial. A design error can be more serious than other, more complex "technical" errors.
Let’s see a few examples:
  • A hypothetical vendor wants to protect its own applications by setting an execution time limit. To do this, it uses a new packer that adds a protection layer based on the maximum length of time a program may run for evaluation. To that end, it uses a base program with the protected program embedded. The latter is unpacked at runtime, launched, killed and removed from disk once it finishes executing.
    Yes, removed! While running, all these applications were vulnerable to a simple copy and paste of the unpacked file.

Creation of temporary file
  • Another example, a tad more subtle, can be found in online banking. A Trojan wants to get the codes on the client's card. The most common attack, simply asking for these codes, is too obvious. Now, what happens if someone enters one of the numbers wrongly? Was it just a mistake by the client? Or maybe it is not the client at all? The easiest solution is to ask again, up to three times, to counter brute-force attacks.
    However, our sharp friends in charge of the InfoStealer use a much subtler technique: after stealing the code, they show the client an error message (page not found, etc.). This way they gain some time to access the account. If the same access code is asked for again in a new session, then the card code has been reduced to a simple PIN number.
So, before you start writing your fingers off, sit back, relax, have a coffee… and think ;)

Mikel Gastesi
S21sec e-crime

© Copyright S21sec 2010 - All rights reserved