In today's post, I'll be reviewing some details of the latest release of ZeuS, i.e. version 2.x.
As it has been mentioned before on numerous occasions, ZeuS 2.x comes with several new characteristics:
- Instead of the fixed names used in versions 1.x, it uses pseudo-random file names.
- It doesn’t use the same folder as before. Now it hides in username\Program data\
- The file is not hidden any more
- It stores the configuration in the registry
- It allows several infections of the same computer
During the infection process, ZeuS gathers certain information about the machine, which is in turn encrypted and stored into the file copied in \program data\.
Among this information is: name of the computer, version of the operating system, date of installation, a pseudo-random 00..FF permutation table, file name and path and registry keys where the encrypted configuration file is stored.
What is the purpose of storing this data?
- A file from a machine A will not be able to infect another machine B. Therefore, direct analysis through sandbox is not viable.
- The configuration file is encrypted with the key (permutation table) mentioned above, which is pseudo-randomly generated, therefore different from the key used for decrypting the configuration file downloaded from the server.
They may look like mere “tricks”, but it is clear that they can complicate the analysis, and it is another proof of the constant evolution of the ZeuS family.