1

James WykeSenior Threat Researcher

Extracting Forensic Information from Zeus DerivativesSOURCE Dublin 2014

22

Agenda

3

Agenda

• Zeus and derivatives overview

• What information do we want to extract and why?

• How do we extract the information?

• Automation

• Conclusion

44

Zeus and Derivatives

5

Zeus and Derivatives

• Highly successful kit

• Source code leaked 2011

• New variants – Citadel, IceIX, KINS, Gameover + many more

• Leaked code also widely used with few or no modifications

• Many variants successful in their own right

• More builders leaked

6

Zeus and Derivatives

• Variant prevalence:

Citadel19%

Ice99%

P2P31%

2.0.8.9 Based18%

KINS12%

Other13%

Typical Weekly Breakdown

CitadelIce9P2P2.0.8.9 BasedKINSOther

77

What information do we want to extract?

8

High Level Goals

• What was stolen?￮ Network traffic￮ Cache data

• Where was data sent?￮ Drop zone URLs￮ Config file URLs￮ Backup URLs

• What changes were made?￮ Commands executed￮ Web injects – config data

• Who were the attackers?￮ Tracking

9

How to Achieve These Goals?

• C2 addresses￮ Extract from binary, config file, network traffic captures

• Stolen data￮ Decrypt network data, cache files

• Configuration files￮ Obtain, decrypt, decipher config data￮ Webinjects, filters, targeted processes

• Runtime information￮ Exe path, registry keys etc

• Store and track data￮ Keys, URLs, customisations

1010

How do we extract the information?

11

Key Variants

• Leaked Zeus (2.0.8.9)￮ Original codebase￮ Same process will work for many minor variations

• IceIX￮ Encryption algorithm changes￮ Config file retrieval complications

• Citadel (1.3.5.1)￮ Encryption heavily rewritten￮ More config file retrieval changes

• Gameover￮ Peer 2 peer

• KINS￮ VM based decryption routine

12

Zeus 2.0.8.9

• Config file URL

• Retrieve, decrypt, decipher config file

• Assess stolen data – decrypt network traffic, cache file

• Read runtime information

13

Zeus 2.0.8.9

• Static config details embedded in binary

• Config block XOR encrypted

• Find block offset and XOR key

Config file URL

14

Zeus 2.0.8.9Config URL

15

Zeus 2.0.8.9

• Regexp search, e.g:￮ "[\x50-\x57][\xb8-\xbf].{2}\x00\x00[\x50-\x57]\x68.{4}[\x50-\x57]\xe8.

{4}\x8b.{5}\x03“

• Key always at start of ‘.reloc’ section

• Key length = size of StaticConfig

• StaticConfig also contains RC4 key

Config URL

16

Zeus 2.0.8.9

• Retrieved with simple Get request to URL• RC4 decrypt￮ Using key from StaticConfig (no key scheduling stage)

• VisualDecrypt￮ for (m = (Size-1); m >0; m--)￮ Data[m] = Data[m] ^ Data[m-1]

• Decompress compressed blocks￮ nrv2b

• Covert to something more readable￮ XML is an option

Config File

17

Zeus 2.0.8.9

• Common to many subsequent variants• Config header structure:

Config file structure

Offset Size Value0x0 0x14 Random data0x14 0x4 Size of config file0x18 0x4 Flags (usually 0)

0x1c 0x4Number of Blocks

0x20 0x10 MD5 of data0x30 … Config blocks

18

Zeus 2.0.8.9

• Config blocks – header then data• Config block header structure:

Config file structure

Offset Size Value0x0 0x4 Block ID

0x4 0x4Flags, e.g. compressed

0x8 0x4Compressed size

0xc 0x4Decompressed size

19

Zeus 2.0.8.9

• Block ID identifies specific type of config entry e.g. version, new exe url, drop zone url, web injects

• Leaked source indicates what each binary value means• Conversion to XML makes the data easier to interpret:

Config file structure

20

Zeus 2.0.8.9

• Network data￮ RC4 decrypt using key from StaticConfig￮ Data is structured similar to config data

• Cache data￮ Temporary store of data before sending back to drop zone￮ Structure:

Stolen data

Offset Size Value

0x0 0x4Xor encoded size of block

0x4 0x1 0

0x5 ??First encrypted block

21

Zeus 2.0.8.9

• XOR key stored in runtime data at offset 0x1e2

• Blocks encrypted with VisualEncrypt + RC4

• New RC4 key from runtime data

• Blocks have same structure as network data

• Cache gets deleted when data sent over network

Cache data

22

Zeus 2.0.8.9

• Dynamically created block written by dropper• See https://

code.google.com/p/volatility/source/browse/trunk/contrib/plugins/malware/zeusscan.py for structure

• Key fields:￮ RC4 key – encrypting cache data￮ XORkey – cache data block sizes

• Also, registry keys, exe file name, cache file name etc.

Runtime information

23

Zeus 2.0.8.9

• Find block in dump:

• Often appended to file

Runtime information

24

IceIX

• Same goals

￮ Config file URL￮ Retrieve, decrypt, decipher config file￮ Assess stolen data – decrypt network traffic, cache file￮ Read runtime information

• How do we identify?

• What are the differences?

25

IceIX

• Config file URL by default ends with config.php• Strings: “bn=1” and “&sk=1”• Modified RC4 routine:

Identification

26

IceIX

• RC4 changes

• Config file retrieval requires structured POST request

Modifications

27

IceIX

• Classic:

• Modified:

RC4 changes

28

IceIX

• POST request requires special format or config file is not delivered

• POST data format:

bn=<BOTID string>&sk=<MD5 of encrypted BOTID string>

• BOTID generated per machine, e.g.: MYPC_737574566769_474• Encrypted using modified RC4 with key from StaticConfig• All POST data encrypted before being sent

Config file retrieval

29

Citadel

• Giveaway string:￮ 'Coded by BRIAN KREBS for personal use only. I love my job & wife.‘

• Version number:

• Maybe further strings:￮ cit_ffcookie.module, cit_video.module

Identification

30

Citadel

• Encryption process rewritten – AES + RC4, multiple keys

• Formatted POST request for config file retrieval

• Backup config file URLs

Modifications

31

Citadel

• RC4 has XOR on top with LOGIN_KEY￮ Extra key generated at build time e.g.:￮ "C1F20D2340B519056A7D89B7DF4B0FFF"

• Config data encrypted with AES

• Network traffic requires generating a new RC4 key

Encryption process

32

• Extra non-standard permutation

• Need to extract salt value

• All network traffic encrypted in this way

CitadelConfig file retrieval

33

Citadel

• Formatted similar to config data – header with 2 data blocks

• Block ID 0x2725 – contains the login_key

• Block ID 0x2726 – file name from config URL:

￮ http://pubber.ru/images/greater/wisdom/file.php|file=config.dll

￮ Everything after the ‘|’ goes in the block data

POST data

34

Citadel

• Switch case based on DWORD value:

POST data custom permutation

35

Citadel

• Python:

POST data custom permutation

36

CitadelConfig file decryption

• RC4 key from StaticConfig

• login_key

• 128-bit config XOR key

37

Citadel

• Found in the AES routine:

Extra config key

38

Gameover/P2P

• Command strings used in the P2P protocol:￮ OPTIONS￮ PROPFIND￮ PROPPATCH￮ SEARCH￮ UNLOCK￮ REPORT￮ MKACTIVITY￮ CHECKOUT￮ M-SEARCH￮ NOTIFY￮ SUBSCRIBE￮ UNSUBSCRIBE

Identification

39

Gameover/P2P

• Static peer list￮ Each peer has its own RC4 key

• Connect to P2P network to retrieve config

• Zlib compression

• https://github.com/arbor/zeus_gameover-re

Modifications

40

KINS/VMZeus

• VM based StaticConfig decryption

• Embedded byte code determines which VM handler is executed on which byte of ciphertext

• Embedded opcode handler table

• Each element of bytecode is an index into the handler table

Modifications

41

KINS/VMZeus

• Find the entry to the VM handler:

Identification

42

KINS

• RC4 key is in the StaticConfig but now much harder to decrypt

• Need to replicate the handler sequence by running the bytecode through the handler table

• Leaked KINS source: source/common/configcrypt.cpp

• But handler table order is shuffled by the builder so we must work out the correct order dynamically for each sample

Key extraction

4343

Automation

44

Automation

• As part of sandbox analysis – e.g. cuckoo￮ Process dump￮ Key extraction and data decryption as part of a processing module￮ Analyzer module to perform the retrieval for non-executing samples

• Volatility￮ Key and data extraction from a memory dump￮ https://code.google.com/p/volatility/source/browse/trunk/contrib/

plugins/malware/zeusscan.py

4545

Conclusion

46

Conclusion

• Many successful and widespread variants spawned from Zeus code

• More builders and source code leaked, many variants still being actively developed

• Despite some significant modifications, new variants are incremental

• Tools can be updated relatively easy for modifications

47© Sophos Ltd. All rights reserved.