Thursday, October 22, 2009

Zbot

Downloaded a sample of "Zbot" from Offensive Computing's site. I'm no reverse engineering guru but decided to give it a go at analysing this nasty piece of malware. Fired up "Regshot" to detect modifications made to my virtual machine.
The following registry keys were added.

HKLM\SOFTWARE\Classes\.exe HKLM\SOFTWARE\Classes\.exe \PersistentHandler HKLM\SOFTWARE\Microsoft\DownloadManager HKLM\SOFTWARE\XTB

Corresponding values that were added.

HKLM\SOFTWARE\Classes\.exe \PersistentHandler\: "{098f2470-bae0-11cd-b579-08002b30bfeb}"
HKLM\SOFTWARE\Classes\.exe \: "exefile"

HKLM\SOFTWARE\Classes\.exe \Content Type: "application/x-msdownload"
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows: "C:\WINDOWS\explorer.exe "
HKLM\SOFTWARE\XTB\httpaddr: "http://server.xyz/drss,jpg"

HKLM\SOFTWARE\XTB\xintr: "1440"

HKLM\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\explorer.exe : "C:\WINDOWS\explorer.exe :*:Enabled:explorer"

HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\AuthorizedApplications\List\C:\WINDOWS\explorer.exe : "C:\WINDOWS\explorer.exe :*:Enabled:explorer"

HKU\.DEFAULT\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\WINDOWS\explorer.exe : "explorer"

HKU\S-1-5-21-299502267-448539723-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ProxyEnable: 0x00000000

HKU\S-1-5-21-299502267-448539723-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\DefaultConnectionSettings: 3C 00 00 00 02 00 00 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 04 00 00 00 00 00 00 00 10 8A 55 3E 84 54 CA 01 01 00 00 00 C0 A8 DC 89 00 00 00 00 00 00 00 00

HKU\S-1-5-21-299502267-448539723-839522115-1003\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections\SavedLegacySettings: 3C 00 00 00 02 00 00 00 09 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

HKU\S-1-5-21-299502267-448539723-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\Documents and Settings\tester\Desktop\malware.exe: "malware"

HKU\S-1-5-21-299502267-448539723-839522115-1003\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\WINDOWS\explorer.exe : "explorer"
HKU\S-1-5-18\Software\Microsoft\Windows\ShellNoRoam\MUICache\C:\WINDOWS\explorer.exe : "explorer"


The following files were added.

C:\WINDOWS\Prefetch\EXPLORER.EXE -2F6C44D8.pf
C:\WINDOWS\Prefetch\MALWARE.EXE-17DA0AE5.pf
C:\WINDOWS\Prefetch\RUNDLL32.EXE-4912BB30.pf
C:\WINDOWS\system32\wbem\Logs\wmiprov.log
C:\WINDOWS\explorer.exe

Files were modified.

C:\Documents and Settings\tester\Cookies\index.dat
C:\Documents and Settings\tester\Local Settings\History\History.IE5\index.dat
C:\Documents and Settings\tester\Local Settings\Temporary Internet Files\Content.IE5\index.dat
C:\Documents and Settings\tester\ntuser.dat.LOG
C:\WINDOWS\system32\config\default.LOG
C:\WINDOWS\system32\config\software
C:\WINDOWS\system32\config\software.LOG
C:\WINDOWS\system32\config\system.LOG

As seen by the registry values added, the malware creates a backdoor into the victim's system. A pop-up was triggered by the malware and by clicking on "Unblock", the hacker has access to the system by adding a permit rule in "Windows Firewall". 2 Explorer processes can be seen from "Task Manager". The malware creates a file "explorer.exe " in "C:\Windows". Note that the fake Explorer does not replace the authentic one native in Windows because the hacker adds a space behind the extension. 2 Explorer processes are seen in "Task Manager" and one of them is the backdoor. "Active Ports" and "netstat" (with the -nab switch) confirm that the backdoor listens on TCP port 113 and UDP port 1025.

The malware requests a fake resource, drss,jpg, from a server presumably controlled by the hacker. This is not a typo as the hacker intentionally uses a comma instead of a fullstop. I hypothesize that the hacker uses this fake request to capture the victim's IP address so that he knows which IP address to connect to.

Besides "0wning" bots, I believe that the hacker is after the victim's surfing history and logs based on the files modified.
Launched "Capture BAT" to verify the findings from "Regshot". "Capture BAT" confirms that the same registry keys and values were added. It also confirms the spawning of the fake Explorer process. The packet capture by "Capture BAT" also confirms the HTTP request to "server.xyz".

No comments:

Post a Comment