The Zeus malware, a.k.a. Zbot, is a bot that is capable of stealing private and sensitive information including personal passwords and banking information from infected hosts. Its command-and-control (C&C) server can also control the action of its remote bots by sending various command strings, such as updating malware, executing other malware files, and so on.
Recently, we have discovered a new variant of this malware that we are calling Lite Zeus. Aside from being shorter with fewer functionalities, it has several other distinct differences when compared with P2P Zeus (GameOver Zeus), such as network communication, encryption/decryption method, and command-and-control mechanism.
Through our initial analysis, we discovered that this variant uses only TCP communication to send or acquire information from the remote server. The initial server list and packet cipher key are hardcoded in the malware body.
Once the Zeus binary is injected into the explorer.exe process, it would start querying the server list from the initial hardcoded C&C server.
The TCP packets that are sent and received use the following structure:
The following figure shows the request packet that was sent. Here, we can see the payload which contains the local host computer name, GUID, system version, and so on. This is sent to register itself to the remote server.
The following figure shows an example of the response packet that is received.
As we can see in Figure 3 above, the response packet contains three payloads. The third payload (payload index 0x2EE3) is further encrypted. Figure 4 below shows the decrypted version of payload 0x2EE3 which contains the C&C server list.
After acquiring more C&C server URLs, it would start another POST request to all the C&C servers in the list sequentially for module binary data which is a PE file with export functions. The response packet that is received is similar to the one in Figure 3, but with a PE binary file as payload 0x2ee3. The figure below shows an example of the decrypted payload with the PE file.
The PE file that is received contains some export functions which would be compared with the hardcoded strings in the bot's body, and then executed accordingly. The following figure shows these hardcoded strings.
As we can see, the names that are checked are Unint, Init, Exec, Stop, and Start, which are good indicators of what this bot is capable of. With these functions, this new variant of Zeus would be able to perform any malicious activity that the remote controller wants it to.
The following is an example of the code that calls Init, one of these export functions.
Occasionally, the infected host would receive an encrypted packet with command strings. The bot first compares the strings with some hardcoded data and then performs various actions accordingly. The following figure shows an example of a decrypted command string that was received, which is loader_update.
Based on the hardcoded and the encrypted data in the bot's body, we have also found that this Zeus variant is capable of performing other commands, such as os_shutdown, os_reboot, user_execute, mod_exec, bot_update, and so on.
In many other Zeus variants, RC4 has been widely used in data encryption and decryption due to its fast speed and easy implementation. Surprisingly, this Zeus variant does not use RC4, but implements AES-128 instead.
For P2P Zeus, each infected host uses its own peerID to decrypt any incoming packet and the destination peerID to encrypt any outgoing packet. However, this new variant uses a hardcoded 0x10-byte AES key (see Figure 1) to encrypt and decrypt all incoming and outgoing data for all the C&C servers that were returned from the initial server list request.
There are two layers of encryption for this Zeus variant. The actual information would be initially encrypted using a simple byte-to-byte XOR algorithm; the encrypted data is then further encrypted using AES-128. The decryption works exactly the other way around. However, if the received payload contains a C&C server list or PE binary data, the received data is decrypted once more with the AES-128 algorithm using the same hardcoded 0x10-byte key.
Even though it is shorter, this new version of Zeus is capable of performing sophisticated tasks that could cause great harm to the infected host. The PE module and C&C execution mechanism gives this variant high flexibility in that many malicious functions could be downloaded and executed from the remote servers.
Through our initial analysis of Lite Zeus, we have uncovered several differences between this and other variants. We will continue to reverse this malware and monitor its botnet activities to help provide more advanced protection against Zeus.