ZeuS: analysis of a configuration file used to attack online banking

A few days ago a piece of malware spread across the Internet; it belongs to the large family of botnets built with the ZeuS toolkit.

The ZeuS toolkit is software that lets anyone with basic computer knowledge build a group of zombie computers to carry out massive attacks, steal social-network accounts, steal e-mail accounts and, in this case, steal users' information from online banking. Toolkits of this kind are known as crimeware and are offered in underground forums, and even by e-mail, at affordable prices.

The crimeware kit includes the following modules:

        A web interface to manage and control the botnet (ZeuS admin panel).

        A tool that creates the trojanized binaries, which can be encrypted together with a configuration file (Blue box).

        A configuration file (Red box).

        A binary file containing the latest ZeuS version (Green box).

        A webinjects file for advanced users (Yellow box).

 
Online banks immediately began sending notifications to their users, warning them about an alleged update or information request that asked them to sign in to their accounts.

UNAM CERT obtained the configuration file that is loaded into the ZeuS Builder tool (the second item of the crimeware kit listed above) to create the trojanized binary.

The file we received was malformed, so lines had to be added before the Builder would load it. The function of each section is explained below.

1) Static settings. Describes the actions ZeuS performs directly on the infected computer, without injecting other tools or requiring user interaction: stealing passwords stored on the machine, cached data, e-mails, chats and much more. This section also contains the url_config option, which is very important because the dynamic configuration (described below) can be changed through the address it points to.

a. timer_logs. Interval at which logs are uploaded to the server.

b. timer_stats. Interval at which infection statistics are uploaded to the server.

c. url_config. Server URL from which the configuration file is read.

d. encryption_key. Key used to encrypt the communication between the zombie computer and the C&C server.

 
 
2) Dynamic configuration. Covers the actions ZeuS carries out while interacting with the user: for example, automatically downloading a file and executing it on the computer, injecting code into bank pages to steal access credentials, or using man-in-the-middle techniques to inject dynamic content. ZeuS needs a loader URL, where the latest version of the binary is always kept, and a server URL, to which the traffic it captures is sent; the latter is known as the command and control (C&C) server.

a. url_loader. URL hosting the latest version of the ZeuS bot.

b. url_server. C&C server.

c. file_webinjects. Name of the file containing the HTML code to be injected into web pages.

d. AdvancedConfigs. URL(s) where the bot looks for a backup copy of the configuration file.

 
 
 
3) Webfilters. A list of URLs to be monitored in order to capture and steal credentials.


4) TANGrabber. TAN (Transaction Authentication Number) Grabber is a ZeuS feature that lets the botmaster specify bank sites to monitor and the patterns to look for on their transaction pages. ZeuS searches for these patterns and sends what it finds to the C&C server.


5) DNSMap. Redirects requests for specified sites elsewhere. In this case, the author's configuration file redirects all requests to antivirus sites to localhost (127.0.0.1).
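To make these sections concrete, here is an added Python example (not code from the article or from UNAM CERT) that parses a constructed configuration written in a simplified entry/end block layout modelled on the section and key names above, extracts the network indicators a defender would block or hunt for (url_config, url_loader, url_server and the AdvancedConfigs list), and lists the hostnames the DnsMap section pins to 127.0.0.1. The block layout, all sample values and the helper names are assumptions made for this example.

```python
import re

# Constructed sample: a simplified entry/end block layout modelled on the
# section and key names the article describes. All values are placeholders.
SAMPLE_CONFIG = """
entry "StaticConfig"
  timer_logs 1 1
  timer_stats 20 1
  url_config "http://config.example.invalid/cfg.bin"
  encryption_key "placeholder-key"
end

entry "DynamicConfig"
  url_loader "http://loader.example.invalid/bot.exe"
  url_server "http://c2.example.invalid/gate.php"
  file_webinjects "webinjects.txt"
  entry "AdvancedConfigs"
    "http://backup.example.invalid/cfg1.bin"
  end
  entry "WebFilters"
    "*banking.example.invalid/*"
  end
  entry "DnsMap"
    127.0.0.1 www.avvendor-a.invalid
    127.0.0.1 update.avvendor-b.invalid
  end
end
"""

ENTRY_RE = re.compile(r'entry\s+"([^"]+)"')
QUOTED_RE = re.compile(r'"([^"]*)"')
DNSMAP_RE = re.compile(r'(\d{1,3}(?:\.\d{1,3}){3})\s+(\S+)')


def parse_config(text):
    """Parse the block layout into nested dicts.

    Each entry becomes a dict: key/value lines are stored under their key,
    while bare quoted strings (URL lists, filters) and "ip host" lines go
    into the entry's "_items" list.
    """
    root = {"_items": []}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = ENTRY_RE.fullmatch(line)
        if m:                                   # open a nested block
            child = {"_items": []}
            stack[-1][m.group(1)] = child
            stack.append(child)
            continue
        if line == "end":                       # close the current block
            stack.pop()
            continue
        current = stack[-1]
        m = QUOTED_RE.fullmatch(line)
        if m:                                   # bare quoted string
            current["_items"].append(m.group(1))
            continue
        m = DNSMAP_RE.fullmatch(line)
        if m:                                   # DnsMap style: ip hostname
            current["_items"].append((m.group(1), m.group(2)))
            continue
        key, _, value = line.partition(" ")     # plain key/value line
        current[key] = value.strip().strip('"')
    return root


def network_indicators(cfg):
    """URLs a defender would block or look for in proxy and DNS logs."""
    static = cfg.get("StaticConfig", {})
    dynamic = cfg.get("DynamicConfig", {})
    urls = [static.get("url_config"), dynamic.get("url_loader"), dynamic.get("url_server")]
    urls += dynamic.get("AdvancedConfigs", {}).get("_items", [])
    return [u for u in urls if u]


def hosts_pinned_to_localhost(cfg):
    """Hostnames that DnsMap resolves to 127.0.0.1 (in the article's case,
    antivirus sites the infected machine is cut off from)."""
    items = cfg.get("DynamicConfig", {}).get("DnsMap", {}).get("_items", [])
    hosts = []
    for item in items:
        if isinstance(item, tuple) and item[0] == "127.0.0.1":
            hosts.append(item[1])
    return hosts


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print("timers:", cfg["StaticConfig"]["timer_logs"], cfg["StaticConfig"]["timer_stats"])
    print("indicators:", network_indicators(cfg))
    print("DnsMap -> 127.0.0.1:", hosts_pinned_to_localhost(cfg))
```

On a real sample the indicator list is what gets pushed to proxy and DNS block lists, and the DnsMap hostnames are a quick sanity check on an infected host: if its hosts file or resolver answers 127.0.0.1 for those names, the bot's configuration has been applied.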
 
 
The DynamicConfig section contains the subsection file_injects, which references a file called webinjects.txt located in the same directory; this file holds the code that is injected into web pages to steal credentials.

In general, a webinjects file is made up of the following sections:

1) set_url. The page into which the HTML code will be injected.

2) data_before. The text before which the new HTML code is injected.

3) data_after. The text after which the new HTML code is injected.

4) data_inject. The code to inject.

 

A simple example taken from the provided configuration file illustrates the above:


In this case, after the user visits a page matching banking.*/cgi/finanzstatus.cgi* (the * symbol stands for any text or number), the text style="visibility:hidden" is injected between the text "<body" (data_before) and the text ">" (data_after).

 

The provided webinjects file contains 69 code injections targeting the following banks:

 
*.de/portal/portal/*
*bankinter.com*utils.js*
*bankinter.com*gzinflate.js.php*
*bankinter.com/www/es-es/cgi/*+home
http*caixacatalunya*Home*html
*cajaespana.net*
*ruralvia.com/isum/*login*
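The following added Python example, which is not part of the article, shows how an analyst can work with a webinjects file offline, covering both the set_url/data_before/data_after/data_inject layout explained above and the target list just given: it parses a constructed sample (with a data_end line assumed to terminate each data block), matches URLs against the wildcard target patterns, and applies the finanzstatus.cgi rule to a constructed page so its effect can be seen. Two readings are assumed: a pattern may match anywhere in the URL, since most of the listed patterns omit the scheme, and data_inject lands between the data_before text and the data_after text, which is what turns the body tag into a hidden element.

```python
import re

# Constructed sample in a simplified webinjects layout: one rule, with each
# data_* block ending in an assumed data_end line. The target pattern and
# the injected text are the ones the article quotes.
SAMPLE_WEBINJECTS = """
set_url banking.*/cgi/finanzstatus.cgi*
data_before
<body
data_end
data_after
>
data_end
data_inject
style="visibility:hidden"
data_end
"""

# Target patterns listed in the article, in their wildcard form.
TARGET_PATTERNS = [
    "*.de/portal/portal/*",
    "*bankinter.com*utils.js*",
    "*bankinter.com*gzinflate.js.php*",
    "*bankinter.com/www/es-es/cgi/*+home",
    "http*caixacatalunya*Home*html",
    "*cajaespana.net*",
    "*ruralvia.com/isum/*login*",
]


def parse_webinjects(text):
    """Return a list of rules: {set_url, data_before, data_after, data_inject}."""
    rules, current, section, buf = [], None, None, []
    for line in text.splitlines():
        if line.startswith("set_url "):
            current = {"set_url": line.split(None, 1)[1].strip(),
                       "data_before": "", "data_after": "", "data_inject": ""}
            rules.append(current)
        elif line in ("data_before", "data_after", "data_inject"):
            section, buf = line, []             # start collecting a block
        elif line == "data_end" and section and current is not None:
            current[section] = "\n".join(buf)   # close the block
            section = None
        elif section is not None:
            buf.append(line)
    return rules


def wildcard_to_regex(pattern):
    """'*' matches any run of characters; everything else is literal.
    Assumption: the pattern may match anywhere in the URL."""
    return re.compile(".*".join(re.escape(part) for part in pattern.split("*")))


def matching_rules(rules, url):
    """Rules whose set_url pattern fires for this URL."""
    return [r for r in rules if wildcard_to_regex(r["set_url"]).search(url)]


def targeted_patterns(url, patterns=TARGET_PATTERNS):
    """Which of the listed bank patterns a URL would trigger."""
    return [p for p in patterns if wildcard_to_regex(p).search(url)]


def apply_inject(rule, html):
    """Simulate a rule on a page: data_inject is placed between the
    data_before text and the data_after text (assumed semantics). A single
    space is added as separator so the resulting attribute stays readable."""
    start = html.find(rule["data_before"])
    if start < 0:
        return html
    end = html.find(rule["data_after"], start + len(rule["data_before"]))
    if end < 0:
        return html
    return html[:end] + " " + rule["data_inject"] + html[end:]


if __name__ == "__main__":
    rules = parse_webinjects(SAMPLE_WEBINJECTS)
    page = '<html><body class="main"><p>Balance</p></body></html>'
    print(apply_inject(rules[0], page))
    print(targeted_patterns("https://www.bankinter.com/js/utils.js?v=1"))
```

Running the simulation on a saved copy of a bank's login page is a cheap way to confirm what the victim would actually see; matching the organisation's own URLs against the pattern list tells a bank's security team whether it is on the target list without touching the malware.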
 
These files are loaded by the ZeuS builder to create the executable binary.


Webinjects file load.



However, we were not able to complete the creation of the executable because we do not have the web interface.

 

Analyzing the webinjects file

In the webinjects file we found both simple HTML code injections and complex, obfuscated code injections such as the following.

The first HTML code injection targets HSBC, a Mexican bank. The injected code was obfuscated three times to evade detection.

 
 
The first obfuscation layer is turned back into plain text by the call eval(xkxBlu), which evaluates the contents of the xkxBlu variable and executes them. We replaced eval with document.write in order to display the contents of that variable instead of executing them.

The result of this step was a new obfuscated piece of code that builds the xmvEDf variable, which is in turn evaluated and executed with eval(xmvEDf).



Again, eval(xmvEDf) had to be replaced with document.write(xmvEDf) to see the content in plain text.

The final result was the functions in readable form, although their strings were written as hexadecimal codes. The obfuscated code was completely replaced by the plain-text code shown below; the red boxes mark some of the hexadecimal codes written by the author.

 
 
We then checked the content of each code by converting it to ASCII, using a Perl script that turns the hexadecimal codes into ASCII characters.
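As an added Python equivalent of the Perl conversion step described above (this is not the article's script), the following decodes \xHH and \uHHHH escapes, repeats the decoding while nested layers remain, and pulls out the decoded string literals, the URL and document.title checks, and the variables handed to eval() that an analyst would record as indicators. The JavaScript fragment is constructed for the example and is not the real injected code.

```python
import re

# Constructed JavaScript fragment in the style the article describes: the
# strings are written as \xHH and \uHHHH escapes. It is not the real code.
SAMPLE_JS = r'''
var msg = "\x50\x6c\x65\x61\x73\x65\x20\x69\x6e\x73\x65\x72\x74\x20\x79\x6f\x75\x72\x20\x64\x61\x74\x61";
if (location.href.indexOf("\x68\x74\x74\x70\x73\x3a\x2f\x2f\x77\x77\x77\x2e\x62\x61\x6e\x6b\x2e\x69\x6e\x76\x61\x6c\x69\x64\x2f") != -1
    && document.title === "Bank M\u00E9xico - Home") {
    eval(payload);
}
'''

ESCAPE_RE = re.compile(r'\\x([0-9A-Fa-f]{2})|\\u([0-9A-Fa-f]{4})')
STRING_RE = re.compile(r'"((?:[^"\\]|\\.)*)"')
TITLE_RE = re.compile(r'document\.title\s*===?\s*"((?:[^"\\]|\\.)*)"')
EVAL_RE = re.compile(r'\beval\(\s*(\w+)\s*\)')


def unescape_layer(text):
    """Replace every \\xHH / \\uHHHH escape with the character it encodes."""
    return ESCAPE_RE.sub(lambda m: chr(int(m.group(1) or m.group(2), 16)), text)


def unescape_all(text, max_layers=10):
    """Decode repeatedly: the output of one layer may itself contain
    escapes (the nested obfuscation the article describes). The cap keeps
    a pathological input from looping forever."""
    for _ in range(max_layers):
        decoded = unescape_layer(text)
        if decoded == text:
            break
        text = decoded
    return text


def string_literals(js):
    """All double-quoted string literals in the script, fully decoded."""
    return [unescape_all(m.group(1)) for m in STRING_RE.finditer(js)]


def indicators(js):
    """What an analyst records from the decoded script: the URLs it checks
    for, the document.title it expects, and the variables passed to eval()."""
    literals = string_literals(js)
    return {
        "urls": [s for s in literals if s.startswith(("http://", "https://"))],
        "titles": [unescape_all(m.group(1)) for m in TITLE_RE.finditer(js)],
        "eval_targets": EVAL_RE.findall(js),
    }


if __name__ == "__main__":
    for s in string_literals(SAMPLE_JS):
        print(repr(s))
    print(indicators(SAMPLE_JS))
```

Decoding statically, rather than letting the script run and replacing eval with document.write, keeps the analysis machine out of the loop entirely; the eval() targets are still worth listing because each one marks a layer that has to be unwrapped before the next set of literals appears.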
 
 
 
The conversion reveals the texts “Please insert your complete data” and “Thank you very much, the information from your OTP has been received and is in the synchronization process. It is very important, so that the OTP can be synchronized successfully, that you do not try to access your HSBC account within the next 90 minutes. Thank you.”

Moreover, the author validates that the current page is the HSBC site before showing the page. This can be seen in the code location.href.indexOf("https://www.hsbc.com.mx/1/2/!ut/p/kcxml/ and document.title === "HSBC M\u00E9xico - Home Banca Personal por Internet (HUBMIGRATION)".

 
The page is shown below.


Other sites where HTML injection is also being performed to steal information: