Seemingly risky pictures: in-depth analysis of malicious code of Zeus/Zbot online banking Trojan

 

As one of the most notorious online banking Trojans in history, Zeus/Zbot has produced many variants and counterfeits. Of course, the biggest feature of Zeus is its man-in-the-browser behavior ). Based on this, cyber fishermen can collect their personal information without disturbing victims and use it for concealed online transactions. Recently, a new variant came out again. Its name is ZeusVM.

ZeusVM trojan uses images as bait and retrieves configuration files, which is also an important prerequisite for its success. A few weeks ago, French security researcher Xylitol pointed out some strange malicious advertising activities. The most pitfall is that it will obtain the hosted JPG image from the same host.

Later, he told MalwareBytes.org that the new variant uses the "concealed write technology", which disguises malicious data in existing files without damaging the host file.

In the next few weeks, we exchanged several emails and Xylitol found several other similar works. Out of curiosity, we have studied this trick in depth.

For example, what you don't know is that it is a sunset photo, but what you don't know is the "killer" hidden in its beautiful appearance-malicious code used to steal money!

We have many options for image analysis tools. But first, let's find the exact copy of the product ". Then, let's make a careful comparison.

(Thanks to the omnipotent Google and Image Search)

After finding the matching item, we can select an image with the same width and height to start comparison. Then let's put the two images together ......

Did you notice something strange?

Through the comparison in bitmap mode, we can find that there are actually slight differences between the two. This is most likely the result of malicious code injection (additional data ).

Then, let's switch to the hexadecimal viewer-the hidden data is immediately displayed. Of course, this data is not for people. Let's look at the text format again.

We are shocked that in order to prevent reading, this product uses Base64, RC4, and XOR to encrypt the code. Of course, it is also possible to reverse it (such as using the OllyDbg debugger or using the leaked Zeus source code to create a data extraction module ).

The decrypted configuration file is shown above, showing some banks and financial institutions that are targeted by them.

Among these goals, Deutsche Bank is eye-catching. Is the logon page of the row (we will take it as an example ). When a user operates on an infected computer, the trojan begins to play the "man-in-the-middle" trick.

The most hateful thing is that banks cannot tell whether these funds are illegally transferred because the customer is "correctly verified and passed" by the system ".

Of course, this is not the first time we have seen malware embed data in irrelevant files. Not long ago, website security company Sucuri also disclosed "how a seemingly innocent PNG file contains malicious instructions in metadata ".

In this way, hidden malicious code can even bypass signature-based intrusion detection systems and even anti-virus software. Generally, from the perspective of a website administrator, "what is the problem with a picture that can be viewed normally ?"

However, the reality is so cruel and things are so simple. Whether it is a seemingly legal picture, song, or movie file, it may be no! Ann! All! Of! (Difficult to defend)

Interestingly, implicit writing is a very old practice. In ancient Greece, many people were fooled by the real use of lettering on wood and wax seals.

From this point of view, bad people actually do not have much innovation. They just react in a seemingly modern way.

[Compiled from: MalwareBytes. Org, via: @ jeromesegura]