Analysis by: Karl Dominguez

 PLATFORM:

Windows 2000, Windows XP, Windows Server 2003


  • Threat Type: Spyware

  • Destructiveness: No

  • Encrypted:

  • In the wild: Yes

  OVERVIEW

Infection Channel: Spammed via email, Dropped by other malware, Downloaded from the Internet

ZEUS variants may be downloaded unknowingly from malicious websites or dropped by other malware onto the systems of unsuspecting users. They may also arrive on a system via spammed messages.

Variants may connect to a remote site to download a configuration file that determines the targeted sites. ZEUS variants also have rootkit capabilities. Upon installation, they create folders with the System and Hidden attributes set to prevent users from discovering and removing their components.

The ZEUS malware family is used for data theft. Variants monitor the user's Web browsing activity, using browser window titles or address bar URLs as triggers for their attack. Variants insert JavaScript code into legitimate banks' web pages. They send the gathered information via HTTP POST to remote URLs. Cybercriminals may then use this information for their malicious activities, either stealing money directly from the victim or selling the information in underground markets.

ZEUS variants are capable of disabling Windows Firewall and of injecting themselves into processes to become memory-resident. They also terminate themselves if certain known firewall processes are found on the system. Variants add registry entries to ensure automatic execution at every system startup.

As mentioned earlier, ZEUS variants are designed for data theft or to steal account information. The account information may come from various sites like online banking, social networking, and e-commerce sites.

  TECHNICAL DETAILS

Memory Resident: Yes
Payload: Connects to URLs/IPs, Steals information

Installation

This spyware drops the following files:

  • %System Root%\Recycle.Bin\Recycle.Bin.exe
  • %System Root%\Recycle.Bin\config.bin
  • {malware folder}\mxwqp.exe

(Note: %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

It drops the following copies of itself into the affected system:

  • %System%\sdra64.exe

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32.)

It creates the following folders:

  • %User Profile%\Application Data\VMware
  • %System Root%\Recycle.Bin

(Note: %User Profile% is the current user's profile folder, which is usually C:\Documents and Settings\{user name} on Windows 2000, XP, and Server 2003, or C:\Users\{user name} on Windows Vista and 7. %System Root% is the root folder, which is usually C:\. It is also where the operating system is located.)

Autostart Technique

This spyware modifies the following registry entry to ensure its automatic execution at every system startup:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Winlogon
userinit = "%System%\userinit.exe, %System%\sdra64.exe,"

(Note: The default value data of the said registry entry is %System%\userinit.exe,.)

Other System Modifications

This spyware deletes the following files:

  • %System%\sdra64.exe
  • %Windows%\SoftwareDistribution\DataStore\Logs\edbtmp.log

(Note: %System% is the Windows system folder, which is usually C:\Windows\System32. %Windows% is the Windows folder, which is usually C:\Windows.)

It adds the following registry keys:

HKEY_CURRENT_USER\SOFTWARE\Microsoft Windows

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
{3446AF26-B8D7-199B-4CFC-6FD764CA5C9F}

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
{4776C4DC-E894-7C06-2148-5D73CEF5F905}

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
{5ECCBACD-C6EF-355D-5A40-82CE4647642B}

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
opera.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
navigator.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
safari.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
chrome.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
userinit.exe

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows\CurrentVersion\Internet Settings\
wiyuwieetq

It adds the following registry entries as part of its installation routine:

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}
{3039636B-5F3D-6C64-6675-696870667265} = "{random values}"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}
{33373039-3132-3864-6B30-303233343434} = "{random values}"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
{43BF8CD1-C5D5-2230-7BB2-98F22C2B7DC6}
{6E633338-267E-2A79-6830-386668666866} = "{random values}"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
{4776C4DC-E894-7C06-2148-5D73CEF5F905}
{3039636B-5F3D-6C64-6675-696870667265} = "{random values}"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
{4776C4DC-E894-7C06-2148-5D73CEF5F905}
{33373039-3132-3864-6B30-303233343434} = "{random values}"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
{4776C4DC-E894-7C06-2148-5D73CEF5F905}
{6E633338-267E-2A79-6830-386668666866} = "{random values}"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
{3446AF26-B8D7-199B-4CFC-6FD764CA5C9F}
{3039636B-5F3D-6C64-6675-696870667265} = "{random values}"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
{3446AF26-B8D7-199B-4CFC-6FD764CA5C9F}
{33373039-3132-3864-6B30-303233343434} = "{random values}"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
{3446AF26-B8D7-199B-4CFC-6FD764CA5C9F}
{6E633338-267E-2A79-6830-386668666866} = "{random values}"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
{5ECCBACD-C6EF-355D-5A40-82CE4647642B}
{3039636B-5F3D-6C64-6675-696870667265} = "{random values}"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
{5ECCBACD-C6EF-355D-5A40-82CE4647642B}
{33373039-3132-3864-6B30-303233343434} = "{random values}"

HKEY_CURRENT_USER\Software\Microsoft\
Windows\CurrentVersion\Explorer\
{5ECCBACD-C6EF-355D-5A40-82CE4647642B}
{6E633338-267E-2A79-6830-386668666866} = "{random values}"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
opera.exe
Debugger = "%Program Files%\Internet Explorer\iexplore.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
navigator.exe
Debugger = "%Program Files%\Internet Explorer\iexplore.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
safari.exe
Debugger = "%Program Files%\Internet Explorer\iexplore.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
chrome.exe
Debugger = "%Program Files%\Internet Explorer\iexplore.exe"

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\
Windows NT\CurrentVersion\Image File Execution Options\
userinit.exe
Debugger = "mxwqp.exe"

HKEY_CURRENT_USER\Software\Microsoft Windows
0000002B3FF26F90 = "{random values}"

HKEY_CURRENT_USER\Software\Microsoft Windows
0000003547893DD5 = "{random values}"

HKEY_CURRENT_USER\Software\Microsoft Windows
0000002FD0CD8A17 = "{random values}"
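The following PowerShell script is an added example and is not part of the Trend Micro write-up. It audits the two persistence locations described above: the Winlogon userinit value, whose default data is %System%\userinit.exe, and which this variant extends with %System%\sdra64.exe, and the Image File Execution Options Debugger values for the five process names listed. It also checks for the dropped files named in the Installation section. The expected-default comparison and the file-presence check are assumptions of the example; run it from an elevated prompt on a suspected host and review any line marked [!].

```powershell
# Added example (not Trend Micro's code): audit the userinit and IFEO
# persistence points and dropped files listed in this ZEUS write-up.
# Assumes the native registry view is the one to inspect (the listed
# platforms are Windows 2000/XP/Server 2003) and an elevated prompt.

$findings = @()

# 1. Winlogon Userinit. Default data is "%System%\userinit.exe,"; the
#    write-up shows ZEUS appending "%System%\sdra64.exe," to it.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$userinit = (Get-ItemProperty -Path $winlogon -Name Userinit -ErrorAction SilentlyContinue).Userinit
$system32 = [Environment]::GetFolderPath('System')   # e.g. C:\Windows\System32
$expected = "$system32\userinit.exe,"
if ($null -eq $userinit) {
    $findings += "Winlogon Userinit value is missing"
} elseif ($userinit.TrimEnd(',').ToLower() -ne $expected.TrimEnd(',').ToLower()) {
    $findings += "Winlogon Userinit modified: '$userinit' (expected '$expected')"
}

# 2. Image File Execution Options. A Debugger value under a process name
#    makes Windows run the named program when that process is launched;
#    the write-up lists four browsers redirected to iexplore.exe and
#    userinit.exe redirected to the dropped mxwqp.exe.
$ifeo = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$targets = 'opera.exe', 'navigator.exe', 'safari.exe', 'chrome.exe', 'userinit.exe'
foreach ($exe in $targets) {
    $key = Join-Path $ifeo $exe
    if (Test-Path -LiteralPath $key) {
        $dbg = (Get-ItemProperty -Path $key -Name Debugger -ErrorAction SilentlyContinue).Debugger
        if ($dbg) { $findings += "IFEO Debugger set for ${exe}: '$dbg'" }
    }
}

# 3. Dropped files from the Installation section (presence check only).
#    Test-Path sees files carrying the Hidden and System attributes.
$paths = @(
    (Join-Path $env:SystemDrive 'Recycle.Bin\Recycle.Bin.exe'),
    (Join-Path $env:SystemDrive 'Recycle.Bin\config.bin'),
    (Join-Path $system32 'sdra64.exe')
)
foreach ($p in $paths) {
    if (Test-Path -LiteralPath $p) { $findings += "Dropped file present: $p" }
}

if ($findings.Count -eq 0) {
    Write-Output 'No ZEUS indicators from this write-up found.'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

A Userinit value that differs from the default, or any Debugger value at all under the listed process names, warrants collecting the referenced binaries before cleanup, since the userinit.exe redirection means the dropped file runs at every logon regardless of which browser is installed.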

Other Details

This spyware connects to the following possibly malicious URLs:

  • http://{BLOCKED}c.com/images/p1.ogg
  • http://{BLOCKED}sound.com/fonts/base61.dat
  • http://{BLOCKED}a.com/commonfiles/newcfg.bin
  • http://{BLOCKED}form.com/cnf/vivi.jpg
  • http://{BLOCKED}xi.cn/nob/arr.76?rnd=-1156698047
  • http://{BLOCKED}xi.cn/nob/arr.76?rnd=-1857025564
  • http://{BLOCKED}xi.cn/nob/arr.76?rnd=-186421436
  • http://{BLOCKED}xi.cn/nob/arr.76?rnd=15495833700
  • http://{BLOCKED}xi.cn/nob/arr.76?rnd=1658221275
  • http://{BLOCKED}xi.cn/nob/arr.76?rnd=703525406