top of page

How to bypass Zeus Trojan’s self protection mechanism ~ by Raashid Bhat

Spammers are good when it comes to intimidating users to open the attachment . One of the recent pathetic and cruel one was

Hi

A Person from your office was found dead outside . Please open the picture to see if you know him .

Regards

Attachment is basically a Zip file consisting of an exe file named “image.scr” with a nice mspaint icon .

Quickly opening up in IDA will give us a hint that it is basically a VBpacker. VBPackers usually create a hallow suspended process , overwrite the memory and resume within .

zoc6xton99mw3w.jpg

After successfully unpacking and fixing the dump we get the following output

dnlvu3hvrwfnw_small.jpg

OEP the unpacked binary is enough to tell us that it is a Zeus Banking Trojan . Well this one is a different version of Zeus with self-protection which means unpacked ones wont run . This is usually done to “force” the bot masters to buy a Cryptor service .

If you double click the binary it will not run , It will simply exit. Now lets see where things are going wrong and how to bypass the protection.

For that purpose we will generate an API call Graph made by the unpacked binary to see the exit point of program .

s14beqgu1ljwdw.jpg

4znhlef7zvzvzq_small.jpg

So from this we got an idea that it is reading file buffer and performing some operations on it and now lets see what operation it is performing on it .

Now if we dig deeper we find out the file buffer is read and the some cryptography operations are performed .

36xhidfc9fpytw_small.jpg

And if go inside CheckSelfProtection() function we will observe that this function will RC4 the whole binary buffer with a static encryption key and will search for placeholder “DAVE”

In my case the RC4 Key was

izbd5bk1msjmew_small.jpg

Packer integrity

8pdyuunvwemoa_small.jpg

We can copy that 0x200 byte data from the packer into the overlay of our unpacked file. And if found it goes further on verifying the integrity of that data structure and decodes another payload using a 4 byte XOR key taken from that structure.

The Total size of the data Structure is 0x200 bytes and on the basis size, Installer and injector are decrypted . Let now understand the structure of that0x200 Data Structure.

During installation phase iSizeOfPacket bytes are copied from the data chunk into heap . And then later on used to decode installer subroutine using XOR cipher .

epd3vh9ymokrq.jpg

struct Zeus_packer_overlay

{

DWORD SIGNATURE;

SetBackColor( cRed );

DWORD Crc32HASH;

SetBackColor( cBlue );

WORD iSizeOfPacket;

unsigned int SizeOfDecodedData;

unsigned int Unknown1;

SetBackColor( cRed );

unsigned int XorKey;

}Zeus_Packer_OverLay;

Featured Posts
Recent Posts
Search By Tags
Follow Us
  • Facebook Classic
  • Twitter Classic
  • Google Classic

Subscribe for Updates

Congrats! You’re subscribed

Copyright © 2013,Malware-Analyzer. All rights reserved.

  • LinkedIn App Icon
  • Twitter App Icon
  • Facebook App Icon
  • Blogger App Icon
  • Google Classic
bottom of page