NEWS FROM THE LAB - Wednesday, December 28, 2011

Suo Anteeksi: Polite Variant of ZeuS Posted by ThreatResearch @ 15:45 GMT

There's a run of ZeuS (aka Zbot) trojans currently targeting several Finnish banks, and naturally our Threat Research team has been working on related cases. Interestingly, they've discovered some new ZeuS functionality that hints at SpyEye.

This version of ZeuS 2.x (Zbot.AVRC) has two new commands it will accept: user_activate_imodule and user_restart_imodule.

[Image: Zbot.AVRC Commands]
SHA1: bf4fc1fb3bf98e1e783fb974f0b3ba622cd4b267

When it receives the command user_activate_imodule, Zbot.AVRC starts a thread that attempts to load a certain DLL from disk; if the DLL does not exist, it is downloaded from a remote server. The trojan then resolves the addresses of three functions exported by the DLL: TakeBotGuid, Init, and Start. The DLL is then started by creating a thread that runs code from it.

user_restart_imodule simply calls the function named "Start" from the loaded DLL.

It is interesting to see that the names of the functions used from the loaded DLL are the same as those being used by SpyEye trojan components. The names of commands related to this could also be interpreted to refer to SpyEye (imodule = eyemodule?).

The full list of commands for this variant of ZeuS/Zbot.AVRC:

  •  os_shutdown
  •  os_reboot
  •  bot_uninstall
  •  bot_update
  •  bot_bc_add
  •  bot_bc_remove
  •  bot_httpinject_disable
  •  bot_httpinject_enable
  •  fs_path_get
  •  fs_search_add
  •  fs_search_remove
  •  user_destroy
  •  user_logoff
  •  user_execute
  •  user_cookies_get
  •  user_cookies_remove
  •  user_certs_get
  •  user_certs_remove
  •  user_url_block
  •  user_url_unblock
  •  user_homepage_set
  •  user_flashplayer_get
  •  user_flashplayer_remove
  •  user_activate_imodule
  •  user_restart_imodule

Anyone who has seen more than their fair share of ZeuS bots (sorry for them) will notice that two commonly seen commands are not present: the commands for stealing passwords stored by FTP clients (user_ftpclients_get) and e-mail clients (user_emailclients_get).
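As an added triage helper (not part of the original post or of any F-Secure tooling), the following checks a DLL's export table for the TakeBotGuid/Init/Start set that this variant resolves, and looks in an unpacked sample or memory dump for the two imodule commands and for the two commands the post notes are absent. The pefile library and the UTF-16LE check are assumptions of this example.

```python
from __future__ import annotations

# Export names the ZeuS variant resolves from the loaded DLL (named in the post).
IMODULE_EXPORTS = {"TakeBotGuid", "Init", "Start"}
# The two new commands accepted by Zbot.AVRC (named in the post).
IMODULE_COMMANDS = ("user_activate_imodule", "user_restart_imodule")
# Commands the post notes are absent from this variant's command set.
LEGACY_COMMANDS = ("user_ftpclients_get", "user_emailclients_get")


def has_imodule_exports(exports: set[str]) -> bool:
    """True when a DLL exposes the complete TakeBotGuid/Init/Start export set.

    Init and Start alone are far too generic to act on; TakeBotGuid is the
    distinctive name, so all three are required before flagging."""
    return IMODULE_EXPORTS <= set(exports)


def pe_exports(path: str) -> set[str]:
    """Export names of a PE file on disk, via the pefile library (assumed installed)."""
    import pefile  # third-party; only needed for scanning files on disk
    pe = pefile.PE(path, fast_load=True)
    pe.parse_data_directories(
        directories=[pefile.DIRECTORY_ENTRY["IMAGE_DIRECTORY_ENTRY_EXPORT"]])
    entry = getattr(pe, "DIRECTORY_ENTRY_EXPORT", None)
    if entry is None:
        return set()
    return {sym.name.decode("ascii", "replace") for sym in entry.symbols if sym.name}


def command_strings(data: bytes) -> dict[str, list[str]]:
    """Report which imodule commands appear in a dump and which legacy commands are absent.

    Both ASCII and UTF-16LE forms are checked; that the strings might be stored
    as wide characters is an assumption of this example, not something the post states."""
    def present(name: str) -> bool:
        return name.encode("ascii") in data or name.encode("utf-16-le") in data
    return {
        "imodule_commands": [c for c in IMODULE_COMMANDS if present(c)],
        "legacy_commands_absent": [c for c in LEGACY_COMMANDS if not present(c)],
    }


if __name__ == "__main__":
    # Constructed sample buffer (not a real dump) for a stand-alone run.
    sample = b"\x00".join(c.encode() for c in IMODULE_COMMANDS + ("user_url_block",)) + b"\x00"
    print(has_imodule_exports({"TakeBotGuid", "Init", "Start", "DllMain"}))
    print(command_strings(sample))
```

A DLL matching has_imodule_exports together with a bot whose strings show both imodule commands and neither legacy command fits the Zbot.AVRC profile described above; either signal on its own deserves a closer look rather than an automatic verdict.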

Another notable detail of this ZeuS run is the quality of the Finnish used.

Here's an example:

[Image: Zbot.AVRC Error Message]

After a customer has started their banking session, they'll be prompted by this message:

"Suo anteeksi, teknillinen palvelu tietää virheestä ja korjaa sitä."

This basically translates to something like: we're sorry, there's an error and we're working to fix it.

And while the grammar is really rather good, the tone is a bit… odd. Native Finnish speakers say that the sentence sounds something like "we beg your pardon, but there has been an error" et cetera. It's a little too polite for an error message.

We speculate the bank trojan gang outsourced their localization to professional translators, but didn't provide quite enough context.

Analysis by — Mikko ja Mikko