Thursday, September 9, 2010

A little more love for DEFCON 18

DEFCON featured a number of talks about the Zeus trojan and for good reason. I think it's the most sophisticated mass-use malware ever written.  It can keylog, hoard your credit card numbers and even join you to a global botnet. Fun stuff huh?

It's current known variants are  ZbotPRGWsnpoemGorhax and Kneber.  

It can be very difficult to detect and remove because, every time you infect a machine, the signature changes. It's mass customization for malware!  The full package comes with a command and control php and sql webcenter for managing your unruly botnet as well as software for generating your very own custom malware. How much would you pay for this crystal-clear wonder? $4999? $3999?  Nope it can be yours for the low,low price of $500-$700 on the software black-market. (It should be noted that the latest version may cost you a few thousand).

So why do we care as forensic analysts?  

There are a couple pieces here:

1. It steals credentials and credit card data. Steal enough credit card data and the Feds will be hunting for you. This may lead to a forensic analysis of a host and Zeus is being found in the wild at credit card breaches. (I have it from an excellent source....)

2. Most commercial antivirus scanners will not detect or remove Zeus from an infected machine. These scanners are signature based (for the most part) and as I said before "every time you infect a machine, the signature changes".  

So now what? 

Forensic tools to the rescue!  

There are a number of ways to detect Zeus using a fairly common suite of forensic tools. I am not going to rehash someone elses work here. Kevin Stevens and Don Jackson have a fantastic write up on Zeus and its variants at the SecureWorks website

There is also a forensic breakdown of infected keys and tool usage here.  Really nice job Tyler. Most of this paper is based on results from memory analysis using volatility.

And what blog would be complete without mentioning regripper?  There is a third-party plugin called userinit that was written to find "urlzone" trojans. As a side effect it parses the same hive that the sdra64 binary attaches itself to (userinit).

That's it for me. I'm spending a lot of time studying for the CISSP exam.

Exciting news next post......

Good Luck.