ZeuS lives!

March 4th, 2011 Tim Posted in Industry News, Kaspersky

A little while ago it became clear that the ZeuS program design had been passed on to the creator of a competing Trojan called SpyEye. Now everyone is waiting to see when these two spyware programs combine to create a monster. The author of SpyEye will most probably extract the most valuable parts of ZeuS and implement them in SpyEye. Some researchers have already found a piece of ZeuS code in a SpyEye sample.

Section of SpyEye code identical to that in ZeuS

We didn’t expect new modifications of ZeuS to appear after it had been transferred to the new owner. Of course, we are still seeing a steady stream of ZeuS samples, but virtually all of them are well-known versions of the malicious program. The new variants are usually the result of rebuilding, which can be carried out with minimum fuss using programs known as ZeuS Builder kits. But from time to time I come across some rather unusual variants of the Trojan, and I now have very good reason to believe that ZeuS is still, to some extent, being maintained and developed.

Two months ago we noted that ZeuS had new functionality: it was checking to see if it was being launched on a test platform, e.g. in the sandbox of a research company. The launch of the Trojan was stopped if there were signs that it was being executed in an environment set up to analyze its behavior.

Here is an example of one such check – ZeuS verifies if it is being launched on a VMware system by opening a specific device for that virtual machine:

1st check to see if ZeuS is launched on a VMware virtual machine

2nd check to see if ZeuS is launched on a VMware virtual machine

A few weeks ago a different ZeuS variant appeared that displayed behavior unusual for that family. All the latest variants of ZeuS had used the same algorithm to decrypt a section of their code containing the Trojan’s initial internal settings (the link used to download the configuration file, the traffic encryption key, etc.). In the new, unusual sample there was double encryption. First, the data was decrypted using the standard algorithm, but the address of the configuration file it revealed was fake. The genuine link to the configuration file, which contained the address of the botnet command center, was only revealed by a second decryption.

Below you can see what this looks like in practice. After the first decryption you can see the initial settings (highlighted in green), but the link at the bottom is a fake. The real link is hidden in the area highlighted in red that only appears after the second decryption.

Decryption section of primary data

A few days ago I found a ZeuS sample that also checks if it is being analyzed, for example, by antivirus companies. The functionality is basically the same but with minor modifications – another criterion for detecting a new test platform had been added.

In this variant of ZeuS there are also modifications to the structure in pieces of code, which had remained unchanged for over 6 months and been used in thousands of samples of the Trojan.

Modifications to a previously unchanged piece of ZeuS code

The changes to the code show that the sample was created using a new, recompiled version of the ZeuS Builder.

Functionality that is capable of detecting a test platform is unique. It looks like it was probably added to the standard ZeuS functionality as an optional extra. This suggests that technical support is still available for the last few VIP clients using ZeuS.

So, what exactly do we have here: the death throes of a ‘god’ or a reawakening? Maybe ZeuS will become less widespread, more exclusive, for a chosen few instead of the masses. No doubt, time will tell…


Malware in the Android Market, part 2

March 3rd, 2011 Denis Posted in Industry News, Kaspersky

Yesterday my colleague Tim Armstrong wrote about the malware outbreak in the Android Market. In short, a number of legal apps were trojanized and uploaded to the Android Market. Let’s take a closer look into one of them.

As mentioned earlier, all the malicious apps we’ve seen so far used the same exploits, which are detected by Kaspersky as Exploit.AndroidOS.Lotoor.g and Exploit.AndroidOS.Lotoor.j. Both are well known and work on all Android OS versions prior to 2.3. This means that anyone running Gingerbread (Android 2.3) should be protected from these exploits.

So what exactly do these Trojans steal? Apparently, the attacker was keen on obtaining IMSI and IMEI numbers. Besides these, the Trojans also harvest information about the operating system and device type.

Here’s how the theft happens: inside the code there is an encrypted data block which is exactly 45 bytes in size. This block is encrypted using a simple XOR algorithm with a special key, which is stored in another data block called “KEYVALUE”. If you are curious, here’s how the decryption subroutine looks:

    public static void crypt(byte abyte0[])
    {
        int i = 0;   // index into KEYVALUE; wraps back to 0 at keylen
        int j = 0;   // index into the buffer, which is decrypted in place
        do
        {
            int k = abyte0.length;
            if(j >= k)
                return;                       // whole buffer processed
            byte byte0 = abyte0[j];
            byte byte1 = KEYVALUE[i];          // KEYVALUE and keylen are static fields defined elsewhere in the class
            byte byte2 = (byte)(byte0 ^ byte1); // XOR the data byte with the current key byte
            abyte0[j] = byte2;
            i++;
            int l = keylen;
            if(i == l)
                i = 0;                        // wrap the key index (repeating-key XOR)
            j++;                              // not part of the if: runs on every iteration
        }
        while(true);
    }
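As an added example (not code from the post or from the Trojan itself), here is a Python port of the decompiled crypt routine so the scheme can be reproduced offline. KEYVALUE and the 45-byte block are constructed stand-ins, not values from the real sample, and recover_key is an analyst helper added here to show why a fixed XOR key offers no protection once any keylen bytes of plaintext are known.

```python
# Added example: Python port of the decompiled Java `crypt` loop above.
# KEYVALUE is a constructed stand-in for the app's key block (assumption),
# and BLOCK is constructed plaintext, not data recovered from the Trojan.

KEYVALUE = b"\x7a\x13\xf0\x2c\x9b\x55"
keylen = len(KEYVALUE)

# Constructed 45-byte block, the same size the post reports for the real one.
BLOCK = b"constructed sample block, not real data (45B)"


def crypt(buf: bytearray) -> bytearray:
    """In-place repeating-key XOR, mirroring the decompiled loop.

    The key index i wraps to 0 when it reaches keylen, so byte j is XORed
    with KEYVALUE[j % keylen]. XOR is its own inverse, so the same call
    both encrypts and decrypts.
    """
    i = 0
    for j in range(len(buf)):
        buf[j] ^= KEYVALUE[i]
        i += 1
        if i == keylen:
            i = 0
    return buf


def recover_key(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Analyst helper (added here): with keylen bytes of known plaintext,
    c ^ p == k at every position, so the key falls straight out."""
    if min(len(ciphertext), len(known_plaintext)) < keylen:
        raise ValueError("need at least keylen bytes of ciphertext and plaintext")
    return bytes(c ^ p for c, p in zip(ciphertext[:keylen], known_plaintext[:keylen]))


def demo():
    """Encrypt the constructed block, decrypt it with the same routine,
    and recover the key from the ciphertext/plaintext pair."""
    enc = crypt(bytearray(BLOCK))   # encrypt
    dec = crypt(bytearray(enc))     # decrypt with the identical routine
    return bytes(enc), bytes(dec), recover_key(bytes(enc), BLOCK)
```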


CeBIT 2011

March 3rd, 2011 Tim Posted in Industry News, Kaspersky

Hello everybody from CeBIT, one of the most important IT events in the world, hosted in the nice city of Hannover.

Such an important event deserves our best, so as many as five virus analysts have been on hand, mostly helping the press understand some of the emerging threats we are facing today. You can follow our Roundtable on Corporate Malware Trends here.

However, I would say what attracted everybody to our booth was the impressive Ferrari F1 car in it!

An amazing simulator was also available for you to try beating Fernando Alonso and Felipe Massa. As a side note, I would say I totally failed.


Malware in the Android Market

March 2nd, 2011 Tim Posted in Industry News, Kaspersky

Every day, we see more reports about malware in the Android Market. This time three developers known as MYOURNET, Kingmall2010, and we20090202, possibly the same person, were offering a number of Android apps for free download.

Many, if not all, of the apps were trojanized copies of legitimate apps from other developers.

I downloaded one app in particular, called Super Guitar Solo. Upon reviewing the app, I found it contains the popular “rage against the cage” root exploit commonly used to “root” Android phones and gain superuser privileges. As any Linux guru will tell you, once you have superuser rights, you have full, administrator-level access to the phone’s operating system. In this case the exploit is launched without the owner’s consent.

So what is the purpose of this Trojan? The application will attempt to gather product ID, device type, language, country, and userID among other things, and then upload them to a remote server. Unlike most of the other samples seen so far, there is no attempt at sending or receiving premium rate SMS messages.

This discovery is important because up until now most Android malware has been found outside the Android Market, where a number of special steps have to be taken in order to infect a phone. In this case, users are even able to install from the web with the new Android Market format. We have previously talked about this here: The Dark Side of the new Android Market

It’s also interesting to point out that, just as our researchers predicted last year, the cybercriminals have started taking advantage of jailbreaking tools as mentioned here: The Dangers of Jailbreaking

One of the important observations here is that these are likely not the only live malware samples in the Android Market. Kaspersky recommends that you always check all the permissions an application requests at install time. This also highlights the dangers of jailbreaking or rooting your devices. This particular root exploit has been detected by Kaspersky as Exploit.AndroidOS.Lotoor.g and Exploit.AndroidOS.Lotoor.j since February 1st, so if you are a Kaspersky Mobile Security user, you are already protected.

Kaspersky will continue to examine this sample and update with any future information.

UPDATE: Google has now removed the malicious apps and the corresponding download page from the Android Market.