Presentation is loading. Please wait.

Presentation is loading. Please wait.

On the Analysis of the Zeus Botnet Crimeware Toolkit H. Binsalleeh, T. Ormerod, A. Boukhtouta, P. Sinha, A. Youssef, M. Debbabi, and L. Wang Presented.

Published byGabriel Todd Modified over 8 years ago

Similar presentations

Presentation on theme: "On the Analysis of the Zeus Botnet Crimeware Toolkit H. Binsalleeh, T. Ormerod, A. Boukhtouta, P. Sinha, A. Youssef, M. Debbabi, and L. Wang Presented."— Presentation transcript:

1 On the Analysis of the Zeus Botnet Crimeware Toolkit H. Binsalleeh, T. Ormerod, A. Boukhtouta, P. Sinha, A. Youssef, M. Debbabi, and L. Wang Presented by Anh Ho

2 Overview What is Zeus? Who are the Researchers? What did they find? Conclusion Questions?

3 What is Zeus? Botnet for hire “King of the Underground Crimeware Toolkits” – Symantec 3.6 million US infections – Damballa, July 2009 User friendly Interface Competitive price

4 The Researchers National Cyber Forensics and Training Alliance Canada Computer Security Laboratory, Concordia University

5 Command and Control Server Control Panel – PHP scripts to monitor the botnet MySQL Database – Collects the stolen information for the botmaster

6 Different Parts of Zeus Config.txt – Configuration file Webinjects.txt – List of websites and injection rules Config.bin – Encrypted configuration parameters Bot.exe – Malicious binary customized to the C&C server

7 Zeus Builder Building the Configuration File Functionality – Encoding clear text configurations – RC4 encryption Building the Malware Binary File Functionality – Building the customized malware binary – Reads from the config file for parameters Malware Infection Removal Functionality – Determines the presence of Zeus and removes it – Checks specific registry keys and files

8 Files Created During Infection

9 Communications Pattern Infected Client sends a GET /config.bin to the C&C C&C gives the encrypted config.bin file Client Receives and decrypts it – The key is embedded inside bot.exe The bot reports to the C&C through POST /gate.php

10 Communications Pattern Cont.

11 De-obfuscation Process Round 1 – 4 byte decryption key, 1 byte seed – Decrypts a section from Text/Code and writes it into virtual memory

12 De-obfuscation Process Cont.

13 Round 2 – Copies two binary blocks from Text/Code – Concatenates them – Writes it into virtual memory – Fills “holes” or zero bytes with filler text

14 De-obfuscation Process Cont.

15 Round 3 – Decrypts the output of the second de-obfuscation with the 8 byte key by XOR

16 De-obfuscation Process Cont.

17 Round 4 – Uses the previously decrypted bytes to modify the rest of the Text/Code

18 Installation De-obfuscation Transforms arbitrarily long strings into readable text Round 1 – De-obfuscates DLL libraries and function names Round 2 – Decrypts URLs in the configuration file

19 Installation De-obfuscation Cont.

20 Installation Process Loads the LoadLibrary and GetProcAddress from Kernel32.dll Decrypts strings shown before LoadLibrary and GetProcAddress loads more methods from the Windows DLLs Checks the process table for Outpost.exe (Agnitum Security) Checks for zlclient.exe (Zonelabs Internet Security)

21 Installation Process Cont. Appends path – C:/Windows/System32/sdra64.exe to HKEY_LOCAL_MACHINE/SOFTWARE/Microsoft/WindowsNT/CurrentVe rsion/Winlogon/Userinit – Allows for persistence on startup Injects the Zeus binary into the virtual memory of winlogon.exe

22 On First Installation Makes a copy of itself and stores it in: – C:/Windows/System32/sdra64.exe – Evades signature detection by appending random bytes to the end Duplicates the Modification, Access, and Creation times to alter it’s creation date

23 First Installation Cont. Creates a folder at: – C:/Windows/System32/lowsec Two new files: – User.ds Stores the dynamic config file – Local.ds Stores the stolen information until ready to send to the drop location

24 List of Zeus Malware Commands

25 Conclusion Designed a tool for the automated recovery of the encryption key Able to inject falsified information into the botnet in order to defame the business model

26 Questions?

Download ppt "On the Analysis of the Zeus Botnet Crimeware Toolkit H. Binsalleeh, T. Ormerod, A. Boukhtouta, P. Sinha, A. Youssef, M. Debbabi, and L. Wang Presented."

Similar presentations

WordPress Installation for Beginners Sheila Bergman

WordPress Installation for Beginners Sheila Bergman
What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.

What is code injection? Code injection is the exploitation of a computer bug that is caused by processing invalid data. Code injection can be used by.
Introduction to PHP MIS 3501, Fall 2014 Jeremy Shafer

Introduction to PHP MIS 3501, Fall 2014 Jeremy Shafer
Operating System Security : David Phillips A Study of Windows Rootkits.

Operating System Security : David Phillips A Study of Windows Rootkits.
Day 4-1-1 anti-virus 3-3-1.anti-virus 1 detecting a malicious file malware, detection, hiding, removing.

Day anti-virus anti-virus 1 detecting a malicious file malware, detection, hiding, removing.
Automated Web Patrol with Strider Honey Monkeys: Finding Web Sites That Exploit Browser Vulnerabilities AUTHORS: Yi-Min Wang, Doug Beck, Xuxian Jiang,

Automated Web Patrol with Strider Honey Monkeys: Finding Web Sites That Exploit Browser Vulnerabilities AUTHORS: Yi-Min Wang, Doug Beck, Xuxian Jiang,
ZeuS: God of All Cyber-Theft

ZeuS: God of All Cyber-Theft
MOSQUITO BREEDING ATTACK: Spread of bots using Peer To Peer INSTRUCTOR: Dr.Cliff Zou PRESENTED BY : BHARAT SOUNDARARAJAN & AMIT SHRIVATSAVA.

MOSQUITO BREEDING ATTACK: Spread of bots using Peer To Peer INSTRUCTOR: Dr.Cliff Zou PRESENTED BY : BHARAT SOUNDARARAJAN & AMIT SHRIVATSAVA.
DESIGNING A PUBLIC KEY INFRASTRUCTURE

DESIGNING A PUBLIC KEY INFRASTRUCTURE
Security Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to: –Describe the reasons for having system.

Security Internet Management & Security 06 Learning outcomes At the end of this session, you should be able to: –Describe the reasons for having system.
Botnets Abhishek Debchoudhury Jason Holmes. What is a botnet? A network of computers running software that runs autonomously. In a security context we.

Botnets Abhishek Debchoudhury Jason Holmes. What is a botnet? A network of computers running software that runs autonomously. In a security context we.
ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.

ASP.NET 2.0 Chapter 6 Securing the ASP.NET Application.
Operating System & Application Files BACS 371 Computer Forensics.

Operating System & Application Files BACS 371 Computer Forensics.
1 E LECTRICAL E NGINEERING AND C OMPUTER S CIENCES U NIVERSITY OF C ALIFORNIA Berkeley Combating Stealth Malware and Botnets in Higher Education Educause.

1 E LECTRICAL E NGINEERING AND C OMPUTER S CIENCES U NIVERSITY OF C ALIFORNIA Berkeley Combating Stealth Malware and Botnets in Higher Education Educause.
OS and Application Files BACS 371 Computer Forensics.

OS and Application Files BACS 371 Computer Forensics.
Automated Malware Analysis

Automated Malware Analysis
Chapter 9 Collecting Data with Forms. A form on a web page consists of form objects such as text boxes or radio buttons into which users type information.

Chapter 9 Collecting Data with Forms. A form on a web page consists of form objects such as text boxes or radio buttons into which users type information.
MSIT 458 – The Chinchillas. Offense Overview Botnet taxonomies need to be updated constantly in order to remain “complete” and are only as good as their.

MSIT 458 – The Chinchillas. Offense Overview Botnet taxonomies need to be updated constantly in order to remain “complete” and are only as good as their.
Operating Systems Operating System

Operating Systems Operating System
Www.SecurityXploded.com. Disclaimer The Content, Demonstration, Source Code and Programs presented here is AS IS without any warranty or conditions.

Disclaimer The Content, Demonstration, Source Code and Programs presented here is "AS IS" without any warranty or conditions.

Similar presentations

Ads by Google