Configuration File Details of Trojan.Zbot.B 

Nov 01, 2010 01:25 AM

As my colleague Kazumasa Itabashi outlined in an earlier blog, Trojan.Zbot.B, a.k.a. the Zeus botnet, attempts to download files from URLs whose random-looking domain names the Trojan generates from the system time.

When it accesses these domains with a path of /news/?s=[NUMBER], it downloads a configuration file, which is also digitally signed. The downloaded file looks like this:

Because the configuration file is encrypted, we first have to decrypt it: apply RC4, then XOR the buffer byte-wise from bottom to top, each byte with the byte that precedes it. Once decryption and de-obfuscation have been applied, the contents of the configuration file become a little clearer. The content now looks like the following:
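The two decoding steps just described, written out as an added example (this is not Symantec's tooling and not the Trojan's own code): a plain RC4 implementation and the bottom-to-top XOR pass, plus the inverse top-to-bottom pass that is only needed to build a constructed sample blob. The RC4 key used here is a placeholder; the real key lives in the bot binary and is not given in this post.

```python
# Added example: decode a Trojan.Zbot.B configuration blob as described above.
# Step 1: RC4 with the bot's key. Step 2: XOR each byte, working from the end
# of the buffer back to the start, with the byte that precedes it.
# PLACEHOLDER_KEY is a constructed value, not the key of any real sample.

PLACEHOLDER_KEY = b"constructed-placeholder-key"


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA); encryption and decryption are the same op."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # keystream generation
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_unchain(buf: bytes) -> bytes:
    """Bottom-to-top pass: buf[i] ^= buf[i-1]. Walking from the end means the
    preceding byte is still in its obfuscated form when it is used, which is
    what makes this the inverse of a top-to-bottom chaining pass."""
    b = bytearray(buf)
    for i in range(len(b) - 1, 0, -1):
        b[i] ^= b[i - 1]
    return bytes(b)


def xor_chain(buf: bytes) -> bytes:
    """Inverse of xor_unchain (top-to-bottom); only needed to build test data."""
    b = bytearray(buf)
    for i in range(1, len(b)):
        b[i] ^= b[i - 1]
    return bytes(b)


def decode_config(blob: bytes, key: bytes) -> bytes:
    """RC4 first, then the XOR pass: the order the post describes."""
    return xor_unchain(rc4(key, blob))


def encode_config(plain: bytes, key: bytes) -> bytes:
    """Reverse order; used here only to produce a constructed sample blob."""
    return rc4(key, xor_chain(plain))


# Constructed sample: not a real configuration file, just enough to show that
# readable text is unrecognisable on the wire and comes back after decoding.
SAMPLE_PLAIN = b"https://bank.example/login\x00https://mail.example/\x00"
SAMPLE_BLOB = encode_config(SAMPLE_PLAIN, PLACEHOLDER_KEY)

if __name__ == "__main__":
    print("encoded:", SAMPLE_BLOB.hex())
    print("decoded:", decode_config(SAMPLE_BLOB, PLACEHOLDER_KEY))
```

The order matters: RC4 is applied to the file as downloaded, and the XOR pass runs over the RC4 output. Running the XOR pass from the top instead of the bottom would use already-decoded bytes as the XOR operand and produce garbage, which is the usual mistake when re-implementing this step.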

Despite being decrypted and de-obfuscated, the file content still appears jumbled. Many strings are split into separate pieces and some seem to be missing parts, while others look intact. In fact, the configuration file is not a single contiguous text file but a structured binary data file: a file header followed by multiple configuration blocks, each of which holds records.

At file offset 14h, the double word value 8FF9h specifies the size of the configuration data, but the actual size of this sample file is 90FDh. The difference of 104h bytes is the digital signature at the bottom of the file: a four-byte value giving the length of the digitally signed message digest, followed by the digest itself, which takes 100h bytes.

The first configuration block starts at file offset 30h. Each block is at least 10h bytes long; the length of a block is the double word value at block offset 0Ch plus 10h. In the image above, I have highlighted the borders of the blocks in red. Whether a block is compressed or not is indicated by the least significant bit of the fourth byte of the block; according to that bit, the block starting at file offset 1A9h is compressed. Trojan.Zbot.B accepts text as well as binary commands. Since this configuration file is the binary version, used for monitoring and injecting into a web browser, I will explain the commands it contains.

Each configuration block may contain one or multiple records. Trojan.Zbot.B reads a block and executes commands defined by the record(s) in the block from top to bottom in a loop until it reaches the end of the configuration file.

Each record has the following format:

Double word: record size – Word: command – variable length of data

For example:

  • 0000: Definition of strings (URLs to monitor); the data begins with a word holding the string ID
  • 0001: Definition of URL
  • 0004: Condition for HTML injection
  • 0008: Body of injected HTML
  • 0010: Condition of HTML data capture
  • 0020: Text representation of captured HTML data


This is a sample of command 0000:

A record can contain more than one string. In all, we have seen 47 records in the configuration files that we have downloaded. The records contain URL strings targeting a range of financial institutions and well-known websites, for which the Trojan will monitor and collect data.
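A walker for the layout described in the preceding paragraphs (file header, 104h-byte signature trailer, block headers with their compression bit, and the size/command/data records inside each block), as an added example that is not Symantec's tooling or the Trojan's code. It expects bytes that have already been decrypted and de-obfuscated. Two details the post does not state are assumptions here, marked as such in the code: a record's size field counts the whole record including its own six-byte header, and the strings following the string ID of command 0000 are NUL-terminated. The compression scheme is not named in the post, so compressed blocks are reported but not unpacked. It also goes slightly beyond the text by rejecting truncated files and bad size fields, which is what you want when the same code later runs over configs pulled from many domains.

```python
# Added example: walk header, blocks and records of a Trojan.Zbot.B config
# file (already decrypted/de-obfuscated) using the layout given above.
# Items marked ASSUMPTION are not stated in the post.
import struct

HEADER_SIZE = 0x30      # first configuration block starts at file offset 30h
BLOCK_HDR = 0x10        # every block has at least 10h bytes
SIZE_FIELD_OFF = 0x14   # double word giving the size of the configuration data
SIG_LEN_FIELD = 4       # double word holding the signature length ...
SIG_LEN = 0x100         # ... which is 100h bytes; 4 + 100h = the 104h difference

COMMANDS = {
    0x0000: "string definitions (URLs to monitor)",
    0x0001: "URL definition",
    0x0004: "HTML injection condition",
    0x0008: "injected HTML body",
    0x0010: "HTML data capture condition",
    0x0020: "captured HTML data (text)",
}


def parse_header(data: bytes) -> int:
    """Return the end offset of the configuration data (value at 14h) after
    checking that exactly the 104h-byte signature trailer follows it."""
    if len(data) < HEADER_SIZE:
        raise ValueError("file shorter than the 30h-byte header")
    data_end = struct.unpack_from("<I", data, SIZE_FIELD_OFF)[0]
    if data_end < HEADER_SIZE or len(data) - data_end != SIG_LEN_FIELD + SIG_LEN:
        raise ValueError(f"trailer is {len(data) - data_end:#x} bytes, expected 0x104")
    if struct.unpack_from("<I", data, data_end)[0] != SIG_LEN:
        raise ValueError("signature length field is not 100h")
    return data_end


def iter_blocks(data: bytes, data_end: int):
    """Yield (offset, compressed, body) for each block between 30h and data_end.
    Block length = dword at block+0Ch plus 10h; LSB of byte block+3 = compressed."""
    off = HEADER_SIZE
    while off < data_end:
        if off + BLOCK_HDR > data_end:
            raise ValueError(f"truncated block header at {off:#x}")
        compressed = bool(data[off + 3] & 1)
        body_len = struct.unpack_from("<I", data, off + 0x0C)[0]
        end = off + BLOCK_HDR + body_len
        if end > data_end:
            raise ValueError(f"block at {off:#x} runs past the data area")
        yield off, compressed, data[off + BLOCK_HDR:end]
        off = end


def iter_records(body: bytes):
    """Yield (command, payload) from an uncompressed block body: dword size,
    word command, data. ASSUMPTION: size includes the 6-byte record header."""
    off = 0
    while off < len(body):
        if off + 6 > len(body):
            raise ValueError("truncated record header")
        size, command = struct.unpack_from("<IH", body, off)
        if size < 6 or off + size > len(body):
            raise ValueError(f"bad record size {size} at body offset {off:#x}")
        yield command, body[off + 6:off + size]
        off += size


def decode_strings(payload: bytes):
    """Command 0000: word string ID, then strings. ASSUMPTION: NUL-terminated."""
    string_id = struct.unpack_from("<H", payload, 0)[0]
    return string_id, [s.decode("latin-1") for s in payload[2:].split(b"\x00") if s]


def parse_config(data: bytes) -> list:
    blocks = []
    for off, compressed, body in iter_blocks(data, parse_header(data)):
        entry = {"offset": off, "compressed": compressed, "records": []}
        if not compressed:  # compression scheme not given, so leave those bodies alone
            for command, payload in iter_records(body):
                rec = {"command": command, "name": COMMANDS.get(command, "unknown")}
                if command == 0x0000:
                    rec["string_id"], rec["strings"] = decode_strings(payload)
                entry["records"].append(rec)
        blocks.append(entry)
    return blocks


# --- constructed sample (not a real capture) --------------------------------
def build_record(command: int, payload: bytes) -> bytes:
    return struct.pack("<IH", 6 + len(payload), command) + payload


def build_block(body: bytes, compressed: bool = False) -> bytes:
    hdr = bytearray(BLOCK_HDR)            # unspecified header bytes left zero
    hdr[3] = 1 if compressed else 0
    struct.pack_into("<I", hdr, 0x0C, len(body))
    return bytes(hdr) + body


def build_sample() -> bytes:
    block0 = build_block(
        build_record(0x0000, struct.pack("<H", 1)
                     + b"https://bank.example/login\x00https://mail.example/\x00")
        + build_record(0x0001, b"https://bank.example/*\x00"))
    block1 = build_block(b"\xAA" * 12, compressed=True)  # opaque compressed body
    hdr = bytearray(HEADER_SIZE)
    struct.pack_into("<I", hdr, SIZE_FIELD_OFF, HEADER_SIZE + len(block0) + len(block1))
    return bytes(hdr) + block0 + block1 + struct.pack("<I", SIG_LEN) + b"\x00" * SIG_LEN


if __name__ == "__main__":
    for block in parse_config(build_sample()):
        print(block)
```

The trailer check in parse_header is the same arithmetic as the 90FDh minus 8FF9h comparison above, turned into a consistency test: if the size field and the file length do not differ by exactly 104h, the download was truncated or the format has changed, and it is better to stop than to walk blocks off the end of the buffer.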

In my next blog, I will explore another command from the configuration file that will instruct the Trojan to inject HTML code into authentication forms to collect data from unsuspecting users.

A special thanks to Andrea Lelli for his technical assistance.
