Since its emergence in 2007, ZBOT (also known as ZeuS) has become one of the most prevalent botnets and widely distributed banking Trojans. This malware family is widely known as a notorious credential stealing toolkit. It uses form-grabbing through web injection to steal user credentials from legitimate websites. It also has the capability to send out screenshots to bypass on-board keyboard authentications.

At the AVAR conference in Sydney, I discussed how to decrypt the configuration files associated with ZBOT, which is helpful in carrying out investigation into ZBOT-related activities.

The Evolution of ZBOT

Over the years, we have seen countless changes to this Trojan. These changes include improved methods of propagation, infection, and evasion.

For example, we saw ZBOT variants with the ability to self-propagate—a marked departure from its typical methods of arrival. Late last year, we made a connection between ZBOT and another notorious malware, Cryptolocker. We’ve also seen ZBOT variants that disable online banking security software in order to aid information theft.

ZBOT variants have been known to display behavior that might seem “out of character” for the malware. We have seen ZBOT malware whose main goal was income generation via pay-per-click model. The phrase “out of character” could also be applied to ZBOT variants that teamed up with file infectors.

ZBOT variants have also tried to change some of their underlying behavior to evade detection, including the use of random headers and different file extensions and changes to their encryption.

In addition, the way it connects to C&C servers has evolved over the years. New methods like the use of Tor or peer-to-peer networks have been seen as well.

The Importance of Configuration Files

The ZeuS toolkit lets an attacker easily configure servers and target banking websites using encrypted configuration files. From a security vendor or researcher’s perspective, gaining access to these files is important, as they can contain important data related to a particular campaign.

For example, the data found in configuration files can be used for identifying botnet administrators behind a ZeuS malware campaign.

Decrypting ZeuS Configuration Files

Because of this, we came up with a system that automates the decryption of ZeuS configuration files. This system extracts important data found in the configuration files and stores it in our database. The stored data can then be used later for correlation and, as mentioned earlier, for identifying the botnet administrators behind a ZBOT malware campaign.

We grouped the samples we collected by ZBOT variant and the RC4 keys used to decrypt the downloaded configuration file. RC4 keys are generated from the encryption keys when creating a bot using the ZeuS builder.

Configuration files consist of a static configuration and a dynamic configuration. Together these contain information such as the string that identifies the owner of the bot, the list of targeted URLs, and the scripts used for form-grabbing.

Based on the behavior of ZBOT malware samples, there are four main steps we need to accomplish to successfully automate decryption of the downloaded configuration file:

1. Unpack the ZBOT malware

2. Decode the static configuration

3. Get a copy of the encrypted dynamic configuration

4. Decode the dynamic configuration
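As an added example (not the post's own tooling), the last of the four steps together with the RC4-key grouping described above, in Python: decrypt a downloaded dynamic configuration with the RC4 key recovered from the unpacked bot, reject output that does not look like plaintext (a wrong or unsupported key), and group samples by key. The keys, configuration text and blob layout are constructed for illustration; real variants may add further transforms on top of RC4 that this code does not model.

```python
from collections import defaultdict
from typing import Dict, List, Optional, Tuple


def rc4_keystream(key: bytes):
    """RC4 key scheduling (KSA) followed by the PRGA keystream generator."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same operation encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def decrypt_config(rc4_key: bytes, blob: bytes) -> Optional[bytes]:
    """Decrypt a downloaded config blob; None means the key did not fit.
    A decrypted config is text, so a mostly non-printable result signals
    a wrong key or a variant whose encryption this module does not handle."""
    plain = rc4_crypt(rc4_key, blob)
    printable = sum(32 <= b < 127 or b in (9, 10, 13) for b in plain)
    return plain if plain and printable / len(plain) > 0.9 else None


def group_by_key(samples: List[Tuple[str, bytes, bytes]]) -> Dict[str, List[str]]:
    """Map RC4 key (hex) -> sample ids whose config decrypts under that key.
    Samples sharing a key came from the same builder settings: the pivot used
    to link campaigns to one bot administrator."""
    groups: Dict[str, List[str]] = defaultdict(list)
    for sample_id, key, blob in samples:
        if decrypt_config(key, blob) is not None:
            groups[key.hex()].append(sample_id)
    return dict(groups)


# Constructed sample data: two bots built with one key, a third with another.
KEY_A = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
KEY_B = bytes.fromhex("00112233445566778899aabbccddeeff")
CONFIG_A = b"botnet=constructed_campaign\nurl=https://bank.example/login\n"
CONFIG_B = b"botnet=other_campaign\nurl=https://shop.example/pay\n"
SAMPLES = [
    ("sample-1", KEY_A, rc4_crypt(KEY_A, CONFIG_A)),
    ("sample-2", KEY_A, rc4_crypt(KEY_A, CONFIG_A)),
    ("sample-3", KEY_B, rc4_crypt(KEY_B, CONFIG_B)),
]
```

Running `group_by_key(SAMPLES)` yields two groups, one per key, with sample-1 and sample-2 sharing the first.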

Conclusion

We found that our system has a 79.44% success rate in decrypting the configuration files of known ZBOT variants, out of 905 identified samples. For the remaining 20.55%, we still lack the modules needed to fully decrypt their configuration files.

Having a system that automatically decrypts the configuration files of ZeuS binaries can be helpful in investigating the active administrators of a ZeuS botnet. But of course, the information acquired from decrypted configuration files is worthless unless we correlate it with information from other systems.

For example, an investigation targeting a cybercriminal or cybercrime group can start by looking for active bot administrators that have been using the same RC4 key. The information also indicates which banking websites are usually targeted by the ZBOT malware.