The RSA Research Lab investigates and monitors a large number of malicious cybercrime servers operating in the wild. One of the Lab’s most significant findings was kept under wraps while the Research team investigated its server side and the general background of the gang standing behind this clandestine control center.
What our researchers discovered was nothing less than the robust mercenary workings of a virtual heist machine, one that has been operational on an ongoing basis, harvesting and stealing financial data from hundreds of thousands of infected users all over the world. The tool of choice: Zeus v2.1, the most advanced variant of Zeus to date. The end result: endless logs of compromised financial data and untold numbers of wire-fraud transactions.
A Privately Developed Zeus Upgrade
Unlike the large majority of banking Trojans, the Zeus Trojan has always been a commercial code, sold by its creator to those who could afford an advanced fraud tool and understood how to use it. With time, Zeus became the most infamous and most widely propagated Trojan in cybercrime history. In October 2010, nearly one year ago, the bequeathing of the Zeus Trojan’s source code by its owner “Slavik” to his then biggest rival, the SpyEye Trojan’s coder (“Harderman”), united the future of two giant commercial codes, and a Zeus-faced wildcard was thrown into the game when its entire source code was leaked in March 2011.
But nearly two months before the code ‘merger’ was even announced, RSA researchers were already looking at a rather special upgrade of the Zeus Trojan: Zeus v2.1. This surprising and rare new version included some of the most sophisticated additions to the Zeus code seen in recent times, making it more impervious and hardened, and thus shutting out a lot of potential interference with this variant’s configuration and its communication patterns.
At the time (early September 2010), our team was in possession of a single variant of this upgrade and was not yet entirely sure what it represented. The interesting part of the upgrade was its low propagation numbers and the time it took for the Lab to see more of it in the wild. True Zeus v2.1 variants were not being sold in underground forums. These two initial observations already suggested that the new upgrade was the property of one cybercriminal or a single cybercrime gang.
Within six months, Zeus v2.1 was being detected more and more often, and although the number of variants kept growing, the trigger list in each and every one of them was identical – a rare case for Zeus variants, where each operator normally updates his own list of triggers. This was the third sign pointing to a single operations team behind Zeus v2.1.
June 2011 – a sharp peak in Zeus v2.1 attacks resulted from the propagation of hundreds of variants of this upgraded version. To date, the RSA Research Lab has detected 414 different variants, and yet each and every variant still goes after the exact same trigger list. At this point it was clear that Zeus v2.1 belongs to one gang who had the Zeus source code well before the merger, well before the code leak, and before anyone even imagined what would become of Zeus.
This gang developed their own Zeus Trojan using the Zeus source code and its core framework; this gang operates Zeus v2.1 without sharing their malevolent creation with outsiders.
Zeus v2.1 Has its Own Techniques
Beyond the actual upgrade of the Trojan code, the new Zeus v2.1 behaved in a new way, unlike that observed in other Zeus variants. Unlike other advanced Trojans that contact the mothership through reverse proxies, fast-flux networks, or their own botnet acting as proxies, Zeus v2.1 never communicates directly with the mothership.
This special variant further uses another obfuscation technique for cases where it fails to find a live update point. In order to make sure the botnet always ‘calls home’, Zeus v2.1’s operators programmed a randomized, on-the-fly domain name generator, based on a constant algorithm that the Trojan’s configuration dictates. The algorithm creates 1,020 domain names (URLs) per day. Each new and unique domain name is a string of letters. The suffix “/news” or “/forum” follows the domain name when it is used for the Trojan’s update and drop communications.
The cybercriminal operations team behind the scenes has the same algorithm. They know exactly when the whole botnet will attempt to communicate with a specific new domain name, and then simply go and buy that domain name, hosting each one through facilities located all over the world. At that point, the whole botnet queries the new domain with a request for the update file – and receives it – and the C&C queries its bots for the stolen data they have in store – and receives it. Mission accomplished.
This all happens without anyone outside the gang knowing their algorithm or being able to guess which communication channel they will choose for their botnet next. Even if an external party were to solve the algorithm, they would have to buy the domains before the gang does, thus engaging in a race against time and paying for numerous domain registrations every hour (!). No matter how many domains an adversary buys, the bot masters will eventually buy one and the botnet will end up communicating with it.
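The domain-generation behaviour described above leaves a recognizable trace on the defender's side even when the algorithm itself is unknown: a single host requesting many long, letter-only, high-entropy domains, most of which do not resolve or fail to respond (the gang registers only the one it needs), with the "/news" or "/forum" path appended. The following detector is an added example written for this article, not code from RSA or from the Trojan; it runs over a constructed proxy log (the log format, the client addresses and the domains are all invented here) and flags clients whose requests match that pattern. The entropy and length thresholds and the minimum number of distinct domains per client are assumptions a deployment would tune against its own traffic.

```python
import math
import re
from collections import defaultdict

# Constructed sample proxy log (hypothetical data, not taken from the RSA report).
# Format: "<timestamp> <client_ip> <http_status> <url>"
SAMPLE_LOG = """\
2011-06-01T09:00:01 10.0.0.7 200 http://www.example.com/index.html
2011-06-01T09:00:02 10.0.0.7 502 http://qzkwvbtrlsmjhexd.com/news
2011-06-01T09:00:02 10.0.0.7 502 http://plovnmtbxkjrqwyh.net/forum
2011-06-01T09:00:03 10.0.0.7 502 http://hgtrvmqxkcplbnsu.com/news
2011-06-01T09:00:03 10.0.0.7 200 http://fvbxqmtlzkpwjrnh.org/forum
2011-06-01T09:00:04 10.0.0.7 200 http://mail.example.org/inbox
2011-06-01T09:00:05 10.0.0.9 200 http://www.example.com/about
2011-06-01T09:00:06 10.0.0.9 200 http://news.example.net/news
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\d{3}) https?://([^/\s]+)(/\S*)?$")
# Paths the article says follow the generated domain for update/drop traffic.
UPDATE_PATHS = {"/news", "/forum"}


def shannon_entropy(s):
    """Bits of entropy per character of the string s."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def looks_generated(host, min_len=12, min_entropy=3.5):
    """Heuristic (assumed thresholds): the registrable label is letters only,
    long, and has the near-uniform character distribution of a random string."""
    labels = host.lower().split(".")
    if len(labels) < 2:
        return False
    label = labels[-2]            # label directly under the TLD
    return (re.fullmatch(r"[a-z]+", label) is not None
            and len(label) >= min_len
            and shannon_entropy(label) >= min_entropy)


def find_dga_clients(log_text, min_domains=3):
    """Return {client: {"domains": [...], "failed": n}} for clients that requested
    at least min_domains distinct generated-looking domains on an update path.
    'failed' counts HTTP errors, which are expected when most generated
    domains were never registered."""
    per_client = defaultdict(lambda: {"domains": set(), "failed": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue                      # skip lines that do not match the format
        _ts, client, status, host, path = m.groups()
        path = (path or "/").rstrip("/")
        if path not in UPDATE_PATHS or not looks_generated(host):
            continue
        rec = per_client[client]
        rec["domains"].add(host)
        if int(status) >= 400:
            rec["failed"] += 1
    return {c: {"domains": sorted(r["domains"]), "failed": r["failed"]}
            for c, r in per_client.items() if len(r["domains"]) >= min_domains}


if __name__ == "__main__":
    for client, rec in find_dga_clients(SAMPLE_LOG).items():
        print(f"{client}: {len(rec['domains'])} generated-looking domains, "
              f"{rec['failed']} failed fetches -> {rec['domains']}")
```

On the sample log only 10.0.0.7 is reported: it touched four random-looking domains on "/news" or "/forum" paths and three of the four fetches failed, while 10.0.0.9 visits a legitimate site whose path happens to be "/news" and is left alone. In practice the same logic applies equally to DNS query logs (with NXDOMAIN in place of the HTTP error), and the per-client distinct-domain count is what separates a DGA client from a single odd-looking hostname.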
Figure 1: Zeus v2.1 Domain Randomization (Example)
The communication through the randomized domains generated by the Trojan is directed through a list of legitimate VPS and legitimate cloud services used as proxies. This ruptures any further tracking possibilities of the true motherships which control the immense botnet.
Zeus v2.1’s behavior pattern has never been used in Zeus or SpyEye variants, but it is identical to another Trojan’s sophisticated and long-running operations – Sinowal. A long-standing, privately owned Trojan, operated by an organized cybercrime gang based out of Russia, Sinowal is perhaps one of the most persevering private banking Trojans; one whose nefarious nature has intrigued many security researchers since as early as 2006.
It was initially somewhat surprising to see that Zeus v2.1 was not only a private version of Zeus but also behaves in exactly the same manner as Sinowal, which is similarly held by Russian-speaking cybercriminals. These common denominators raised a logical suspicion that the two share some links, if they are not operated by the same gang altogether.
Behold, a Mothership in the Cloud
The motherships of Zeus v2.1 are somewhat of an enigma, never before detected or traced by security researchers. Nonetheless, in one of its research projects, the RSA Research Lab’s team has managed to finally locate one of the best-concealed C&C servers operating in the wild.
The Lab’s findings have confirmed everything seen in Zeus v2.1’s Trojan configuration and provided a rare glimpse into the workings of a very methodical crime gang. It was no surprise to see that both Sinowal and Zeus v2.1 variants manage to amass and manage staggering numbers of infected bots; their crimeware codes’ tenacious nature and the clever way in which they keep the enemy guessing have been their strongest allies. RSA examined the gang’s server and concluded that it contained over 200GB of filtered compromised financial information: immense by any measure.
Zeus v2.1 – A Rare Server-Side View
Once inside the Zeus v2.1 mothership, RSA researchers were able to confirm that 42% of all infections on this botnet took hold of USA-based machines. Large infection numbers followed for other countries as well; the rest of the top 10 were Spain, Italy, Canada, India, Mexico, France, Russia, the UK and Brazil, all in considerably lower proportions. This massive botnet managed to amass 45,802 newly infected machines in only one day in February 2011!
Some of the most interesting features of this Zeus v2.1 panel exist only for this variant and do not appear in other Zeus control panels. It is once again evident that the gang operating this botnet had their own ideas as to how they wanted their malware to facilitate their crimes.
- Server-Side Trigger List
- VNC + SOCKS5 + Jabber Notification Set Up = MITM. The MiTM trinity: remote access, SOCKS5 and instant messaging are all tools used by fraudsters who commit real-time fraud. These plugins are part of a session hijacking scenario and are rather telling of the type of operations carried out by Zeus v2.1’s perpetrators. What this spells out is manual MiTM.
- Bot Comments
- Botnet Scripts
- “SetHome”: a seemingly innocent script that sets a new home page on all the bots’ internet browsers. This script was executed on batches of tens of thousands of zombie bots. Why so popular? Consider setting up a drive-by-download page and making it the first page every victim opens as soon as they launch Internet Explorer, thus updating the Trojan on those bots.
- Block URL
- Private Key: the private key is a PEM file used for the encryption key of Zeus v2.1’s configuration. Data sent from the mothership to the infected bots is signed using this private key.
- Popular URLs: what are the URLs most often browsed by victims? By logging a list of the most popular URLs, the Trojan’s operator may choose to target a new entity.
- Search Inside Data Log
- Bot Info
Following the investigation into this cybercrime operation, the RSA FraudAction Research Lab has contacted several law enforcement agencies to inform them of these findings.
VPS: Virtual Private Server