{"id":1411,"date":"2012-10-26T17:11:28","date_gmt":"2012-10-26T17:11:28","guid":{"rendered":"http:\/\/www.hexacorn.com\/blog\/?p=1411"},"modified":"2012-11-06T12:57:56","modified_gmt":"2012-11-06T12:57:56","slug":"zeus-trivia","status":"publish","type":"post","link":"https:\/\/www.hexacorn.com\/blog\/2012\/10\/26\/zeus-trivia\/","title":{"rendered":"Zeus trivia"},"content":{"rendered":"<p><strong>Update<\/strong><\/p>\n<p>After another chat (with @push_pnx, Thanks!), one more clarification &#8211; it appears to be a sample from a Citadel family &#8211; a spinoff from Zeus src code that is developed further by most likely a different programming group.<\/p>\n<p>Interestingly, the distinction between families is not easy as &#8216;Brian Krebs&#8217; string is often associated with Zeus\/Zbot. VirusTotal <a href=\"https:\/\/www.virustotal.com\/file\/c5b70adfa23ae3802e8b51560c64635911869b412cc1e8c1f6e1904334c0abe9\/analysis\/1352205984\/\">scan<\/a> of the sample is associating it with these two as well. Go figure \ud83d\ude42<\/p>\n<p><strong>Update<\/strong><\/p>\n<p>After I posted this entry Twitter chat with Malware Crusaders \u200f@MalwareMustDie (Thanks!) 
allowed me to fill in some blanks, and I also did a bit more code analysis myself, so the entry below is updated with more details.<\/p>\n<p><strong>Old post (with updates)<br \/>\n<\/strong><\/p>\n<p>Looking at one of the recent Zeus samples I noticed the following:<\/p>\n<ul>\n<li>lots of strings decrypted during runtime &#8211; see below<\/li>\n<li>Zeus accepts command line arguments (this has been highlighted previously by Karthik Selvaraj in his 2010 article <a href=\"http:\/\/www.symantec.com\/connect\/blogs\/brief-look-zeuszbot-20\">A Brief Look at Zeus\/Zbot 2.0<\/a>)<\/li>\n<\/ul>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/10\/zeus_1.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-medium wp-image-1412\" title=\"zeus_1\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/10\/zeus_1-300x136.png\" alt=\"\" width=\"300\" height=\"136\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/10\/zeus_1-300x136.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/10\/zeus_1.png 930w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<ul>\n<ul>\n<li>-n &#8211; prevents the dropper&#8217;s self-deletion; this is achieved by not executing the temporary batch file with the following content:<\/li>\n<\/ul>\n<\/ul>\n<p style=\"text-align: center;\"><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/10\/zeus_4.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter  wp-image-1421\" title=\"zeus_4\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/10\/zeus_4.png\" alt=\"\" width=\"172\" height=\"32\" \/><\/a><\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/10\/zeus_51.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-medium wp-image-1423\" title=\"zeus_5\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/10\/zeus_51-300x45.png\" alt=\"\" 
width=\"300\" height=\"45\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/10\/zeus_51-300x45.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/10\/zeus_51.png 967w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<ul>\n<ul>\n<li>-z &#8211; shows a message box with the familiar info on Brian Krebs &#8211; see the screenshot above<\/li>\n<\/ul>\n<\/ul>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/10\/zeus_3.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-full wp-image-1418\" title=\"zeus_3\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/10\/zeus_3.png\" alt=\"\" width=\"353\" height=\"107\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/10\/zeus_3.png 353w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/10\/zeus_3-300x90.png 300w\" sizes=\"(max-width: 353px) 100vw, 353px\" \/><\/a><\/p>\n<ul>\n<ul>\n<li>-v &#8211; starts the VNC server<\/li>\n<li>-f &#8211; as per Symantec, it alters Registry operations (I am not sure how yet); from the code I see that it introduces a call to the Sleep function before a call to the hooked GetFileAttributesExW API, which is executed with the magic values normally used by a bot builder to communicate with a client<\/li>\n<\/ul>\n<\/ul>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/10\/zeus_6.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-full wp-image-1425\" title=\"zeus_6\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/10\/zeus_6.png\" alt=\"\" width=\"277\" height=\"71\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<p>The original Zeus source code refers to the following command line options:<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/10\/zeus_7.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-medium wp-image-1431\" title=\"zeus_7\" 
src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/10\/zeus_7-300x107.png\" alt=\"\" width=\"300\" height=\"107\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/10\/zeus_7-300x107.png 300w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/10\/zeus_7.png 793w\" sizes=\"(max-width: 300px) 100vw, 300px\" \/><\/a><\/p>\n<p>&nbsp;<\/p>\n<ul>\n<li>-i &#8211; provide information about the bot &#8211; this option has been changed to -z in a newer version<\/li>\n<li>-n &#8211; don&#8217;t remove the dropper<\/li>\n<li>-f &#8211; force update of a client disregarding the bot versions (the delay has been added in a newer version)<\/li>\n<li>-v &#8211; run as VNC<\/li>\n<\/ul>\n<p>As it seems, sometimes it&#8217;s easier to just read the source code \ud83d\ude09<\/p>\n<p>Strings decrypted during runtime (good for memory searches &#8211; notice info stealing stuff):<\/p>\n<ul>\n<li>&#8220;Module: %u\\r\\nType: %s\\r\\nTitle: %s\\r\\nInfo: %s\\r\\n&#8221;<\/li>\n<li>&#8220;ERROR&#8221;<\/li>\n<li>&#8220;FAILURE&#8221;<\/li>\n<li>&#8220;SUCCESS&#8221;<\/li>\n<li>&#8220;UNEXPECTED&#8221;<\/li>\n<li>&#8220;UNKNOWN&#8221;<\/li>\n<li>&#8220;rurl&#8221;<\/li>\n<li>&#8220;surl&#8221;<\/li>\n<li>&#8220;furl&#8221;<\/li>\n<li>&#8220;uid&#8221;<\/li>\n<li>&#8220;mask&#8221;<\/li>\n<li>&#8220;post&#8221;<\/li>\n<li>&#8220;extensions&#8221;<\/li>\n<li>&#8220;rules&#8221;<\/li>\n<li>&#8220;patterns&#8221;<\/li>\n<li>&#8220;%tokenspy%&#8221;<\/li>\n<li>&#8220;url&#8221;<\/li>\n<li>&#8220;buid&#8221;<\/li>\n<li>&#8220;ruid&#8221;<\/li>\n<li>&#8220;puid&#8221;<\/li>\n<li>&#8220;session&#8221;<\/li>\n<li>&#8220;data&#8221;<\/li>\n<li>&#8220;get_status&#8221;<\/li>\n<li>&#8220;status&#8221;<\/li>\n<li>&#8220;status_cache_time&#8221;<\/li>\n<li>&#8220;Can&#8217;t compile tokenspy rules.&#8221;<\/li>\n<li>&#8220;fileName=[%S], fileSize=[%u], 
fileCRC32=[0x%08X].&#8221;<\/li>\n<li>&#8220;set_url&#8221;<\/li>\n<li>&#8220;data_before\\r\\n&#8221;<\/li>\n<li>&#8220;data_inject\\r\\n&#8221;<\/li>\n<li>&#8220;data_after\\r\\n&#8221;<\/li>\n<li>&#8220;data_end\\r\\n&#8221;<\/li>\n<li>&#8220;%webinject%&#8221;<\/li>\n<li>&#8220;Can&#8217;t compile webinjects.&#8221;<\/li>\n<li>&#8220;fileName=[%S], fileSize=[%u], fileCRC32=[0x%08X], processedInjects=[%u].&#8221;<\/li>\n<li>&#8220;Webinjects has been compiled.&#8221;<\/li>\n<li>&#8220;result=[%u], fileName=[%S], fileSize=[%u], fileCRC32=[0x%08X], processedInjects=[%u].&#8221;<\/li>\n<li>&#8220;*vmware*&#8221;<\/li>\n<li>&#8220;*sandbox*&#8221;<\/li>\n<li>&#8220;*virtualbox*&#8221;<\/li>\n<li>&#8220;*geswall*&#8221;<\/li>\n<li>&#8220;*bufferzone*&#8221;<\/li>\n<li>&#8220;*safespace*&#8221;<\/li>\n<li>&#8220;*.ru&#8221;<\/li>\n<li>&#8220;*.con.ua&#8221;<\/li>\n<li>&#8220;*.by&#8221;<\/li>\n<li>&#8220;*.kz&#8221;<\/li>\n<li>&#8220;cmd.exe&#8221;<\/li>\n<li>&#8220;powershell.exe&#8221;<\/li>\n<li>&#8220;\\r\\nexit\\r\\n&#8221;<\/li>\n<li>&#8220;\\r\\nprompt $Q$Q$Q$Q$Q$Q$Q$Q$Q$Q[ $P ]$G\\r\\n&#8221;<\/li>\n<li>&#8220;screenshots\\\\%s\\\\%04x_%08x.jpg&#8221;<\/li>\n<li>&#8220;unknown&#8221;<\/li>\n<li>&#8220;image\/jpeg&#8221;<\/li>\n<li>&#8220;Software\\\\Microsoft\\\\Windows\\\\Currentversion\\\\Run&#8221;<\/li>\n<li>&#8220;SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion\\\\ProfileList\\\\%s&#8221;<\/li>\n<li>&#8220;ProfileImagePath&#8221;<\/li>\n<li>&#8220;unknown\\\\unknown&#8221;<\/li>\n<li>&#8220;:d\\r\\nrd \/S \/Q \\&#8221;%s\\&#8221;\\r\\nrd \/S \/Q \\&#8221;%s\\&#8221;\\r\\nrd \/S \/Q \\&#8221;%s\\&#8221;\\r\\nif exist \\&#8221;%s\\&#8221; goto d\\r\\nif exist \\&#8221;%s\\&#8221; goto d\\r\\nif exist \\&#8221;%s\\&#8221; goto d&#8221;<\/li>\n<li>&#8220;videos\\\\%S_%02u_%02u_%02u_(%02u-%02u).webm&#8221;<\/li>\n<li>&#8220;grabbed\\\\%S_%02u_%02u_%02u.txt&#8221;<\/li>\n<li>&#8220;Grabbed data from: %s\\n\\n%S&#8221;<\/li>\n<li>&#8220;%s%s\\nUser-Agent: 
%S\\nCookie: %S\\nAccept-Language: %S\\nAccept-Encoding: %S\\nScreen(w:h): %u:%u\\nReferer: %S\\nUser input: %s\\n%sPOST data:\\n\\n%S&#8221;<\/li>\n<li>&#8220;*EMPTY*&#8221;<\/li>\n<li>&#8220;*UNKNOWN*&#8221;<\/li>\n<li>&#8221; *BLOCKED*&#8221;<\/li>\n<li>&#8220;Content-Type: %s\\r\\n&#8221;<\/li>\n<li>&#8220;ZCID: %S\\r\\n&#8221;<\/li>\n<li>&#8220;application\/x-www-form-urlencoded&#8221;<\/li>\n<li>&#8220;HTTP authentication: username=\\&#8221;%s\\&#8221;, password=\\&#8221;%s\\&#8221;\\n&#8221;<\/li>\n<li>&#8220;HTTP authentication (encoded): %S\\n&#8221;<\/li>\n<li>&#8220;%s:\/\/%s:%s@%s\/&#8221;<\/li>\n<li>&#8220;ftp&#8221;<\/li>\n<li>&#8220;pop3&#8221;<\/li>\n<li>&#8220;anonymous&#8221;<\/li>\n<li>&#8220;Software\\\\Microsoft\\\\Internet Explorer\\\\Main&#8221;<\/li>\n<li>&#8220;Start Page&#8221;<\/li>\n<li>&#8220;Software\\\\Microsoft\\\\Internet Explorer\\\\PhishingFilter&#8221;<\/li>\n<li>&#8220;Enabled&#8221;<\/li>\n<li>&#8220;EnabledV8&#8221;<\/li>\n<li>&#8220;Software\\\\Microsoft\\\\Internet Explorer\\\\Privacy&#8221;<\/li>\n<li>&#8220;CleanCookies&#8221;<\/li>\n<li>&#8220;Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Internet Settings\\\\Zones\\\\%u&#8221;<\/li>\n<li>&#8220;1406&#8221;<\/li>\n<li>&#8220;1609&#8221;<\/li>\n<li>&#8220;Accept-Encoding: identity\\r\\n&#8221;<\/li>\n<li>&#8220;TE:\\r\\n&#8221;<\/li>\n<li>&#8220;If-Modified-Since:\\r\\n&#8221;<\/li>\n<li>&#8220;\\nPath: %s\\n&#8221;<\/li>\n<li>&#8220;%s=%s\\n&#8221;<\/li>\n<li>&#8220;*@*.txt&#8221;<\/li>\n<li>&#8220;Low&#8221;<\/li>\n<li>&#8220;Wininet(Internet Explorer) cookies:\\n%S&#8221;<\/li>\n<li>&#8220;Empty&#8221;<\/li>\n<li>&#8220;*.sol&#8221;<\/li>\n<li>&#8220;Mozilla\\\\Firefox&#8221;<\/li>\n<li>&#8220;user.js&#8221;<\/li>\n<li>&#8220;profiles.ini&#8221;<\/li>\n<li>&#8220;Profile%u&#8221;<\/li>\n<li>&#8220;IsRelative&#8221;<\/li>\n<li>&#8220;Path&#8221;<\/li>\n<li>&#8220;user_pref(\\&#8221;network.cookie.cookieBehavior\\&#8221;, 
0);\\r\\nuser_pref(\\&#8221;privacy.clearOnShutdown.cookies\\&#8221;, false);\\r\\nuser_pref(\\&#8221;security.warn_viewing_mixed\\&#8221;, false);\\r\\nuser_pref(\\&#8221;security.warn_viewing_mixed.show_once\\&#8221;, false);\\r\\nuser_pref(<\/li>\n<li>&#8220;user_pref(\\&#8221;browser.startup.homepage\\&#8221;, \\&#8221;%s\\&#8221;);\\r\\nuser_pref(\\&#8221;browser.startup.page\\&#8221;, 1);\\r\\n&#8221;<\/li>\n<li>&#8220;Mozila(Firefox) cookies:\\n\\n%S&#8221;<\/li>\n<li>&#8220;Empty&#8221;<\/li>\n<li>&#8220;Macromedia\\\\Flash Player&#8221;<\/li>\n<li>&#8220;flashplayer.cab&#8221;<\/li>\n<li>&#8220;*.sol&#8221;<\/li>\n<li>&#8220;Windows Address Book&#8221;<\/li>\n<li>&#8220;SOFTWARE\\\\Microsoft\\\\WAB\\\\DLLPath&#8221;<\/li>\n<li>&#8220;WABOpen&#8221;<\/li>\n<li>&#8220;Windows Contacts&#8221;<\/li>\n<li>&#8220;A8000A&#8221;<\/li>\n<li>&#8220;1.0&#8221;<\/li>\n<li>&#8220;EmailAddressCollection\/EmailAddress[%u]\/Address&#8221;<\/li>\n<li>&#8220;Windows Mail Recipients&#8221;<\/li>\n<li>&#8220;Outlook Express Recipients&#8221;<\/li>\n<li>&#8220;Outlook Express&#8221;<\/li>\n<li>&#8220;account{*}.oeaccount&#8221;<\/li>\n<li>&#8220;Software\\\\Microsoft\\\\Windows Mail&#8221;<\/li>\n<li>&#8220;Software\\\\Microsoft\\\\Windows Live Mail&#8221;<\/li>\n<li>&#8220;Store Root&#8221;<\/li>\n<li>&#8220;Salt&#8221;<\/li>\n<li>&#8220;0x%s&#8221;<\/li>\n<li>&#8220;Windows Mail&#8221;<\/li>\n<li>&#8220;Windows Live Mail&#8221;<\/li>\n<li>&#8220;MessageAccount&#8221;<\/li>\n<li>&#8220;Account_Name&#8221;<\/li>\n<li>&#8220;SMTP_Email_Address&#8221;<\/li>\n<li>&#8220;%sAccount name: %s\\nE-mail: %s\\n&#8221;<\/li>\n<li>&#8220;%s:\\n\\tServer: %s:%u%s\\n\\tUsername: %s\\n\\tPassword: 
%s\\n&#8221;<\/li>\n<li>&#8220;%s_Server&#8221;<\/li>\n<li>&#8220;%s_User_Name&#8221;<\/li>\n<li>&#8220;%s_Password2&#8221;<\/li>\n<li>&#8220;%s_Port&#8221;<\/li>\n<li>&#8220;%s_Secure_Connection&#8221;<\/li>\n<li>&#8220;SMTP&#8221;<\/li>\n<li>&#8220;POP3&#8221;<\/li>\n<li>&#8220;IMAP&#8221;<\/li>\n<li>&#8221; (SSL)&#8221;<\/li>\n<li>&#8220;ftp:\/\/%s:%s@%s:%u\\n&#8221;<\/li>\n<li>&#8220;ftp:\/\/%s:%s@%s\\n&#8221;<\/li>\n<li>&#8220;ftp:\/\/%S:%S@%S:%u\\n&#8221;<\/li>\n<li>&#8220;yA36zA48dEhfrvghGRg57h5UlDv3&#8221;<\/li>\n<li>&#8220;sites.dat&#8221;<\/li>\n<li>&#8220;quick.dat&#8221;<\/li>\n<li>&#8220;history.dat&#8221;<\/li>\n<li>&#8220;IP&#8221;<\/li>\n<li>&#8220;port&#8221;<\/li>\n<li>&#8220;user&#8221;<\/li>\n<li>&#8220;pass&#8221;<\/li>\n<li>&#8220;SOFTWARE\\\\FlashFXP\\\\3&#8221;<\/li>\n<li>&#8220;datafolder&#8221;<\/li>\n<li>&#8220;*flashfxp*&#8221;<\/li>\n<li>&#8220;FlashFXP&#8221;<\/li>\n<li>&#8220;wcx_ftp.ini&#8221;<\/li>\n<li>&#8220;connections&#8221;<\/li>\n<li>&#8220;default&#8221;<\/li>\n<li>&#8220;host&#8221;<\/li>\n<li>&#8220;username&#8221;<\/li>\n<li>&#8220;password&#8221;<\/li>\n<li>&#8220;SOFTWARE\\\\Ghisler\\\\Total Commander&#8221;<\/li>\n<li>&#8220;ftpininame&#8221;<\/li>\n<li>&#8220;installdir&#8221;<\/li>\n<li>&#8220;*totalcmd*&#8221;<\/li>\n<li>&#8220;*total*commander*&#8221;<\/li>\n<li>&#8220;*ghisler*&#8221;<\/li>\n<li>&#8220;Total 
Commander&#8221;<\/li>\n<li>&#8220;ws_ftp.ini&#8221;<\/li>\n<li>&#8220;_config_&#8221;<\/li>\n<li>&#8220;HOST&#8221;<\/li>\n<li>&#8220;PORT&#8221;<\/li>\n<li>&#8220;UID&#8221;<\/li>\n<li>&#8220;PWD&#8221;<\/li>\n<li>&#8220;SOFTWARE\\\\ipswitch\\\\ws_ftp&#8221;<\/li>\n<li>&#8220;datadir&#8221;<\/li>\n<li>&#8220;*ipswitch*&#8221;<\/li>\n<li>&#8220;WS_FTP&#8221;<\/li>\n<li>&#8220;*.xml&#8221;<\/li>\n<li>&#8220;\/*\/*\/Server&#8221;<\/li>\n<li>&#8220;Host&#8221;<\/li>\n<li>&#8220;Port&#8221;<\/li>\n<li>&#8220;User&#8221;<\/li>\n<li>&#8220;Pass&#8221;<\/li>\n<li>&#8220;*filezilla*&#8221;<\/li>\n<li>&#8220;FileZilla&#8221;<\/li>\n<li>&#8220;SOFTWARE\\\\Far\\\\Plugins\\\\ftp\\\\hosts&#8221;<\/li>\n<li>&#8220;SOFTWARE\\\\Far2\\\\Plugins\\\\ftp\\\\hosts&#8221;<\/li>\n<li>&#8220;hostname&#8221;<\/li>\n<li>&#8220;username&#8221;<\/li>\n<li>&#8220;user&#8221;<\/li>\n<li>&#8220;password&#8221;<\/li>\n<li>&#8220;FAR manager&#8221;<\/li>\n<li>&#8220;SOFTWARE\\\\martin prikryl\\\\winscp 2\\\\sessions&#8221;<\/li>\n<li>&#8220;hostname&#8221;<\/li>\n<li>&#8220;portnumber&#8221;<\/li>\n<li>&#8220;username&#8221;<\/li>\n<li>&#8220;password&#8221;<\/li>\n<li>&#8220;WinSCP&#8221;<\/li>\n<li>&#8220;ftplist.txt&#8221;<\/li>\n<li>&#8220;;server=&#8221;<\/li>\n<li>&#8220;;port=&#8221;<\/li>\n<li>&#8220;;user=&#8221;<\/li>\n<li>&#8220;;password=&#8221;<\/li>\n<li>&#8220;ftp*commander*&#8221;<\/li>\n<li>&#8220;FTP Commander&#8221;<\/li>\n<li>&#8220;SOFTWARE\\\\ftpware\\\\coreftp\\\\sites&#8221;<\/li>\n<li>&#8220;host&#8221;<\/li>\n<li>&#8220;port&#8221;<\/li>\n<li>&#8220;user&#8221;<\/li>\n<li>&#8220;pw&#8221;<\/li>\n<li>&#8220;CoreFTP&#8221;<\/li>\n<li>&#8220;*.xml&#8221;<\/li>\n<li>&#8220;FavoriteItem&#8221;<\/li>\n<li>&#8220;Host&#8221;<\/li>\n<li>&#8220;Port&#8221;<\/li>\n<li>&#8220;User&#8221;<\/li>\n<li>&#8220;Password&#8221;<\/li>\n<li>&#8220;SOFTWARE\\\\smartftp\\\\client 2.0\\\\settings\\\\general\\\\favorites&#8221;<\/li>\n<li>&#8220;personal 
favorites&#8221;<\/li>\n<li>&#8220;SOFTWARE\\\\smartftp\\\\client 2.0\\\\settings\\\\backup&#8221;<\/li>\n<li>&#8220;folder&#8221;<\/li>\n<li>&#8220;SmartFTP&#8221;<\/li>\n<li>&#8220;userinit.exe&#8221;<\/li>\n<li>&#8220;pass&#8221;<\/li>\n<li>&#8220;certs\\\\%s\\\\%s_%02u_%02u_%04u.pfx&#8221;<\/li>\n<li>&#8220;grabbed&#8221;<\/li>\n<li>&#8220;os_shutdown&#8221;<\/li>\n<li>&#8220;os_reboot&#8221;<\/li>\n<li>&#8220;url_open&#8221;<\/li>\n<li>&#8220;bot_uninstall&#8221;<\/li>\n<li>&#8220;bot_update&#8221;<\/li>\n<li>&#8220;bot_transfer&#8221;<\/li>\n<li>&#8220;dns_filter_add&#8221;<\/li>\n<li>&#8220;dns_filter_remove&#8221;<\/li>\n<li>&#8220;bot_bc_add&#8221;<\/li>\n<li>&#8220;bot_bc_remove&#8221;<\/li>\n<li>&#8220;bot_httpinject_disable&#8221;<\/li>\n<li>&#8220;bot_httpinject_enable&#8221;<\/li>\n<li>&#8220;fs_path_get&#8221;<\/li>\n<li>&#8220;fs_search_add&#8221;<\/li>\n<li>&#8220;fs_search_remove&#8221;<\/li>\n<li>&#8220;user_destroy&#8221;<\/li>\n<li>&#8220;user_logoff&#8221;<\/li>\n<li>&#8220;user_execute&#8221;<\/li>\n<li>&#8220;user_cookies_get&#8221;<\/li>\n<li>&#8220;user_cookies_remove&#8221;<\/li>\n<li>&#8220;user_certs_get&#8221;<\/li>\n<li>&#8220;user_certs_remove&#8221;<\/li>\n<li>&#8220;user_url_block&#8221;<\/li>\n<li>&#8220;user_url_unblock&#8221;<\/li>\n<li>&#8220;user_homepage_set&#8221;<\/li>\n<li>&#8220;user_ftpclients_get&#8221;<\/li>\n<li>&#8220;user_emailclients_get&#8221;<\/li>\n<li>&#8220;user_flashplayer_get&#8221;<\/li>\n<li>&#8220;user_flashplayer_remove&#8221;<\/li>\n<li>&#8220;module_execute_enable&#8221;<\/li>\n<li>&#8220;module_execute_disable&#8221;<\/li>\n<li>&#8220;module_download_enable&#8221;<\/li>\n<li>&#8220;module_download_disable&#8221;<\/li>\n<li>&#8220;info_get_software&#8221;<\/li>\n<li>&#8220;info_get_antivirus&#8221;<\/li>\n<li>&#8220;info_get_firewall&#8221;<\/li>\n<li>&#8220;search_file&#8221;<\/li>\n<li>&#8220;upload_file&#8221;<\/li>\n<li>&#8220;download_file&#8221;<\/li>\n<li>&#8220;ddos_start&#8221;<\/li>\n<li>&#822
0;ddos_stop&#8221;<\/li>\n<li>&#8220;webinjects_update&#8221;<\/li>\n<li>&#8220;tokenspy_update&#8221;<\/li>\n<li>&#8220;tokenspy_disable&#8221;<\/li>\n<li>&#8220;close_browsers&#8221;<\/li>\n<li>&#8220;Not enough memory.&#8221;<\/li>\n<li>&#8220;Script already executed.&#8221;<\/li>\n<li>&#8220;Failed to load local configuration.&#8221;<\/li>\n<li>&#8220;Failed to save local configuration.&#8221;<\/li>\n<li>&#8220;Failed to execute command at line %u.&#8221;<\/li>\n<li>&#8220;Unknown command at line %u.&#8221;<\/li>\n<li>&#8220;OK.&#8221;<\/li>\n<li>&#8220;firefox.exe&#8221;<\/li>\n<li>&#8220;*Mozilla*&#8221;<\/li>\n<li>&#8220;iexplore.exe&#8221;<\/li>\n<li>&#8220;*Microsoft*&#8221;<\/li>\n<li>&#8220;chrome.exe&#8221;<\/li>\n<li>&#8220;*Google*&#8221;<\/li>\n<li>&#8220;Winsta0&#8221;<\/li>\n<li>&#8220;default&#8221;<\/li>\n<li>&#8220;dwm.exe&#8221;<\/li>\n<li>&#8220;taskhost.exe&#8221;<\/li>\n<li>&#8220;taskeng.exe&#8221;<\/li>\n<li>&#8220;wscntfy.exe&#8221;<\/li>\n<li>&#8220;ctfmon.exe&#8221;<\/li>\n<li>&#8220;rdpclip.exe&#8221;<\/li>\n<li>&#8220;explorer.exe&#8221;<\/li>\n<li>&#8220;V\\t%08X\\r\\nC\\t%08X\\r\\nPS\\t%08X&#8221;<\/li>\n<li>&#8220;BOT NOT CRYPTED!&#8221;<\/li>\n<li>&#8220;SOFTWARE\\\\Microsoft\\\\Windows NT\\\\CurrentVersion&#8221;<\/li>\n<li>&#8220;InstallDate&#8221;<\/li>\n<li>&#8220;DigitalProductId&#8221;<\/li>\n<li>&#8220;%s_%08X%08X&#8221;<\/li>\n<li>&#8220;fatal_error&#8221;<\/li>\n<li>&#8220;unknown&#8221;<\/li>\n<li>&#8220;wtsapi32.dll&#8221;<\/li>\n<li>&#8220;WTSEnumerateSessionsW&#8221;<\/li>\n<li>&#8220;WTSFreeMemory&#8221;<\/li>\n<li>&#8220;WTSQueryUserToken&#8221;<\/li>\n<li>&#8220;userenv.dll&#8221;<\/li>\n<li>&#8220;GetDefaultUserProfileDirectoryW&#8221;<\/li>\n<li>&#8220;user32.dll&#8221;<\/li>\n<li>&#8220;MessageBoxW&#8221;<\/li>\n<li>&#8220;ntdll.dll&#8221;<\/li>\n<\/ul>\n<p>The strings are decrypted in various places in a whole code by a procedure that takes 2 arguments: ID of the string + offset to a destination buffer. 
In case you are wondering how I decrypted all of them in one go: I did a quick and dirty patch to a call that calls the decryption routine. The patch is easy to write in OllyDbg and, to preserve info on all decrypted strings, I put a conditional breakpoint without pausing, with an option to log all decrypted strings to the Olly Log Window. I then ran this piece of code incrementing the ID in each iteration until I got an access violation: a simple but effective trick w\/o writing a dedicated decrypter (a.k.a. lazy reversing :)).<\/p>\n<p><a href=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/10\/zeus_2.png\"><img decoding=\"async\" loading=\"lazy\" class=\"aligncenter size-medium wp-image-1414\" title=\"zeus_2\" src=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/10\/zeus_2-234x300.png\" alt=\"\" width=\"234\" height=\"300\" srcset=\"https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/10\/zeus_2-234x300.png 234w, https:\/\/www.hexacorn.com\/blog\/wp-content\/uploads\/2012\/10\/zeus_2.png 644w\" sizes=\"(max-width: 234px) 100vw, 234px\" \/><\/a><\/p>\n<p>The original source code of the ZeuS 2.0.8.9 version contains most of these encrypted strings in the source\\client\\cryptedstrings.txt file; a diff between the list pasted above and the list from ZeuS 2.0.8.9 produces a list of new strings, indicative of new functionality:<\/p>\n<ul>\n<li>anti-VM<\/li>\n<li>more info stealing capabilities<\/li>\n<li>modification of Firefox privacy settings<\/li>\n<\/ul>\n<p>The newly added strings are:<\/p>\n<ul>\n<li>Module: %u\\r\\nType: %s\\r\\nTitle: %s\\r\\nInfo: 
%s\\r\\n<\/li>\n<li>ERROR<\/li>\n<li>FAILURE<\/li>\n<li>SUCCESS<\/li>\n<li>UNEXPECTED<\/li>\n<li>rurl<\/li>\n<li>surl<\/li>\n<li>furl<\/li>\n<li>mask<\/li>\n<li>post<\/li>\n<li>extensions<\/li>\n<li>rules<\/li>\n<li>patterns<\/li>\n<li>%tokenspy%<\/li>\n<li>url<\/li>\n<li>buid<\/li>\n<li>ruid<\/li>\n<li>puid<\/li>\n<li>session<\/li>\n<li>data<\/li>\n<li>get_status<\/li>\n<li>status<\/li>\n<li>status_cache_time<\/li>\n<li>Can\u2019t compile tokenspy rules.<\/li>\n<li>fileName=[%S], fileSize=[%u], fileCRC32=[0x%08X].<\/li>\n<li>set_url<\/li>\n<li>data_before\\r\\n<\/li>\n<li>data_inject\\r\\n<\/li>\n<li>data_after\\r\\n<\/li>\n<li>data_end\\r\\n<\/li>\n<li>%webinject%<\/li>\n<li>Can\u2019t compile webinjects.<\/li>\n<li>fileName=[%S], fileSize=[%u], fileCRC32=[0x%08X], processedInjects=[%u].<\/li>\n<li>Webinjects has been compiled.<\/li>\n<li>result=[%u], fileName=[%S], fileSize=[%u], fileCRC32=[0x%08X], processedInjects=[%u].<\/li>\n<li>*vmware*<\/li>\n<li>*sandbox*<\/li>\n<li>*virtualbox*<\/li>\n<li>*geswall*<\/li>\n<li>*bufferzone*<\/li>\n<li>*safespace*<\/li>\n<li>*.ru<\/li>\n<li>*.con.ua<\/li>\n<li>*.by<\/li>\n<li>*.kz<\/li>\n<li>cmd.exe<\/li>\n<li>powershell.exe<\/li>\n<li>\\r\\nexit\\r\\n<\/li>\n<li>\\r\\nprompt $Q$Q$Q$Q$Q$Q$Q$Q$Q$Q[ $P ]$G\\r\\n<\/li>\n<li>:d\\r\\nrd \/S \/Q \\&#8221;%s\\&#8221;\\r\\nrd \/S \/Q \\&#8221;%s\\&#8221;\\r\\nrd \/S \/Q \\&#8221;%s\\&#8221;\\r\\nif exist \\&#8221;%s\\&#8221; goto d\\r\\nif exist \\&#8221;%s\\&#8221; goto d\\r\\nif exist \\&#8221;%s\\&#8221; goto d<\/li>\n<li>videos\\\\%S_%02u_%02u_%02u_(%02u-%02u).webm<\/li>\n<li>Grabbed data from: %s\\n\\n%S<\/li>\n<li>%s%s\\nUser-Agent: %S\\nCookie: %S\\nAccept-Language: %S\\nAccept-Encoding: %S\\nScreen(w:h): %u:%u\\nReferer: %S\\nUser input: %s\\n%sPOST data:\\n\\n%S<\/li>\n<li>&#8221; *BLOCKED*<\/li>\n<li>Content-Type: %s\\r\\n<\/li>\n<li>ZCID: %S\\r\\n<\/li>\n<li>application\/x-www-form-urlencoded<\/li>\n<li>HTTP authentication: username=\\%s\\&#8221;&#8221;, 
password=\\&#8221;&#8221;%s\\&#8221;&#8221;\\n&#8221;<\/li>\n<li>Profile%u<\/li>\n<li>user_pref(\\&#8221;network.cookie.cookieBehavior\\&#8221;, 0);\\r\\nuser_pref(\\&#8221;privacy.clearOnShutdown.cookies\\&#8221;, false);\\r\\nuser_pref(\\&#8221;security.warn_viewing_mixed\\&#8221;, false);\\r\\nuser_pref(\\&#8221;security.warn_viewing_mixed.show_once\\&#8221;, false);\\r\\nuser_pref(<\/li>\n<li>user_pref(\\&#8221;browser.startup.homepage\\&#8221;, \\&#8221;%s\\&#8221;);\\r\\nuser_pref(\\&#8221;browser.startup.page\\&#8221;, 1);\\r\\n<\/li>\n<li>Mozila(Firefox) cookies:\\n\\n%S<\/li>\n<li>Outlook Express Recipients<\/li>\n<li>%s_Server<\/li>\n<li>%s_User_Name<\/li>\n<li>%s_Password2<\/li>\n<li>%s_Port<\/li>\n<li>%s_Secure_Connection<\/li>\n<\/ul>\n<p>&nbsp;<\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>Update After another chat (with @push_pnx, Thanks!), one more clarification &#8211; it appears to be a sample from a Citadel family &#8211; a spinoff from Zeus src code that is developed further by most likely a different programming group. 
Interestingly, &hellip; <a href=\"https:\/\/www.hexacorn.com\/blog\/2012\/10\/26\/zeus-trivia\/\">Continue reading <span class=\"meta-nav\">&rarr;<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":[],"categories":[9],"tags":[],"_links":{"self":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/1411"}],"collection":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/comments?post=1411"}],"version-history":[{"count":22,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/1411\/revisions"}],"predecessor-version":[{"id":1419,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/posts\/1411\/revisions\/1419"}],"wp:attachment":[{"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/media?parent=1411"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/categories?post=1411"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.hexacorn.com\/blog\/wp-json\/wp\/v2\/tags?post=1411"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}