At work, I got a few reports from users regarding a suspicious email. After looking at it, I had to admit, it was pretty convincing. They spoofed the sender to be [administrator@ourdomainname.tld] and they targeted very specific users within our organization. The actual text was well done as well, describing that we have received a fax titled our "June Payroll", and providing a link to "View this file online".
I did some checking into the headers and noticed that they were using a compromised mail server of a manufacturing company out in Illinois. After notifying the company, I span up a VM and decided to check out the link for my self.
The webpage it linked to wasn't anything impressive, pretty much just a standard "you have to update your flash player to view this document" then linked to a totally-not-malicious executable called "update_flash_player.exe". I ran it through VirusTotal and surprisingly enough, got no hits back. So I launched it in the VM and watched the traffic as it called out. Right away, I noticed it pulling down 5 seperate executables.
|
I didn't want to blank the ip addresses, but its for the best |
After pulling them down and launching them, the VM started to make DNS quieres to what tried to look like a webmail server. From there, the VM kept talking to it, so I assumed that this was the C&C.
|
Blocking out my DNS server |
Recently, I came across an interesting site called
urlquery.net. From the website:
"urlQuery is a free online service for testing and analyzing URLs, helping with identification of malicious content on websites. The main focus of urlQuery is to find and detect suspicious and malicious content on webpages, to help improve the security industry and make the internet a safer place."
So I ran the URL through urlQuery, and it gave me an interesting hit.
|
Seriously, urlQuery is awesome. Give it a try. |
The fact that there was a webserver running on 8080 did not surprise me, but what caught my eye was "gate.php". I remembered that "gate.php" is the name of the php page that Zeus bots use to talk to their C&C. Curious to see of I could get access to the control panel, I took a look at the default Zeus pages.
cp.php is the control panel for Zeus, but trying that failed.
Of course, even cyber-criminals are predictable, so after trying admin.php, I was presented with a lovely Russian login page.
|
Bingo! |
BK Rios had written a tool for Zeus C&C takeovers, but I had no way of verifying the version number of this C&C. If anyone has any way of identifying this, please let me know in the comments below. Either way, it was at least worth a peek, only problem is, I would have to extract the RC4 encrpytion key from the bot. I'm not very good (read: never attempted before) at memory forensics, so this presented a challenge. Thankfully, there's a lovely framework called
Volatlity that makes memory forensics really easy.
First, I did a connection scan to look at outgoing connections from my VM's memory dump.
Then I cross referenced the PID to the running processes.
Finally, I pulled additional details on that process.
Unfortunately, the C&C page went back to normal, and now looks like a legitimate website. The control panel is no longer accessible.
MD5 hashes of the binaries that were pulled down:
f2kr.exe:7F87B186C01BA3B107864604B967395B
DH8xSJxy.exe:DAFBE310C26ED5EC1EF5FCD0A0A3FECE