Decrypt Zeus 2.3.2.0 Config File
Today I came across a good blog post from Trend Micro: http://blog.trendmicro.com/zeus-gets-another-update/
But the “F5” (decompiler) result shown there is not that clear, so I decided to check it myself.
I got the sample from https://zeustracker.abuse.ch/monitor.php?host=xoophafiel.ru
It is Zbot version 2.3.2.0, as its hardcoded version parameter reveals.
After unpacking the binary, it turns out that not much of the routine has changed except the encryption algorithm mentioned in Trend’s blog.
So I focused on that algorithm. :)
1. First I needed to locate that algorithm. I started with the routine that searches for the “DAVE” string after decryption.
2. That led to “sub_41BE9F”. After doing some reverse engineering work on it, my guess was AES. But where is the key? So I traced back.
3. The key (16 bytes) is hardcoded in the binary at 405388. To verify my guess, I manually extracted the encrypted data (the DAVE part, which is the overlay of the UPX-packed binary, the same as in the old versions) and wrote the following Perl script to decrypt it.
use strict;
use warnings;
use Crypt::Rijndael;

my $encrypted = $ARGV[0];                                  # file holding the AES-encrypted "DAVE" overlay
open my $keyfh,  '<', 'recv_key'  or die "recv_key: $!";   # the 16-byte hardcoded key dumped from the binary
open my $datafh, '<', $encrypted  or die "$encrypted: $!";
binmode $keyfh;                                            # raw bytes: no newline/CRLF translation
binmode $datafh;
local $/;                                                  # slurp whole files
my $key   = <$keyfh>;
my $block = <$datafh>;
# AES-128 in ECB mode, no padding: input length must be a multiple of 16 bytes
my $cipher = Crypt::Rijndael->new($key, Crypt::Rijndael::MODE_ECB());
my $de = $cipher->decrypt($block);
open my $out, '>', 'recv_dec' or die "recv_dec: $!";
binmode $out;
print $out $de;
The key for the “DAVE” part data is:
After decryption:
Yes, “DAVE”….
4. Having figured out the algorithm, the next step was the config file that Zbot downloads. Just like the old version, it stores the config file decryption key in the hardcoded data, which is also encrypted with a simple XOR. After some more reverse engineering work, I got the following key:
5. Using that Perl script plus the simple XOR on the downloaded config file, I got the following compressed data.
6. Version 2.3.2.0 doesn’t change its compression method. After decompression:
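The AES stage of the procedure above (step 3, reused on the config file in step 5), as an added Python example that is not from the original post: it AES-128-ECB decrypts a blob with a candidate 16-byte key and checks for the “DAVE” magic, rejecting inputs Crypt::Rijndael would also choke on. The key and blob are constructed here, not taken from the sample; the XOR and decompression stages are not covered because the post gives no details of them.

```python
"""Verify a recovered 16-byte Zeus key: AES-128-ECB decrypt a blob and look for the "DAVE" magic."""
import sys

MAGIC = b"DAVE"  # marker the malware itself searches for after decryption


def aes_ecb(key: bytes, data: bytes, decrypt: bool) -> bytes:
    """Raw AES-ECB (no padding), via pycryptodome if installed, else the cryptography package."""
    try:
        from Crypto.Cipher import AES
        cipher = AES.new(key, AES.MODE_ECB)
        return cipher.decrypt(data) if decrypt else cipher.encrypt(data)
    except ImportError:
        from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes
        op = Cipher(algorithms.AES(key), modes.ECB())
        op = op.decryptor() if decrypt else op.encryptor()
        return op.update(data) + op.finalize()


def check_key(key: bytes, blob: bytes):
    """Return (magic_found, plaintext). Raises on inputs Crypt::Rijndael would reject too."""
    if len(key) != 16:
        raise ValueError("expected a 16-byte (AES-128) key, got %d bytes" % len(key))
    if len(blob) == 0 or len(blob) % 16:
        raise ValueError("ECB input must be a non-empty multiple of 16 bytes (got %d)" % len(blob))
    plain = aes_ecb(key, blob, decrypt=True)
    return plain.startswith(MAGIC), plain


def build_sample():
    """Constructed test data (not from a real sample): a fake DAVE block under a fake key."""
    key = bytes(range(0x10, 0x20))
    plain = MAGIC + b"\x00" * 12 + b"placeholder config-url".ljust(32, b"\x00")  # 48 bytes
    return key, aes_ecb(key, plain, decrypt=False)


def main(argv):
    # usage: script.py recv_key encrypted_blob  -> writes recv_dec (same file names as the Perl script)
    if len(argv) != 3:
        key, blob = build_sample()  # no files given: run on the constructed sample
    else:
        with open(argv[1], "rb") as f: key = f.read()
        with open(argv[2], "rb") as f: blob = f.read()
    ok, plain = check_key(key, blob)
    with open("recv_dec", "wb") as f:
        f.write(plain)
    print("DAVE magic found" if ok else "no DAVE magic: wrong key or wrong data offset")
    return 0 if ok else 1


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```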
That’s it.
-Kyle Yang