2012-12-03
Abstract
Recently, the Pony trojan (a.k.a. FareIt) has been observed installing a new Zeus sample on users’ machines. Jie Zhang takes a look at the new packer tricks that are used by this latest Zeus sample.
Copyright © 2012 Virus Bulletin
Zeus (a.k.a. ZBot) is a famous banking trojan which steals bank information and performs form grabbing. It was first identified in July 2007. A fully functioning Zeus bot could be sold for hundreds of dollars on the underground market. The bot’s development was very rapid, and it soon became one of the most widespread trojans in the world. In late 2010, the creator of Zeus, ‘Slavik’, announced his retirement and claimed that he had given the Zeus source code and the rights to sell the bot to his biggest competitor, the author of the SpyEye trojan. However, despite the retirement of its creator the total number of Zeus bots didn’t decrease. There are still many living Zeus bots in the wild. In particular, many new Zeus bots were discovered after its source code was leaked [1]. Some of them shipped with P2P capability [2], others could even infect Symbian, Windows Mobile, BlackBerry or Android phones [3].
Zeus spreads mainly via drive-by download or phishing schemes. Recently, we found that the Pony trojan (a.k.a. FareIt) had started to install a new Zeus sample on users’ machines. The Pony trojan (version 1.0) steals account information and credentials from compromised machines and sends them back to its remote server. At the same time, it downloads three pieces of malware and launches them automatically. The Pony trojan also attempts to brute force the current user’s password with a built-in password dictionary (see Listing 1) by calling the LogonUserA API.
.data:00414000 db '123456',0
.data:00414007 db 'password',0
.data:00414010 db 'phpbb',0
.data:00414016 db 'qwerty',0
.data:0041401D db '12345',0
.data:00414023 db 'jesus',0
<removed>
.data:0041472C db 'gates',0
.data:00414732 db 'billgates',0
.data:0041473C db 'ghbdtn',0
.data:00414743 db 'gfhjkm',0
.data:0041474A db '1234567890',0
Listing 1: Pony’s built-in password dictionary.
In this article, we will focus on the new packer tricks that are used by this new Zeus sample.
Nowadays, most malware encrypts and/or compresses its core data to evade anti-virus detection. To make life harder for malware researchers and for memory dump forensic tools (such as Volatility [4]), some malware families have evolved dynamic data encryption and decryption mechanisms. Such malware decrypts a piece of important data only at the moment it is about to use it, and re-encrypts the data afterwards. In this way, malware researchers can see only a small amount of plaintext data at any one time when they perform dynamic analysis on such a sample.
The Zeus sample takes advantage of a trick which I call ‘binary code dynamic decryption and encryption’. The virus encrypts almost all important function calls. When one function is invoked, it will call a routine to decrypt part of the binary code (Figure 1). Before leaving this function, another routine will be called to re-encrypt the function code (Figure 2). Thus researchers will only see a few parts of code at a time when they examine the sample. As I recall, this trick can be traced back to the DOS era.
Thread Local Storage (TLS) callbacks [5] have existed for many years, but so far few viruses have used the technology. However, ZeroAccess introduced this mechanism into its latest version and Zeus has followed suit. This version of Zeus uses a method which I call ‘dynamic TLS callback’.
When we researched this sample with static analysis, we didn’t find any malicious code at its entry point. But when we loaded it into a debugger, we found that the virus was already running by the time the debugger hit its breakpoint at the entry point (Figure 3).
We concluded that the virus uses TLS callback technology. Checking the file with PEiD confirmed our suspicions (Figure 4).
We also checked the file with IDA, which showed that there is only one TLS callback routine, TlsCallback_0, in the TLS callback table (Figure 5).
If the TLS callback routine of this virus were used for self-protection or to execute the virus code directly, our story would end. However, this is not the case.
The first (and, until now, only) TLS callback routine is very simple. However, one detail grabbed our attention:
The instructions shown in the red rectangle in Figure 6 modify the TLS callback function table. When the TLS callback routine returns to the system, the system reads the next TLS callback entry stored in the table. If that entry is non-zero, the system invokes it and increases the counter. Since the next entry has now been set to ‘TlsCallback_1’, the system calls this function, as shown in Figure 7. We call this mechanism ‘dynamic TLS callback’.
We can see that the virus uses the same trick again in the TlsCallback_1 routine (Figure 8).
After completing the dynamic TLS callback trick twice, the virus will decrypt the real Zeus module and execute it in the TlsCallback_2 routine.
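The table walk described above, as an added example that is not code from the article or from the Zeus sample: a portable C model in which the loader loop, the four-slot table and the callback names are assumptions mirroring the article's description. It shows why a static parser reports one callback while three actually run.

```c
#include <stddef.h>
#include <stdint.h>

#define DLL_PROCESS_ATTACH 1u
typedef void (*tls_callback_t)(void *base, uint32_t reason, void *reserved);

/* Model of the PE AddressOfCallBacks array: writable, NULL-terminated, one entry on disk. */
static tls_callback_t tls_callbacks[4];
static int run_order[3];   /* index of each callback that ran, in order */
static int run_count;

static void tls_callback_2(void *base, uint32_t reason, void *reserved)
{
    (void)base; (void)reserved;
    if (reason == DLL_PROCESS_ATTACH) run_order[run_count++] = 2; /* payload stage */
}
static void tls_callback_1(void *base, uint32_t reason, void *reserved)
{
    (void)base; (void)reserved;
    if (reason != DLL_PROCESS_ATTACH) return;
    run_order[run_count++] = 1;
    tls_callbacks[2] = tls_callback_2;   /* write the next slot before returning */
}
static void tls_callback_0(void *base, uint32_t reason, void *reserved)
{
    (void)base; (void)reserved;
    if (reason != DLL_PROCESS_ATTACH) return;
    run_order[run_count++] = 0;
    tls_callbacks[1] = tls_callback_1;   /* same trick: append TlsCallback_1 */
}

/* Restore the on-disk state: one callback, remaining slots NULL. */
void init_tls_table(void)
{
    tls_callbacks[0] = tls_callback_0;
    for (size_t i = 1; i < 4; i++) tls_callbacks[i] = NULL;
    run_count = 0;
}

/* What a static parser (IDA, PEiD) sees: entries up to the NULL terminator. */
size_t count_tls_callbacks(void)
{
    size_t n = 0;
    while (n < 4 && tls_callbacks[n] != NULL) n++;
    return n;
}

/* Loader walk modelled on the Windows TLS initializer loop: each slot is
 * re-read when reached, so entries written by an earlier callback run too. */
int run_tls_callbacks(void)
{
    for (tls_callback_t *p = tls_callbacks; *p != NULL; ++p)
        (*p)(NULL, DLL_PROCESS_ATTACH, NULL);
    return run_count;
}
```

Counting the table before and after the walk reproduces the discrepancy in the article: one entry statically, three executed.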
The virus inserts a lot of junk instructions in order to scramble the code [6]. These instructions are very simple, so we will not elaborate on the details.
The virus attempts to decrypt the real Zeus module with the Blowfish algorithm, as shown in Figure 9.
The decryption key follows the string ‘n3s(#,pSvW?y}A%LBk<’. After decryption, the virus creates a clone process with the CREATE_SUSPENDED flag, then loads and maps the real Zeus into that new process. From there we can retrieve a complete, unencrypted version of the Zeus sample.
In this article, we have demonstrated some unusual tricks in Zeus’s new armour. These techniques are simple to use, but they often confuse inexperienced malware researchers. As the virus develops further, these tricks are likely to become much more complex and harder to detect, posing challenges for malware researchers and anti-virus engines alike.
[1] Kruse, P. ZeuS/Zbot source code for sale. CSIS blog. http://www.csis.dk/en/csis/blog/3176/.
[2] Zeus peer-to-peer feature. The Swiss Security Blog. http://www.abuse.ch.
[3] Apvrille, A. Zeus In The Mobile (Zitmo): Online Banking’s Two Factor Authentication Defeated. FortiBlog. http://blog.fortinet.com/zeus-in-the-mobile-zitmo-online-bankings-two-factor-authentication-defeated/.
[4] Volatility. https://www.volatilesystems.com/.
[5] Zeltser, L. How Malware Defends Itself Using TLS Callback Functions. ISC Diary. https://isc.sans.edu/diary.html?storyid=6655.