Monday, May 3, 2010

Adding Layers: Config Decryptor for ZeuS 2.0

Via ThreatExpert Blog -

The ZeuS 2.0 kit release introduces a few tricks designed to complicate the analysis of its configuration files.

Apart from the randomized side effects that the new trojan leaves on a system, including its ability to morph in order to evade hash-based detection (hash-based detection never worked well against ZeuS anyway, given the sheer volume and frequency of generated samples and the variety of packers used), it seems that this time great care was taken to protect its configuration files.

The trojan now wraps its configuration files in more layers of encoding, each of which has to be peeled away before the contents can be decrypted and read.

Shrek: Onions have layers. Ogres have layers... You get it? We both have layers.
Donkey: Oh, you both have layers...


[...]

To assist researchers who need to decrypt and analyze the contents of ZeuS 2.0 configuration files, the ZeusDecryptor tool is available for download here.
