Saturday, February 12, 2011

JaZeus: When Zeus Meets Java

Via inreverse.net -

This is, as far as I know, the first analysis of a Zeus malware sample that uses a Java engine to infect a victim system through a multi-stage approach. The sample is md5: 92869c9f958b5bfddefc09d6bfc03591. Are you curious to know more? If so, please follow me.

[...]

Once the code is decrypted, it will drop a temporary EXE in the %user_temp% directory.
Would you like to see its content? Sure, you can, but you will find only a “normal” EXE, which has nothing malicious in it…

The point here is that the file actually dropped is not the malicious one. You need to figure out how to obtain that file.

Any ideas? Sure, let’s patch the Java class code so that the malicious JAR drops the real malicious EXE for us :]

To do that, you need to write the in-memory content of the malicious EXE somewhere on disk.

[...]

Part 3 : The second EXE

By taking a quick look at the entry point of this dropped EXE, we can see that the code is mostly the same as that of the main EXE.

So something is wrong, no? Actually no: it uses the same dropping scheme, but this time it drops a new JAR, like the previous one but with a different data section. A matrioska!
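The two observations above, that the file written to disk is a decoy while the real payload only exists in memory, and that each layer repeats the scheme, are what an analyst's unwrapping harness has to model. The following is an added example, not code from the original post or from the sample, built around a constructed two-layer "matrioska": each JAR carries a benign decoy EXE plus an encrypted data section, and the data section decrypts to the next layer. The entry names (decoy.exe, data.bin), the repeating-key XOR and the key are assumptions for the constructed sample only; the real dropper's scheme is not given in the post.

```python
import hashlib
import io
import zipfile

# Magic bytes for the two container types the post describes: a Windows PE
# ("MZ") and a JAR, which is a ZIP archive ("PK\x03\x04").
PE_MAGIC = b"MZ"
ZIP_MAGIC = b"PK\x03\x04"
KEY = b"\x5a\xa5\x3c"  # assumption for the constructed sample, not the real key

def sha256_hex(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()

def xor_crypt(data: bytes, key: bytes = KEY) -> bytes:
    # Symmetric repeating-key XOR: the same call encrypts and decrypts.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def classify(blob: bytes) -> str:
    if blob.startswith(PE_MAGIC):
        return "pe"
    if blob.startswith(ZIP_MAGIC):
        return "jar"
    return "unknown"

def build_jar(decoy: bytes, data: bytes) -> bytes:
    # Constructed fixture: a JAR with a decoy EXE and an encrypted data section.
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as jar:
        jar.writestr("decoy.exe", decoy)
        jar.writestr("data.bin", data)
    return buf.getvalue()

def unwrap(blob: bytes, max_depth: int = 8) -> list:
    """Peel the layers. For each JAR, record the decoy it would drop to disk
    next to the decrypted in-memory payload, so the two are never confused;
    stop at a bare PE or at a blob we do not recognise."""
    layers, current = [], blob
    for _ in range(max_depth):
        if classify(current) != "jar":
            layers.append({"kind": classify(current), "sha256": sha256_hex(current)})
            break
        with zipfile.ZipFile(io.BytesIO(current)) as jar:
            decoy, payload = jar.read("decoy.exe"), xor_crypt(jar.read("data.bin"))
        layers.append({"kind": "jar", "decoy_sha256": sha256_hex(decoy),
                       "payload_kind": classify(payload)})
        current = payload
    return layers

DECOY = PE_MAGIC + b" harmless decoy program"            # constructed
REAL = PE_MAGIC + b" stand-in for the real final payload"  # constructed
INNER_JAR = build_jar(DECOY, xor_crypt(REAL))
SAMPLE = build_jar(DECOY, xor_crypt(INNER_JAR))
```

Running `unwrap(SAMPLE)` reports three layers (jar, jar, pe), and the decoy hash recorded at each JAR layer differs from the hash of the final payload, which is the distinction the post is making.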

[...]

Part 5 : The real Zeus

After retrieving the real executable using the approach described in the section “Investigating the JAR”, we will eventually be able to meet Zeus :]

I will not go into the analysis of this sample since it acts like a normal Zeus, which connects to a .ru domain in order to download a config file and proceed with the usual “divine” stuff.
