On Friday a significant blow was delivered against the Zeus botnet. This was not the first time Kyrus and Microsoft have worked together on a botnet takedown, nor is disrupting a botnet via civil action usual anymore. This particular effort was remarkable because of the novel legal argument used against the creators and herders of Zeus and its variants. I will not do the argument justice, so I defer to the superior explanation delivered by Richard Boscovich at MS DCU.
Kyrus’ role in this effort was to reverse engineer binaries associated with Zeus activity and attempt to identify commonalities in said binaries. The work was broken down into two main phases.
Phase I. Microsoft provided us 70 binaries, five of which were PEs. Four of the five PE binaries were packed. We unpacked them and reconstructed the import tables for easy viewing in IDA Pro. One binary was not obfuscated and was used as a baseline for our comparison. It contained the following core functionality:
- HTTP communication capability
- Remote Process Injection. Uses WriteProcessMemory to inject executable code into a remote process. Generally this is either used by debuggers or malware. Since this binary has no debugger functionality, we assume the reason for its inclusion is malicious.
- Screenshot Capability. Allows this application to save and send back screenshots to the server. This allows an attacker to see what exactly is showing on the victim’s screen.
- VNC-Type Server Functionality. Allows the attacker to control the mouse and keyboard of the victim’s computer.
- Keyboard Logging Capabilities. Allows the attacker to send keystrokes to a server to get victim’s passwords that are typed into the keyboard.
- Browser Logging and HTTP injection capability. Hooks nspr4.dll to allow logging and injection of HTTP and HTTPS data
- Windows mail download. Allows the attacker to view the victim’s email if the user uses Windows Mail or Outlook Express.
- Self-Delete using a bat file.
After using entry point analysis and Zynamics BinDiff on the unpacked versions of the binaries in question, we were able to conclude that all five binaries were compiled from the same code base, probably to help them evade common anti-virus products. At this point we asked ourselves two questions:
- Are these binaries similar to Zeus, and if so, how similar?
- Were these binaries compiled with a Microsoft toolchain, and what evidence supports this?
Were the structural similarities of our recovered binaries similar to Zeus? Fortunately, copies of the source code to Zeus have been made publicly available, so we compiled our own copy of Zeus and compared it to the aforementioned binaries.
Compare and Contrast
We compiled Zeus with symbols and compared it to the unpacked binary we were given with BinDiff. 703 named functions out of 895 total were matched by BinDiff. Of those 698 had a similarity rating of 1.00 and confidence value of 0.92 or greater. Exceedingly strong evidence that our samples are compiled versions of Zeus.
Next we searched for functions within our copy of Zeus that had a very low probability of being duplicated or copied by accident. We chose the screenshot logic, the API interception logic, and and VNC server implementation. In every case, there was an exact or extremely high match in the control flow graph between our copy of Zeus and the programs that we analyzed.
We then used the Interactive Disassembler (IDA) to find and extract control flow graphs from each of the applications we were given, as well as the copy of Zeus that we compiled. In each case the structure of functions within each program were identical.
The similarities we noticed suggested that it was highly likely that Microsoft compilers were used to build our suspect binaries. We built Zeus with a Microsoft compiler and noted that the code produced was identical to our suspicious samples.
We also performed a mechanized comparison of the structure of the control flow graphs in each of the five programs against the Zeus binary we built from source. We performed static control flow reconstructions from the program images, and then used a simple algorithm to discover and extract functions within the program and convert them into an intermediate format that could be analyzed withNetworkX. The NetworkX graphs showed that for the functions we identified in these binaries, almost all of them were structurally identical to functions within Zeus.
Finally, we used the industry standard 'fuzzy' hashing technique via the ssdeep program to compare the unpacked binaries. Three of the files we analyzed were found to have large stretches of identical patterns of bytes, giving us a high degree of confidence that these three files are essentially the same.
Phase II. Microsoft provided us with several hundred binaries that were known or suspected to be related to the SpyEye, ICE-IX, and PCRE Trojans. Of the binaries we were able to analyze (repeating the process noted above), each were highly similar to Zeus.
Why This Approach?
Combating cyber crime is a complicated affair. As with any sort-of “good” vs “evil” situation the latter have myriad advantages over the former, who have to operate within various constraints lest they themselves violate the law. Every case is a slow, tedious slog of both technical and legal grunt work. Despite the tens of billions of dollars that have been spent on cyber security recently just in the U.S. alone, events like those that occurred today are actually quite rare.
Yet it is precisely activities like this, and previous efforts led by Microsoft’s Digital Crimes Unit, that are more likely to produce positive results over the long term. Zeus and its ilk are platforms from which a wide range of malicious and illicit activity can be launched. Fighting the discrete activities launched from such a platform is like shooting down a plane launched from an aircraft carrier: they’re just going to send more planes. If you want to have an impact you need to negatively impact the carrier.
As long as cyber crime fighting efforts are focused on end-points, discrete incidents and the perpetrators of same, we will never impact the perpetrators of cyber crime on the same level as they impact innocents. This is a problem that must be attacked at scale, or we resign ourselves to a world where cyber crime will always be lucrative and largely risk-free.