Zeus (Malware Family)

win.zeus (Back to overview)

Zeus

aka: Zbot

URLhaus

There is no description at this point.

References

http://contagiodump.blogspot.com/2010/07/zeus-version-scheme-by-trojan-author.html

http://contagiodump.blogspot.com/2010/07/zeus-trojan-research-links.html

https://www.secureworks.com/research/zeus?threat=zeus

https://www.symantec.com/connect/blogs/brief-look-zeuszbot-20

https://www.symantec.com/connect/blogs/spyeye-s-kill-zeus-bark-worse-its-bite

http://www.symantec.com/content/en/us/enterprise/media/security_response/whitepapers/zeus_king_of_bots.pdf

https://nakedsecurity.sophos.com/2010/07/24/sample-run/

http://eternal-todo.com/blog/zeus-spreading-facebook

http://eternal-todo.com/blog/new-zeus-binary

http://eternal-todo.com/blog/detecting-zeus

https://www.mnin.org/write/ZeusMalware.pdf

http://malwareint.blogspot.com/2009/07/special-zeus-botnet-for-dummies.html

http://malwareint.blogspot.com/2010/01/leveraging-zeus-to-send-spam-through.html

http://malwareint.blogspot.com/2010/02/facebook-phishing-campaign-proposed-by.html

http://malwareint.blogspot.com/2010/03/new-phishing-campaign-against-facebook.html

http://malwareint.blogspot.com/2010/02/zeus-on-irs-scam-remains-actively.html

https://zeustracker.abuse.ch/monitor.php

http://contagiodump.blogspot.com/2012/12/dec-2012-linuxchapro-trojan-apache.html

rule win_zeus_auto {

    meta:
        author = "Felix Bilstein - yara-signator at cocacoding dot com"
        date = "2018-11-23"
        version = "1"
        description = "autogenerated rule brought to you by yara-signator"
        tool = "yara-signator 0.1a"
        malpedia_reference = "https://malpedia.caad.fkie.fraunhofer.de/details/win.zeus"
        malpedia_version = "20180607"
        malpedia_license = "CC BY-NC-SA 4.0"
        malpedia_sharing = "TLP:WHITE"

    /* DISCLAIMER
     * The strings used in this rule have been automatically selected from the
     * disassembly of memory dumps and unpacked files, using yara-signator.
     * The code and documentation / approach will be published in the near future here:
     * https://github.com/fxb-cocacoding/yara-signator
     * As Malpedia is used as data source, please note that for a given
     * number of families, only single samples are documented.
     * This likely impacts the degree of generalization these rules will offer.
     * Take the described generation method also into consideration when you
     * apply the rules in your use cases and assign them confidence levels.
     */

    strings:
        $sequence_0 = { 83f8ff 0f8484000000 53 6a30 }
            // n = 4, score = 2000
            //   83f8ff               | cmp                 eax, 0xff
            //   0f8484000000         | je                  0x411879
            //   53                   | push                ebx
            //   6a30                 | push                0x30

        $sequence_1 = { 8975f8 e8a4ffffff 83f81e 0f82f4000000 }
            // n = 4, score = 2000
            //   8975f8               | mov                 dword ptr [ebp - 8], esi
            //   e8a4ffffff           | call                0x40e028
            //   83f81e               | cmp                 eax, 0x1e
            //   0f82f4000000         | jb                  0x40e181

        $sequence_2 = { 57 6a25 57 ff15c8124000 }
            // n = 4, score = 2000
            //   57                   | push                edi
            //   6a25                 | push                0x25
            //   57                   | push                edi
            //   ff15c8124000         | call                dword ptr [0x4012c8]

        $sequence_3 = { 85c0 0f84d9000000 6a23 6a90 }
            // n = 4, score = 2000
            //   85c0                 | test                eax, eax
            //   0f84d9000000         | je                  0x40e181
            //   6a23                 | push                0x23
            //   6a90                 | push                -0x70

        $sequence_4 = { 85c0 0f85c0010000 6a7d 8d742460 }
            // n = 4, score = 2000
            //   85c0                 | test                eax, eax
            //   0f85c0010000         | jne                 0x407dbc
            //   6a7d                 | push                0x7d
            //   8d742460             | lea                 esi, dword ptr [esp + 0x60]

        $sequence_5 = { 8bf0 e821080000 8bf8 8d5fff }
            // n = 4, score = 2000
            //   8bf0                 | mov                 esi, eax
            //   e821080000           | call                0x40a363
            //   8bf8                 | mov                 edi, eax
            //   8d5fff               | lea                 ebx, dword ptr [edi - 1]

        $sequence_6 = { 3d02010000 754d 8d442410 50 }
            // n = 4, score = 2000
            //   3d02010000           | cmp                 eax, 0x102
            //   754d                 | jne                 0x412af7
            //   8d442410             | lea                 eax, dword ptr [esp + 0x10]
            //   50                   | push                eax

        $sequence_7 = { 8bcf e853060000 85c0 7e62 }
            // n = 4, score = 2000
            //   8bcf                 | mov                 ecx, edi
            //   e853060000           | call                0x40a363
            //   85c0                 | test                eax, eax
            //   7e62                 | jle                 0x409d76

        $sequence_8 = { e821080000 8bf8 8d5fff b800020000 }
            // n = 4, score = 2000
            //   e821080000           | call                0x40a363
            //   8bf8                 | mov                 edi, eax
            //   8d5fff               | lea                 ebx, dword ptr [edi - 1]
            //   b800020000           | mov                 eax, 0x200

        $sequence_9 = { e818e7ffff 8b4d0c 895598 895da0 }
            // n = 4, score = 2000
            //   e818e7ffff           | call                0x4098d9
            //   8b4d0c               | mov                 ecx, dword ptr [ebp + 0xc]
            //   895598               | mov                 dword ptr [ebp - 0x68], edx
            //   895da0               | mov                 dword ptr [ebp - 0x60], ebx

    condition:
        7 of them
}

Zeus Propose Change

References

Zeus