
Zeus Almighty’s Handcrafted PDF Files


Though it is primarily distributed through spam and drive-by downloads, in addition to social-engineering tactics, the Zeus/Zbot malware also uses specially crafted PDF files to get onto an unsuspecting user’s computer.
The Malware Research Center has seen PDF files that carry embedded JavaScript code which in turn exploits the Collab.getIcon buffer overflow vulnerability (CVE-2009-0927) and the Util.Printf buffer overflow vulnerability (CVE-2008-2992).

These exploits allow the execution of arbitrary malicious code that downloads and executes the Zeus malware on the unsuspecting user’s machine.
[Screenshot: Deobfuscated JavaScript code exploiting the Util.Printf vulnerability]
[Screenshot: Deobfuscated JavaScript code exploiting the Collab.getIcon vulnerability]
The Zeus/Zbot malware essentially steals online credentials, particularly targeting online banking information on a compromised computer.
Internet users are encouraged to ensure that their Reader software is up to date and to be vigilant when visiting sites and when downloading and opening files, even those coming from known sources.
PC Tools strongly advises making sure that your signatures are up to date by using Smart Updates, to ensure you are protected against current and upcoming web threats.

We would like to express our gratitude to Jonathan San Jose for using the Browser Defender technology in finding web exploits in real time and providing the malware samples used in this analysis.

Steve Espino
Malware Research Analyst
————————————————————————————
27/04/2010 – UPDATE:
Aside from the handcrafted PDF files used by the Zeus bot, the Malware Research Center has also seen additional exploits used by the Zbot variant. Here are the exploits used:
1. Java Exploits
The Java Runtime Environment (JRE) vulnerability in deserializing Calendar objects (CVE-2008-5353).

The jj.jar file contains the Hirwfee.class file, which exploits the vulnerability in deserializing Calendar objects.
Stack-based buffer overflow in the HsbParser.getSoundBank function in Sun Java SE in JDK and JRE (CVE-2009-3867).
The j.jar file contains the Uutecwv.class file, which exploits the getSoundBank vulnerability in Java (CVE-2009-3867).
2. Flash Player Exploits targeting different versions
Information regarding the vulnerabilities can be found in these links:
[Screenshot: Deobfuscated JavaScript code exploiting the Flash Player vulnerability, part 1]


[Screenshot: Deobfuscated JavaScript code exploiting the Flash Player vulnerability, part 2]
3. Adobe PDF Exploits
It uses an iframe tag to load the file img.php.

The img.php file is the crafted PDF file.
It also uses the vulnerability in the Collab.getIcon function (CVE-2009-0927) and the util.printf JavaScript function with a crafted format string argument (CVE-2008-2992). Additionally, it exploits a buffer overflow by using a specially crafted PDF that contains a malformed Collab.collectEmailInfo() call (CVE-2007-5659).
[Screenshot: Deobfuscated JavaScript code exploiting the collectEmailInfo vulnerability]
4. MDAC Exploit (CVE-2006-0003)
[Screenshot: Deobfuscated JavaScript code exploiting the MDAC vulnerability]
5. Internet Explorer Exploit
Use-after-free vulnerability in the Peer Objects component (aka iepeers.dll) in Microsoft Internet Explorer (CVE-2010-0806).
[Screenshot: Deobfuscated JavaScript code exploiting the iepeers vulnerability]
6. The Microsoft Office Web Components Spreadsheet ActiveX control (aka OWC10 or OWC11) vulnerability (CVE-2009-1136).
[Screenshot: Deobfuscated JavaScript code exploiting the Spreadsheet vulnerability]
These exploits allow the execution of arbitrary malicious code that downloads and executes the Zeus malware on the unsuspecting user’s machine.
Upon installation on the user’s machine, the Zeus malware drops a copy of itself in the Windows system folder with the filename sdra64.exe, then sets the file time to that of the file %SystemFolder%\ntdll.dll. It also sets the file attributes to hidden, system file, read-only and archive.
It also creates the folder lowsec in the Windows system folder, with the hidden attribute, to hold the following files:
• local.ds
• user.ds
• user.ds.lll
These are the configuration file and the log file that the Zeus malware uses to gather and steal information.
This Zeus bot malware also has an autostart technique: it attempts to append the string %SystemFolder%\sdra64.exe to the registry entry below:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit = %Original value%
Example:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Userinit = “c:\Windows\System32\userinit.exe, c:\Windows\System32\sdra64.exe,”
Furthermore, if this Zeus bot fails to modify the above-mentioned registry entry, it will create the following autostart registry entry instead:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
userinit = “%SystemFolder%\sdra64.exe”
This Zeus bot malware disables the Windows Firewall by creating the following registry entry:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\DomainProfile
EnableFirewall = dword:00000000
It also creates the following registry entry:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Network
UID = “%ComputerName%_%HexNumber%”
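As an added example (not code from the original post or from PC Tools), here is a Python checker for the host-side indicators described above. It works on registry values exported from a machine (for instance parsed out of a .reg dump), so it runs offline; the sample export it evaluates is constructed to mirror the values quoted in the post, and the abbreviated HKLM/HKCU key paths are an assumption of this example.

```python
import re
from pathlib import PureWindowsPath

# Registry locations this post lists as Zeus persistence / tampering points.
WINLOGON_USERINIT = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"
HKCU_RUN_USERINIT = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\userinit"
DOMAIN_FIREWALL = (r"HKLM\SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
                   r"\FirewallPolicy\DomainProfile\EnableFirewall")
NETWORK_UID = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\Network\UID"


def parse_userinit(value: str) -> list:
    """Split the comma-separated Winlogon Userinit value into its entries."""
    return [e.strip().strip('"') for e in value.split(",") if e.strip()]


def check_zeus_persistence(reg: dict) -> list:
    """Return human-readable findings for the indicators described above.
    `reg` maps a full value path to its data, as exported from a host."""
    findings = []
    # Winlogon normally chains only userinit.exe; the bot appends itself.
    for entry in parse_userinit(reg.get(WINLOGON_USERINIT, "")):
        if PureWindowsPath(entry).name.lower() != "userinit.exe":
            findings.append(f"Winlogon Userinit launches extra program: {entry}")
    # Fallback autostart the bot writes when it cannot edit Winlogon.
    run_value = reg.get(HKCU_RUN_USERINIT)
    if run_value:
        findings.append(f"HKCU Run value 'userinit' present: {run_value}")
    if reg.get(DOMAIN_FIREWALL) == 0:
        findings.append("Domain-profile Windows Firewall disabled (EnableFirewall = 0)")
    # Bot identifier of the form %ComputerName%_%HexNumber%.
    uid = reg.get(NETWORK_UID, "")
    if re.fullmatch(r"[^_]+_[0-9A-Fa-f]+", uid):
        findings.append(f"Zeus-style bot identifier in Network\\UID: {uid}")
    return findings


# Constructed registry export mirroring the values quoted in the post.
SAMPLE_INFECTED = {
    WINLOGON_USERINIT: r"c:\Windows\System32\userinit.exe, c:\Windows\System32\sdra64.exe,",
    DOMAIN_FIREWALL: 0,
    NETWORK_UID: "LAB-PC_1A2B3C4D",
}
SAMPLE_CLEAN = {
    WINLOGON_USERINIT: r"C:\Windows\system32\userinit.exe,",
    DOMAIN_FIREWALL: 1,
}
```

The Userinit check deliberately flags any extra program, not just sdra64.exe, since the filename is the easiest part of this technique to change.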
This Zeus/Zbot malware also attempts to gather information from the following FTP applications in order to steal FTP server addresses and the corresponding usernames and passwords, if available:
• FlashFXP
• Total Commander
• WS_FTP
• FileZilla
• WinSCP
• CoreFtp
• SmartFtp
This Zeus bot malware injects its code into certain processes.
One of the processes it injects its code into is the Windows winlogon.exe process.
The injected Zeus code in winlogon.exe is also capable of injecting further code into the Windows svchost.exe process, which is capable of downloading the configuration file of this malware.
The injected code in svchost.exe consists of the decryption of the URL from which it downloads the configuration file, and the decryption routine for the downloaded configuration file.

Basically, the configuration file contains the following:
• URLs of an updated copy of itself
• URLs of other configuration files
• HTML script code that the Zeus bot uses to fake the login pages of bank sites
• Bank sites that this bot monitors for information theft
• Non-bank sites that the Zeus bot also monitors for account information theft

This Zeus bot malware is detected by PC Tools as Trojan-Spy.Zbot.YETH.
PC Tools strongly advises making sure that your signatures are up to date by using Smart Updates, to ensure you are protected against current and upcoming web threats.


~Jonathan N. San Jose
Malware Research Analyst
