We have been talking on the S21sec blog for some time about our dear friend, almost one more colleague: ZeuS. It is a piece of malware more than 3 years old that keeps changing and evolving to hide itself better and make fraud more efficient. What we may not have mentioned yet is how to tell whether our little friend is here, spying on all our movements and reporting them to its parents, because sometimes AV software is not as effective as we expect.
Its different versions leave several pieces of evidence that indicate we are infected with ZeuS:
ZeuS leaves a trace in the filesystem when it is installed on the computer, but it hides and locks all the files it creates, so that a normal user cannot see or delete them. The way to find these files is to use antirootkit software, which will show us the hidden files.
Nowadays the usual binary name is sdra64.exe and its configuration directory is c:\windows\system32\lowsec, but this can change depending on the version. We have already mentioned the various names of the configuration files, so here I'll only comment on the different names of the binary files:
- Windows registry
Searching the Windows registry is another way to detect the infection. The trojan is able to run after each reboot because it adds the path of its binary to the following registry entry:
Thus, simply by opening the registry editor (regedit.exe) we can locate our ZeuS:
ZeuS needs to place several hooks in different functions in order to inject code, intercept data, etc. We can find these hooks in most running processes, and the most common ones are the following:
To find out whether these hooks are present in our system we must again use an antirootkit program:
- Strange online banking behaviour
- Extra parameters (server-side)
Usually, when ZeuS adds extra fields to the bank page through HTML injection, these additional parameters are sent to the bank server, where, depending on the injected code, they could be intercepted, making it possible to warn the user of a possible infection.
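One way a bank could implement this server-side check is sketched below. It is an added example, not code from the original post or from S21sec. The form paths, the field allowlist and the sample request bodies are hypothetical and constructed for illustration.

```python
from urllib.parse import parse_qsl

# Hypothetical allowlist: the fields each genuine form really submits.
EXPECTED_FIELDS = {
    "/login": {"username", "password", "csrf_token"},
    "/transfer": {"from_account", "to_account", "amount", "csrf_token"},
}


def find_injected_fields(path, raw_body):
    """Return the sorted names of POST parameters the genuine form never sends.

    Only names are returned, never values, so whatever the user typed into
    an injected field does not end up in logs or alerts.
    """
    expected = EXPECTED_FIELDS.get(path)
    if expected is None:
        return []  # not a monitored form
    # keep_blank_values=True: a field the user left empty still proves that
    # the page rendered in the browser contained an extra input.
    names = {name for name, _ in parse_qsl(raw_body, keep_blank_values=True)}
    return sorted(names - expected)


def should_warn_user(path, raw_body):
    """True when the submission carries fields the bank's page does not have."""
    return bool(find_injected_fields(path, raw_body))


# Constructed sample bodies (application/x-www-form-urlencoded).
CLEAN_BODY = "username=alice&password=s3cret&csrf_token=abc123"
INJECTED_BODY = (
    "username=alice&password=s3cret&csrf_token=abc123"
    "&card_pin=&security_answer=example"
)

if __name__ == "__main__":
    for body in (CLEAN_BODY, INJECTED_BODY):
        extra = find_injected_fields("/login", body)
        print("extra fields:", extra, "-> warn user:", bool(extra))
```

The allowlist has to be maintained per form and updated with every legitimate change to the page, otherwise new genuine fields will raise false alerts.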
- Trojan mutexes