Saturday, 11 January 2014

Decoding Zeus 2.9.6.1 dynamic config

I got a look on the zeus builder who was released by the MMBB guy on exploit.in, finally i'm decided to write something about it, so let's talk about the change in the config encryption.
MD5: 0a05783316e7f765e731aadf5098564f

This version use AES instead of RC4 and can interact with the latest version of Firefox.
Anyway it's nothing more than a basic Zeus v2.

iBank parser on the panel, monitoring of process:
About the panel, the released version require Ioncube loader (nvm, the gate code can be recovered easily)

Now let's view an example of report from modules, keylog+screenshot:


Part of the static config (in plain on generated bot):

Installation process/dynamic config decoding (beware, dubstep):

And a small code because it's easier to understand:
<?php
    function decode($data, $key) {
        $td = mcrypt_module_open(MCRYPT_RIJNDAEL_128, '', MCRYPT_MODE_ECB, '');
        $iv = mcrypt_create_iv(mcrypt_enc_get_iv_size($td), MCRYPT_RAND);
       
        mcrypt_generic_init($td, $key, $iv);
        mcrypt_generic($td, $data);
       
        $data = mdecrypt_generic($td, $data);
       
        mcrypt_generic_deinit($td);
        mcrypt_module_close($td);
       
        return $data;
    }
   
    function visualDecrypt(&$data) {
        $len = strlen($data);
       
        if ($len > 0)
            for ($i = $len - 1; $i > 0; $i--)
                $data[$i] = chr(ord($data[$i]) ^ ord($data[$i - 1]));
    }
   
    $data    = file_get_contents('config.bin');
    $key     = md5('hasd7h12g1', true);
    $decoded = decode($data, $key);
   
    visualDecrypt($decoded);
   
    $size = strlen($decoded);
   
    header('Content-Type: application/octet-stream;');
    header('Content-Transfer-Encoding: binary');
    header('Content-Length: ' . $size);
    header('Content-Disposition: attachment; filename=config_decrypted.dll');
    header('Expires: 0');
    header('Cache-Control: no-cache, must-revalidate');
    header('Pragma: no-cache');
   
    echo($decoded);
   
    exit;
?>

You can find the decoded modules here:
JAVA: 7d7ae6ffbd9f3c7673b339f9b94493e5
BSS: cc98dabebe047c6115a6cd9d13ed3122
KEYLOG: 8ac1c7c019d16ff3b8a9543d46ae5e0e

And if you want to test yourself the WebInject, i usually use this code:
set_url http://requesttests.appspot.com* GP
data_before
</body>
data_end

data_inject
<center><img src="http://temari.fr/webinject.png" alt="Injected!"></center>
data_end

data_after
data_end





/facepalm
Posted by at 18:18
Labels: , , , ,

5 comments:

  1. Unknown11 January 2014 at 23:34

    does this version work on FF and Chrome

    ReplyDelete
  2. Anonymous14 January 2014 at 14:51

    great job)

    ReplyDelete
  3. Camere de supraveghere7 February 2014 at 10:02

    This version use AES instead of RC4 and can interact with the latest version of Firefox.

    ReplyDelete
  4. Anonymous21 February 2014 at 17:16

    how can modules be decoded ???

    ReplyDelete
  5. Camere de supraveghere9 February 2015 at 12:07

    Can they be decoded? :)

    ReplyDelete

Subscribe to: Post Comments (Atom)