
Zeus - 6 ways in which it avoids analysis


How Zeus tries to make life hard for researchers. A recent post on a security mailing list caught my eye. It was about a Zeus version, 2.0.9.0, which I had not seen before, so I thought I would take a look at the sample. When I ran it in my analysis environment, nothing happened. No network traffic. No files dropped. No registry entries changed. Nothing! What was happening? For a split second, I wondered if the sample was corrupt. Then I had another idea. One of TrustDefender’s predictions for 2011 was that more malware would attempt to make researchers’ lives harder by refusing to run in an analysis environment. Was this such a sample? I decided to take a closer look.


First Steps

The first task was to unpack the sample.

The first layer of unpacking allocates memory at 180000, unpacks code there, then transfers to location 189501 using a retn 50 instruction.

Figure 1- Layer one end of control

The second layer of code unpacks itself. It then transfers to location 4173d5 by stuffing the stack with this address, then using a ‘jmp’ instruction to ‘call’ the VirtualFree system call. So far, fairly normal operation without any nasty tricks.


Figure 2- End of layer 2

This takes us to the inner layer of code, so now it’s time to investigate further to find why Zeus is not running. After a short time tracing through the program the culprit is found. A subroutine is called, and if the al register is set to 1 on return, the program terminates. So what does this subroutine do?

Anti researcher

The subroutine itself is very small. It pushes the addresses of six more subroutines onto the stack, then loops round, calling them all. If any of the routines returns non-zero in the al register, the routine returns with the al register set to 1. Otherwise the al register is set to zero. These routines turn out to be the anti-researcher code. The bad news is that this modular design will make it very easy for the Zeus authors to add more anti-researcher code in the future – just write a small routine, push its address onto the stack, and update the loop count. The good news is that ordinary home users using virtual machine technology will be automatically protected against this type of malware, because it will simply refuse to run. Similarly, corporate users using VDI (virtual desktops) will also be protected.

Figure 3- Anti-researcher loop

Trick 1

The first routine tries to load a dll called SbieDll.dll. If it succeeds, Zeus aborts. Sbiedll.dll is a dll used by the sandboxie program (www.sandboxie.com). This is a sandbox program that Zeus obviously wants to avoid.

Trick 2

This routine tries to create a mutex called Frz_State. If this fails because the mutex already exists then Zeus aborts. I was initially unable to trace which program uses this mutex. However, a helpful fellow researcher pointed me to DeepFreeze, a security program which restores your system on each reboot. Zeus obviously does not like this particular security program.


Trick 3

The third routine tries to open a file called \\.\NPF_NdisWanIp. If it succeeds then Zeus aborts. My assumption here is that Zeus is trying to check for applications which are trying to capture network traffic.

Trick 4

This next routine checks for two files, \\.\HGFS and \\.\vmci. These are ‘Host Guest File System’ and ‘Virtual Machine Communication Interface’, files used by virtual machines such as VMware. If either is found, Zeus terminates. Zeus obviously does not want to be run inside a virtual machine.

Figure 4- Virtual machine checks

Trick 5

This routine checks for the file \\.\VBoxGuest and terminates if it is found. This file is used by VirtualBox, a virtual machine platform from Sun. Again, Zeus obviously does not want to be run inside a virtual machine.

Trick 6

The last routine checks for the file C:\popupkiller.exe and terminates if found. This is a program created by xFX jumpstart, and tries to block popup ads. This is a slightly unusual program to abort for – it is not likely to be used by researchers. Perhaps it interferes with the operation of Zeus.

String Hiding

Even though Zeus is protected with two layers of encryption, the author has still taken care to obscure strings which could give clues to the program’s purpose – after all, a researcher seeing a string such as \\.\HGFS would immediately guess there might be some anti-virtual-machine code somewhere and then look for references to that string to find the code. All strings used in the six subroutines – and in fact, a large number of other strings – are protected by an xor-based scheme, and only decrypted onto the stack for the short time they are used.

Figure 5- String decryption
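The practical consequence of the string hiding above is that a researcher cannot simply grep the unpacked binary for \\.\HGFS or SbieDll.dll. The following is an added example, not TrustDefender’s code and not the decryption routine from the sample: it shows how an analyst can locate xor-protected artefact strings by known-plaintext search, using the six tricks’ indicator strings from this article. It assumes a short repeating xor key over a contiguous string table; the real Zeus 2.0.9.0 key and layout are not known from the article, so the blob below is constructed.

```python
from itertools import cycle

# Artefact strings the article reports Zeus 2.0.9.0 looking for (tricks 1 to 6).
INDICATORS = [b"SbieDll.dll", b"Frz_State", b"\\\\.\\NPF_NdisWanIp", b"\\\\.\\HGFS",
              b"\\\\.\\vmci", b"\\\\.\\VBoxGuest", b"C:\\popupkiller.exe"]

def xor_bytes(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key restores the input."""
    return bytes(b ^ k for b, k in zip(data, cycle(key)))

def smallest_period(stream: bytes, max_len: int):
    """Smallest p <= max_len such that stream repeats every p bytes, else None."""
    for p in range(1, max_len + 1):
        if all(stream[i] == stream[i % p] for i in range(len(stream))):
            return p
    return None

def hunt(blob: bytes, known: bytes, max_key_len: int = 8):
    """Known-plaintext search: slide `known` over `blob`; wherever blob XOR known is a
    short periodic key stream, report (offset, key) with the key aligned to blob[0]."""
    n = len(known)
    assert n > max_key_len, "plaintext must be longer than the longest key tried"
    hits = []
    for off in range(len(blob) - n + 1):
        stream = bytes(c ^ p for c, p in zip(blob[off:off + n], known))
        period = smallest_period(stream, max_key_len)
        if period is not None:
            hits.append((off, bytes(stream[(i - off) % period] for i in range(period))))
    return hits

def recover_strings(blob: bytes, key: bytes):
    """Decrypt the whole blob with a recovered key and return its NUL-separated strings."""
    return [s for s in xor_bytes(blob, key).split(b"\x00") if s]

# Constructed sample (not from the real binary): the indicator table, NUL-separated,
# wrapped in filler bytes and XORed with an assumed 3-byte key.
_FILLER = bytes([0x8f, 0x2b, 0xd1, 0x77, 0x03, 0xe6, 0x4a, 0x9c, 0x35, 0xb8, 0x60, 0x1d])
_KEY = b"\x5a\x13\xc4"
SAMPLE_BLOB = xor_bytes(_FILLER + b"\x00" + b"\x00".join(INDICATORS) + b"\x00" + _FILLER, _KEY)

def demo():
    """Recover the key from one artefact string you expect, then read the whole table."""
    hits = hunt(SAMPLE_BLOB, b"SbieDll.dll")
    if not hits:
        return None, []
    _offset, key = hits[0]
    return key, recover_strings(SAMPLE_BLOB, key)
```

Calling demo() on the constructed blob recovers the 3-byte key from the single guessed string and then exposes the remaining five artefact names, which is the same pivot a researcher makes once one hidden string has been spotted being decrypted onto the stack.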

Conclusion

We expected to see anti-researcher code in 2011, but it was still a surprise to encounter the first example. We will see more of this type of code, because the harder it is to analyse, the more successful a piece of malware is likely to be. Still, as I have shown in the above article, analysis is not impossible, and once you know what the malware is looking for, it is possible to defeat its protection and analyse the sample as normal.


Appendix – analysis tools

This is a list of tools used during the analysis.

  • 010 hex editor, version 3
  • Vmware workstation, version 7.1.2
  • IDA pro, version 6.0.10
  • Ollydebug with ollydump plugin, version 1.10
