ZeuS Ransomware Feature: win_unlock

Earlier today, while doing our daily data mining, we came across a new variant of ZeuS 2.x. It includes a new backdoor command called win_unlock. Interestingly, it turns out this slightly modified ZeuS 2.x includes a ransomware feature.

When this particular variant is executed, it opens Internet Explorer with a specific page (lex.creativesandboxs.com/locker/lock.php) and prevents the user from doing anything else with the infected system. The webpage that was opened presumably showed some type of extortion message, but it’s currently unavailable because the site is offline.

The most straightforward way to unlock the system is to simply delete the trojan. This can be a bit tricky, since the trojan prevents the user from doing anything with the infected system; luckily, the locking itself can easily be disabled first.

Looking at the code that handles a received win_unlock command, it is clear that the unlock information is stored in the registry.

ZeuS, ransom feature

Unlocking can therefore be performed quite easily with a registry editor:

  1. boot the system in safe mode
  2. add a new key named syscheck under HKEY_CURRENT_USER
  3. create a new DWORD value under the syscheck key
  4. set the name of the new DWORD value to Checked
  5. set the data for the Checked value to 1
  6. reboot

SHA1: 03f0c26c6ba77c05152a1e0cc8bc5657f0c83119

Analysis by — Mikko S. and Marko

Source: ZeuS Ransomware Feature: win_unlock


Android malware spies on your SMS messages – but is it part of the Zeus family?

Android malware

The Symbian, Windows Mobile and BlackBerry modules of the notorious Zeus malware toolkit (also known as ZBot) have been known about for some months, and it has been clear that the Zeus gang was interested in developing malware for mobile platforms.

However, until now we have not seen any evidence of Zeus targeting users who own Android or iOS (iPhone/iPad) devices.

This fact was quite surprising to us, considering the popularity of the Android and iOS platforms and the growing prevalence of malware being written for the Google Android operating system in particular.

In the last couple of days, however, there has been quite a lot of discussion on the mobile malware analysis mailing lists about an Android version of Zeus.

We eventually concluded that this was a malicious application that Sophos products have been detecting as Andr/SMSRep-B since 31st May 2011.

The malicious application pretends to be an Android version of the Trusteer Rapport banking security tool, and was served to devices running the Google Android OS by a web server that had been set up to deliver Zbot malware to multiple platforms.

After the fact, it was not difficult to connect the Android application with the Zeus toolkit, although we could not conclude with 100% certainty that there was a connection.

The installed application uses a stolen Rapport icon and displays a simple screen when launched on an affected device.

Zeus Rapport

The fake Rapport application registers a broadcast receiver which intercepts all received SMS messages and forwards them to a malicious web server using HTTP POST requests. The stolen SMS messages are encoded as JSON, a format commonly used by web services.
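The capability combination described above, an SMS broadcast receiver together with network access, is visible in an app's manifest before any code is read. The following triage heuristic is an added example and not Sophos's code or anything from the sample; it assumes the AndroidManifest.xml has already been decoded from the APK's binary XML into plain text (for instance with apktool), and both manifests embedded in it are constructed samples rather than the real Andr/SMSRep-B manifest.

```python
"""Triage heuristic for a decoded AndroidManifest.xml (added example).

Flags the combination an SMS-stealing app needs: a receiver for the
SMS_RECEIVED broadcast, the RECEIVE_SMS permission, and INTERNET so the
intercepted messages can be posted to a remote server.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"
SMS_RECEIVED_ACTION = "android.provider.Telephony.SMS_RECEIVED"
PERM_RECEIVE_SMS = "android.permission.RECEIVE_SMS"
PERM_INTERNET = "android.permission.INTERNET"

# Constructed sample 1: a fake "security tool" that declares an SMS receiver
# (assumed package name; not the real sample's manifest).
SUSPICIOUS_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.fakerapport">
  <uses-permission android:name="android.permission.RECEIVE_SMS"/>
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Rapport">
    <activity android:name=".MainActivity"/>
    <receiver android:name=".SmsReceiver">
      <intent-filter android:priority="999">
        <action android:name="android.provider.Telephony.SMS_RECEIVED"/>
      </intent-filter>
    </receiver>
  </application>
</manifest>"""

# Constructed sample 2: a plain network-only app with no SMS capability.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.weather">
  <uses-permission android:name="android.permission.INTERNET"/>
  <application android:label="Weather">
    <activity android:name=".MainActivity"/>
  </application>
</manifest>"""


def _android_attr(elem, attr):
    """Read an attribute from the android: namespace (ET keys them as {ns}attr)."""
    return elem.get("{%s}%s" % (ANDROID_NS, attr))


def triage_manifest(xml_text):
    """Return the SMS-interception indicators found in one decoded manifest."""
    root = ET.fromstring(xml_text)
    permissions = {_android_attr(p, "name") for p in root.iter("uses-permission")}

    # Every receiver whose intent filter subscribes to the incoming-SMS broadcast.
    sms_receivers = []
    for receiver in root.iter("receiver"):
        for intent_filter in receiver.iter("intent-filter"):
            actions = {_android_attr(a, "name") for a in intent_filter.iter("action")}
            if SMS_RECEIVED_ACTION in actions:
                priority = _android_attr(intent_filter, "priority")
                sms_receivers.append({
                    "receiver": _android_attr(receiver, "name"),
                    # A high priority lets the app see the SMS before the stock client.
                    "priority": int(priority) if priority is not None else 0,
                })

    receives_sms = PERM_RECEIVE_SMS in permissions
    has_network = PERM_INTERNET in permissions
    return {
        "package": root.get("package"),
        "receives_sms": receives_sms,
        "has_network": has_network,
        "sms_receivers": sms_receivers,
        "max_priority": max((r["priority"] for r in sms_receivers), default=0),
        # The combination described in the post: intercept SMS and ship it out.
        "sms_exfil_capable": receives_sms and has_network and bool(sms_receivers),
    }


def triage_report(xml_text):
    """One-line summary for an analyst; triage_manifest() gives the full result."""
    r = triage_manifest(xml_text)
    verdict = "SMS-INTERCEPT+NETWORK" if r["sms_exfil_capable"] else "no SMS interception"
    return "%s: %s (receivers=%d, max priority=%d)" % (
        r["package"], verdict, len(r["sms_receivers"]), r["max_priority"])


if __name__ == "__main__":
    for manifest in (SUSPICIOUS_MANIFEST, BENIGN_MANIFEST):
        print(triage_report(manifest))
```

A legitimate SMS client declares the same permissions and receiver, so this is a triage signal rather than a verdict; the point the post makes is that a banking "security tool" has no reason to read SMS at all, which is what makes the flag decisive here. The hard-coded command and control URL the post mentions below would surface in a separate strings pass over the decoded classes.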

Although the application is clearly designed to steal the content of SMS messages, it's not very sophisticated.

That's why we cannot be 100% sure that this is indeed part of the Zeus kit. The URL of the command and control server is hard-coded into the source code, for example, which makes the application quite inflexible to redeploy against a different server.

Nevertheless, this malicious Android application is interesting as it combines spyware functionality with the concept of fake security software. As we’ve seen recently in the Mac OS X world, fake anti-virus software is one of the most common themes adopted by malicious hackers in their attacks.

In the end, the doubt over whether this is really part of the Zeus family remains.

I suppose only the developers of the Zeus kit know for certain. Unfortunately I have no means of contacting them, and even if I did, I doubt they would be prepared to confirm or deny this theory.

Source: Android malware spies on your SMS messages – but is it part of the Zeus family?


ZeuS Mitmo: Man-in-the-mobile (II)

After explaining the scenario, we can share more details. Stealing the username or the password is relatively easy, and malware like ZeuS has been doing that for ages (injecting HTML or adding fields with JavaScript works like a charm). But now the trojan also asks for new details: the victim's mobile vendor, model and phone number (the injected page insists that this information be filled in because of its "new security measures").


Once the information has been filled in, an SMS is sent to the mobile device with a link to download a new "security certificate" (which is in fact a malicious application).

It is important to emphasize that, depending on the mobile vendor entered, the link points to either a Symbian application (.sis) or a BlackBerry one (.jad). Why those vendors, and why, for instance, is the iPhone not there? On those platforms any user can install any application just by tapping "OK" when the device asks for confirmation. The iPhone can only install applications through the App Store (unless it is jailbroken, but that's another story).

ZeuS Mitmo: Man-in-the-mobile (I)
ZeuS Mitmo: Man-in-the-mobile (II)
ZeuS Mitmo: Man-in-the-mobile (III)

David Barroso

S21sec e-crime

Source: ZeuS Mitmo: Man-in-the-mobile (II)


ZeuS Mitmo: Man-in-the-mobile (I)

All of you who follow this blog already know that we have been tracking ZeuS for many years. We have seen many improvements in its features (injection, JavaScript, Jabber, VNC, etc.), but recently there have been some new additions that may be the next big milestone: the mobile world.

The reason is pretty obvious: many companies (not only financial institutions) use SMS as a second authentication factor, so having both the online username and password is no longer enough for identity theft. There are some social engineering techniques in the wild that try to get around this by luring the user: the user thinks he is performing a specific operation, but is in fact performing a different, forged one (man-in-the-browser, JabberZeus, etc.).

In this post, we are going to talk about a better alternative planned by a ZeuS gang: infect the mobile device and sniff all the SMS messages delivered to it. The scenario is now easier:

  1. The attacker steals both the online username and password using malware (ZeuS 2.x)
  2. The attacker infects the user's mobile device by tricking him into installing a malicious application (the attacker sends an SMS with a link to the malicious mobile application)
  3. The attacker logs in with the stolen credentials, using the user's computer as a SOCKS proxy, and performs a specific operation that requires SMS authentication
  4. An SMS with the authentication code is sent to the user's mobile device. The malicious software running on the device forwards the SMS to another terminal controlled by the attacker
  5. The attacker fills in the authentication code and completes the operation.

ZeuS Mitmo: Man-in-the-mobile (I)
ZeuS Mitmo: Man-in-the-mobile (II)
ZeuS Mitmo: Man-in-the-mobile (III)

David Barroso

S21sec e-crime

Source: ZeuS Mitmo: Man-in-the-mobile (I)
