How to bypass Zeus Trojan’s self protection mechanism ~ by Raashid Bhat
August 6, 2014
Spammers are good when it comes to intimidating users to open the attachment . One of the recent pathetic and cruel one was
A Person from your office was found dead outside . Please open the picture to see if you know him .
Attachment is basically a Zip file consisting of an exe file named “image.scr” with a nice mspaint icon .
Quickly opening up in IDA will give us a hint that it is basically a VBpacker. VBPackers usually create a hallow suspended process , overwrite the memory and resume within .
After successfully unpacking and fixing the dump we get the following output
OEP the unpacked binary is enough to tell us that it is a Zeus Banking Trojan . Well this one is a different version of Zeus with self-protection which means unpacked ones wont run . This is usually done to “force” the bot masters to buy a Cryptor service .
If you double click the binary it will not run , It will simply exit. Now lets see where things are going wrong and how to bypass the protection.
For that purpose we will generate an API call Graph made by the unpacked binary to see the exit point of program .
So from this we got an idea that it is reading file buffer and performing some operations on it and now lets see what operation it is performing on it .
Now if we dig deeper we find out the file buffer is read and the some cryptography operations are performed .
And if go inside CheckSelfProtection() function we will observe that this function will RC4 the whole binary buffer with a static encryption key and will search for placeholder “DAVE”
In my case the RC4 Key was
We can copy that 0x200 byte data from the packer into the overlay of our unpacked file. And if found it goes further on verifying the integrity of that data structure and decodes another payload using a 4 byte XOR key taken from that structure.
The Total size of the data Structure is 0x200 bytes and on the basis size, Installer and injector are decrypted . Let now understand the structure of that0x200 Data Structure.
During installation phase iSizeOfPacket bytes are copied from the data chunk into heap . And then later on used to decode installer subroutine using XOR cipher .