
FACULTY OF INFORMATION ENGINEERING, COMPUTER SCIENCE AND STATISTICS

Master Thesis in ENGINEERING IN COMPUTER SCIENCE

Reverse Engineering For Malware Analysis: Dissecting The Novel Banking Trojan ZeusVM

Candidate: Donato Dell'Atti (Student ID 1231142)
Advisor: Prof. Roberto Baldoni
Assistant Advisors: Dott. Leonardo Aniello, Dott. Daniele Ucci

Academic Year 2014/2015

Contents

Abstract
1. Introduction
2. Malware Categories: Purposes and Security Techniques
2.1. Malware Categories: Purpose
2.1.1. Virus
2.1.2. Worm
2.1.3. Trojan
2.1.4. Spyware
2.1.5. Rootkit
2.1.6. Botnet
2.2. Malware Categories: Security Techniques
2.2.1. Encrypted Malware
2.2.2. Oligomorphic Malware
2.2.3. Polymorphic Malware
2.2.4. Metamorphic Malware
2.3. Obfuscation Techniques
2.3.1. Dead Code Insertion
2.3.2. Register Reassignment
2.3.3. Subroutine Permutation
2.3.4. Instruction Substitution
2.3.5. Code Transposition
2.3.6. Code Integration
3. Reverse Engineering
3.1. Malware Analysis Techniques
3.1.1. Static Analysis
3.1.2. Dynamic Analysis
3.2. Tools for Malware Analysis
3.2.1. Hash Algorithm Based Software
3.2.2. Antivirus
3.2.3. Packer Detector
3.2.4. Header and Sections Inspector
3.2.5. String Analysis
3.2.6. Disassembler
3.2.7. Decompiler
3.2.8. Debugger
3.2.9. Registry Monitor
3.2.10. File System and Process Monitor
3.2.11. Network Monitor
3.2.12. Virtual Machine
4. The Banking Trojan Zeus
4.1. Introduction
4.2. History
4.3. Toolkit
4.3.1. Config.txt
4.3.2. WebInjects.txt
4.3.3. Command & Control Server
4.3.4. The Builder
4.3.5. The Executable
4.4. How Zeus works
5. Reverse Engineering of ZeusVM
5.1. Case Study Environment
5.1.1. Creation of the Virtual Machines
5.1.2. Installation of the ZeusVM Control Panel
5.1.3. Creation of the ZeusVM trojan
5.1.4. Tools Setup
5.2. Analysis
5.2.1. Malware testing: Basic Static Analysis
5.2.2. Advanced Dynamic Analysis
5.2.3. Static Analysis of the Virtual Machine
5.2.4. Dynamic Analysis
5.2.5. Basic Dynamic Analysis
5.2.6. Dynamic Analysis of Dropped.exe
5.2.7. Dynamic Analysis of RC4 S-Box
5.2.8. Static Analysis of RC4 PRNG
5.2.9. Remote Debugging of Explorer.exe
5.2.10. C&C URL Decryption
5.2.11. DynamicConfig Decryption
5.2.12. Traffic Analysis
5.2.13. Dynamic Analysis of communications
5.2.14. Static Analysis of POST data
5.2.15. Multiple Malware Samples Analysis
5.3. Summary
5.3.1. Missing pieces
6. Conclusions
6.1. Future Works
7. References

List of Figures

Figure 1 - Zeus timeline
Figure 2 - Toolkit scheme
Figure 3 - Config.txt
Figure 4 - Webinject.txt
Figure 5 - Builder Control Panel
Figure 6 - ZeusVM Builder
Figure 7 - Environment
Figure 8 - ZeusVM decryption overview