This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Community Blog
Subscribe to the official NetWitness Community blog for information about new product features, industry insights, best practices, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Detecting the Zusy Botnet Beaconing

RSAAdmin
Beginner
Beginner
‎2014-02-20 11:34 AM

Since the beginning of February 2014, FirstWatch has seen a surge of Zusy malware in our database.  Fortunately, this botnet is simple to detect.  Here is what we've been seeing, starting with a session.  You can see below that there is a post of a long hex string directly to an IP address instead of a hostname, using Firefox 25.  You can also see some encoded traffic within the put strings, as well as encoded responses from the server.

 

zusy-session.JPG.jpg

This specific malware is identified at VirusTotal here as Zusy.

 

This specific botnet uses the same posted filename over and over for each of its c2 hosts.  Drilling into the filename in our database reveals the following meta, showing that we have seen this filename 35,000 times since Feb 4.  You can also see that each put command uses the url-encoding content type.

 

zusy-meta.JPG.jpg

zusy-meta2.JPG.jpg

zusy-meta3.JPG.jpg

You will also note that this traffic is destined to a proxy port of 8080 and the SSL port of 443, however, the traffic is not encrypted.

 

By creating a simple rule of:

filename=5e1d22ded7346cca22681d1e1dca1146ee099a3faf

 

you can detect the many variants of Zusy since each seems to reuse this beaconing technique.

 

The destination IP addresses above that were seen to host the Command and Control services for this botnet have been added to the FirstWatch C2 feeds.

 

Good luck and happy hunting!

 

UPDATE!!

As it turns out, the filename shown above is unique to our environment.  It appears to be a hash of some sort, and we are investigating further to determine what that hash is based upon.  ThreatGrid is currently seeing the same activity, but from their sandbox, all beacon filenames are different-  Their's is '46BC3A3BE440F54B18E7171E0C62710CCC46D034B9', and it never changes from the multiple variants of this malware they have captured.

 

So while the above rule would work great for us, it won't work for you.  A better rule for now would be to search for the unique User-Agent string, which shows a Jan 1 2010 version of Firefox 25.  Your rule would be:

client='mozilla/5.0 (windows nt 6.1; wow64; rv:25.0) gecko/20100101 firefox/25.0'

 

There is more to this malware, and we will be updating the community soon with a follow-on story.  Stay tuned!

0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.