This website uses cookies. By clicking Accept, you consent to the use of cookies. Click Here to learn more about how we use cookies.
Accept
Reject
Register Now
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
NetWitness Community Blog
Subscribe to the official NetWitness Community blog for information about new product features, industry insights, best practices, and more.
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

ZeusCoiner Detection: Zeus Variant Engages in BitCoining

RSAAdmin
Beginner
Beginner
‎2014-05-16 09:40 AM

The most common forms of Zeus are easily detectable by their beacons by looking for the filename of "gate.php" along with an action of "put."  But as time goes by these botnets evolve ever-so-slightly.  Below we will discuss a specific purpose-built variant that engages in converting victims to Bitcoin miners.  We call this "ZeusCoiner" and this is how you can detect it.

 

This variant was found by exploring traffic related to the complete absence of a user-agent string.  If you subscribe to Live Content, this type of traffic is tagged by the HTTP parser as 'http1.1 without user-agent header' in the risk.info key.  You can also find this type of traffic quickly by looking for service=80 && client !exists.  If you have not had a chance to explore and normalize this traffic, you should.  One thing we noticed while exploring this traffic was that there were encoded strings as user names. Lets take a look at the meta values for this drill in our environment:

 

zeuscoinermeta.JPG.jpg

As you can see there are two destination hosts that use the familiar gate.php filename, however, instead of a "put" or "Post" as is common with Zeus, these are all get commands followed by a username.  This username is likely used to create a unique session for the botnet beacon.

 

Now let's look at the sessions:

 

init-request.JPG.jpg

 

The initial request is for the gate.php, followed by a username, ID, type and a hex encoded key.  The request is answered by an encoded stream of data which likely contains commands for the infected host, including jobs for bitcoin mining.

 

The second session informs the victim where to find the storage site to post any new-found bitcoins.

 

coindrop.JPG.jpg

 

And finally, the third session asks for the hashrate.

 

hashrate.JPG.jpg

A good rule to detect this type of Zeus traffic is the following app rule:

risk.info= 'http1.1 without user-agent header' && filename='gate.php' && username exists

Name the rule "Zeus Gate With User String"

 

The original infector files are profiled by VirusTotal here

 

Attached is a PCAP for testing this rule and for demonstration purposes.

 

Don't forget to explore other web traffic that lacks user-agent strings.  Good Luck and Happy Hunting!

zeuscoiner.pcap
zeuscoiner.pcap
0 Likes
© 2022 RSA Security LLC or its affiliates. All rights reserved.