Friday, March 20, 2015

Indicators - Zbot Variant

Apologies for not updating for a while, but I think this post will

This one has been showing up pretty frequently. I have labelled it Zbot, but it is most likely Dridex or Upatre; if anyone can confirm the family, please let me know.

Threat Name: Zbot / Upatre / Dridex

Indicators: The malware first attempts a connection to the "checkip.dyndns.org" domain to confirm that it has internet access. If that succeeds, it connects to several IP addresses directly over HTTP (by IP address rather than hostname, so there is no DNS lookup to catch) on high-numbered ports. The exact domain names and IP addresses are hard to pin down, but thankfully the HTTP artefacts below are more stable indicators.

HTTP Indicators:
  • Request Methods
    • CONNECT - used to reach "checkip.dyndns.org" for the connectivity check; this is what an explicit web proxy logs for the request.
    • POST - sent to a domain with the URI path "/gate.php".
    • GET - used for the remaining requests, which carry the paths and filenames listed below.
  • User-agent Strings (note the misspelling of "Mozilla"; no legitimate browser sends these):
    • Mazilla/4.0
    • Mazilla/5.0
  • HTTP URI Paths:
    • /gate.php
    • /1802us21/
    • /1902us21/
    • /2101us21/
    • /2901us21/
    • /mandoc/
    • /images/
    • /news/
    • /files/
    • /fla/
    • /ar/file/
    • /menu/
    • /dhl/
  • HTTP URI Filenames:
    • /factj.pdf
    • /gunter.pdf
    • /hone.pdf
    • /sdocc.pdf

Dear malware authors, please continue to use unique user-agent strings. Since the malware relies on exploits to download its payload, make sure Java and Adobe software are up to date. Blocking the user-agent strings above at the proxy is also an effective control, if your web-filtering appliance of choice allows it; because a real browser never identifies itself as "Mazilla", the rule carries very little false-positive risk. Be more careful with the URI paths: "/images/", "/news/" and "/files/" appear on countless legitimate sites, so they are only useful in combination with the user-agent string, the "/gate.php" POST or the filenames above.
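The indicators above are exactly the kind of thing you would want to sweep proxy logs for. The script below is an added example, not part of the original post: it scores each log line against the user-agent strings, the CONNECT connectivity check, the "/gate.php" POST, the URI paths and the filenames, weighting the generic paths ("/images/", "/news/", "/files/", "/menu/") lower so they cannot raise an alert on their own. The log format (source IP, method, URL, status, quoted user-agent) and the sample lines are constructed for the example; adapt `LOG_RE` to whatever your proxy actually writes.

```python
"""Score proxy log lines against the Zbot/Upatre/Dridex HTTP indicators.

Added example for the indicator list above; not code from the original post.
The log format and the sample lines below are assumptions made for the example.
"""
import re
from dataclasses import dataclass

# Indicator values are taken from the post.
UA_STRINGS = ("Mazilla/4.0", "Mazilla/5.0")
CONNECTIVITY_CHECK_HOST = "checkip.dyndns.org"
URI_PATHS = (
    "/1802us21/", "/1902us21/", "/2101us21/", "/2901us21/", "/mandoc/",
    "/images/", "/news/", "/files/", "/fla/", "/ar/file/", "/menu/", "/dhl/",
)
URI_FILENAMES = ("/factj.pdf", "/gunter.pdf", "/hone.pdf", "/sdocc.pdf")
# These paths are common on legitimate sites, so on their own they only score 1.
WEAK_PATHS = {"/images/", "/news/", "/files/", "/menu/"}

# Assumed (constructed) log format: <src_ip> <method> <url> <status> "<user-agent>"
LOG_RE = re.compile(
    r'^(?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)

# Constructed sample lines: three from an infected host, two benign ones.
SAMPLE_LOG = """\
10.0.0.5 CONNECT checkip.dyndns.org:80 200 "Mazilla/4.0"
10.0.0.5 POST http://203.0.113.7:8080/gate.php 200 "Mazilla/4.0"
10.0.0.5 GET http://203.0.113.7:8080/1902us21/sdocc.pdf 200 "Mazilla/5.0"
10.0.0.9 GET http://www.example.com/news/today.html 200 "Mozilla/5.0 (Windows NT 6.1) Firefox/36.0"
10.0.0.9 GET http://www.example.com/images/logo.png 200 "Mozilla/5.0 (Windows NT 6.1) Firefox/36.0"
"""


@dataclass
class Hit:
    src: str
    method: str
    url: str
    reasons: list
    score: int


def host_and_path(url):
    """Split a logged URL into (host, path); CONNECT lines carry only host:port."""
    if "://" in url:
        rest = url.split("://", 1)[1]
        host, _, path = rest.partition("/")
        return host.split(":")[0], "/" + path
    return url.split(":")[0], ""


def is_ip(host):
    return re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host) is not None


def score_line(line):
    """Return a Hit for a line that matches any indicator, otherwise None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    method, url, ua = m["method"], m["url"], m["ua"]
    host, path = host_and_path(url)
    reasons, score = [], 0
    if ua in UA_STRINGS:                      # strongest single indicator
        reasons.append(f"user-agent {ua!r}"); score += 5
    if method == "CONNECT" and host == CONNECTIVITY_CHECK_HOST:
        reasons.append("connectivity check to checkip.dyndns.org"); score += 2
    if method == "POST" and path.endswith("/gate.php"):
        reasons.append("POST to /gate.php"); score += 4
    for p in URI_PATHS:                       # first matching path only
        if p in path:
            reasons.append(f"path {p}"); score += 1 if p in WEAK_PATHS else 3
            break
    for f in URI_FILENAMES:
        if path.endswith(f):
            reasons.append(f"filename {f}"); score += 3
    if is_ip(host) and method in ("GET", "POST"):
        reasons.append("direct-to-IP HTTP"); score += 1
    if score == 0:
        return None
    return Hit(m["src"], method, url, reasons, score)


def scan(log_text, threshold=3):
    """Return the Hits at or above the alert threshold, in log order."""
    hits = (score_line(line) for line in log_text.splitlines() if line.strip())
    return [h for h in hits if h is not None and h.score >= threshold]


if __name__ == "__main__":
    for h in scan(SAMPLE_LOG):
        print(f"{h.src} {h.method} {h.url} score={h.score} ({'; '.join(h.reasons)})")
```

With the default threshold of 3, the two benign lines (which only match the generic "/news/" and "/images/" paths) stay below the alert line, while all three requests from the infected host are reported; lowering the threshold to 1 shows the weak matches as well, which is useful when hunting around a host that has already triggered the user-agent rule.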