Monday, October 29, 2012

The crusaders' note : New BHEK2 actor spreads Zbot P2P sets

Went home after a full week work-trip made me in the mood to decode malwares. Rest a while and went straight to start crusade in #MalwareMustDie.
This weekend we found many interesting things, one of them is as per written in this title.
Most of the details is already written well in our pastebin here:--->>[PASTEBIN]
Please see the pastebin data before you continue.
So this blog is about the conclusion, as below:
1. This time BHEK2 was being used to spread Zbot p2p version/GameOver
2. BHEK2 was used to aim dropping the trojan front infector of this Zbot scheme. 
3. This Zbot does everything, calling mothership, sent data, download others set & drops itself
4. See the network traffic goes in the pastebin, it contacts to some sites
   and download the rest of it.
5. jar and PDF is not as the main for this infection.

Below are snapshots we shared of this investigation in Twitter:

Initial Traffics PCAP while contacting Moothership..

The overall analysis snapshots (bins,captures) as PoC...

The funny stuff during sniffing CNC traffic:

Non nobis Domine, non nobis, sed nomini tuo da Gloriam!

#MalwareMustDie (Special thanks for the great ninja sniper who hinted us this)