A few months ago, Zeus CC was cracked and a hack was presented.
Tools for decrypting Zeus Conf.
“ZeuS configurations are always protected by encryption, but over the course of the toolkit’s evolution, the configuration encryption scheme has grown much more sophisticated. In earlier versions of ZeuS, every infection’s configuration could be decrypted using the same, static key. In a later iteration, each wave of infections employed unique keys, which had to be manually extracted from the ZBot executable. Finally, in ZeuS 2.0, a two step process employing RC4 and XOR encryption protects each configuration file.”
Though this information is very old but this blog is not about Zeus or its exploits but about Carberp, a new kit which has taken everyone by surprise.
Carberp is an evolution of the logic and algorithm used by Zeus, the mistakes committed by Zeus were thrashed out by Carberp, in this case 1: Encryption 2: Execution
1: Encryption: uses randomized key which is registered with the C&C server, due to which reverse-engineering the encryption becomes quite a task. The mistake committed by Zeus have been ‘Rectified’.
2: Execution: Carberp, DOES NOT modify the registry but instead relies heavily on WinAPI hooks to hide its presence from explorer and from command prompt, also puts itself in the Startup Folder, so as to start at the time of machine restart.The advantage, since registry is not modified, no triggers are raised and also nullifies the requirement for the need of administrative rights.
Simple rule for user-access – Non-Admin users always out-numbered Admins and sensitive data pertaining to an organization is handled by non-admin users, in other words – the reach of Carberp is massive.
Rest of the features are a common evolutionary step, after a few more months we will find some more interesting things to write about Carberp and at the end of product life-cycle of Carberp, we will come across “Eye of Sauron“, sounds more like fantasy but it issint.
