Zbot + Carberp = Zberp, an online banking trojan reported to have impacted 450 financial institutions around the world in the first month after its discovery. In addition to its malicious capabilities, the Zberp Trojan uses a combination of evasion techniques inherited from both Zeus (also known as Zbot) and Carberp. Add in the ‘invisible persistence’ feature and you have one nasty piece of malware.
3. Your speakers today
Marion Marschalek
Security Research Expert
Shelendra Sharma
Product Marketing Director
4. Agenda
o What is ZBERP
o Dissecting the malware
o Wrap-up and Q&A
Cyphort Labs T-shirt
5. Threat Monitoring & Research team
o 24X7 monitoring for malware events
o Assist customers with their Forensics and Incident Response
We enhance malware detection accuracy
o False positives/negatives
o Deep-dive research
We work with the security ecosystem
o Contribute to and learn from malware KB
o Best of 3rd Party threat data
10. ZeusVM / KINS
o Born December 2011
o Sold as a kit since 2013
o Heavily based on Zeus code
http://blog.fox-it.com/2013/07/25/analysis-of-the-kins-malware/
14. What Makes ZBERP
o Steganography
o Invisible persistence
o SSL CnC Communication
o VMProtect Feature
o New Hooking implementation
15. System Infiltration
1. Drop executable in the user's %APP% folder
2. Create and execute a batch file to delete the dropper
3. Maintain a registry key for persistence
4. Inject payload into system processes
5. Download customized configuration
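Steps 1 and 3 of this chain leave a durable trace: an autorun entry whose image lives in a user-writable profile folder. As an added triage example (not from the deck or from Cyphort's tooling), the Python below expands the environment variables such an entry may use and flags entries whose executable sits under the user's AppData folders; the environment, registry value names and paths are all constructed stand-ins, since no live registry is read.

```python
import re
import ntpath

# Constructed stand-in for the victim user's environment; nothing live is read.
ENV = {
    "APPDATA": r"C:\Users\alice\AppData\Roaming",
    "LOCALAPPDATA": r"C:\Users\alice\AppData\Local",
    "USERPROFILE": r"C:\Users\alice",
}
# Profile folders any user process can write to; a dropper lands here.
USER_WRITABLE = ("APPDATA", "LOCALAPPDATA")

def expand_env(path, env=ENV):
    """Expand %VAR% references against the supplied environment mapping."""
    return re.sub(r"%([^%]+)%", lambda m: env.get(m.group(1).upper(), m.group(0)), path)

def image_path(value_data):
    """Return the executable path from an autorun command line, with or
    without surrounding quotes, and without its arguments."""
    value_data = value_data.strip()
    quoted = re.match(r'"([^"]+)"', value_data)
    return quoted.group(1) if quoted else value_data.split(" ", 1)[0]

def is_under(path, root):
    """Case-insensitive check that `path` lies inside directory `root`."""
    path = ntpath.normcase(ntpath.normpath(path))
    root = ntpath.normcase(ntpath.normpath(root))
    return path.startswith(root + "\\")

def suspicious_autoruns(entries, env=ENV):
    """Flag (value_name, expanded_image) pairs whose image sits in a
    user-writable profile folder. `entries` is a list of (value_name,
    value_data) tuples as exported from an autorun registry key."""
    hits = []
    for name, data in entries:
        img = expand_env(image_path(data), env)
        if any(is_under(img, env[var]) for var in USER_WRITABLE):
            hits.append((name, img))
    return hits

# Constructed sample entries; names and paths are illustrative only.
SAMPLE_ENTRIES = [
    ("OneDrive", r'"C:\Program Files\OneDrive\OneDrive.exe" /background'),
    ("Updater", r'"%APPDATA%\Updater\svchost.exe"'),
    ("Helper", r"C:\Users\alice\AppData\Local\Temp\helper.exe -s"),
]
if __name__ == "__main__":
    for name, img in suspicious_autoruns(SAMPLE_ENTRIES):
        print(f"review autorun {name!r}: image under user profile -> {img}")
```

A hit is a lead for review, not a verdict: legitimate per-user installers also place binaries under AppData, so pair this with the deck's advice to check for unfamiliar network callbacks.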
29. Critical Questions
Zeus first appeared in 2007 – why are its derivatives still so successful?
What is compromised on an infected machine?
How can mitigation be achieved?
31. Potential Data Loss
Digital Identities
Critical Browser Data
Media
Sensitive Documents
Anything the botnet operator desires!
32. Conclusions
o Don’t underestimate Zeus and its descendants.
o Check for presence of unfamiliar network callbacks.
o Use a professional grade APT solution to detect these Trojans.
33. Q and A
o Information sharing and advanced threats resources
o Blogs on latest threats and findings
o Tools for identifying malware