Malware of the Day – Zeus
Welcome to the first installment of our new series, Malware of the Day! Each week we will select a replication sample of real-world malware that has been propagated "in the wild" and perform a basic dynamic analysis on it. The primary objective is to capture the network traffic generated by running the sample in a lab environment and share those captures here. Our goal is to help you identify potential threats on your own network by becoming familiar with the network communication patterns commonly seen from observed malware. So, let's get to it…
AKA: Zeus trojan, ZeuS, or Zbot
Traffic Type: Crimeware
Connection Type: Reverse HTTP
C2 Platform: Cobalt Strike
Host Payload Delivery Method: PowerShell one-liner
Target Host/Victim: 192.168.99.53 – Windows 10 x64
C2 Server: 220.127.116.11 – Ubuntu 18.04.3 (LTS) x64
Beacon Timing: 30s
Our focus is on identifying and detecting network beaconing behavior. We are using AI-Hunter as our network threat and C2/beacon detection platform to visualize the traffic generated by running the Zeus replication. We encourage you to download the PCAP files included below and analyze them independently with your preferred threat hunting platform to test your own detection capabilities.
The screenshot above is from the AI-Hunter Beacons module over a 24-hour traffic capture. Zeus has been picked up as a strong beacon signal with a high host threat rating.
In the green highlighted box is the connection/beacon timing: 615 connections at 29-second intervals, 1771 at 30-second intervals and 491 at 31-second intervals, 2877 connections in total. The 29- and 31-second buckets reveal the jitter, a deviation of up to 5% from the 30-second sleep (30 s ± 1.5 s rounds to 29, 30 or 31 seconds). That small amount of jitter can be enough to slip past detection tools that look for a rigid, identical interval, yet the overall consistency of the timing, and the shape of the graph, are clear evidence of programmed machine communication.
In the red highlighted box are the number of connections per hour (each blue block is a one-hour time frame), and the consistency is a tell-tale indicator of non-human behavior. Notice how you could almost draw a flat line across the top. Normal human traffic is much more random in nature. For this sample we see almost exactly 120 connections per hour, which is what a 30-second sleep predicts (3600 s / 30 s = 120).
Switching to the connection Data Size view (shown in the green highlighted box), we can see something that distinguishes this Zeus replication from the common C2 "heartbeat", in which the implant checks in at programmed intervals with near-identical data sizes. As the graph shows, the data sizes here are not consistent, which indicates that unique communications or data transfers are taking place rather than empty check-ins.
The connections vary from 1355-byte to 6353-byte payloads. Part of the inherent functionality of Zeus is joining botnets, monitoring websites and keylogging, so varying data sizes are to be expected. This is what makes Zeus sneakier to detect by connection data size alone: the sizes look almost human. Notice the visible bell curve in the graph, though; that shape is one indicator of possible pseudo-randomized machine connections, and it is worth checking for whenever data sizes look "too random".
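The three signals read off the graphs above (interval histogram with jitter, connections per hour, and the spread of data sizes) can be computed from a plain connection list without any particular product. The following is an added example written for this post, not code from Active Countermeasures or from AI-Hunter. It assumes one (unix timestamp, bytes sent) pair per connection between the victim and the C2 host, which is what Zeek's conn.log (`ts` and `orig_bytes`) or a tshark field export gives you. The sample traffic it analyzes is constructed inline: jitter is modelled as Gaussian noise around a 30-second sleep, an assumption chosen to resemble the 29/30/31 split reported above (Cobalt Strike's own jitter option is implemented differently), and sizes are drawn from a clamped normal distribution inside the 1355..6353 byte range the post reports.

```python
# Added example, not from the original post: beacon signals from a connection
# list of (unix_timestamp, bytes_sent) tuples for one victim -> C2 pair.
import random
import statistics
from collections import Counter


def interval_histogram(timestamps):
    """Count gaps between consecutive connections, rounded to whole seconds
    (the green-box view: 29 s / 30 s / 31 s buckets)."""
    ts = sorted(timestamps)
    return Counter(round(later - earlier) for earlier, later in zip(ts, ts[1:]))


def connections_per_hour(timestamps):
    """Connections in each one-hour bucket from the first connection
    (the red-box view: the 'flat line across the top')."""
    ts = sorted(timestamps)
    return Counter(int((t - ts[0]) // 3600) for t in ts)


def timing_score(timestamps, tolerance_s=1):
    """Return (modal gap, fraction of gaps within tolerance_s of it).
    A jittered beacon still scores near 1.0 because jitter only shifts
    counts into the neighbouring buckets; a rigid equality check would not."""
    hist = interval_histogram(timestamps)
    mode, _ = hist.most_common(1)[0]
    near = sum(n for gap, n in hist.items() if abs(gap - mode) <= tolerance_s)
    return mode, near / sum(hist.values())


def hourly_consistency(timestamps):
    """Coefficient of variation of the hourly counts; close to 0 for a beacon,
    much larger for human-driven traffic."""
    counts = [n for _, n in sorted(connections_per_hour(timestamps).items())]
    return statistics.pstdev(counts) / statistics.mean(counts)


def size_profile(sizes, bin_width=500):
    """Min/max, share of distinct sizes, and a coarse histogram so a flat
    heartbeat profile can be told from the spread-out, bell-shaped one."""
    bins = Counter((s // bin_width) * bin_width for s in sizes)
    return {
        "min": min(sizes),
        "max": max(sizes),
        "unique_ratio": len(set(sizes)) / len(sizes),
        "bins": dict(sorted(bins.items())),
    }


def simulate_beacon(hours=24, sleep_s=30.0, sigma_s=0.6, seed=7):
    """Constructed traffic (assumption, not data from the PCAPs): Gaussian
    jitter around the sleep and clamped-normal payload sizes."""
    rng = random.Random(seed)
    t, end = 0.0, hours * 3600
    timestamps, sizes = [], []
    while t < end:
        timestamps.append(t)
        sizes.append(int(min(6353, max(1355, rng.gauss(3800, 900)))))
        t += rng.gauss(sleep_s, sigma_s)
    return timestamps, sizes


if __name__ == "__main__":
    ts, sz = simulate_beacon()
    mode, score = timing_score(ts)
    print("interval buckets:", sorted(interval_histogram(ts).items()))
    print(f"modal gap {mode}s, {score:.1%} of gaps within 1s of it")
    print("connections per hour:", sorted(connections_per_hour(ts).items()))
    print(f"hourly coefficient of variation: {hourly_consistency(ts):.3f}")
    print("size profile:", size_profile(sz))
```

To run this over the real captures, export one row per victim-to-C2 connection (for example the `ts` and `orig_bytes` columns of Zeek's conn.log, filtered to the 192.168.99.53 to 220.127.116.11 pair) and pass the two columns to `timing_score`, `hourly_consistency` and `size_profile` in place of the simulated lists. The point of `timing_score` is the tolerance: matching on an exact 30-second gap would miss two fifths of this beacon's connections, while a ±1 s window keeps the whole population together.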
Because… PCAPs, or it didn’t happen. 😊
The following PCAP files are packet captures taken from our lab environment over a one-hour time frame and a 24-hour time frame. They were generated with Wireshark on the target host and include normal Windows OS traffic and normal network broadcast traffic. They have not been edited. They are standard PCAP files and do not include any malware. After downloading, compare the file against the MD5 checksum listed with it: a matching checksum confirms the download arrived intact (it is an integrity check, not proof of origin).
Zeus 1 Hour Capture
zeus_1hr.pcap (hosted on Dropbox)
Size: 28.4 MB
MD5 Checksum: 5f61d92406b6da8e59087261a6877d75
Zeus 24 Hour Capture
zeus_24hr.pcap (hosted on Dropbox)
Size: 873 MB
MD5 Checksum: e2510bc2c65a3d3a0ab37a6861ae3fde
Want to talk about this or anything else concerning threat hunting? Want to share how well (or how poorly) other detection tools picked up this Zeus sample? We would love to hear how this traffic fares in other tools!
We have a Discord server titled “Threat Hunter Community” and this subject fits nicely into our “#network-hunting” channel. We invite you to join our server here.
Until the next!
Interested in threat hunting tools? Check out AC-Hunter
Active Countermeasures is passionate about providing quality, educational content for the Infosec and Threat Hunting community. We appreciate your feedback so we can keep providing the type of content the community wants to see. Please feel free to Email Us with your ideas!
Keith’s appreciation for computing and processes originates from working with his first personal computer in 1982, a TI-99/4A. Keith sees himself as fortunate for the opportunity to apply his passion towards a career that assists in the advance of technology and continuing education.