Friday, March 21, 2014

Zorenium - The Bot That Never Was

I was first made aware of the Zorenium bot at the start of November last year by a friend on Twitter (R136a1). There were no actual sales threads, just a discussion in IRC and a pastebin post detailing some features (http://pastebin.com/Pp5xmtK7). After being sent a sample, I decided not to write an analysis because the code was incomplete, of very little interest, and low quality. The bot itself is all over VirusTotal and similar sites, so collecting samples was easy; however, there are no samples from any later than December 2013, which is when the author was said to have discontinued the bot (Samples Here). Looking at the samples we can tell two things: there are two different PDB paths, which indicates two different computers (possibly two developers), and the bot is in a very early stage of development. The code changes significantly from sample to sample, but all the samples only show very basic IRC and HTTP C&C code and incredibly limited features. The pastebin claims the bot has been worked on "night and day" since December 2012, which is something you should keep in mind.

Some "evidence" of the bot's features - a screenshot showing some filenames and no code.


Yesterday some new pastebin posts were picked up and blogged about by Sensecy, before the article found its way onto the infamous Threatpost blog (Original Blog Post, ThreatPost, Paste (December), Paste (March)). What's interesting about these posts is that they imply the bot has gone from a barely functional HTTP/IRC bot to a fully fledged peer-to-peer banking bot that runs on Android, iOS, Linux and Windows. If this bot were real, it would likely be the most advanced trojan ever; however, there are a few problems with some of the claims (in the pastebin and in Sensecy's article).

"Zorenium, a relative of Betabot" - Sensecy's Blog Post
When asked about Betabot's relation to Zorenium, this was the Betabot developer's response:
<User> How is it related to BetaBot?
<Betabot Dev>  i have no idea
<Betabot Dev> it's not even real
<Betabot Dev> the guy never completed it, as he said himself

"we’ve also updated the rootkit, too a new version of the unreleased - TDL4 rootkit"
The TDL rootkit suddenly stopped updating a few years ago, which suggests the team are either retired or in jail. It's hard to believe that the team would resurface to sell an unreleased version of their bootkit to some guys who are selling a bot for £2000 GBP via pastebin.

"Zorenium will now run on Ios 5-7 Zorenium will also run on most debian platforms as well as the latest android ipad tablets"
It's physically impossible for malware to run on Linux, iOS and Windows. If you were somehow able to compile all the code required for the three different operating systems into a single executable, how would it run? Each platform's loader only accepts its own native format (PE on Windows, ELF on Linux, Mach-O on iOS). It might be possible in a cross-platform language like Java, but Zorenium claims to be coded in C++ and compiled with Microsoft Visual Studio's cl.exe (a Windows C/C++ compiler).
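As an added illustration (not code from the original post or from any Zorenium sample), the following Python reads an executable's header and reports which loader it targets: a PE emitted by cl.exe carries the MZ/PE signature that only Windows loads, while Linux needs ELF and iOS needs Mach-O. It goes slightly beyond the paragraph by also recognising Mach-O universal (fat) binaries and telling them apart from Java class files, which share the same magic; all sample headers are constructed inline.

```python
import struct

# IMAGE_FILE_HEADER.Machine values (PE) -> architecture name
PE_MACHINES = {0x14C: "x86", 0x8664: "x64", 0x1C0: "ARM", 0xAA64: "ARM64"}
MACHO_MAGICS = {b"\xfe\xed\xfa\xce", b"\xce\xfa\xed\xfe",   # 32-bit, both endians
                b"\xfe\xed\xfa\xcf", b"\xcf\xfa\xed\xfe"}   # 64-bit, both endians


def identify_executable(data: bytes) -> str:
    """Classify a binary by its header; one file targets one native loader."""
    if data[:4] == b"\x7fELF":
        bits = {1: "32-bit", 2: "64-bit"}.get(data[4] if len(data) > 4 else 0, "unknown")
        return f"ELF ({bits}) - Linux/Unix loader"
    if data[:4] in MACHO_MAGICS:
        return "Mach-O - macOS/iOS loader"
    if data[:4] in (b"\xca\xfe\xba\xbe", b"\xbe\xba\xfe\xca") and len(data) >= 8:
        # Java .class files share the CAFEBABE magic; a fat header has a tiny
        # architecture count where a class file has its version number.
        nfat = struct.unpack_from(">I", data, 4)[0]
        if 0 < nfat < 0x20:
            return "Mach-O universal (fat) - macOS/iOS loader"
        return "Java class file - needs a JVM, not a native loader"
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\0\0" and len(data) >= e_lfanew + 6:
            machine = struct.unpack_from("<H", data, e_lfanew + 4)[0]
            arch = PE_MACHINES.get(machine, f"machine 0x{machine:x}")
            return f"PE ({arch}) - Windows loader"
        return "MZ (DOS) executable - Windows/DOS loader"
    return "unknown format"


def make_pe_stub(machine: int) -> bytes:
    """Construct a minimal MZ + PE header (test data, not a real binary)."""
    dos = bytearray(b"MZ" + b"\0" * 0x3E)          # 0x40-byte DOS header
    struct.pack_into("<I", dos, 0x3C, 0x40)         # e_lfanew -> PE signature
    coff = struct.pack("<H", machine) + b"\0" * 18  # IMAGE_FILE_HEADER
    return bytes(dos) + b"PE\0\0" + coff


if __name__ == "__main__":
    # Constructed headers standing in for samples of each platform.
    samples = {
        "cl.exe build (x86)": make_pe_stub(0x14C),
        "Linux binary": b"\x7fELF\x02" + b"\0" * 11,
        "iOS binary (arm64)": b"\xcf\xfa\xed\xfe" + b"\0" * 12,
        "random file": b"hello",
    }
    for name, blob in samples.items():
        print(f"{name:22} -> {identify_executable(blob)}")
```

Run it over a real sample and the first line of the verdict already settles which of the advertised platforms that file could possibly execute on.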

"After alot of work, testing and money spent. We can now make the victims believe there SYSTEM is being shutdown on victim input, Thus means zorenium will throw fake images to make the user believe hes shutting down his machine. Zorenium will then shut down the screen to standby mode ( until the Poweron button is initialized ) Whilst the user thinks he or she is shutting down there machine, we can stop (Delay) the CPU Fan, and other fans, which will make a racket making the user believe his or her system is still running. remember this method is not 100% Guaranteed to overheat the victims computer, causing it to force shutdown"
Wat.
Not only does this make little sense, but I'm pretty sure there is no universal way for software to control PC fans. Some motherboards offer software to do it, but that software differs greatly from board to board.

"***THERE ARE STILL MORE I NEED TO ADD TO THIS DOCUMENTION, BUT WITH PLAYING CATCH ME IF YOU CAN WITH THE CYBER TEAM, ITS IMPOSSIBLE TO STAY IN ONE PLACE UPDATING THIS DOCUMENT*** STAY TUNED ***"
Some classic attention seeker action right here. Nothing says professional malware developer like running around the country fleeing authorities who are chasing you for a non-existent super bot.


-Update-
Sensecy has got back to me on my request: the bot is apparently sold on one forum and the seller has very little reputation. I'm still not sure of the forum name though.

Conclusion

Based on the fact that some of the features aren't even possible, none of the samples seen have any moderately advanced features, the only evidence of sales is a pastebin post, and no large security company has picked it up, I'm going to say the whole thing is fake.

Obviously I will keep my eyes open for samples of a new super bootkit banking bot using a private version of TDL4 and spreading across Windows, Linux, Android and iOS systems; let's see how long I can hold my breath.

4 comments:

  1. According to posts I've seen on IRC, the samples found online contain such little and obfuscated code due to the fact the developer is wanted by the police (non-cyber-related crimes) and has no time to sit down and do debugs on every small update/fix he/she does. The reason he states there are public samples online is because there has been no other place to debug/test, so he's having to compile samples of the features he can allow to be public, and the rest (complete samples) go to trusted friends, who get in contact with him daily using UK-SMS... So according to him, the reason the samples are so crappy and obfuscated is because of the above.
    He/she also states the fact that the "Zorenium bot" will not be sold across public forums, and is currently on the market on underground forums and places similar to "SilkRoad". He/she also stated the fact that iOS 5-7 support is indeed working, due to an unlisted vulnerability in iOS. He/she states that the vulnerability is not needed on iOS which contains the jailbreak modules.


    1. Seems like a bunch of lame excuses to cover up a failing bot. I'll believe it when I see a sample that isn't just some poorly written HTTP and IRC code.

  2. Why does this sound so fake and HF developed.
    Reminds me of the Bat Man Botnet (Dark Knight).

  3. if it was real, it would've surfaced by now and talked about at kernelmode.info
