[Vol-users] zeusscan2

Michael Hale Ligh michael.hale at gmail.com
Tue Jan 28 09:47:47 CST 2014


Sure, if malfind identifies the injected code, but zeusscan2 doesn't dump
the RC4 keys, then you've just got a new Zeus variant (or not "new" per se,
but just one that we don't currently have a signature [1] for).

To fix that, the injected Zeus code would need to be extracted and reversed
a bit to determine the proper instruction sequences which reference the RC4
key.

Any chance you can still send the vadinfo output offlist, so I can look
into the memory consumption issue on the other process(es)?

[1] http://code.google.com/p/volatility/source/browse/trunk/contrib/plugins/malware/zeusscan.py#207


On Tue, Jan 28, 2014 at 9:40 AM, <shorejsi2 at mmm.com> wrote:

> Michael;
>
>  Interesting:
>
> $ python vol.py --plugins=contrib/plugins/malware  zeusscan2 -f
> ~/Images/CA005040-HP8460/CA005040-HP8460-RAM.dd4.001 --profile=Win7SP1x86
> -p 2928
> Volatility Foundation Volatility Framework 2.3.1
> [a05p8zz at W0147206 volatility-2.3.1]$
>
>  Ends relatively quickly with no output.
>
>  Looking at 'strings' for the malfind output related to this process, I see
> all of the things I have come to know and love about Zeus:
>
> 00008A40  tellerplus
> 00008A58  bancline
> 00008A6C  fidelity
> 00008A80  micrsolv
> 00008A94  bankman
> 00008AA4  vantiv
> 00008AB4  episys
> 00008AC4  jack henry
> 00008ADC  cruisenet
> 00008AF0  gplusmain
> 00008B04  launchpadshell.exe
> 00008B2C  dirclt32.exe
> 00008B48  wtng.exe
> 00008B5C  prologue.exe
> 00008B78  silverlake
> 00008B90  pcsws.exe
> 00008BA4  v48d0250s1
> 00008BBC  fdmaster.exe
> 00008BD8  fastdoc
>
>  And our FireEye infrastructure is screaming Zeus as well.
>
>  Thoughts?
>
>
>                         -=[ Steve ]=-
>
>
>
> >> Hi Steve,
>
> >> The plugin may have encountered a bad size field, causing it to read
> too much data into memory at once. Can you do the following for me, please:
>
> >> * Run zeusscan2 -p PID where PID is the process id for explorer.exe (we
> know Zeus injects explorer, so this will let us focus on just one process
> first)
>
> >> * If you get the same memory-consumption behavior, run vadinfo -p PID
> and send me the output (offlist is fine)
>
> >> * If you don't see the same behavior on explorer.exe, please run
> vadinfo across all processes (just vol.py vadinfo > results.txt) and send
> me that instead.
>
> >> Thanks!
> >> Michael
>
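As an added illustration (not code from the thread or from the zeusscan plugin): when zeusscan2's instruction-sequence signature does not fire on a variant, the strings Steve saw in the malfind dump can still drive a quick triage pass. The script below extracts printable strings from a dumped region in `strings -t x` style and counts how many of the banking/financial application names quoted above it contains; the sample bytes are constructed, and the target list and threshold are assumptions for the example, not a Zeus verdict.

```python
import re
from typing import List, Tuple

# Application names quoted from the malfind dump in the thread. A match is a
# triage hint for a Zeus-style target list, not proof of infection.
ZEUS_TARGET_STRINGS = (
    "tellerplus", "bancline", "fidelity", "micrsolv", "bankman", "vantiv",
    "episys", "jack henry", "cruisenet", "gplusmain", "launchpadshell.exe",
    "dirclt32.exe", "wtng.exe", "prologue.exe", "silverlake", "pcsws.exe",
    "v48d0250s1", "fdmaster.exe", "fastdoc",
)

def extract_strings(data: bytes, min_len: int = 4) -> List[Tuple[int, str]]:
    """Return (offset, text) for each run of >= min_len printable ASCII bytes,
    equivalent to `strings -t x` but kept in Python for post-processing."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pat.finditer(data)]

def triage_dump(data: bytes, threshold: int = 3) -> dict:
    """Count distinct target names in a dumped region; record the first offset
    of each hit and flag the region when the count reaches the threshold."""
    hits = {}
    for off, text in extract_strings(data):
        low = text.lower()
        for name in ZEUS_TARGET_STRINGS:
            if name in low:
                hits.setdefault(name, off)
    return {
        "distinct_targets": len(hits),
        "hits": dict(sorted(hits.items(), key=lambda kv: kv[1])),
        "suspect": len(hits) >= threshold,
    }

# Constructed samples standing in for malfind output: one region carrying a
# few target names between NUL/NOP padding, one benign PE-header-like blob.
SAMPLE_INJECTED = (b"\x00" * 16 + b"tellerplus\x00" + b"\x90" * 8 +
                   b"bancline\x00" + b"fidelity\x00" + b"kernel32.dll\x00" +
                   b"jack henry\x00" + b"\x00" * 16)
SAMPLE_BENIGN = b"MZ\x90\x00" + b"This program cannot be run in DOS mode.\x00" * 2

if __name__ == "__main__":
    for label, blob in (("injected", SAMPLE_INJECTED), ("benign", SAMPLE_BENIGN)):
        result = triage_dump(blob)
        print(f"[{label}] distinct targets={result['distinct_targets']} "
              f"suspect={result['suspect']}")
        for name, off in result["hits"].items():
            print(f"{off:08X}  {name}")   # same layout as `strings -t x`
```

In practice the input would be the `.dmp` file written by `malfind -D`, read with `open(path, "rb").read()`.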