RSA Admin

ZeusCoiner Detection: Zeus Variant Engages in BitCoining

Blog Post created by RSA Admin Employee on May 16, 2014

The most common forms of Zeus are easily detectable by their beacons by looking for the filename of "gate.php" along with an action of "put."  But as time goes by these botnets evolve ever-so-slightly.  Below we will discuss a specific purpose-built variant that engages in converting victims to Bitcoin miners.  We call this "ZeusCoiner" and this is how you can detect it.

 

This variant was found by exploring traffic related to the complete absence of a user-agent string.  If you subscribe to Live Content, this type of traffic is tagged by the HTTP parser as 'http1.1 without user-agent header' in the risk.info key.  You can also find this type of traffic quickly by looking for service=80 && client !exists.  If you have not had a chance to explore and normalize this traffic, you should.  One thing we noticed while exploring this traffic was that there were encoded strings as user names. Lets take a look at the meta values for this drill in our environment:

 

84680

As you can see there are two destination hosts that use the familiar gate.php filename, however, instead of a "put" or "Post" as is common with Zeus, these are all get commands followed by a username.  This username is likely used to create a unique session for the botnet beacon.

 

Now let's look at the sessions:

 

84687

 

The initial request is for the gate.php, followed by a username, ID, type and a hex encoded key.  The request is answered by an encoded stream of data which likely contains commands for the infected host, including jobs for bitcoin mining.

 

The second session informs the victim where to find the storage site to post any new-found bitcoins.

 

84688

 

And finally, the third session asks for the hashrate.

 

84689

A good rule to detect this type of Zeus traffic is the following app rule:

risk.info= 'http1.1 without user-agent header' && filename='gate.php' && username exists

Name the rule "Zeus Gate With User String"

 

The original infector files are profiled by VirusTotal here

 

Attached is a PCAP for testing this rule and for demonstration purposes.

 

Don't forget to explore other web traffic that lacks user-agent strings.  Good Luck and Happy Hunting!

Attachments

Outcomes