Decrypting traffic from twex.exe (a variant of Zeus Crimeware Suite)

I am working on a case where the client machine was infected with a variant of the following:
http://www.threatexpert.com/report.aspx?md5=4c43982c586ab3b159c60e6a5164d772

We traced it back to Zeus crimeware suite:
http://amzeus.co.uk/2008/05/crimeware-in-middle-zeus-its-not-me.html

We are trying to ascertain what data was stolen, which can be gleaned from network traffic, malware storage files (local.ds, user.ds, and user.ds.lll), and system restore files created from previous instances of (local.ds, user.ds, and user.ds.lll), if only we could identify the encryption key.

Here are the hash values of the malware that we found, which I uploaded to this site:
ef5e64bb771e57cb0af9a1bd844e08a6
e54db17d4228ac758093ca4e07327e4e
58b9ebcfcf14053013965589a2d05f91
a04959f43e810bfdfe7833e761d25d4c

We have looked into decryption methods of previous instances of this, but they do not work on this version. Has anyone had any luck with this?

Thanks in advance,

Colby

reverse

You can try to reverse/debug the malware with IDA and a debugger like Olly or Immunity...

Hello, please post a comment

Hello, please post a comment if you do not need the information anymore, but I will look at it tonight and let you know if I can recover keys.

Yes! Please!

Yes, we do need the info. I had one of our programmers look at it and try to debug it, but they could not find the key. If you could help, that would be great!

Thanks,

Colby

I just finished looking at

I just finished looking at it... Yeah... You won't find what you want.

This is far from small-time malware. If I had to take a guess, they are using advanced crypto (not stupid XORing or even simple symmetric keys).

If you really need the information you will need to pay some good people some good money and some time.

Sorry, I had no idea what this malware was and was hoping for a simple one-night project...

Encryption changed

Colby,
The encryption changed to RC4, so you need to extract the 256-bit key from the binary. I can help you with that.
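For readers following this thread, here is an added example (not code from any poster or from the Zeus samples referenced above) of what "extract the key and decrypt" looks like in practice once you believe the cipher is RC4. It implements RC4 from scratch, checks itself against the well-known "Key"/"Plaintext" test vector, and then slides a 32-byte window (256 bits, as tomac states) across a dumped memory image, trying each window as the key against the first bytes of a captured blob and scoring the result by how much of it is printable ASCII. The memory image, the embedded key, and the stolen-data blob are all constructed here for illustration; the assumption that the key sits verbatim as a contiguous 32-byte string and that the plaintext is ASCII is ours, and a real sample may instead store a pre-scheduled 256-byte RC4 state or derive the key, in which case the scan window and scoring must be adapted.

```python
"""RC4 key recovery by brute-force window scan over a memory dump (illustrative)."""

KEY_LEN = 32  # 256-bit key, per the thread; assumption that it is stored contiguously


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    S = list(range(256))
    j = 0
    for i in range(256):  # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for b in data:  # pseudo-random generation algorithm, XORed onto the data
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def printable_ratio(buf: bytes) -> float:
    """Fraction of bytes that are printable ASCII or common whitespace."""
    if not buf:
        return 0.0
    ok = sum(1 for b in buf if 0x20 <= b <= 0x7E or b in (0x09, 0x0A, 0x0D))
    return ok / len(buf)


def find_key_in_image(image: bytes, ciphertext: bytes, key_len: int = KEY_LEN,
                      probe_len: int = 64, threshold: float = 0.9):
    """Try every key_len-byte window of `image` as an RC4 key against the first
    `probe_len` bytes of `ciphertext`. Return (offset, key) of the first window
    whose decryption is mostly printable, or None if nothing scores above threshold.
    A wrong key yields pseudo-random bytes, roughly 37% printable, so a 0.9 cut-off
    on 64 bytes leaves essentially no false positives."""
    probe = ciphertext[:probe_len]
    for off in range(len(image) - key_len + 1):
        cand = image[off:off + key_len]
        if printable_ratio(rc4_crypt(cand, probe)) >= threshold:
            return off, cand
    return None


# --- constructed sample data (not taken from any real sample) -------------------
SAMPLE_KEY = bytes(range(0x20, 0x20 + KEY_LEN))
SAMPLE_PLAINTEXT = (b"login=alice&password=hunter2&url=https://bank.example/\r\n"
                    b"login=bob&password=letmein&url=https://mail.example/\r\n")
SAMPLE_CIPHERTEXT = rc4_crypt(SAMPLE_KEY, SAMPLE_PLAINTEXT)

# A fake "memory image": deterministic filler with the key planted at offset 100.
KEY_OFFSET = 100
_filler = bytes((i * 131 + 7) & 0xFF for i in range(400))
SAMPLE_IMAGE = _filler[:KEY_OFFSET] + SAMPLE_KEY + _filler[KEY_OFFSET + KEY_LEN:]


def recover_and_decrypt(image: bytes = SAMPLE_IMAGE,
                        ciphertext: bytes = SAMPLE_CIPHERTEXT) -> bytes:
    """Locate the key in the image and return the fully decrypted blob."""
    hit = find_key_in_image(image, ciphertext)
    if hit is None:
        raise RuntimeError("no plausible RC4 key found in image")
    _, key = hit
    return rc4_crypt(key, ciphertext)


if __name__ == "__main__":
    assert rc4_crypt(b"Key", b"Plaintext").hex() == "bbf316e8d940af0ad3"
    off, key = find_key_in_image(SAMPLE_IMAGE, SAMPLE_CIPHERTEXT)
    print("key found at offset", off, "->", key.hex())
    print(recover_and_decrypt().decode("ascii"))
```

The same scan works against a process dump or the unpacked binary; if the decrypted output of local.ds or user.ds is not ASCII (for instance, a binary record format), replace `printable_ratio` with a check for whatever header or structure the files are known to carry.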

How can I contact you?

Hi tomac,

Is there any way I can contact you (email/IM/etc.)?

Thanks,
Tomer

looking for samples

Colby,

I'm looking for as many Zeus exes that have this feature.

Contact me off list if you have any more :)

Thanks