How Trojan.Zbot.B!inf Uses Crypto API
Trojan.Zbot.B!inf, which was discovered on October 1st, has functionality to update Trojan.Zbot by using Windows Crypto API. Crypto API is a set of functions that uses PKI bundled with Windows and has been used by several malicious programs in the past. This Trojan horse uses Crypto API to create a URL to download files.
The following figure uses RSA as a cryptographic service provider (CSP) to calculate MD5 hash values. The hash values are calculated by using the compromised computer’s time as a base value.
After the created hash value is extracted with the CryptGetHashParam function, it's converted to a ASCII character string and adds that character sting to a top level domain - .biz, .info, .org, .com, .net – to create a DNS name.
The following URLs are an example of the URLs that can be created:
Every second the Trojan horse calculates a hash value, for a total of 800 URLs, from which it then attempts to download files from. At the time of writing, only three of those URLs were accessible with all the others being unregistered. The domain of those three URLs use the same IP address and are currently all located on a server in the Ukraine. The domain that I have confirmed was registered on October 10th, which is after this Trojan was discovered, so the threat author may well be changing URLs.
The threat also uses Crypto API to verify the downloaded file. The downloaded file has a signature attached to it and when its downloaded the threat uses the CryptVerifySignatureW function and the public key that it has to verify the file.
Its different to the digital signature that Windows uses and from the byte sequence of the signature and signature size stored in the executable file, we can see that the file type, while simple, is using a specially crafted verification system. After it successfully verifies the signature and determines that the signature is valid, it uses CreateProcess API and executes the file.