In March 2014, the Zorenium bot (W32.Zorenium) made headlines after the malware’s author claimed that the information-stealing threat had been updated with some advanced new features. According to the malware author, known as Rex, these features included the ability to run on iOS and Android devices, steal banking credentials, support peer-to-peer (P2P) communications, and spread over Skype and Facebook.
The malware originally appeared in 2013 and Symantec has observed how it has evolved over time. If Rex’s claims were true, then the update could have made Zorenium a major threat. While this update’s full feature set was never proven, Rex stood by the iOS claim and later stated that the iOS code came from a third party. In this blog, we look at the evolution of the Zorenium bot and ask just how significant a threat Zorenium really is.
In November 2013, an initial Pastebin post for the Zorenium bot appeared, listing a host of version one’s features. The post also included a conversation between Rex and one of his marketers, known as Switch, about version two. A further post on Pastebin in December 2013 detailed how the Zorenium bot was developed, along with further information of what the bot was capable of. Then, in March 2014, Rex published a post on Pastebin claiming that Zorenium had been updated to run on iOS 5 to iOS 7, along with a list of other features. Several more Pastebin posts occurred in March 2014, which included supposed Zorenium code snippets in an effort to prove that the bot was not a fake and that it had the marketed functionality.
There was an additional Pastebin post on Zorenium in April 2014 and another Pastebin post in May 2014. Both of these posts stated that the malware author planned to release Zorenium’s version three documentation on June 1, 2014. The last post on Pastebin that seems to be linked to Zorenium appeared on June 3, 2014, but it did not cover the version three documentation.
Evolution of Zorenium bot
Based on the limited number of Zorenium bot samples that are in the public domain, Symantec has been able to track the evolution of this malware.
The first samples we observed have timestamps from November 2013 and are 40KB in size. While timestamps from executable files’ headers can be spoofed, the headers in all of the Zorenium samples that we observed appear to be reliable. These samples have limited functionality that is typical of back door Trojans, such as the ability to communicate with attackers through IRC channels, capture screenshots, and modify files on the compromised computer.
The second group of Zorenium samples we observed have timestamps from December 2013 and are 50KB in size. These samples have very similar functionality to the earlier samples, though the threat had been updated to mine Bitcoins using the compromised computer’s resources.
The third group of samples we observed have timestamps from April 2014 and are 1MB in size. These samples have many more features than the earlier samples did, including the following abilities.
- Communicate with the attacker through IRC channels
- Download and execute files
- Create an FTP server
- Capture screenshots
- Spread itself to other computers through email attachments
- Install a keylogger in order to steal account information from online payment and gaming services
- Use the computer to perform denial-of-service attacks
- Perform port scanning
- End antivirus-related processes
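The remark above that header timestamps can be spoofed but appeared reliable here rests on a simple sanity check; as an added example (not Symantec’s tooling or code from this post), the following reads the COFF TimeDateStamp from a PE header and treats it as unreliable when it falls before a credible earliest date or after the sample’s first-seen date. The sample bytes, the first-seen date and the 2013 cut-off are constructed assumptions for illustration.

```python
import struct
from datetime import datetime, timezone, timedelta

def pe_timestamp(data: bytes) -> datetime:
    """Return the COFF file header TimeDateStamp of a PE image as a UTC datetime."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not a DOS/PE image")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)   # offset of the PE signature
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # COFF header follows the signature: Machine(2), NumberOfSections(2), TimeDateStamp(4), ...
    (stamp,) = struct.unpack_from("<I", data, e_lfanew + 8)
    return datetime.fromtimestamp(stamp, tz=timezone.utc)

def timestamp_plausible(stamp: datetime, first_seen: datetime,
                        earliest: datetime = datetime(2013, 1, 1, tzinfo=timezone.utc),
                        slack: timedelta = timedelta(days=1)) -> bool:
    """A compile timestamp is only trusted when it lies between an earliest credible date
    (assumed cut-off: the year the family appeared) and the sample's first-seen time."""
    return earliest <= stamp <= first_seen + slack

def make_sample(stamp: datetime) -> bytes:
    """Constructed minimal PE-like blob (DOS header + PE signature + COFF header) for testing;
    it is not a runnable executable, only enough header for pe_timestamp() to parse."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)              # e_lfanew -> PE signature at 0x40
    # Machine=i386, 1 section, TimeDateStamp, no symbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", 0x14C, 1, int(stamp.timestamp()), 0, 0, 0xE0, 0x102)
    return bytes(dos) + b"PE\0\0" + coff

# Constructed inputs: the first-seen date and all sample stamps are assumptions.
FIRST_SEEN = datetime(2014, 6, 1, tzinfo=timezone.utc)
SAMPLE_NOV_2013 = make_sample(datetime(2013, 11, 15, tzinfo=timezone.utc))
SAMPLE_APR_2014 = make_sample(datetime(2014, 4, 10, tzinfo=timezone.utc))
SAMPLE_SPOOFED = make_sample(datetime(2020, 1, 1, tzinfo=timezone.utc))   # later than first seen

def assess(data: bytes, first_seen: datetime = FIRST_SEEN) -> tuple:
    """Return (compile date as YYYY-MM-DD, whether the timestamp passes the plausibility check)."""
    ts = pe_timestamp(data)
    return ts.strftime("%Y-%m-%d"), timestamp_plausible(ts, first_seen)

if __name__ == "__main__":
    for name, blob in (("nov2013", SAMPLE_NOV_2013), ("apr2014", SAMPLE_APR_2014), ("spoofed", SAMPLE_SPOOFED)):
        print(name, *assess(blob))
```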
Zorenium’s new features — Fact or fiction?
As can be seen through the evolution of the Zorenium bot samples, the threat does indeed include a host of malicious features for attackers to use. However, we could find absolutely no evidence to support many of Zorenium’s marketed features, such as the following.
- Running on iOS 5 to iOS 7
- Running on most Debian platforms, as well as the latest Android tablets
- Similar capabilities to the sophisticated TDL-4 rootkit
- The ability to spread through Skype or Facebook
- P2P communications
- The ability to steal banking details
Zorenium’s marketed literature also lacked credibility regarding some of the threat’s suggested features. The images published by the malware author just show short code snippets that look vague and generic, or display a Visual Studio project that doesn’t tell us much, if anything at all, about the threat.
Figure. Images released related to the development of Zorenium.
The malware author did go as far as leaving this message in one of the samples we analyzed.
“I KNOW THIS IS ON A PUBLIC WEBSITE
THIS IS FOR A REASON
DONT EXPECT THE DOCUMENTED
Pastebin quoted FEATURES
TO BE INCLUDED WITHIN THIS FILE
THIS IS A P2P TEST
FEATURES IN THE P2P HAVE BEEN DISABLED
SO YOU CAN NOT SEE OUR ENCRYPTION METHODS JUST YET UNLUCKY SON.
thanks FOR READING this and going out your way to read this
thank you for your free debugging website
it come in handy alot”
Is the Zorenium bot a significant threat?
Given the capabilities that we have currently observed in Zorenium bot samples, the threat can be used for nefarious purposes, but in its current form it is punching well below its marketed weight. There is the possibility that the marketed Zorenium bot’s features and released samples are nothing but a scam in an effort to trick buyers into paying for a dud. The Pastebin posts offer the Zorenium .bin file with Tor & P2P command-and-control capabilities for £5,000 (GBP), to be paid in Bitcoins. Rex also states that the code is not for sale.
Based on our research, the malware author seems to have close ties to one underground forum and may be using contacts from this forum to assist with the development of Zorenium. However, we question whether these contacts have the capabilities to create Zorenium’s more advanced marketed features. There is also no evidence to substantiate most of Rex’s claims about the threat’s more sophisticated features, that the development of Zorenium is ongoing, or that it is actively being used in the wild. Symantec will be watching this bot for any future developments, but given what we currently know, it does not look like Zorenium is even half the threat that it makes out to be.