Thursday, October 10, 2013

MMD-0007-2013 - KINS? No! PowerZeuS, yes! Source Code for View & Download

Background

Finally announced publicly in social engineering media TODAY that the leaked source code of (updated) what we thought was KINS (/updated) was publicly exposed. We found out later on in the codes that there is no link to any current alive CnC with destination and/or pattern used by the known "realKINS", apart from some differences inside binary files. And (With thank's to "Invisible Kid" for suggestion to clarify this matter) found this toolkit is made based on known toolkit known as PowerLoader with an optional/additional ZeuS module/functions in a dll shape(indicated from Citadel stripped code actually), therefore, in "Ad Hoc", the "PowerZeus" looks like the "suitable naming" for this malware/toolkit itself.

Peeling the codes deeper, we found there is Bootkit codes from Carberp used; the loader which is leaving an old SpyEye traces (don't ask me why..); the form-grabber that are coming from the root of Zeus-based (found it in Citadel too); the gate web interface used was similar to what Pony/Zbot used with altogether tons of flaws in it.. it made me feel like seeing a re-union of Zeus family in one package. Our coder team also noticing the at least three different PHP coders were working in separated modules in separated time for the gate's codes.

Below is the simple grep traces of PoC of Builder code snips, explaining the modules used by the tookit, reference of Power Loader:

make.py(262): def build_project(project, project_out, params, is_x64 = False):
make.py(384):     build_project('softwaregrabber','softwaregrabber.dll', params)
make.py(402):     build_project('socks_server','socks5Server32.dll', params)
make.py(420):     build_project('socks_server','socks5Server64.dll', params, True)
make.py(438):     build_project('mod-killer','mod-killer.dll', params)
make.py(456):     build_project('dropper','dropper32.exe', params)
make.py(474):     build_project('dropper','dropper64.exe', params, True)
make.py(492):     build_project('clientdll','client32.dll', params)
make.py(510):     build_project('clientdll','client64.dll', params, True)    
make.py(542):     build_project('builder', outfile, params)

I just finished reading all codes when I added this note, these are a must-have for the AV industry and researchers to understand the recent concept of form-grabber, bot networking used, the bootkit, the gate's codes and its vulnerabilities (I count 3 SQLi, 2 PHP/Escape flaws & 1 Escalation User Privilege exploits in the gate's codes which can be used to, erm, "mitigate" this threat *smile*)

Many of download source was announced, some contains the PUP with unnecessary backdoors which can actually infect you. So I feel is important to have a clean download for the AV filtration support and research purpose. If I may add, for the press and media gentlemen, this malware is not new news, but the public disclosure code part for this toolkit is.

Malware Product Description (in package)

Below I pasted as per it is, the malware (toolkit)'s product description found in the source code, please take a look at this description well, specially at the explanation on mod-killer, module socket (designed for grabbing softwaregrabber of FTP , email , pop3 data and certificates & integrated with a common neural networking, is bot base module to the kernel ) and the installation parts. The exported admin certificates password also written clearly in plain text:

Product description:
itur1, url2, url3 - URLs on the gate dropper ( exe file).

In addition , there are two main slashes spare in case if your domain loknut .
This file should be progruzhat . It must be crypted .

delay - the delay otstuk

retry - interval core sampling bot.

buildid - the name dropper botnet .

encryption_key - encryption key.

url_server - admin Gate "B" , that is, admin core.

$ - Notifay .
! - A ban .
@ - Screenshots ( full-size ) .

macros :
% BOTID% - ID bot.
% opensocks% - automatic opening of the socks in the transition to H HRM .

captcha_server - interception of CAPTCHA . Works with AD. Leave as is.

After collecting the config files is issued shall be issued 3 - dropper.exe, 
bot32.dll, bot64.dll and just as you do is file softwaregrabber.dll,
which has already been assembled independently of the first three .

dropper.exe - dropper file ( 50 kb ), which pulls the core bot (2 cores , bot32.dll
 and bot64.dll). This file is crypted .

bot32.dll - kernel for 32-bit systems .....
: > kriptovat is not necessary . Avtokript memory . The modules are the basis of 
the bot and are responsible for the processes of injection and grabbing a browser .
bot64.dll - kernel for 64 -bit systems .....

softwaregrabber.dll - module port opening . Responsible for grabbing FTP \ Email \ 
pop3 \ Billing \ screen and check otstuk kernel modules. Kriptovat is not 
necessary . Avtokript memory .

The core of the bot. RULE OF COMMUNICATIONS AND DOWNLOADS . Pay special attention .

- Adding a file in the " Files" section. As jobs are added files bot32.dll, 
bot64.dll, softwaregrabber.dll and other modules , including third-party dll or exe files .
Name and version selected as desired. Bot communicates with the modules Zutick, 
Shylock, SpyEye, but without an open API ( optional) argument to leave empty.
Attention ! Communication with the module . First, load the kernel modules . 
In this case, the kernel modules should not be linked to anything . 
Next, load the module softwaregrabber.dll,
that should be associated with bot32.dll

- Give the job to the modules in the " job ." It should be noted key points : 
a) To select the kernel module loading mode " reusable "
Module softwaregrabber - " one-off " or " reusable " . 
b) Number of times (performance ) put a big number, eg 9999999 .

- Quest " written in the config ", " input commands manually " are available on
ly when you open API. Setting the "send logs " is available only for debug version,
which is done by request and in extreme cases. In this case, the installation 
logs dropper and obtaining rights go to the " logs " .

- Net \ dirty - a necessary attribute if you decide to download the bots in one hand.

- Updating the dll is on the circuit i +1 preserving the bot name in the files 
and assignments , if necessary update of sequence, and the scheme i, if the update
comes after the reboot .

- To update the statistics in the admin dropper , do not forget to add the task to CZK .

- The difference between the admin area "A" and "B" indicates the quality of 
your traffic. Cores bot ticking only after obtaining logs . In case
progruzhaetya kernel , say, Dedic , where there is no activity , the bot will 
appear in the admin "B" , but did not appear in the admin area "A".
You can always see the number of loaded cores bot in the " jobs " in the admin 
dropper . The difference in bad trafe may reach 90 %
we only show the balance of objective things.

The module mod-killer is designed to maintain the purity of your bots from 
third-party bots , unwanted software .
- Deleting Citadel (all), Zeus (all), SpyEye (all), IceIX (all), 
  Evolution (all) and their derivatives , Carberp ( exception - bootkit )
  Zutick, Lickat, Shylock, Gazavat (Sality).
- Delete a third-party malicious software, such as loaders , Rata , DDoS bots , based on heuristic analysis.
- Removal of unwanted software, such as click bots , bots spoofing issue , based on the heuristic analysis.
- Removal of the common bots even crypted form on the basis of signatures.
- Total integration with neural network bot. Analysis of unsigned software , processes, without windows, etc.

Installation Options :
Specify the arguments (arguments SpyEye in the admin core)
"77_uninstall;" - the removal of unwanted software , such as a boat- clickers , etc.
"77_replace_with = http://aa.ru/file.exe" ( if you have the software to progruz , 
but competitors will ship similar software on your bot ) swings on a new boat 
with RLS imunnitetom to deliteru - 77_uninstall
"Report;" - bug report in the admin area of the nucleus.
"Clean_zeus_based;" - delete all versions of popular signature-based bots .
The record of a line of several arguments. Each argument must end with "" .
Load module files , add to the value associated with the core bot32.dll

In order to use the module socks , do the transaction :
1 ) Find a server, it is desirable to Windows ( you can Dedicated Server with 
installed apache / nginx / xamp / denwer, in general, need a server
with installed php). Nix on Vine also supposed to work .
2) Fill socks_server folder on the server , we put all the 777 law.
3) Take gate.php link to the file on the server, remember .
4 ) Go to the admin panel dropper , add -ins and socks5Server32.dll socks5Server64.dll, 
in the arguments indicate the link from paragraph 3 ) .
Where to inject - explorer.exe.
5 ) Sox as IP: Port take in going to the link " your_server " / control.php, either from the log.txt
Sometimes we clean konnekshn we click in Kill Tasks. The terminal supports the 
socks fourth and fifth versions of standard rfc.
Authorization is not required. Volnovatsya about ports for bots do not need , 
they will take out of the gate .

WARNING ! The module must be connected to the core bot32.dll for socks5Server32.dll 
and bot64.dll c socks5Server64.dll respectively.
Attention ! In the tasks and files names must be exactly socks5Server32.dll and socks5Server64.dll
Auto open socks carried out on the macro / /% opensocks% in inzhekta .

The module is designed for grabbing softwaregrabber FTP , email , pop3 data and certificates.
The module is integrated with a common neural network is bot base module to the kernel .

Installation Options :
Specify the arguments (arguments SpyEye in the admin core)
"Grab_all;" - Rob everything - all FTP data that are recorded by a list of 
all email-i + contacts uchetka ,
Cookies IE and FF ( after sending the admin area as possible are removed ) , 
and certificates MY store ( exported to the admin certificates under the password "GCert")
"Grab_emails;" - grabbing only the email adresses .
"Grab_ftps;" - grabbing only FTP .
"Grab_certs;" - grabbing only certificates.
"Grab_sol;" - salt- grabbing cookies .
The record of a line of several arguments. Each argument must end with "" .
Load module files , add to the value associated with the core bot32.dll

Code Sharing Details

I wrapped up all of the codes into a 7zip after confirming the authenticity and be available for a clean share and you can download safely from here -->[MalwareMustDie MediaFire]
This source code is very important to filter the several evading techniques used by similar variants, with also planning a mitigation for the Bootkit implementation of the malware, I really hope AV industry will use this code well for their products implementation.

Before you download please see the size, MD5 hash, date and filename well as per mentioned in the below movie. In additional, there are countries that forbidding the owned of malware source, so if you want to view what's in the source code package, you don't have to downloaded it, but you can see it in the below movie I just took, to get the idea what the source actually contained:

The share limitation and rules

The password will be shared to the known security researchers and all anti-virus industry ONLY, please contact us by twitter's mention, or by email if you know how to reach me already. We share this information for the purpose to raise detection ratio of the threat and for the mitigation purpose. Any other purpose (even it sounds legitimate) will be rejected without notification or to be put into the lower priority. This is a recent and dangerous malware code, and evil malicious source code, a cyber crime tool, our sharing method in this subject is not a democracy nor discussion, please understand. So please present your self, your work and your purpose well.

Thank you for the good Crusader that leaked the source directly to us. God bless you.

References:

1. Technical Overview (Bootkit+Evade Wow64): KINS Source Code Leaked (Touch My Malware), link-->HERE
2. In depth analysis: Having a look on the KINS Toolkit (Xylibox), link-->HERE
3. Article: New Trojan #INTH3WILD: Is Cybercrime Ready to Crown a New “KINS”? (RSA Blog), link-->HERE

Kudoz friends in arms who read codez!

Luv you all! Stay secure! ( ^-^)v

The password is a tribute to a good young friend crusader with a very big heart!

#MalwareMustDie!