This is a guest post by Dimitry, a forensics expert who will be joining our team soon.
As a follow up to our previous post, here is a quick overview of some of Zorenium’s capabilities.
Please note that as we are still in the process of fully analyzing this bot’s capabilities – the post is mostly based on the information publish by the bot maker.
Without a doubt, one of the most interesting modules to start with would be the FakeShoutDown mechanism. If according to the author indeed it operates as they say it does, then it is definitely a new “way of thinking”.
In essence, the authors of Zorenium are faking the shutdown process of a machine. The code imitates the entire process (once the shutdown sequence isinitiated by the user) including proper images and even, and this is quite fascinating, slowing down the computer fans to eliminate the noise.
In my humble opinion, it is quite impressive.
The bot has multiple interfaces of management (such as IRC and I2P), and all come with a great set of 256 bit AES keys.
Another interesting aspect would be the implementation of the stenography module. The stenography module is not a “regular”, and it makes this bot into more sophisticated than others. I am curious to see how that implementation works.
Another funky aspect of the bot would be what the author called “CHRISTMAS USERKIT4 SPECIAL ADDON”. Amongst the various features, the bot will replicate a new disk drive and will drop the core dll’s onto it. Then it will encrypt the hard drive and thus protect it from various AV and anti-malware mechanisms. Pretty sweet if you ask me.
The cherry on this icecream would be the iOS module. This is definitely the first bot that I have seen that actually operates on “Cross-platforms”. It can infect Android, Windows and iOS systems – a true nightmare to all security specialists. The main question regarding iOS still remains – are only jailbroken phones at risk or is it much, much worse?