Zorenium Bot: Follow-up

This is a guest post by Dimitry, a forensics expert who will be joining our team soon.

Image

As a follow up to our previous post, here is a quick overview of some of Zorenium’s capabilities.

Please note that as we are still in the process of fully analyzing this bot’s capabilities – the post is mostly based on the information publish by the bot maker.

Without a doubt, one of the most interesting modules to start with would be the FakeShoutDown mechanism. If according to the author indeed it operates as they say it does, then it is definitely a new “way of thinking”.

In essence, the authors of Zorenium are faking the shutdown process of a machine. The code imitates the entire process (once the shutdown sequence isinitiated by the user) including proper images and even, and this is quite fascinating, slowing down the computer fans to eliminate the noise.

In my humble opinion, it is quite impressive.

The bot has multiple interfaces of management (such as IRC and I2P), and all come with a great set of 256 bit AES keys.

Another interesting aspect would be the implementation of the stenography module. The stenography module is not a “regular”, and it makes this bot into more sophisticated than others. I am curious to see how that implementation works.

Another funky aspect of the bot would be what the author called “CHRISTMAS USERKIT4 SPECIAL ADDON”. Amongst the various features, the bot will replicate a new disk drive and will drop the core dll’s onto it. Then it will encrypt the hard drive and thus protect it from various AV and anti-malware mechanisms. Pretty sweet if you ask me.

The cherry on this icecream would be the iOS module. This is definitely the first bot that I have seen that actually operates on “Cross-platforms”. It can infect Android, Windows and iOS systems – a true nightmare to all security specialists. The main question regarding iOS still remains – are only jailbroken phones at risk or is it much, much worse?

Zorenium Bot Coming to the iPhone Nearest to You

Written by Tanya Koyfman and Assaf Keren

Recently our analysts have been monitoring the advancement of a new threat in the commercial malware theater – the Zorenium Bot. Zorenium, a relatively new and unknown bot,  has been for sale on the underground sinceJanuary 2014. This bot will be getting new features in its March 18th update, including, the ability to infect iOS devices (version 5-7), alongside its existing capabilities to run on Linux- and Windows-based machines. The developers have also updated the rootkit to TDL4 (making it vulnerable to anti-TDSS tools).

 zorenium1

Capture of the recent release notifications

Zorenium, a relative of Betabot, is a very robust bot which is still undetected by most AV companies. It has several key abilities, including DDoS, Formgrabbing, Bot-killing, Banking Trojan and Bitcoin mining. The cost of a basic Zorenium bot is 350 GBP and with advanced features (including P2P C&C, i2p C&C and more) it can go up to over 5000GBP.

 zorenium2

Zorenium Payment Plans

According to the developers, it is still in beta mode and more features will be available in time .

 zorenium3

Zorenium Source Screen Capture