Saturday, October 5, 2013

Zodiac v0.10, Part I: First Look

So I've made some progress on this analysis.

First off, this string was found in the sample:

.rdata:0040B05C 000000D4 C DEAR WHITEHATS: This bot isn't protected because I'm lazy and you're not going to do anything anyway, not because I'm inept. Although I have added a dirty cipher to please you. Come chat with us, we're friendly.

I believe I found the dirty cipher here:

It's kind of a Caesar Cipher: given a byte of ciphertext, if it is between 0x2E and 0x4F it will add 0x30, and if it is between 0x50 and 0x7E it will subtract 0x30.

This deciphering routine is used by the following functions (labelled by me):

It is used on strings that are all collected together in a data segment. I went ahead and deciphered what was there and changed the labels:

The deciphered label "ev1l1lod1ld0s" is used to create a mutex, so that only one copy of the bot is running on a host at a time:

The deciphered label "Windongs" is used to create a registry key at HKLM\software\microsoft\windows\currentversion\run for persistence:

And I am now starting to get into the code that connects to the command server at  I'll post more on that part of the code once I've slogged through it, but I also wanted to get into another fun part of the investigation: attribution.


  1. I've seen being used in dns amp attacks:

    1. Thank you, that's good information.

      Yeah, given who these guys seem to be, they aren't discreet by any means, so I can see DDoS as being part of their MO.