Channel: MalwareTech

Zorenium Bot Turns Out to be Real (April Fool)

Nearly 2 weeks ago I published an article about a seemingly fake bot with ridiculous features; however, after spending the past few weeks doing some deep digging, it turns out that the Zorenium malware is in fact real and more potent than first thought. Not only did all the features, including the private unreleased TDL4 rootkit, turn out to be real, but some interesting new features have been spotted. I'll walk through some of the interesting features in the sample I found.


TDL4 Rootkit
The rootkit component of Zorenium is TDL-4 based, but seems to have been updated to include slightly better persistence. As well as infecting the MBR with malicious code responsible for loading the driver during the boot process (and thus before the antivirus), the rootkit is able to flash UEFI-compatible EEPROM chips with the code required for serving up the malicious bootloader, which works on both MBR and GPT disks. As a result of hijacking the UEFI chip, the bot is able to survive a reinstall, a full disk format, and even a hard drive replacement, making it one of the most persistent bots yet.


Peer to Peer Spread
A fairly unique method of spreading across networks is used by Zorenium. When executed on a Wi-Fi enabled device, the malware will use the Wi-Fi adapter to broadcast a "fake" unprotected Wi-Fi hotspot, whilst using the LAN connection to connect to the actual network. When other wireless device users connect to the unprotected hotspot, Zorenium will forward content to the real network so the hotspot appears to function normally; however, when an executable is downloaded over an unencrypted connection (HTTP), Zorenium will intercept the download and bind itself to the target executable, infecting anyone who runs it.


Cross-Platform Compatibility
I have been able to confirm that Zorenium can infect and spread across the following systems: Windows, Debian, iOS, Mac OSX, Android and UNIX. While testing the cross-platform functionality of Zorenium, it was able to spread wirelessly to other devices on my network, including my wireless media burner. I noticed that after the Zorenium infection, when I used my burner to burn disk and CD images, instead of burning them from the given ISO / IMG file, it would infect the media with a copy of the Zorenium executable.

(Image: Infected Wireless Media Burner)

My disc burner wasn't the only device affected by Zorenium's surprising portability. In 2012 the failed Russian Mars probe Fobos-Grunt was spotted flying backward by an astronomer; this was originally thought to be a malfunction. However, during its re-entry into the Earth's atmosphere in January 2012, the probe began intercepting satellite signals from TV stations and replacing commercials with an advert urging viewers to download and run the Zorenium malware.


Ransomware
When a device is first infected with Zorenium, the malware scans any contact lists, phone books and address books for the addresses of possible family members. Once the bot has enough addresses of family members, it begins writing letters to them declaring that you are in financial ruin after kindly lending all your money to a Nigerian prince. The letter will request that relatives lend you a small amount of money to feed your children, who currently have nothing to eat; if you don't have children, Zorenium will adopt some for you.