1

I am currently disassembling an instance of malware, of which, following a quick first pass, looks to be some augmented variant of ZueS. As I was quantitatively characterizing the targeting mechanics I came across the expression below. I'm simply looking for a confirmation of the code's inherent purpose(s).
The origins of the code below is a CnC-supplied malicious .dll, which is injected into msiexec.exe, and directly into browsers (?). To me it looks as if this injection into various browsers is solely for API hooking/interception, working to spy, and modify content (using specific WebInjects, etc).

Does this sound correct?

Thanks!

enter image description here

Kairos
  • 26
  • 2
  • While we don't generally allow code review here (groan), there is not enough information for me. However, when I look at `*(_DWORD *)(v16 +2) = inet_addr("127.0.0.1");`, I start thinking that the purpose is to have the browser use a proxy server that will allow the program intercept/modify the responses you receive. – Mark Buffalo Nov 26 '17 at 21:15

2 Answers2

1

Banking malware like Zeus does something called WebInjects, basically it modifies webpages once they've been decrypted by the browser but before they've been displayed to the user. This functionality can be used to gain access to information the user wouldn't usually give, such as a mothers maiden name or pin.

Source.

Daniel V
  • 443
  • 3
  • 12
0

This sounds correct. Injection of a DLL into a process is very common for trojans, and as you also already stated it's mostly used for API hooking and opening a socket to the main application of the trojan.

nebulak
  • 390
  • 1
  • 9