A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #20148  by alex18
 Thu Jul 18, 2013 1:01 am
Hello All,

Very interesting topic here. I am wondering if you can elaborate on something here:

- The naming convention for Zeus's different versions is not clear to me. I know Zeus has two major versions: version 1 and version 2. Does it have other versions?

- I am a bit confused about the variant and subversion concepts. What is the difference between them?

- Is new malware such as Citadel considered a new family, variant or subversion of Zeus?

- Finally, if someone obtains the Zeus crime toolkit, can he generate different variants or the same variant?

Thanks,
Ahmad
 #20154  by Xylitol
 Thu Jul 18, 2013 9:07 am
 #20165  by alex18
 Fri Jul 19, 2013 4:18 am
Thanks for your reply. However, it doesn't explain or answer my questions above. Would you please help?

thanks
 #20173  by EP_X0FF
 Fri Jul 19, 2013 10:19 am
alex18 wrote:Thanks for your reply. However, it doesn't explain or answer my questions above.
http://lmgtfy.com/?q=zeus+1.2+builder#


v2 changelog:
Version 2.0.0.0, 01.04.2010

Fully compatible with previous versions.
Since the core of the bot is aimed at Windows Vista+, and the bot will never use privilege escalation etc., the bot works within a single user. But basic attempts to infect other Windows users are made (usually effective when UAC is disabled, or when run under LocalSystem).
Arbitrary file names, mutexes, etc.
Completely rewritten bot core, installation process in the system, and sending of reports to the Control panel.
At installation, the bot recrypts its body, thus preserving a unique copy of the exe file on each computer.
Binding of the bot to the computer by modifying/deleting some data in the exe file.
Full support for x32 applications on Windows x64.
The original bot file is deleted after execution, regardless of the outcome.
Full support for parallel sessions in "Terminal Services".
When run as the LocalSystem user, an attempt is made to infect all system users.
Removed the option "StaticConfig.blacklist_languages".
The name of the botnet is limited to 20 characters and can contain any international characters.
The configuration file is read in UTF-8 encoding.
Removed the option "StaticConfig.url_compip".
A new method for determining NAT.
You cannot upgrade a new version of the bot over an old one.
When updating, the bot is updated completely and immediately, without waiting for a reboot.
At the moment, due to some reasons, hiding of bot files will not run at all.
Removed the "Protected Storage" grabber, because starting with IE7 it is no longer used.
Given the unreliability of the old system of counting "Installs", the bot is automatically counted as an "Install" when added to the database.
A new way to get IE cookies.
Improved back-connect protocol.
Because the "light-mode" builder is designed to test and debug HTTP-injects and HTTP-fakes, it has some limitations on assembling the configuration file.
Bot traffic is harder to discover.
Complete (as with wininet.dll) support for nspr4.dll, but without HTTP-fakes.

Version 2.0.1.0, 28.04.2010

Now using an external crypter; in connection with this, some features of the previous version are cancelled:
Modified binding to the user/OS.
The bot is no longer able to recrypt itself during installation.
Minor improvements to HTTP-injects.

Version 2.0.2.0, 10.05.2010

Forced change of Mozilla Firefox security settings for HTTP-injects to work normally.
The command "user_homepage_set" makes the home page mandatory for IE and Firefox (i.e. the page will be restored even if the user changes it) until the command is cancelled.

Version 2.0.3.0, 19.05.2010

Given that HTTP-injects are mostly written by people who understand little of HTTP, HTML, etc., the warning "*NO MATCHES FOUND FOR CURRENT MASK*" has been removed, because due to abuse of the "*" mask in URLs this warning appeared very often.

Version 2.0.4.0, 31.05.2010

In the control panel, fixed a bug in the module "Botnet -> Bots" which did not allow searching by IP.
In the configuration file, added the option "StaticConfig.remove_certs" to disable the automatic deletion of certificates from the user store when the bot is installed.
In the configuration file, added the option "StaticConfig.disable_tcpserver", which allows you to disable the TCP server (this DISABLES the socks server and real-time screenshots). This option is introduced to prevent warnings from the "Windows Firewall".
Ripped certificates are stored on the server with an indication of the user from whom they were received.

Version 2.0.5.0, 08.06.2010

For scripts, added the commands "bot_httpinject_enable" and "bot_httpinject_disable".
Fixed minor bugs in the HTTP-grabber.

Version 2.0.6.0, 22.06.2010

In nspr4.dll, for a particular format of HTTP response from the server, the reply was not analyzed correctly (resulting, for example, in HTTP-injects being disabled).

Version 2.0.7.0, 15.07.2010

Disabled the built-in bot encryption.

Version 2.0.8.0, 17.08.2010

Added new HTTP-inject options "I" (case-insensitive URL comparison) and "C" (case-insensitive context comparison).

Version 2.1.0.0, 20.03.2011

RDP + VNC BACKCONNECT ADDED
v1 changelog:
[Version 1.2.0.0, 20.12.2008]
  General:
[*] There will no longer be documentation in a chm file; everything will be written in this file.
    [+] The bot can now receive commands not only when sending its status, but also when sending
        files/logs.
    [+] Local data, requests to the server, and the configuration file are encrypted with RC4 using a
        key of your choice.
[*] The bot <-> server protocol has been completely updated. Server load may decrease.
  
  Bot:
    [-] Fixed a bug that blocked the bot on limited Windows user accounts.
[*] A new PE cryptor has been written; the PE file now comes out very clean and imitates the output
        of MS Linker 9.0 as closely as possible.
[*] Updated the bot build process in the builder.
[*] Optimized compression of the configuration file.
[*] New binary configuration file format.
[*] Rewrote the build process for the binary configuration file.
[*] Socks and LC now work on the same port.
  
  Control panel:
[*] Control panel status moved to BETA.
[*] All MySQL tables changed.
[*] Started a gradual migration of the Control Panel to UTF-8 (temporary problems with character
        display are possible).
[*] Updated the geo database.

[Version 1.2.1.0, 30.12.2008]
  Bot:
[*] BOFA Answers is now sent as BLT_GRABBED_HTTP (was BLT_HTTPS_REQUEST).
    [-] Minor bug when sending reports.
    [-] Report size could not exceed ~550 characters.
    [-] A bug that existed since the bot's beginning: a low timeout for sending POST requests,
        which blocked the sending of long (over ~1 MB) reports on slow (unstable) connections;
        as a theoretical consequence, the bot stopped sending reports altogether.
  
  General:  
    [+] When writing a report of type BLT_HTTP_REQUEST or BLT_HTTPS_REQUEST, the URL path is added
        to the SBCID_PATH_SOURCE field (path_source in the table).
  
  Control panel:
[*] Updated redir.php.

[Version 1.2.2.0, 11.03.2009]
  Bot:
    [-] Fixed a bug in HTTP-injects that existed across ALL versions of the bot. When a program
        used wininet.dll in asynchronous mode, synchronization of the threads created by
        wininet.dll was missed, which under some conditions caused an exception.
    [+] When an HTTP-inject fires, the files in the local cache are now modified as well.
        Without this change, HTTP-injects did not always fire.
    [+] Reduced PE file size.

[Version 1.2.3.0, 28.03.2009]
  Bot:
    [-] Minor bugs in the cryptor, thanks to the valiant shit-analysts from Avira.

  General:
[*] Changed the protocol for distributing commands to bots.
  
  Control panel:
[*] Control panel completely rewritten.
[*] Design rewritten in XHTML 1.0 Strict (does not work under IE).
[*] The bot is now again able to receive commands only when sending the online status report
        (load was too high).
[*] Updated the geo database.

[Version 1.2.4.0, 02.04.2009]
  Bot:
    [+] When working over HTTP, the User-Agent header is now read from Internet Explorer rather
        than being a constant as before. In theory, because of the constant User-Agent, requests
        could be blocked by providers or come under suspicion.
- The naming convention for Zeus's different versions is not clear to me. I know Zeus has two major versions: version 1 and version 2. Does it have other versions?
No, everything else is unofficial rip-offs.
- I am a bit confused about the variant and subversion concepts. What is the difference between them?
Contact Slavik for detailed information and changelogs.
- Is new malware such as Citadel considered a new family, variant or subversion of Zeus?
It is a modification based on 2.0, which also answers your next question.
- Finally, if someone obtains the Zeus crime toolkit, can he generate different variants or the same variant?
Zeus has been open source for almost 2 years.
 #20281  by rough_spear
 Tue Jul 30, 2013 12:08 pm
Hi All,

Three new zbot sample files.

MD5 list-

55d4adaf83946ab6bcab697348ceba76
5bad5fdb431c2136519d71468758cb06
a7f92be18f5d1475773797d8d0463039

Regards,

rough_spear. ;)
Attachments: password - infected.
 #20289  by unixfreaxjp
 Tue Jul 30, 2013 6:41 pm
These moronz are running a Zbot campaign;
below is the list of currently ALIVE ZBot.
Captured their downloadable snapshot by putting all of them on Urlquery as evidence.
There are more under tango down (already dismantled); in case you need recent FRESH samples I shared them here, pls grab them for analysis.. can't let my hands go now..
Analysis base, URLs dropped by these Fareit, got so many of these...
http://www.kernelmode.info/forum/viewtopic.php?f=16&p=20157#p20285
http://www.kernelmode.info/forum/viewtopic.php?f=16&t=1558&start=40#p20286
http://www.kernelmode.info/forum/viewtopic.php?f=16&t=1558&start=40#p20287