2009-04-26

Zeus / Zbot / Prg / Ntos / Wsnpoem

Real name of the trojan package is Zeus. It comes with a PHP based control panel and a Windows executable to build the trojan. Builder's job is to parse a text based config file, encrypt it, and embed some options into the trojan. The builder can also remove the infection from the system.



Main scripts of the control panel are:

"in.php"

Script which controls authentication to the admin panel as well as all reporting and configuration options of the botnet.

"s.php"

This is the script which accepts all communication from the bot client on a compromised computer. Depending on configured options it will either insert the data into a MySQL database, or store inside a seperate directory, or both.

It's responsable for decrypting the POST data and parsing individual stolen records. Basically, this is the main C&C script of the botnet.



Keep in mind that these filenames are not hardcoded anywhere but are only the defaults. If the filename is changed on the server then the bot client must be updated with a new configuration file, which it periodically polls off the server. Typical configuration file will have entries similar to the ones on this screenshot.

Currently, Zeus' build tree is 1.2.x.x which, depending on subversions, will utilize either RC4 encryption or a simpler form of it. Otherwise, the record and configuration structures remain the same between different 1.2.x.x builds. Older versions, prior to 1.2.x.x used a completely different structure and obfuscation method. They contained a unique field in the HTTP headers during C&C communication and thus were easily detected via IDS signatures from Emerging Threats (2003182, 2003183, 2007688, 2008100, 2008326)

So, what can this bot/trojan do?
It has the following abilities:

Credential stealing of FTP and POP3 on any TCP port.

Via a custom build can capture any data.

Capture of HTTP and HTTPS traffic.

Proxy server via Socks 4/4a/5, even if compromised device is behind a NAT.

Screenshot capture of the desktop.

Theft of "Protected Storage" data.



Here's an example how a communication flow between bot/trojan and C&C server will look like.

8 comments:

Pedro said...

very interesting, but what about the configuration file ?

what information it contains and what encryption it use and how to decrypt it ?

-=[ dxp ]=- said...

Pedro/Uri,

Configuration file is encrypted using the same algorithm as the stolen records. It contains information necessary to update itself and where to submit stolen data. Also, it has a list of sites to target, to avoid, and what code to inject into web pages.

Alejandro said...

Can I build my own config file ?

-=[ dxp ]=- said...

Alejandro,

You can build your own config but you must know the format and have the Zeus build utility to compile it for the trojan to use.

Anonymous said...

Hi,

do you happen to have a sample of the bots which you made the posts on? I would like to study it and do an analysis for RCE.

-=[ dxp ]=- said...

I do have the samples of all the malware discussed on this blog.

If you'd like to study malware then I recommend to check out Offensive Computing. Some of the stuff discussed here can be found at OC.

If you're still not satisfied with what OC has to offer then provide your contact information and we'll work something out.

seguridad said...

Can you post where the src is ?

-=[ dxp ]=- said...

Source code was leaked, some more info here.