2009-04-26

Zeus / Zbot / Prg / Ntos / Wsnpoem

Real name of the trojan package is Zeus. It comes with a PHP based control panel and a Windows executable to build the trojan. Builder's job is to parse a text based config file, encrypt it, and embed some options into the trojan. The builder can also remove the infection from the system.



Main scripts of the control panel are:

"in.php"

Script which controls authentication to the admin panel as well as all reporting and configuration options of the botnet.

"s.php"

This is the script which accepts all communication from the bot client on a compromised computer. Depending on configured options it will either insert the data into a MySQL database, or store inside a seperate directory, or both.

It's responsable for decrypting the POST data and parsing individual stolen records. Basically, this is the main C&C script of the botnet.



Keep in mind that these filenames are not hardcoded anywhere but are only the defaults. If the filename is changed on the server then the bot client must be updated with a new configuration file, which it periodically polls off the server. Typical configuration file will have entries similar to the ones on this screenshot.

Currently, Zeus' build tree is 1.2.x.x which, depending on subversions, will utilize either RC4 encryption or a simpler form of it. Otherwise, the record and configuration structures remain the same between different 1.2.x.x builds. Older versions, prior to 1.2.x.x used a completely different structure and obfuscation method. They contained a unique field in the HTTP headers during C&C communication and thus were easily detected via IDS signatures from Emerging Threats (2003182, 2003183, 2007688, 2008100, 2008326)

So, what can this bot/trojan do?
It has the following abilities:

Credential stealing of FTP and POP3 on any TCP port.

Via a custom build can capture any data.

Capture of HTTP and HTTPS traffic.

Proxy server via Socks 4/4a/5, even if compromised device is behind a NAT.

Screenshot capture of the desktop.

Theft of "Protected Storage" data.



Here's an example how a communication flow between bot/trojan and C&C server will look like.