Posted by: Dan O'Connor
zeus analysis, zeus botnet, zeus source code, zeus walkthrough
The last thing we need before we hit the big red button and infect the machine is getting Wireshark ready to go.
I have Wireshark loaded with a capture filter so that it only records traffic from the workstation I am about to infect.
The workstation is infected now, and I can see its traffic coming back on port 80 to the web server we set up. The infected workstation is talking to the gate.php file on the web server and, as expected, the traffic is encrypted. This will be the first PHP file we dive into; it should be a great start.
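To make the two observations above concrete (a host filter on the infected workstation, and POSTs to gate.php whose body is not readable), here is an added example that is not part of the original post or the Zeus source. It replays the host filter in code over a few constructed HTTP requests and uses Shannon entropy as a rough check that a gate.php body is opaque rather than form-encoded text. The lab addresses 192.168.56.101 and 192.168.56.1, the sample requests and the 4.5 bits-per-byte threshold are all assumptions for this example.

```python
import math
import re
from typing import Dict, List, Optional, Tuple

# Constructed sample traffic, not a real capture. The lab addresses are
# assumptions for this example and do not come from the original post.
WORKSTATION = "192.168.56.101"   # the workstation that gets infected
WEBSERVER = "192.168.56.1"       # the server hosting gate.php

# (source address, destination port, raw HTTP request)
SAMPLE_REQUESTS: List[Tuple[str, int, bytes]] = [
    # a POST to gate.php with a plaintext-looking, form-encoded body
    (WORKSTATION, 80,
     b"POST /gate.php HTTP/1.1\r\nHost: 192.168.56.1\r\n"
     b"Content-Length: 22\r\n\r\nuser=admin&pass=secret"),
    # a POST to gate.php with an opaque body (32 distinct byte values)
    (WORKSTATION, 80,
     b"POST /gate.php HTTP/1.1\r\nHost: 192.168.56.1\r\n"
     b"Content-Length: 32\r\n\r\n" + bytes(range(0, 256, 8))),
    # unrelated traffic from another host; the host filter must drop it
    ("192.168.56.102", 80,
     b"GET /index.html HTTP/1.1\r\nHost: 192.168.56.1\r\n\r\n"),
]

REQUEST_LINE = re.compile(rb"^([A-Z]+) (\S+) HTTP/\d\.\d$")


def parse_http_request(raw: bytes) -> Optional[Dict[str, object]]:
    """Split a raw HTTP/1.x request into method, path, headers and body.
    Returns None when the request line is not well formed."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.split(b"\r\n")
    m = REQUEST_LINE.match(lines[0])
    if not m:
        return None
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return {
        "method": m.group(1).decode("ascii"),
        "path": m.group(2).decode("latin-1"),
        "headers": headers,
        "body": body,
    }


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, at most 8.0."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in counts if c)


# Heuristic only: form-encoded ASCII bodies usually stay well below this,
# while encrypted (or compressed) bytes approach the maximum for their length.
OPAQUE_THRESHOLD = 4.5


def gate_beacons(records, workstation: str, gate_path: str = "/gate.php", port: int = 80):
    """Apply the same host filter Wireshark was given, then report every POST
    to the gate path together with an entropy estimate of its body."""
    hits = []
    for src, dport, raw in records:
        if src != workstation or dport != port:
            continue                      # the capture filter would drop this
        req = parse_http_request(raw)
        if req is None or req["method"] != "POST" or req["path"] != gate_path:
            continue
        ent = shannon_entropy(req["body"])
        hits.append({
            "src": src,
            "path": req["path"],
            "body_len": len(req["body"]),
            "entropy": round(ent, 3),
            "opaque": ent >= OPAQUE_THRESHOLD,
        })
    return hits


if __name__ == "__main__":
    for hit in gate_beacons(SAMPLE_REQUESTS, WORKSTATION):
        print(hit)
```

In Wireshark itself the equivalent of the source check is a capture filter such as `host 192.168.56.101`, and the gate.php view is a display filter such as `ip.addr == 192.168.56.101 && http.request.uri contains "gate.php"`. The entropy figure is a hint, not proof of encryption: bodies this short give noisy estimates, and compressed data scores just as high as ciphertext.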