Posted by: Dan O'Connor
Zeus botnet, Zeus rar
So what was in the Zeus rar?
7z.exe – Looks clean, nothing reported on it.
bt.exe – Listed as suspicious but nothing specific by any vendor.
upx.exe – Nothing reported.
FASM.exe – Listed as suspicious but nothing specific by any vendor.
php.exe – Nothing reported.
zip.exe – Nothing reported.
zsb.exe – Reported as Trojan-Spy:W32/Zbot; every vendor reports this as the main executable of the Zeus botnet.
zsbcs.exe – Backdoor, Backdoor.Generic.653241
Lots of PHP, cpp and xml files, a few txt files and a GeoIP lookup csv.
If you do not know what that is, it’s a list of IP ranges with their assigned country codes. The list can be purchased online and is updated frequently.
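To show how a GeoIP csv of that kind is actually used, here is an added example (not code from the rar and not part of the original post). It assumes the common "start IP, end IP, country code" row layout; the four ranges and their country assignments below are constructed for the example and are not taken from any real GeoIP product. The table is sorted once, overlapping ranges are rejected because they would make a lookup ambiguous, and each lookup is a binary search that returns None for addresses outside every range.

```python
import bisect
import csv
import io
import ipaddress

# Constructed sample in the "start,end,country" CSV layout.
# The ranges and country codes are made up for this example.
SAMPLE_CSV = """\
"1.0.0.0","1.0.0.255","AU"
"1.0.1.0","1.0.3.255","CN"
"2.16.0.0","2.16.255.255","US"
"5.0.0.0","5.255.255.255","DE"
"""


def load_ranges(text):
    """Parse rows of (start_ip, end_ip, country) into a lookup table.

    Returns (starts, rows): rows is sorted by start address and starts is
    the parallel list of integer start addresses used for bisect.
    """
    rows = []
    for rec in csv.reader(io.StringIO(text)):
        if not rec or rec[0].startswith("#"):
            continue  # skip blank lines and comments
        start = int(ipaddress.IPv4Address(rec[0].strip()))
        end = int(ipaddress.IPv4Address(rec[1].strip()))
        if end < start:
            raise ValueError(f"range end before start: {rec}")
        rows.append((start, end, rec[2].strip().upper()))
    rows.sort()
    # Overlapping ranges would make a lookup ambiguous, so refuse them.
    for (_, end1, _), (start2, _, _) in zip(rows, rows[1:]):
        if start2 <= end1:
            raise ValueError("overlapping ranges in GeoIP data")
    starts = [s for s, _, _ in rows]
    return starts, rows


def lookup(table, ip):
    """Return the country code for ip, or None if no range contains it."""
    starts, rows = table
    n = int(ipaddress.IPv4Address(ip))
    # Index of the last range whose start is <= n.
    i = bisect.bisect_right(starts, n) - 1
    if i < 0:
        return None
    start, end, country = rows[i]
    return country if start <= n <= end else None


if __name__ == "__main__":
    table = load_ranges(SAMPLE_CSV)
    for ip in ("1.0.0.7", "1.0.2.1", "2.16.10.10", "9.9.9.9"):
        print(ip, "->", lookup(table, ip))
```

Because the ranges are contiguous integers, the same table works for any size of csv: sorting is done once at load time and each lookup costs a single binary search.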
More to come.