this morning I found a ZeuS seller who offered it to me, “only 6000 dollars” 😀 (click the pic to make it readable).
Well, why should I buy it ? I work all day long with Malwares ! I really really don’t wanna buy one !
BUT, since I remember from older versions that ZeuS was not very intuitive, I decided to public this little post on it. This post won’t be a tutorial or a ZeuS using guideline, it might be useful to clarify what ZeuS is and How it works.
So for everyone who don’t know what Zeus is:
ZeuS (also known as Zbot / WSNPoem) is a crimeware kit, which steals credentials from various online services like social networks, online banking accounts, ftp accounts, email accounts and other (phishing). The web admin panel can be bought for 700$ (source: RSA Security 4/21/2008) and the exe builder for 4’000$ (source: Prevx 3/15/2009).
The crimeware kit contains the following modules:
1) A web interface to administrate and control the botnet (ZeuS Admin Panel) (see number 4, yellow)
2) A tool to create the trojan binaries and encrypt the config file (see number 2)
3) A configuration file (see number 1)
4) A binary file which contains the newest version of the ZeuS trojan (see number 3)
5) A webijects file for advance usage (phishing page, see number 5)
To properly use DIY toolkit the tester needs to configure the config file which will be loaded and encrypted in a bin file.
There aren’t several examples around, so I decided to discuss a little bit more about that. The file is divided into two main sections :
1) Static Configurations. Static configuration describes the actions that ZeuS does directly from the PC without injecting or interfering to the user. These actions can be: steal static passwords, steal cache informations, visited websites, emails, chats conversations and so on. Inside the static configuration the tester finds the “url_config”. This entry is really important, in fact through it tester may change dynamically the bot configuration by changing the file in this location. Basically the bot looks for it during it booting phase.
2) Dynamic Configurations, Dynamic Configuration describes the actions that ZeuS does interacting with the user. Examples of Dyn conf could be: automatic downloader and executable, injecting fake Bank of America pages stealing credentials or utilizing common Man in the middle techniques injecting dynamic contents. ZeuS needs the url to the loader and the url of the server where redirect the traffic and where download itself. The file_webinjects is the main file of the dynamic configuration. Basically tester tells to the system where the “important” information are. This configuration file is “platform dependent” by meaning that it depends on which web page you wanna exploit. (don’t worry I’ll let you some true example at the end of the post)
The tester may want do add an “advanced” (in terms of different) configuration file to the same bot (underlined in green in previous img). An example of webinjects file is the following one. As first parameter the tester has to define which url is going to be analyzed, then he needs to underline where the sensible informations are by injecting fake contents.
True configuration files are more complicate. There are more “entries” like for example :
1) “WebFilters” . To filters some urls. Example: ”*.fedbank.com/*”
2) “WebDataFilters”. To look for some data inside the parameters. Example : “gmail.google.com/*” “passw;login”
3) “WebFakes”. To force the user to surf a phised page. Example: “https://sitekey.bankofamerica.com/sas/signon.do” “http://XXX.YYY.ZZZ.HHH/zu/fk/US/bofa.php” “P” USpass=*” “”
The ZeuS version 220.127.116.11, From RapidShare here .