Back to Home

Zeus trojan first acquaintance

information security · trojan · zeus · zbot · malware

Zeus trojan first acquaintance

    Hello, Habr!
    I saw a “wave” of articles about hacks, nepokheks, 1337 h4x0rz ... etc. And then I thought that Habru would be interested to read about the malware and how it works not from cross-sharing news, but from the hands of those who worked with it.

    I will immediately announce this:
    All information in this article is provided purely for review and is intended primarily to indicate errors in security systems.


    In most cases, the antivirus (hereinafter referred to as AB) coped with all the harmful little animals, but one fine sunny day :) I had to crawl, so to speak, under the hood of one of these "little animals."

    It was in August 44th of 2008. At that time, I was a little technical and practically savvy in terms of the fight against all kinds of malvarii and the like.

    So, climbing the sites of dubious nature, to which the search engine sent me in search of the software I needed, nod32 suddenly shouted that they were trying to feed me something Trojan-Spy.Win32.Zbot (hereinafter zeus \ zbot \ zevs). I have no idea what struck me in the head, but it really impelled me to study this beast.

    About how I watched Zeus, I went to his command center and got access to it, under the cut.

    In this article, I will talk superficially about the trojan that got me into the "topic" with the Malvars and the like ... further, if Khabaruzers are interested, I will tell you about other interesting cases of working with the Malvars, articles about the work and disposal of interesting specimens.


    Hi Zeus!


    First of all, I climbed into google and found out what kind of charm I was trying to settle in, the search engine did not particularly resist and told me urls with a description.

    So, what I learned is the key:
    • What is it and what can it do?
      • Trojan form grabber 1 pc. (later the next version will be released where there will be support for the injection system)
      • It only crashes forms in Internet Explorer up to version 7 (later the next version with module support will be released, one of the modules will allow the trojan to rob forms of the FireFox browser)
      • Robbing cookies and data from saved forms
      • It can make a socks5 proxy server from an infected PC, if it is outside NAT, that is, it has a real \ white ip address (the backconnetc module will come out later, which will allow bypassing the restriction that the PC may be behind NAT)
      • Kill system
      • Grabber certificates and sol
      • “Feeds” fake page to users of infected PC
      • Search and delete or upload files to a remote server
      • and the rest of the things peculiar to this kind of malvary ...
    • Where does he live and what is stuck together?
      • OS Windows XP x32
      • It works both under the admin account, and under the account of the ordinary user, and even under the guest account
      • The bot is completely based on intercepting WinAPI in UserMode (Ring3), which means that the bot does not use
        any drivers and calls in Ring0.
      • It is written in Visual C ++ version 9.0+, and additional libraries
        such as msvcrt, ATL, MFC, QT, etc. are not used .
      • and other features ...

    In cl. there will be more articles about this trojan, since this article is about the bot of the old version, I decided not to go into details of its functionality and capabilities.


    Next, I learned interesting things about how it infects a PC. It turned out that the bot consists of 3 key things:
    1. The bot itself.
    2. The configuration file.
    3. Gate \ admin panel.

    After infecting the PC, he downloaded the configuration file, where his settings and addresses to the gate were indicated, where he should send the loot. That is, in theory, if you run it on a PC without the Internet, there will not be anything bad, since he will not know where to send him reports with stolen goods.

    After installing VirtualBox and Win XP on it, I climbed into the AV logs and extracted the URL where the exe trojan was located.
    After downloading the trojan to the virtual machine, I did not rush to launch it there. I downloaded the Wireshark packet sniffer and launched it, chopped off the virtual network access from the real machine, and then launched the trojan on the virtual ...

    And then I saw how the tri started get requesting to try to pick up your config, copying the url to the config and downloading it, it was found that it was encrypted and just didn’t know what was there. Since it was a virtual machine, I did not mind the system :) and I returned access to the network to the virtual machine, continuing to look at the sniffer log.

    After downloading the config, he began to receive in his gate, the bot received and gave information from the gate via the http protocol post and get requests.

    Having opened IE, I climbed the sites, pushed data into some forms, saved passwords where suggested, etc.
    Opening the sniffer log again and filtering my adventures on the Internet, I saw that the bot was sending information with each of my post requests, that is, the trojan actually sent all the data of my activity to IE.

    At that time I could not find out more and did not want to subside.

    I started to close tabs with search queries by zeus and then I saw on one of the tabs “Fill went to the Zeus admin panel”, and here I got interest again.

    To be continued...
    how I got access to the server on which there was a Zeus command center (it’s also a gate, admin panel, etc.), correspondence with the botnet owner in the TXT file on the server, botnet control.


    PS: I will be happy to answer your questions.

    UPD: Part Two - Hello, Trojan-Spy.Win32.Zbot !!! part two ... about shells, rootkits, eskloites and chat in txt file

    Read Next