ZeuS
ZeuS is bot software. Take a look at my friend's ZeuS Tracker: https://zeustracker.abuse.ch/
A few weeks ago I got an original ZeuS package (version 1.2.1.6). Take a look at its user's guide (machine-translated from Russian):
==============
= Contents =
==============
1. Description and features.
2. Setting up the server.
2.1. HTTP server.
2.2. The PHP interpreter.
2.3. MySQL server.
3. Configuring the bot.
4. History.
5. TODO.
6. F.A.Q.
7. Myths.
==============================
= 1. Description and features. =
==============================
ZeuS is software for stealing personal user data from remote Windows systems; in plain language, a
"trojan", "backdoor" or "virus". But the author does not like these words, so in the rest of this
documentation he will call this software the "Bot".
The bot is based entirely on WinAPI interception in user mode (Ring3), which means that the bot uses
no drivers and loads nothing into Ring0. This feature makes it possible to run the bot even from the
Windows Guest account. It also ensures greater stability and adaptability to subsequent versions of
Windows.
The bot is developed in Visual C++ version 9.0+, and no additional libraries such as msvcrt, ATL, MFC,
QT, etc. are used. The bot code is written with the following priorities (in descending order):
1. stability (all results of function calls are carefully checked, etc.)
2. size (avoiding duplicated algorithms, repeated calls, functions, etc.)
3. speed (no constructs of the type while (1) {..}, for (int i = 0; i server. This may reduce the load on the server.
Bot:
[-] Fixed the bug that blocked the bot on limited Windows accounts.
[*] Wrote a new PE cryptor; the PE file is now very accurate and closely imitates the output of
the MS Linker 9.0.
[*] Updated the bot build process in the builder.
[*] Optimized compression of the configuration file.
[*] New binary configuration file format.
[*] Rewrote the process of assembling the binary config file.
[*] SOCKS and LC now work on one port.
Control Panel:
[*] The Control Panel status was moved to BETA.
[*] Changed all MySQL tables.
[*] Started a gradual migration of the Control Panel to UTF-8 (there may be temporary problems with
character display).
[*] Updated the geobase.
[Version 1.2.1.0, 30.12.2008]
Bot:
[*] BOFA answers are now sent as BLT_GRABBED_HTTP (was BLT_HTTPS_REQUEST).
[-] A small error when sending reports.
[-] The report size could not exceed ~550 characters.
[-] A bug present since the very first version of the bot: the timeout for sending POST requests
was too low, which blocked the sending of long reports (more than ~1 MB) over slow (unstable)
connections; as a theoretical consequence, the bot stopped sending reports altogether.
General:
[+] For records of type BLT_HTTP_REQUEST and BLT_HTTPS_REQUEST, the URL path is now added to the
SBCID_PATH_SOURCE field (path_source in the table).
Control Panel:
[*] Updated redir.php.
============
= 2. TODO. =
============
1. Complete support for Windows Vista/2008/Seven.
2. Change the WinAPI interception method.
3. Random generation of file names, settings and data.
4. Console builder.
5. x64 version.
6. Support for IPv6.
7. Writing full documentation.
8. Collecting statistics on installed software (antivirus, firewall, etc.).
9. Interception of Firefox 3+.
=============
= 4. F.A.Q. =
=============
Q: When did it all begin?
A: In the distant summer of 2006, when a buggy "VisualBreeze e-Banca" fell into my hands. That gave
rise to the desire to write something with the same capabilities, but without such bugginess and
without such size. Anyway, dev, thanks for the sample ;)
Q: What do the numbers in the ZeuS version mean?
A: a.b.c.d
a - a complete change of the bot.
b - major changes that cause complete or partial incompatibility with previous bot versions.
c - bug fixes, refinements, added features.
d - the number of times the current a.b.c version has been cleaned from AV detection.
Q: How is the Bot ID generated?
A: The Bot ID consists of two parts: %name%_%number%, where name is the computer name (the result of
GetComputerName) and number is a value generated from certain unique OS data.
===========
= 5. Myths =
===========
M: ZeuS uses a DLL to work.
A: False. There is only one executable PE file (exe). There never were any DLL, SYS, etc. files and
there hardly ever will be. This myth arose because in some versions the bot used files with such
extensions to store its configuration.
M: ZeuS uses COM (BHO) to intercept Internet Explorer.
A: False. Interception of the WinAPI in wininet.dll has always been used for this.
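The guide states that the bot works purely by Ring3 WinAPI interception and that IE traffic is grabbed by hooking wininet.dll rather than through a BHO. On the 32-bit Windows that the 1.2.x line targets (x64 is still a TODO item above), such a user-mode hook is a short detour written over the first bytes of the export, so a defender can read the first bytes of each wininet export in the live browser process and check them for detour stubs, or compare them with the on-disk DLL. The following is an added example written for this page by the editor; it is not code from the ZeuS package, its author, or this article. The export names are real wininet.dll exports, but the addresses and byte strings are constructed for illustration and were not captured from an infection.

```python
"""Detecting user-mode (Ring3) inline hooks on wininet.dll exports.

Editor's example, not part of the ZeuS package or the page.  Given the first
bytes of an exported function as found in a live process, classify the common
x86 detour stubs and recover their target, and fall back to a byte comparison
against the on-disk image.  All sample data below is constructed.
"""
import struct
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Detour:
    kind: str     # which stub pattern matched
    target: int   # where execution is redirected (absolute VA)


def classify_prologue(code: bytes, address: int) -> Optional[Detour]:
    """Return a Detour if the bytes at `address` start with a common x86 hook
    stub, otherwise None.  `address` is needed to resolve relative jumps."""
    if len(code) < 5:
        return None
    # E9 rel32: JMP rel32, the classic 5-byte detour (target = next EIP + rel)
    if code[0] == 0xE9:
        rel = struct.unpack_from("<i", code, 1)[0]
        return Detour("jmp_rel32", (address + 5 + rel) & 0xFFFFFFFF)
    # 68 imm32 C3: PUSH imm32 / RET
    if code[0] == 0x68 and len(code) >= 6 and code[5] == 0xC3:
        return Detour("push_ret", struct.unpack_from("<I", code, 1)[0])
    # B8 imm32 FF E0: MOV EAX, imm32 / JMP EAX
    if code[0] == 0xB8 and len(code) >= 7 and code[5:7] == b"\xff\xe0":
        return Detour("mov_eax_jmp_eax", struct.unpack_from("<I", code, 1)[0])
    # FF 25 disp32: JMP DWORD PTR [disp32] (pointer to target stored at disp32)
    if len(code) >= 6 and code[0:2] == b"\xff\x25":
        return Detour("jmp_indirect", struct.unpack_from("<I", code, 2)[0])
    return None


def audit_exports(in_memory: Dict[str, Tuple[int, bytes]],
                  on_disk: Dict[str, bytes]) -> List[Tuple[str, str, int]]:
    """Flag exports whose in-memory prologue matches a detour stub or differs
    from the on-disk copy.  Returns (export, reason, target) tuples; target is
    0 when only the byte comparison fired.  Caveat: the comparison is only
    meaningful for prologue bytes that are not subject to relocation fixups."""
    findings = []
    for name, (address, code) in in_memory.items():
        detour = classify_prologue(code, address)
        if detour is not None:
            findings.append((name, detour.kind, detour.target))
        elif name in on_disk and on_disk[name][:len(code)] != code:
            findings.append((name, "differs_from_disk", 0))
    return findings


# Constructed sample: a JMP detour on HttpSendRequestA into an injected region,
# a PUSH/RET stub on InternetReadFile, and two untouched exports carrying the
# standard "mov edi,edi / push ebp / mov ebp,esp" hot-patchable prologue.
CLEAN_PROLOGUE = b"\x8b\xff\x55\x8b\xec\x83\xec"
SAMPLE_MEMORY = {
    "HttpSendRequestA":    (0x77040000, b"\xe9\xfb\x0f\x00\x00\x8b\xec"),
    "InternetReadFile":    (0x77042000, b"\x68\x00\x10\x30\x00\xc3\x90"),
    "HttpSendRequestW":    (0x77044000, CLEAN_PROLOGUE),
    "InternetCloseHandle": (0x77046000, CLEAN_PROLOGUE),
}
SAMPLE_DISK = {name: CLEAN_PROLOGUE for name in SAMPLE_MEMORY}


def run_sample() -> List[Tuple[str, str, int]]:
    """Audit the constructed sample; two of the four exports are hooked."""
    return audit_exports(SAMPLE_MEMORY, SAMPLE_DISK)


if __name__ == "__main__":
    for export, reason, target in run_sample():
        print(f"{export:20s} {reason:18s} -> 0x{target:08x}")
```

In a real check the in-memory bytes would be read with ReadProcessMemory from the browser process and the on-disk bytes from the wininet.dll in System32 at the same export RVA; the stub classifier is the part that tells a hot-patch placeholder from an actual detour, and the recovered target address is what you then dump and inspect.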
The original package contained the following files:
C:\Users\Peter Kleissner\Desktop\Analyses\Analysis of ZeuS\1.2.1.6\zeus 1.2.1.6>tree /F
Folder PATH listing for volume
Volume serial number is
C:.
│   1.2.1.6.exe
│   hlp.txt
│
└───server[php]
    │   in.php
    │   index.php
    │   redir.php
    │   s.php
    │
    ├───.install
    │       geobase.txt
    │       index.php
    │
    ├───system
    │       en.bcmds.lng.php
    │       en.bots.lng.php
    │       en.dblogs.lng.php
    │       en.dbtlogs.lng.php
    │       en.lfiles.lng.php
    │       en.lng.php
    │       en.login.lng.php
    │       en.options.lng.php
    │       en.stats.lng.php
    │       en.user.lng.php
    │       en.users.lng.php
    │       global.php
    │       mod.bcmds.php
    │       mod.bots.php
    │       mod.dblogs.php
    │       mod.dbtlogs.php
    │       mod.lfiles.php
    │       mod.login.php
    │       mod.options.php
    │       mod.stats.php
    │       mod.user.php
    │       mod.users.php
    │       ru.bcmds.lng.php
    │       ru.bots.lng.php
    │       ru.dblogs.lng.php
    │       ru.dbtlogs.lng.php
    │       ru.lfiles.lng.php
    │       ru.lng.php
    │       ru.login.lng.php
    │       ru.options.lng.php
    │       ru.stats.lng.php
    │       ru.user.lng.php
    │       ru.users.lng.php
    │
    └───theme
            html.php
            menu.js
            style.css
You may download the original (Cyrillic) version of the user's guide at http://web17.webbpro.de/downloads/ZeuS/hlp.pdf.
Last modified: 12 April 2009
