A small review of the source code of the zeus trojan

Introduction

As the English-Russian dictionary tells us, zeus translates as Zeus, the Thunderbird, the main god of the ancient Greek Pantion. Calling his creation zeus back in 2007 already, the unknown author of the Trojan assumed certain obligations obliging to be, if not the main one, then at least among the first, and admittedly, he fulfilled, and even exceeded, these obligations.
Zeus-Trojan has become legendary on the Internet and even beyond its borders over the past few years. None of the Trojans bloomed in such a violent color, did not spread as widely as this one, and the breadth of coverage of zeus is not far behind the notorious Kido / Conficker worm.

Initially, zeus was positioned as a Bansky Trojan, that is, a program that somehow penetrates the victim's computer and sends confidential information to its owner — logins, passwords, credit card numbers, CVV2 / CVC2 codes, and so on. But over time, modifications began to appear to steal corporate data, infect executable files, send spam, and so on.

I'll tell you a little about the business scheme that is used when working with zeus. The author of zeus (or authors) has been diligently expanding and improving his offspring for many years, but this guy has the sense not to distribute the Trojan himself - he sells the designer to create modified versions for everyone, with more or less clear instructions, you can also buy and those. support Well, the search for Dedikov as control centers, the creation and distribution of the Trojan - client, every low-intellectual “shkolota” deals with the processing of the received credit card numbers, cashing and other crimes.

The most significant example of this kind is the detention in the beginning of October 2010 in the USA of a group of students from Russia who most likely got stung due to their irrepressible greed and stupidity. Here are their names: Ilya Karasev, Kristina Izvekova, Sophia Dikova and others like them. Taken from here . However, the whole shkolota got off with a surprisingly cheap price - everyone was given less than a year in prison and a meager fine, although in the US you can sit down for 40 years for such crimes.

Although it should be noted that the author of zeus was actively involved in the work of existing large botnets, apparently within those. support for users, because he writes in the recommendations on the use of his offspring that the grandfather, on which the admika should spin, should be powerful enough, with specific configuration instructions.
Recently, zeus lit up in another attack - someone sent Christmas cards before Christmas, allegedly from the White House, to US government agencies. When clicking on a link or opening an attached file, zeus stupidly scanned the hard drive in search of Word, Excel, PDF files and sent them to a server in Belarus.

In general, a lot of zeus threads lead to the countries of the post-Soviet space, which gives grounds to suspect that he was from Russia or Ukraine, which later was confirmed, because the comments in the source code and instructions for work were written in Russian. And the zeus server GUI itself contained only two languages ​​- English and Russian.
')

Opportunities

Here is a little bit of what the author himself writes about the possibilities of zeus:

- Language and IDE programming:

Visual C ++ (current version 9.0). No additional libraries (crtl, mfc, etc.) are used.

-Supported OS:

XP / Vista / Seven, as well as 2003 / 2003R2 / 2008 / 2008R2. Including work under Windows x64, but only for 32-bit processes. Also, the full work of the bot is maintained during active Terminal Servers sessions.

-Operating principle:

The bot is based on WinAPI interception, splicing in ring3 (user mode), by running a copy of its code in each user process (without using a DLL).

-Installation process:

At the moment, first of all, the bot is focused on working under Vista / Seven, with UAC enabled, and without using local splots. Therefore, the bot is designed to work with minimal user privileges (including the Guest user), and therefore the bot always works within the sessions of one user (from which the bot was installed). A bot can be installed for each user in the OS, and the bots will not know about the existence of each other. When installing, the bot creates its copy in the user's home directory, this copy is tied to the current user and OS, and cannot be run in another user, or even OS. The original copy of the bot (used for installation) will be automatically deleted, regardless of the success of the installation.

-Protection:

Unique names of all objects (files, mutexes, registry keys) created by the bot for each user and botnet. The installed bot cannot be started from another OS or user. Destroyed code that serves to install the bot. At the moment, the bot files are not being hidden through WinAPI, since Anti-virus tools are very easy to find such files, and allow you to accurately determine the location of the bot. Auto update bot does not require a reboot. Control of the integrity of the bot files.

-Getting important data from user programs:

Login from FTP clients: FlashFXP, CuteFtp, Total Commander, WsFTP, FileZilla, FAR Manager, WinSCP, FTP Commander, CoreFTP, SmartFTP. Adobe Cookies (Macromedia) Flash Player. Cookies wininet.dll, Mozilla Firefox. Import certificates from the Windows certificate store. And tracking their further addition. Tracking keystrokes.

I will make a few comments about the statements of the author zeus: the version that came to me was compiled on the author’s computer using MS Visual Studio 10.0, so the comments file is somewhat out of date. Tolya, the author did not bother to update them for the user who sold the weights, toli still that.

Regarding the principle of action - the author decided not to bother writing drivers, raising privileges and other boot-time chips that are very popular with virus writers lately, and not by chance - this old-dullness is quite justified, since the bot works extremely stable on the whole family Windows operating systems, is functional even from under a guest account, and has the lowest possible probability of igniting antivirus. Moreover, in the Windows operating systems after XP SP2, to support the hot patch technology, the prologue of each function was made constant 5 bytes long, which saved zeus from carrying the BeaEngine disassembler, and this undoubtedly benefited the Trojan, for the author of zeus calls the disassembler “rather cumbersome, albeit universal”.

The bottleneck is that the Trojan's client program registers itself in each user process, and this can be detected. For example, the technique of determining whether a given process is infected is used by the client bot itself to draw a window when the embedded vnc server is running - it is checked whether a mutex is created with a special name in the process. If created, then this process is infected. But the name is most likely unique for each instance of the client program, so it’s so easy to cram the rules of antivirus. Here are some interesting lines: “When installing, the bot creates its copy in the user's home directory. At the moment, the bot files are not hidden through WinAPI”, which gives us a great way to detect this particular bot. And in general - there should not be any left suspicious files in the root of the user's home directory! Especially executed, it is strange that antiviruses do not know about it.
In general, the distribution scheme of this version of zeus is rather primitive - the user follows the link that came in the spam letter, or via an infected pdf document, and runs the zeus installer, which encrypts the virus for each individual user with a unique cipher, after which the installer is removed and the virus can be executed only on this computer under this user. No distribution through network scanning, flash drives, and other newfangled stuff. All this undoubtedly limits the spread of the trojan, but it makes it much more resistant to antivirus, which, judging by the degree of spread, zeus is more than justified.

Regarding “Getting important data from user programs” - the truth is, there is such functionality. True, the author forgot to write that the CuteFTP password loader is in the current version of the toolbox, that is, it does not get into the build, judging by the fact that it is not completed, and the decryption of the password for WsFTP is not implemented at all, which is reflected in the comments of the sorts, but it's all the little things; ) It is strange that the author did not bother to passwords ICQ, Skype, saved passwords from social. networks, etc., other Trojans happily steal all this data. Apparently, the algorithms for decrypting many passwords were obtained by the methods of reverse engineering, that is, disassembling. By the way, among the browsers, the author does not mention Google chrome, all of a sudden, the Trojan doesn’t rob it, so perhaps it’s best to use Google’s browser, although I haven’t investigated this question

Well, as is clear from all of the above, zeus is unusually widespread, well-made, stable and secretive in its work, it easily adapts to various new tasks, among other things, it works under the overwhelming majority of Windows operating systems, including 64-bit ones. In general, a kind of unique product.

And finally - the source code of this most famous Trojan leaked to the network, that is, its creator got on the same rake as its law-abiding fellow programmers: someone from the buyers lost roofing felts, roofing felts deliberately put sors into the network, thanks to which everyone got the opportunity to get acquainted with the malware from the inside.

Analysis

As you know, software development, including writing code, is a very creative work, there are no common standards and once and for all trodden paths, it’s like a sport, when every great athlete develops his own style of play, like art, when the master's paintings can be recognized by a characteristic underscore, like literature, for example, if a little boy fell into the clutches of non-humans - that’s Lukyanenko, and if all people peremerli and the hero investigates a crime, running along the ruins of cities - illipe Dick. It is the same with the source code of the software and the details accompanying it - every professional programmer has his own characteristic handwriting, which can say a lot about his author. And no corporate templates, such as documents on styling code, using characteristic language constructs, and so on, can prevent the author of a code from changing its style, for it sits already in the subconscious, in the subcortex of the brain. So I'll try, analyzing the source code of the zeus Trojan, try to find out something about its author.

When you first look at the weights, their extremely clear structuredness is striking, which indicates the author’s extensive experience in software development. No trace of any version control system is noticeable, and this once again confirms the assumption that it was not a source leak from their creator, but a package of sorts that was sold to a customer got into the network. After all, the author hardly managed to work for 4 years and live to version 2.0.8.9 without source control.

For a start, I would like to note that the zeus package itself, which fell into my hands, consists of several modules:
common - common for all projects files, which contain the implementation of most of the abstractions necessary for work, such as a memory manager, work with strings, file system, processes, threads, synchronization objects and so on. In general, a set of extremely useful and necessary basic services.
client - directly the viral client or bot that penetrates and settles on the computers of the victims. The largest code in volume is here, because a trojan needs to be able to do a lot of things.
builder - the builder of new versions of the viral client based on the compiled contents of the “client” directory
bcserver is a server for working on Dedik to which the bots will connect.
server [php] - a web interface for managing a botnet.
bin - the few 3rdparty that the zeus project uses. All other third-party components were rewritten under the zeus API, such as vnc, a disassembler on the BeaEngine engine. In this directory are fasm, php, 7zip, upx.

The first thing that caught my eye was a build system. Although zeus is built for Visual Studio 10, the build system is written in php. This is a very unusual and rare solution, since the development of a build system on php is not typical for Windows systems, and generally not for any systems. This may indicate that the author took a ready-made similar system and modified it for his own purposes. And where could he get it? Only in his previous or current work, and most likely he participated in the development of this system.

The code is written almost entirely in C, only where COM interfaces are used, C ++ is unsupportively used. Although the author regularly writes TODOshki that some parts need to be rewritten using COM.

All the code is well otkommenitorovannu, the impression is that all the comments are written in the style of some kind of self-documentation system, like javadoc or qtdoc, but more primitive, apparently proprietary, which was used on the former work of the author of the bot. Almost all codes in the code are written in Russian, and this is very indicative, for it says that the author did not work in large international projects, because they have a 100% ban on comments written in national alphabets. In php comments in utf-8, while in C-code comments in win-1251. It is also quite possible that the author is not fluent in English, because, as explained in the previous paragraph, he did not work with foreigners. True, there is one obstacle here - the file manual_en.html, which is written in more or less decent English, but perhaps the author has an assistant who speaks English. But I repeat once again - I am 99% sure that the C-code of all zeus, including the build system, was written by one person. 80% of the probability the same person wrote the admin php code for Bonten. More about the comments, many of them are full of spelling errors in the style of “Internet bastards”, which were fashionable 5 years ago. Apparently this philosophy is firmly stuck in the head of an unknown author, since he uses it so actively.

Once again - I categorically state that the whole C-code of zeus was written by one person, about any team of hackers, about any transfer of the source of zeus to SpyEye developers, who were so frightened by us in the media, there is no question, everything is stylistically and functionally so clear it is verified and calculated that even without seeing the code to the end, you can roughly imagine what will be there.

The code itself, in a sense, even pleased me - no large commentary pieces, there are not even unformatted pieces, everything is concise, clear and beautiful, it is immediately obvious that the code is regularly reviewed by the author.

Another distinctive feature is a high degree of code abstraction from system calls and in general work with a specific operating system. Almost everything that is possible is rendered into separate program modules, which are designed according to a single architecture, similar to the structure of classes of the c ++ language. It is also surprising that there is a very high degree of unification of software components, many of them are made on a single template, despite the extremely different functionality, which indicates the high professionalism of the program's author.

I was a little surprised by the often quite sickly long lines in the source files - often it exceeds 200 characters! On the one hand, this suggests that the author has a monitor of at least 24``, on the other hand, it’s still not clear how he, for example, uses tools like diff of different revisions of the source code, with long lines here, 32`` is not enough).

After reviewing the code, the zeus phenomenon became clear - high reliability, easy modifiability and wide distribution, minimal dependence on the current operating system: everything is very simple, zeus is a very high-quality program product, with a developed set of basic services, thoughtful mechanisms of implementation, concealment and interaction with the command center. Therefore, it is not surprising that he became so popular with computer criminals of all stripes and families, and apparently brought to his creator at least $ 100,000. Although, it is worth noting that the author complains in several comments that he has nothing to test on some components of the virus, for example SetColourMapEntries in vnc and SEC_I_CONTEXT_EXPIRED, SEC_I_RENEGOTIATE in ssl. It does not fit in with the alleged income of the author, although Moscow, where the author of the Trojan is supposedly living, is an expensive city. In general, it seems to me that if zeus continues to evolve further, an award will be announced for the head of an unknown author, just as Microsoft announced a reward of $ 250,000 for the head of the creator of the Kido worm. A little more about the author - apparently this guy has long since left his former job, for the dates of some Sorsov modifications are 4 am, 12 am, and so on, in short, the time when any decent developer should sleep to go to work I can argue that it is possible on the computer where the development took place, deliberately set the wrong time? Nonsense! The author in his development probably uses several computers, and here in due course you will not particularly play around, at least the source code storage system will not like it. Also, the author could not work remotely, because again he needs several computers to work, even if he uses virtual machines, and even remotely, you can easily get accidentally ignited.

In general, I experienced the most unpleasant feeling when working with the code when I launched the make_debug.cmd file for execution, and I got everything pretty quickly assembled without a hitch. It turns out that any shkolota, having set up an elementary config, will begin to rivet their instances of bots. Although it is necessary to give honor to the build - system, it worked with a bang.

In the “source \ builder \ resources \" resources.aps ”and“ zeus.sln ”files an extremely interesting line“ C: \ Users \ jam3s \ Desktop \ Zeus \ source \ builder \ resources \ resources.rc ”was found, this is the full path on the disk on which the project tree was stored on the original developer’s computer. What is valuable here is that the unknown author didn’t bother much with the location of the sources, and trite them on the desktop, as a result of which the username of the operating system, “jam3s”, got into the way, and this is something! This is not “nic”, “mike” or other common Labuda, this name is quite unique, and I would not be surprised if it already appeared on the Internet, somewhere on forums or chats, or even on freelance forums. Later the author became more “advanced” and copied the project source tree into “c: \ zeus”, we can find out from any original object file of the project. A search on Yandex and Google didn’t reveal any obvious personalities with the nickname jam3s, but I didn’t expect any special results, because the author of zeus doesn’t burn so easily, not a bird.
There was also an attempt to try to find where the author took the monk for the back-connect server, it depicts something like a black pig or horse, but nothing interesting was found, a couple of times the image was found in galleries in a series of similar freaks.

In general, in short, you can create a generalized portrait of the bot-writer:
- Young man from 28 to 35 years old, Russian.
- Worked in a more or less large company as a software developer for several years, the company did not cooperate with foreigners.
- 90% live in Moscow, 80% in St. Petersburg
- Does not know English or knows poorly.
- It uses the nickname jam3s.

Epilogue

It is said that the instruments for killing have their own hidden aesthetics, the bending of lines and the outlines of forms betray such objects to hidden charms, causing a mixture of admiration and horror to those who observe them. I experienced similar feelings in the process of exploring the source code of zeus, this one of the most sophisticated tools of the universal cybernetic era, when no one can feel safe from the invisible but tenacious paws of Trojans and rootkits. Maybe while you are reading these lines, you are being closely watched through vnc by one of the next botnet owners, patiently waiting for you to log into your bank account? But not everything is so bad, the example of the author zeus tells us that nothing is impossible for an experienced and goal-oriented loner - a programmer, even if he bears the lowest and most insidious ideas.

May Habra-force come with you!