
Zeus trojan: first acquaintance

Hi, Habr!
Lately I have seen a "wave" of articles here about hacks, non-hacks, 1337 h4x0rz, etc. It occurred to me that Habr might be interested in reading about malware and how it works, not as a crosspost of news items but, so to speak, from the hands that have actually worked with it.

Read this first:
All information in this article is provided for informational purposes only and is intended primarily to point out errors in security systems.


In most cases the antivirus (hereinafter AV) coped with all the nasty little creatures, but one fine sunny day :) I had to climb, so to speak, under the hood of one of these "creatures".

It was August 2008. At that time I was somewhat versed, technically and practically, in dealing with all kinds of malware and the like.

So, while browsing the sites of dubious nature that the search engine had sent me to in search of the software I needed, NOD32 suddenly shouted that I was about to be fed something called Trojan-Spy.Win32.Zbot (hereinafter Zeus / Zbot). I have no idea what came over me, but I really wanted to study this beast.

How I watched Zeus, went to its command center and got access to it: under the cut.

In this article I will give a superficial account of the trojan that sucked me into the whole malware "scene"... later, if Habr users are interested, I will write about other fascinating cases of working with malware, and about analyzing and neutralizing interesting specimens.


Hi Zeus!


First of all, I went to Google to find out what kind of beauty was trying to settle in with me; the search engine did not resist much and gave me URLs with a description.

So, the key things I found out:

(There will be more articles about this trojan later; since this one deals with an old version of the bot, I decided not to go into the details of its functionality and capabilities.)


Next, I learned how interestingly it infects a PC. It turned out that the bot consists of three key parts:
1. The bot itself.
2. The configuration file.
3. The gate / admin panel.

After infecting the PC it downloaded the configuration file, which specified its settings and the address of the gate where it should send the loot. That is, in theory, if you run it on a PC with no Internet access nothing bad will happen, since it will not know where to send its reports with the stolen goods.

Having installed VirtualBox with Windows XP in it, I went into the AV logs and pulled out the URL where I had found the trojan.
Having downloaded the trojan onto the virtual machine, I was in no hurry to launch it there. I downloaded the Wireshark packet sniffer and started it, cut off the virtual machine's network access from the real machine, and only then launched the trojan on the virtual machine...

And then I saw the trojan start issuing GET requests trying to fetch its config. Copying the config URL and downloading the file, I found that it was encrypted, and I simply could not tell what was in it. Since it was a virtual machine, I did not feel sorry for the system :) and I restored the virtual network's access, continuing to watch the sniffer log.

After downloading the config it started knocking on its gate; the bot received and sent information to the gate over HTTP using POST and GET requests.

Opening IE, I browsed some sites, typed data into some forms, saved passwords where it was offered, and so on.
Opening the sniffer log again and filtering out my Internet adventures, I saw that the bot sent information with each of my POST requests; that is, the trojan was effectively sending all the data from my activity in IE.
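The pattern just described (an early GET for the config, then a POST to the gate shadowing every form POST the browser makes) can be picked out of a request log mechanically. The script below is an added example and not code from the original post; the log lines, hostnames (cc.example.net and the rest), paths and timestamps are all constructed for illustration, and the five-second window and 80% threshold are arbitrary assumptions, not Zeus parameters.

```python
"""Spot a Zbot-style "shadow POST" pattern in an HTTP request log.

Added example, not code from the original post. The logs are constructed:
every host, path and timestamp is hypothetical. The heuristic models what
the post describes: the bot first GETs its config, then each browser form
POST is followed almost immediately by a POST to the bot's gate.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

DEFAULT_WINDOW = timedelta(seconds=5)  # assumed, not a Zeus parameter


@dataclass(frozen=True)
class Req:
    ts: datetime
    method: str
    host: str
    path: str


# Constructed sniffer-style log of the infected VM's outbound HTTP requests:
# <timestamp> <method> <Host header> <path>
SAMPLE_LOG = """\
2008-08-12T10:00:02 GET  cc.example.net    /cfg/config.bin
2008-08-12T10:00:05 POST cc.example.net    /gate.php
2008-08-12T10:01:10 GET  www.example.com   /
2008-08-12T10:01:30 POST www.example.com   /login
2008-08-12T10:01:31 POST cc.example.net    /gate.php
2008-08-12T10:02:40 POST forum.example.org /post.php
2008-08-12T10:02:41 POST cc.example.net    /gate.php
2008-08-12T10:03:00 GET  news.example.com  /index.html
2008-08-12T10:04:15 POST bank.example.com  /transfer
2008-08-12T10:04:16 POST cc.example.net    /gate.php
2008-08-12T10:20:05 POST cc.example.net    /gate.php
"""

# The same browsing on a clean machine: no host shadows the form POSTs.
CLEAN_LOG = """\
2008-08-12T10:01:10 GET  www.example.com   /
2008-08-12T10:01:30 POST www.example.com   /login
2008-08-12T10:02:40 POST forum.example.org /post.php
2008-08-12T10:04:15 POST bank.example.com  /transfer
"""


def parse_log(text: str) -> List[Req]:
    """Parse the four-column format above into time-sorted requests."""
    reqs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, method, host, path = line.split()
        reqs.append(Req(datetime.fromisoformat(ts), method.upper(), host, path))
    return sorted(reqs, key=lambda r: r.ts)


def shadow_ratio(reqs: List[Req], candidate: str, window: timedelta) -> float:
    """Fraction of POSTs to hosts other than `candidate` that are followed
    by a POST to `candidate` within `window`. 0.0 if there are none."""
    user_posts = [r for r in reqs if r.method == "POST" and r.host != candidate]
    if not user_posts:
        return 0.0
    beacons = [r.ts for r in reqs if r.method == "POST" and r.host == candidate]
    shadowed = sum(1 for p in user_posts
                   if any(p.ts <= b <= p.ts + window for b in beacons))
    return shadowed / len(user_posts)


def find_shadow_gate(reqs: List[Req], window: timedelta = DEFAULT_WINDOW,
                     min_ratio: float = 0.8, min_posts: int = 2) -> Optional[str]:
    """Return the host that shadows the victim's form POSTs, or None.

    A host qualifies when at least `min_posts` POSTs go to other hosts and
    at least `min_ratio` of them are echoed to it within `window`.
    """
    best_host, best_ratio = None, 0.0
    for host in {r.host for r in reqs if r.method == "POST"}:
        others = [r for r in reqs if r.method == "POST" and r.host != host]
        if len(others) < min_posts:
            continue
        ratio = shadow_ratio(reqs, host, window)
        if ratio >= min_ratio and ratio > best_ratio:
            best_host, best_ratio = host, ratio
    return best_host


def first_contact(reqs: List[Req], host: str) -> Optional[Req]:
    """Earliest request to `host`; for a Zbot-style bot this is the config
    fetch that precedes any report to the gate."""
    for r in reqs:  # reqs is time-sorted
        if r.host == host:
            return r
    return None


if __name__ == "__main__":
    reqs = parse_log(SAMPLE_LOG)
    gate = find_shadow_gate(reqs)
    print("suspected gate:", gate)
    if gate:
        print("first contact:", first_contact(reqs, gate))
    print("clean log gate:", find_shadow_gate(parse_log(CLEAN_LOG)))
```

On the constructed log the suspected gate is cc.example.net and its first contact is the GET for /cfg/config.bin; on the clean log no host qualifies. Real Wireshark output would first need to be exported to this shape (for example with tshark fields for frame time, http.request.method, http.host and http.request.uri), and the window should be tuned to what the capture actually shows.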

I could not find out more at the time, but I did not want to let my interest die.

I started closing the tabs with my Zeus search queries, and in one of them I saw "Log in to the Zeus admin panel", so my interest woke up again.

To be continued...
How I got access to the server hosting the Zeus command center (which was also the gate, the admin panel, and so on), the correspondence with the botnet's owner in a txt file on the server, and controlling the botnet.


PS: I will be happy to answer your questions.

UPD: Part two - Hello, Trojan-Spy.Win32.Zbot!!! Part two... about shells, rootkits, exploits and chatting in a txt file

Source: https://habr.com/ru/post/87025/

