Zeus bot has been in the wild since 2007 and it is among the top botnets active today. This bot has an amazing and rarely observed means of stealing personal information by infecting the user’s computers and capturing all the information entered on the Banking sites. Apart from stealing passwords, this bot has variety of methods implemented for stealing identity and controlling victim’s computer over the internet.
In the Part 1 of this series, I will disclose the process involved in building and distributing Zeus botnet in the wild. In the Part 2, I will discuss on Zeus network communications , how it captures personal information by injecting HTML code dynamically, and finally some thoughts on Command and Control.
Zeus serves as a heads up!! for all those who believe that banking transactions on HTTPS can never be intercepted.
Zeus builder toolkit
I’ve been busy researching on how Zeus is built and distributed in the wild. It has been a pretty high profile botnet since it was discovered, due to its high rate of infections. During our research activity I was able to get hold of Zeus builder toolkit. It was priced at USD 700 to USD 1500 back then and few months later, a free version of this toolkit was out for public.
Building and Configuring Zeus Bot
The process of building and configuring Zeus bot requires just a couple of steps.
Step 1) Configuration specs
Specifying all the static configuration parameters in the configuration file.
“Edit config” button will allow you can enter various parameters to control the botnet as described below.
timer_logs : Time interval to upload the logs to server
timer_stats : Time interval to upload infection statistics to server
url_config : Server URL for fetching the Config file
url_compip : Server URL for reporting the victim
encryption_key : Encryption key to encrypt config file
url_loader : URL for fetching latest version of the zeus exe
url_server : Command and Control server
file_webinjects : This parameter is the file name containing HTML Web injection code.
AdvancedConfigs : URL for fetching the backup config file
WebFilters : Contains the masked list of URLs that should be monitored for capturing login credentials.
WebDataFilters : Contains the list of URLs that should be monitored for specific string matches . If patterns such as "Passw" or "login" is matched , data is captured and sent to C&C server e.g http://mail.rambler.ru/*" "passw;login"
WebFakes : URLs that should be redirected to the fake websites.
TANGrabber :
timer_logs : Time interval to upload the logs to server
timer_stats : Time interval to upload infection statistics to server
url_config : Server URL for fetching the Config file
url_compip : Server URL for reporting the victim
encryption_key : Encryption key to encrypt config file
url_loader : URL for fetching latest version of the zeus exe
url_server : Command and Control server
file_webinjects : This parameter is the file name containing HTML Web injection code.
AdvancedConfigs : URL for fetching the backup config file
WebFilters : Contains the masked list of URLs that should be monitored for capturing login credentials.
WebDataFilters : Contains the list of URLs that should be monitored for specific string matches . If patterns such as "Passw" or "login" is matched , data is captured and sent to C&C server e.g http://mail.rambler.ru/*" "passw;login"
WebFakes : URLs that should be redirected to the fake websites.
TANGrabber :
TAN (Transaction Authentication Number) Grabber is Zeus feature that allows the botmaster to specify the banking sites to monitor and the specific patterns to search for in the transaction data posted to the bank websites. Zeus will match these specified data patterns, capture them and will post on C&C server. Botmaster can enter other banking sites here and Zeus will add it in the final encrypted configuration file when “Build config “ button is clicked.
I have entered the fake banking URL to check in the builded config file.
https://www.mybank.com/loginform.asp""S3R1C6G""*&tid=*" "*&betrag=*"
Step 2) Config builder
Let’s have a look what happens when “Build config” button is pressed. Toolkit will build the final encrypted configuration file with an option to save it . This configuration file is then uploaded by the botmaster on the C&C server
Step 3) Building bot executable
Botmaster can build Zeus executable by clicking "Build loader" button
One of the interesting features of this toolkit is that during botnet building process, if botmaster accidently infects his own computer, he can remove the botnet with “Remove spyware from this system” button that is option built into the Zeus builder.
Variety of methods for distributing this botnet exist . Most popular means of spreading this binary is through drive-by-downloads using social engineering techniques and SPAM mails which either might contain malicous attachments or download links which when clicked , downloads and installs Zeus into the system .
Variety of methods for distributing this botnet exist . Most popular means of spreading this binary is through drive-by-downloads using social engineering techniques and SPAM mails which either might contain malicous attachments or download links which when clicked , downloads and installs Zeus into the system .
That's it for Part 1 . Will see you again in Part 2 of this series where we will have more deeper look into this piece of malware .
Posts
