Evolution of Zeus Botnet Part 1

Posted: December 14, 2012 in Articles

Zeus is perhaps one of the most famous representatives of malware. Zeus first appeared back in 2007 (or 2006). Many people mistakenly believe that Zeus is just another Trojan, but that is not the case. In fact, Zeus is an example of so-called crimeware: software intended to break the law.

In this case, the main purpose of the Zeus crimeware is stealing credentials used for financial transactions. According to analysts, it is responsible for 90% of bank fraud in the world.

Another misconception is the assertion that a single huge Zeus botnet exists. In reality, Zeus is the basis of a very large number (probably hundreds) of different botnets, all controlled by different groups of cyber criminals. The creators of Zeus simply sell it to interested parties, who then use it to form their own botnets. Thus it is correct to speak not of the Zeus botnet, but of botnets created with Zeus. To track information about Zeus command servers, Roman Hüssy, a Swiss computer security expert, created the ZeusTracker website in February 2009.

Zeus, version 1

The developer of ZeuS, known by the nicknames Slavik and Monstr, handled sales and support of his product alone up to 2010.

Structurally, Zeus consists of several parts: the bot, the builder and the administrative panel.

The Zeus main module and bot builder are written in Visual Studio using C and some C++. The builder creates the final executable of the Zeus bot, incorporating the main module and the configuration file. The configuration file contains the address of the control center, the paths to scripts and other data needed for operation. The builder is bound to the buyer's computer hardware, that is, it can only be executed on a particular hardware configuration.

Researchers note that the Zeus malware family does not use any concealment (rootkit) techniques or exploits to escalate its privileges in the system. The main focus was on stability of operation, including when running with limited user rights.

Capabilities of first-generation Zeus, using version 1.3.4.x (March 2010) as an example (source):

– stealing credentials entered in the browser;
– stealing credentials stored in Windows Protected Storage;
– stealing X.509 client certificates;
– stealing FTP and POP credentials;
– stealing and deleting HTTP and Flash cookies;
– modifying HTML pages for further credential theft (Web Injects);
– redirecting user requests to other sites;
– taking screenshots;
– searching for files and uploading them to a remote server;
– modifying the hosts file;
– downloading and then running a file from a remote server;
– deleting critical registry branches so that the operating system cannot boot.
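Two of the capabilities above, redirecting user requests and modifying the hosts file, are usually the same trick: a hosts entry that points a bank's host name at an attacker-controlled address. The following is an added example, not code from the original article or from Zeus: a small audit that parses a hosts file and reports any entry that overrides a watched domain. The hosts text and the watched domain names are constructed for the example; a real deployment would read the system hosts file and its own watch-list.

```python
"""Added example, not code from the original article: audit a hosts file for
entries that redirect a watched (e.g. e-banking) domain to another address.
The hosts text and the watch-list below are constructed for this example."""
import ipaddress

# Assumption: the defender keeps a list of domains that must never be resolved
# through a local hosts entry (placeholder names, constructed for this example).
WATCHED_DOMAINS = {"onlinebank.example", "secure.bank.example"}


def parse_hosts(text):
    """Yield (ip, hostname) pairs, ignoring comments, blank and malformed lines."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        if not line:
            continue
        parts = line.split()
        try:
            ip = str(ipaddress.ip_address(parts[0]))
        except ValueError:
            continue                            # not a valid hosts-file line
        for name in parts[1:]:
            yield ip, name.lower()


def is_watched(hostname):
    """True if hostname is a watched domain or a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHED_DOMAINS)


def suspicious_entries(text):
    """Return hosts entries that override a watched domain, in file order."""
    return [(ip, name) for ip, name in parse_hosts(text) if is_watched(name)]


# Constructed sample hosts file: the third data line is the kind of entry
# a hosts-modifying bot adds; the intranet line is a legitimate local override.
SAMPLE_HOSTS = """\
# constructed sample, not a real hosts file
127.0.0.1   localhost
::1         localhost
192.0.2.10  www.onlinebank.example onlinebank.example
10.0.0.5    intranet.corp.example
"""

if __name__ == "__main__":
    for ip, name in suspicious_entries(SAMPLE_HOSTS):
        print(f"suspicious hosts entry: {name} -> {ip}")
```

The check deliberately flags any override of a watched domain regardless of the address it points to, because a legitimate workstation has no reason to define a bank's host name locally; ordinary intranet overrides are left alone.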

Starting with version 1.4, Web Injects functionality was introduced for Firefox. Web Injects are a set of HTML and JavaScript code that displays a credential form for an e-banking system, imitating the real one. When the user tries to visit the site of an e-banking system through the browser, the Trojan intercepts the request and displays a fake form. Credentials stolen this way are sent to the attackers' command center. To avoid detection by antivirus software, Zeus began using a polymorphic encryption mechanism and varying its file size. On each infected system the Zeus file re-encrypted itself with new parameters, so that the same build looked quite different on different computers.

Cost of the components of Zeus version 1.3.4.x:

– builder and admin panel: from $3,000 to $4,000;
– Back Connect module (to any port, allowing for example an RDP connection): $1,500;
– module for stealing credentials from the Firefox browser (form grabber): $2,000;
– module for sending notifications about stolen information via Jabber: $500;
– private (made-to-order) VNC module (remote control, analogous to RDP): $10,000;
– support for Windows Vista / 7: $2,000.

The Zeus bot spread in various ways. For example, in the fall of 2009 it was distributed in spam messages sent on behalf of the IRS. In another case, the letter reported a universal vaccination against the H1N1 swine flu. The links in the letters led to fake sites created by the attackers. On the site the visitor could download and run an exe file allegedly containing specific instructions. In fact, the file was the Zeus bot.

The 'power' of the Cutwail botnet (also known as Pushdo and Oficla) was used to send the spam. Later the tactics changed, and the letters began to carry links to other websites containing an iframe or JavaScript leading to an exploit pack. This allowed infection without any user interaction: it was enough to follow the link, and Zeus installed automatically, provided of course that the browser was vulnerable (did not have the required security update). Social engineering techniques were widely used in writing the letters.

Some Zeus admin panels had a function to check FTP accounts 'on the fly': as soon as a new batch of stolen credentials arrived, it was checked for the presence of FTP accounts, and those accounts were immediately verified. If the check found that access worked, a separate script searched the remote FTP server for files with the extensions .htm, .html and .php (since FTP is often used to upload site content) and inserted into those files an iframe or JavaScript leading to an exploit pack. In this way, websites were infected automatically.
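Both the Web Injects described earlier (extra credential fields pushed into an e-banking login page) and the FTP-driven site infection just described leave the same kind of trace in HTML: input fields the genuine form never had, hidden iframes, or scripts loaded from a foreign host. The following is an added example, not code from the original article or from Zeus/SpyEye: a scanner a site owner could run over page templates (or over HTML captured from a test client) to flag those traces. The site host name, the expected form fields and both sample pages are constructed for the example.

```python
"""Added example, not code from the original article or from Zeus/SpyEye: scan
HTML for injected credential fields, hidden iframes and external scripts.
The sample pages, SITE_HOST and EXPECTED_LOGIN_FIELDS are constructed."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumptions (constructed): the site's own host name and the input names the
# genuine login form contains. Anything beyond these is reported.
SITE_HOST = "bank.example"
EXPECTED_LOGIN_FIELDS = {"username", "password"}


def is_external(src):
    """True if src points at a host other than SITE_HOST (relative URLs do not)."""
    if not src:
        return False
    host = urlparse(src).hostname
    return host is not None and host.lower() != SITE_HOST


class TamperScanner(HTMLParser):
    """Collects findings while HTMLParser walks the page."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self.form_fields = set()
        self.in_form = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "iframe":
            style = (a.get("style") or "").replace(" ", "").lower()
            hidden = ("display:none" in style or "visibility:hidden" in style
                      or a.get("width") == "0" or a.get("height") == "0")
            if hidden or is_external(a.get("src")):
                self.findings.append(("iframe", a.get("src")))
        elif tag == "script" and is_external(a.get("src")):
            self.findings.append(("script", a.get("src")))
        elif tag == "form":
            self.in_form = True
        elif tag == "input" and self.in_form:
            name = a.get("name")
            if name and (a.get("type") or "text").lower() != "submit":
                self.form_fields.add(name.lower())

    def handle_endtag(self, tag):
        if tag == "form":
            self.in_form = False


def scan_html(html):
    """Return a list of (kind, detail) findings; an empty list means nothing found."""
    p = TamperScanner()
    p.feed(html)
    p.close()
    extra = p.form_fields - EXPECTED_LOGIN_FIELDS
    if extra:
        p.findings.append(("extra_form_fields", tuple(sorted(extra))))
    return p.findings


# Constructed sample pages: the second one carries two injected card fields
# and a zero-size iframe pointing at a foreign host.
CLEAN_PAGE = """<html><body>
<form action="/login"><input name="username"><input type="password" name="password">
<input type="submit" value="Log in"></form>
<script src="/js/app.js"></script></body></html>"""

TAMPERED_PAGE = """<html><body>
<form action="/login"><input name="username"><input type="password" name="password">
<input name="card_number"><input name="pin"><input type="submit" value="Log in"></form>
<script src="/js/app.js"></script>
<iframe src="http://exploit-pack.invalid/in.php" width="0" height="0"></iframe>
</body></html>"""

if __name__ == "__main__":
    for label, page in (("clean", CLEAN_PAGE), ("tampered", TAMPERED_PAGE)):
        print(label, scan_html(page))
```

Because a web inject rewrites the page inside the victim's browser, a server-side scan of the site's own files catches only the FTP-style infection; the form-field comparison is meant to be run against HTML captured from a suspected client, where the injected fields become visible.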

In April 2010, Zeus introduced additional functionality: a dropper implanted into executable files. The 512 bytes of implanted code performed the following actions:

– download a remote file from a URL set in the code;
– run the downloaded file;
– launch the original code of the infected program.

This functionality somewhat resembles a virus. However, if an antivirus disinfected the infected file, the virus could no longer start. In this case, though, there was a chance that the antivirus would remove the main Zeus module but not touch the dropper, which could then infect the computer again, possibly with a new version of Zeus.

In December 2009 a rival to Zeus appeared on the 'black market': SpyEye, whose functionality and composition (builder and admin panel) were very similar to Zeus, but whose price for the base modules was lower, about $500. Competition subsequently led to the appearance, in February 2010, of SpyEye version 1.0.7 with a 'Zeus Killer' function designed to remove Zeus. To shut down all copies of Zeus, SpyEye sent a command via the named pipe that every copy of Zeus opens for its own needs.

SpyEye detected Zeus by a specific named mutex, which Zeus itself used to detect an already running copy and prevent it from starting again. In addition, SpyEye could intercept the reports sent by Zeus and thus avoid doing double work. Another new product was a module designed to bypass Trusteer's Rapport, a security product aimed at blocking malware from injecting into the browser, which was created, among other things, to counter Zeus. The SpyEye builder, like the Zeus builder, contained a licensing system based on binding to a specific hardware configuration. It was implemented with the VMProtect packer.

According to forum information from October 2010, the creator of Zeus, Slavik, gave the source code to his rival, the developer of SpyEye, and stopped further development. The code was transferred to the person with the nickname Harderman, also known as Gribodemon. According to Harderman, he received the sources at no cost and took over support of all of Slavik's former customers; a merger of the Zeus and SpyEye sources was expected to follow. Indeed, in January 2011 researchers at antivirus companies began to discover a new hybrid version of SpyEye, whose version numbers began with 1.3.

Cost of the components of SpyEye version 1.3.45, August 2011:

– builder and admin panel: $2,000;
– Web Injects module for the Firefox browser: $2,000;
– module for bypassing Rapport security: $500;
– SOCKS5 proxy module: $1,000;
– module for access via RDP: $3,000;
– FTP Back Connect module: $300;
– module for stealing certificates from the Mozilla Firefox browser: $300;
– module for stealing credit card data: $200;
– module for stealing credentials from the Opera and Chrome browsers (form grabber): $1,000.

The user guide for this version is available on the personal blog XyliBox.

Part 2 here
