Zeus 4 U

Over the holiday break I had the opportunity to examine a version of the Zeus DiY kit – released around May of 2009. Newer versions are already available in the hacker market (specifically being sold for as much as $700, as seen in our recent blog “Botnet Feature Advancement and Zeus Tweaking”, http://blog.damballa.com/?p=438).

This particular kit is freely available and very easy to use. No programming skills are needed.

Let’s look at how easy it is to create your own botnet (if you’re so inclined) using Zeus.

Figure 1: Zeus DiY Information Window

Take note: It offers to remove spyware from your system.

The first thing that stood out for me, as with earlier versions of the Zeus DiY kit, is the option to remove spyware from the system. I reckon that it will remove other DiY kits given how competitive this underground business is. This is a subject for another blog so stay tuned…

As with previous versions, Zeus relies upon text configuration files. One such file contains a pre-populated list of targeted financial and retailer sites, which the botmaster can modify if the default list is not to his taste. Because the configuration is plain text, a botmaster can easily keep several configuration files and pick one depending on the target or his intent. Can you say “ease of management”? And if the would-be botmaster is not that savvy when it comes to crafting configuration files for a specific objective, online hacker markets offer a selection of configuration files designed for specific uses or targets.

Figure 2: Successful Loading of Config file

Once the botmaster has tweaked or chosen the appropriate configuration file, it only takes a click of a button (Build Config) to have his own custom-made config.bin file for use by his future bot agents.

Figure 3: Successful Building of Config.BIN

Did you notice the URLs in the output screen? Some of them are popular financial sites. These are URLs from which the bot agent will attempt to grab form data and seek out any valuable information that can be sold to the black market. And yes, the URLs can be configured using the text configuration files.

The next step is to build the bot agent itself. From the Zeus Builder page, this is pretty easy: it only takes a click of a mouse to build a new agent. And voila!!! The botmaster now has his first bot agent, aptly named bot.exe by the Zeus builder, ready and willing to do its master’s bidding.

Figure 4: Successful Building of bot agent

To top it all off, Zeus also includes a PHP install script that the botmaster can use on a fluxed or bulletproof-hosted server. And of course, if the botmaster is stuck and doesn’t know what to do, he can browse through the included help file (but he has to know how to read Russian or know someone who does), or the botmaster can always utilize botnet helpdesk services as discussed in a previous blog – “The Botnet Distribution and Helpdesk Services” (http://blog.damballa.com/?p=454).

And so there you have it, Zeus

But, unfortunately, this is not the end. If the botmaster has any experience in building Zeus bot agents, the resulting executable will still go through other processes to make it more resilient against host based detection solutions. These will be discussed in future blog posts so stay tuned!

As of this writing, the default bot agent (with no further application armoring) created by Zeus is only detected by 56.1% of AV solutions in VirusTotal. And to think that this kit is already available publicly if you know how to search for it, I would have expected that the default output of the DiY kit would be detected by at least 90% of host solutions after seven months.

Aside from other resiliency techniques, what happens if you bind the bot.exe with another file? The detection rate drops down to numbers too scary to mention…

– Christopher Elisan, Senior Research Analyst
