Tuts 4 You

Posted

Some guy is spreading his bot via scene releases.

Mirc.v7.0.Incl.Keymaker-WiNDAZ
Nero.v9.9.4.26.0b.Incl.Keymaker-WiNDAZ
ESET.NOD32.Antivirus.v4.2.42.0.Incl.Keymaker-WiNDAZ
Avast.Internet.Security.v5.0.545.Incl.Keymaker-WiNDAZ
Jules.v2.0.Cracked-sLOTz
Eastern.Slots.v3.0.Cracked-sLOTz
Cortez.Treasure.v1.0.Cracked-sLOTz
Kaspersky.Keygen.V1.WORKiNG.WiNALL-KSCRACKiNG
WINX.HD.CAMCORDER.VIDEO.CONVERTER.V3.0-FALAFEL
FRESH.VIEW.V7.94.READ.NFO-FALAFEL
FRESH.DOWNLOAD.V8.48.READ.NFO-FALAFEL
...

Let's analyze his "work".

idx.exe -> Microsoft Visual C# / Basic.NET / MS Visual Basic 2005 - Overlay : 2F7C5C... Nothing discovered

Set up some VM.

Use Reflector to reveal the source code. Result: .NET stub, which hides the real bot.

Use Ollydbg to unpack. BP WriteProcessMemory -> buffer / create backup, dump to file

Use some hex editor to correct the backup.

idx_unpacked.exe -> Microsoft Visual C++ ver. ~6.0~7.0 - Overlay : 000000... Nothing discovered

Awesome, what a nice bot (you can buy...). Google: gBot v2

Self-copies to %windir%\system32. Name: srvhost64.exe

Registry:

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
System Server Cache

Injecting some code into winlogon.exe, so BP WriteProcessMemory

Inside winlogon.exe -> connecting to IRC 1.privatetorrent.org

Somebody want to take over a botnet? :thumbsup:

idx.rar
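The persistence indicators above (the Run value "System Server Cache" and the dropped srvhost64.exe) as an added defender-side check; this is not code from the original post. It parses a constructed .reg export of the HKLM Run key and flags entries that match those indicators or imitate a Windows binary; the sample export, the function names and the choice of svchost.exe as the imitated name are assumptions.

```python
import re
# Constructed sample of a HKLM Run key export; not captured from a real host.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SecurityHealth"="%windir%\\system32\\SecurityHealthSystray.exe"
"System Server Cache"="C:\\WINDOWS\\system32\\srvhost64.exe"
"VMware User Process"="\"C:\\Program Files\\VMware\\vmtoolsd.exe\" -n vmusr"
'''
# Indicators from the thread (Run value name, dropped file) and the binary it imitates (assumed).
KNOWN_VALUE_NAMES = {"system server cache"}
KNOWN_FILE_NAMES = {"srvhost64.exe"}
LEGIT_NAMES = ["svchost.exe"]
RUN_KEY = r"[hkey_local_machine\software\microsoft\windows\currentversion\run]"
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"="(?P<data>.*)"$')

def parse_run_values(reg_text):
    """Return {value_name: command_line} for the HKLM Run key of a .reg export."""
    values, in_key = {}, False
    for line in (l.strip() for l in reg_text.splitlines()):
        if line.startswith("["):
            in_key = line.lower() == RUN_KEY
        elif in_key and (m := VALUE_RE.match(line)):
            # .reg escapes backslashes and quotes inside REG_SZ data; undo that.
            values[m.group("name")] = re.sub(r"\\(.)", r"\1", m.group("data"))
    return values

def executable_name(command_line):
    """Bare, lower-cased file name of the program in a Run value (quoted or not)."""
    cmd = command_line.strip()
    path = cmd[1:cmd.find('"', 1)] if cmd.startswith('"') else cmd.split(" ")[0]
    return path.rsplit("\\", 1)[-1].lower()

def near_match(a, b, max_diff=2):
    """Equal-length names that differ in at most max_diff characters (srvhost vs svchost)."""
    return len(a) == len(b) and a != b and sum(x != y for x, y in zip(a, b)) <= max_diff

def find_suspicious_run_entries(reg_text):
    """Flag Run entries matching the indicators described in the thread."""
    hits = []
    for name, cmd in parse_run_values(reg_text).items():
        exe, reasons = executable_name(cmd), []
        if name.lower() in KNOWN_VALUE_NAMES:
            reasons.append("known value name")
        if exe in KNOWN_FILE_NAMES:
            reasons.append("known dropped file name")
        stripped = re.sub(r"\d", "", exe)  # srvhost64.exe -> srvhost.exe
        reasons += [f"looks like {l}" for l in LEGIT_NAMES if near_match(stripped, l)]
        if reasons:
            hits.append({"value": name, "exe": exe, "reasons": reasons})
    return hits
```

On a live host, feed it the output of `reg export` for the Run key instead of SAMPLE_REG; unquoted paths containing spaces are truncated at the first space, so quote them in the export.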

Posted (edited)

I don't know what you are trying to do, but whatever it is, it is not very productive.

1. Don't waste your time on anti-debug stuff in malware, because there are plenty of plugins which hide your debugger very well.

2. zsb.exe in your rar file is protected with VMProtect. Maybe you should read some tutorial about unpacking it (use the search), but it is a pretty hard protector, not suitable for unpacking beginners.

I only briefly looked in the rar file:

ZeuS_Builder 1.3.x.x.exe -> UPX packed, completely coded in Visual Basic 6 (including the server) = not worth any dollars!

content BackConnect -> Visual Basic 6, nothing special = not worth any dollars!

content External VNC -> Visual Basic 6, nothing special = not worth any dollars!

content FreeZS-panel -> looks interesting, but it is only a webpanel (no exploit kit)

content Tools -> Freeware

content Configuration builder -> interesting, but without license a useless builder. Unpacking the builder is some other topic.

Edited by k11
Posted (edited)

Use the most recent version of StrongOD. You can download it from this thread: http://forum.tuts4you.com/index.php?showtopic=19480 (last page)

Remove all other hide plugins and set all ticks in StrongOD. Then debugging with Olly is no problem.

Use the search, you can find a lot of information about anti-debug stuff in VMProtect. Maybe LCF-AT or quosego will help you unpack it. I think they are the best VMProtect unpackers in this forum.

Edited by k11
Posted
Do you think it's possible to beat the license key scheme... or is it not even worth trying?

Possible, sure. Somehow.

As far as I know, VMProtect can be unpacked with this nice script by LCF_AT.

The VM is supposed to be quite hardcore though.
