ZeuS Source Code Leaked...

[Teddy Rogers]

The source code for ZeuS has been leaked for weeks, so what is known?

Fellow threat response engineer Jasper Manuel reviewed the code and said it was authored by someone with a deep understanding of C preprocessor (cpp) and macros. He added that the way by which ZeuS was coded was unconventional and did not use standard libraries. Someone who wishes to modify the code, therefore, should have a similar or the same level of understanding as the original authors. We know that the majority of ZeuS users are fairly inexperienced and wish to earn money through cybercrimes. In addition, ZeuS became mainstream because of its sophistication and of its volume of inexperienced or noncoder cybercriminal users—two vastly opposing factors. If ZeuS’ source code falls into the hands of its existing users, they may not be able to modify it and come up with a more intricate Trojan.

More experienced hackers who can code their own bots, on the other hand, should probably be white hats primary concern. If you think about it though, there must be a reason why ZeuS has become mainstream while other bots have not. This fact suggests that the ZeuS’ author(s)’ skill level is fairly advanced and that only a few can really come up with a sophisticated malware such as ZeuS.

Here is some technical information about the Zeus bot:

- It is compiled in Visual C++.

- XP/Vista/Seven, as well as 2003/2003R2/2008/2008R2 compatible.

- Windows x64 support.

- It attempts to infect all users in the system.

- It runs a copy of its code in each process of the user (without using a DLL).

- It has unique names of all objects (files, MUTEXes, registry keys) when creating a bot for every user.

- It intercepts HTTP/HTTPS-requests from wininet.dll (Internet Explorer, Maxton, etc.), nspr4.dll (Mozilla Firefox) libraries.

- It steals credentials from FTP-clients: FlashFXP, CuteFtp, Total Commander, WsFTP, FileZilla, FAR Manager, WinSCP, FTP Commander, CoreFTP, SmartFTP.

/>http://blog.trendmicro.com/the-zeus-source-code-leaked-now-what/

Sophos Technical Paper

Zeus or Zbot is one of the most notorious and widely-spread information stealing Trojans in existence. Zeus is primarily targeted at financial data theft; its effectiveness has lead to the loss of millions worldwide. The spectrum of those impacted by Zbot infections ranges from individuals who have had their banking details compromised, to large public order departments of prominent western governments.

We will explore the various components of the Zeus kit from the Builder through to the configuration file; examine in detail the functionality and behaviour of the Zbot binary; and assess emerging and future trends in the Zeus world.

/>http://www.sophos.com/medialibrary/PDFs/technical%20papers/Sophos%20what%20is%20zeus%20tp.pdf?dl=true

ZeuS 2.0.8.9.rar

Ted.

[deepzero]

the PE infection part is missing, though.

[NeO]

that one is important one:(

[Hello EMO]

what is this ??

its botnet keyylogger virüs wrong file

[ghandi]

Confusion abounds...

A) What is this? One would be forgiven for assuming (after reading this thread of course) that the original post from Teddy was concerning the ZeuS family of malware and that the links he supplied are to what he claims they are for:

Sophos Writeup: http://www.sophos.com/medialibrary/PDFs/technical%20papers/Sophos%20what%20is%20zeus%20tp.pdf?dl=true

ZeuS Example: http://www.mediafire.com/?hvs25b964hbl525

'Its botnet keyylogger virüs wrong file' You said the file was the wrong one, is it because the file link from Teddy:

1) Is to a keylogger/trojan/virus but the wrong file.

or

2) Is the wrong file because it is to a keylogger/trojan/virus?

If i have misunderstood your questions, please clarify.

HR,

Ghandi

[JMC31337]

Did Zeus ever privilege exploit into the "SYSTEM" kernel to run as SYSTEM

or just rely upon dumb user luck to get there and load up its drivers and filters

Edited November 6, 2013 by JMC31337