Tuesday, October 22, 2013

Zeus Botnet Overview (Tutorials)

Zeus is a toolkit that provides a malware creator with all of the tools required to build and administer a botnet. The Zeus tools are primarily designed for stealing banking information, but they can easily be used for other types of data or identity theft. A Control Panel application is used to maintain and update the botnet, and to retrieve and organize the recovered information. A configurable Builder tool lets the operator create the executables that will be used to infect victims' computers. These executables are usually detected as ZBot by anti-virus software.
There is no single Zeus botnet. The toolkit is a commercial product that is sold to many different users, and distributed freely to many more. Each of them can create one or more botnets of their own, so the number of Zeus botnets is likely quite large.
The latest version of the toolkit typically sells for about $700 USD to trusted buyers, with the bot source code possibly available for a much larger sum. After a few months the new toolkit version is released as a free "public" version, which is probably meant to serve as a promotion for the commercial version. The public version may not include all of the latest functions, and its documentation is minimal. Modified versions of the public toolkit have also been offered for sale at lower prices by third-party developers, sometimes known as "modders".

Configuration and Bot Creation

The first step in building a bot executable is to edit the configuration file. The configuration tells the bot how to connect to the botnet, and it also contains information on what user data to gather and how to do so. The configuration file is in two parts, as described below.

Static Configuration

The StaticConfig is compiled into the bot by the Builder tool. It contains information that the bot will need when it is first executed. To update the StaticConfig the bots must be ordered to download a new bot version.
The available settings are:
  • The name of the botnet that this bot belongs to.
  • The amount of time to wait between dynamic configuration file downloads.
  • The time interval between uploads of logs and statistical information to the drop server.
  • The URL where the bot can get the dynamic config file.
  • A URL where the bot can check its own IP address, to determine if it is behind a router or firewall.
  • The encryption key that is used to hide information transmitted within the botnet.
  • A language ID list that tells the bot to go into a dormant state if the infected computer's language is on the list.

Dynamic Configuration

The DynamicConfig is downloaded by the bot immediately after it is installed on a victim's computer. This file is downloaded at timed intervals by the bot, and can be used to change the behaviour of the botnet. Most of the entries control how information is collected from the infected computer.
Available settings include:
  • A URL where the bot can download a new version of itself, if the command to do so is given.
  • The URL of the drop server where logs, statistics and files will be uploaded and stored.
  • Information used to inject additional fields into web pages viewed from the infected computer.
  • A list of URLs where an emergency backup config file can be found.
  • A set of URL masks used to cause or prevent logging of information.
  • A set of URL masks to indicate that a screen image should be saved if the left mouse button is clicked.
  • A list of pairs of URLs that are used to cause redirection from the first URL to the second.
  • A set of URL masks used to collect TANs (Transaction Authentication Numbers), which some banks use for online authentication.
  • A list of IP/URL pairs that are inserted into the infected computer's hosts file to override DNS lookups.

Building the Bot

Once the configuration file is ready the Builder tool is used to build the encrypted dynamic configuration file and the bot executable file. The Builder first checks the computer it is running on to see if the Zeus bot is installed and gives the user the option to clean the system. This is probably meant to make it easier to test configuration settings. The Builder will then report system information as seen in Figure 1 below:

Figure 1: Zeus Builder - Information

Using the Builder, the aspiring botnet master can click the "Build config" button to compile the configuration file into its encrypted form. An option to edit the configuration file is also provided here. When this file is ready it is placed on the server where the bots have been told to look for the DynamicConfig. Distributing the configuration file this way makes it easy to update the settings in the future. The image below shows the Builder output after the config has been built. If any error occurs during the build it is detailed here.

Figure 2: Zeus Builder - Compiling configuration

Then, by clicking the "Build loader" button, the distributable form of the bot executable can be assembled and saved. The button can be pushed repeatedly to produce internally identical bot executables with different encryption. The sizes of the PE file sections are also changed in each new build. The image below shows the information displayed by the Builder after the bot has been built.

Figure 3: Zeus Builder - Assembling configuration and binary

Because new builds of the same bot configuration can easily be created, it is fairly easy to keep enlarging the botnet once anti-virus software begins to detect the earlier builds.

Bot Distribution and Installation

The Zeus bot has no built-in capability to spread to other computers. In most cases a spam campaign is used to distribute it, either as an attached file or a link. Some type of social engineering within the spam message is used to trick the victims into executing the bot. A wide variety of these tricks have been seen, often in forms that are persuasive and difficult to detect. The large number of social engineering tricks is a result of many individuals attempting to seed their own botnet, using the common Zeus platform.
The lack of worm-like spreading capabilities makes the bot suitable for targeted attacks, since the bot is less visible and less likely to be detected. In targeted attacks, it can be sent to the intended victim in various disguises until success is achieved.
When the bot is executed on a victim's computer it goes through a number of steps to install and configure itself, and to connect to the botnet. The filenames given here are for the tested version, and may change in new versions. Outlined below are the steps taken upon initial execution:

  1. The install function searches for the "winlogon.exe" process, allocates some memory within it and decrypts itself into the process.
  2. The bot executable is written to the hard drive as "C:\WINDOWS\system32\sdra64.exe".
  3. The directory "C:\WINDOWS\system32\lowsec\" is created. This directory is not visible in Windows Explorer but can be seen from the command line. Its purpose is to contain the following files:
    • local.ds: Contains the most recently downloaded DynamicConfig file.
    • user.ds: Contains logged information.
    • user.ds.lll: Temporarily created if transmission of logs to the drop server fails.
  4. The path of the bot executable, C:\WINDOWS\system32\sdra64.exe, is appended to the value of the Winlogon registry key ("HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"). This will cause the bot to execute when the computer restarts.
  5. The Windows XP firewall is disabled. This causes a Windows Security Center warning icon to appear in the system tray, the only visible indication that the computer has been infected.
  6. The bot broadcasts an "M-SEARCH" command to find UPnP network devices. This may be an attempt to access and reconfigure local routers.
  7. The bot sends an HTTP GET command to the configured botnet server to get the latest DynamicConfig file.
  8. The bot begins capturing and logging information from the infected computer. The DynamicConfig file largely determines what information is collected.
  9. The bot sends two HTTP POST commands to upload log (user.ds) and stat information to the botnet drop server.
  10. Three timers are set to values in the StaticConfig, each executing a function on time-out:
    1. Get new config file (DynamicConfig) from server (default 60 minutes).
    2. Post harvested data (user.ds) to server (default 1 minute).
    3. Post statistics to server (default 20 minutes).
  11. If a web page that is viewed from the infected computer is on the injection target list in the DynamicConfig, the additional fields from the list are injected into the page.
  12. If the HTTP "200 OK" reply to a POST contains a hidden script command, the bot executes it and returns a success or failure indication along with any data (see Communication section below).
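As an added example (not code from the original page), a small Python triage script that checks an exported file listing and Winlogon value for the host artifacts from steps 2 to 4, and scans a proxy log for POST uploads recurring at the default 1-minute cadence from step 10. The file listing, registry value, hostnames and log lines are constructed samples, and the log line format is an assumption.

```python
import re
from datetime import datetime

# Host artifacts the page lists for the tested Zeus version (steps 2-3).
ZEUS_DROPPED_FILES = {r"c:\windows\system32\sdra64.exe",
                      r"c:\windows\system32\lowsec\local.ds",
                      r"c:\windows\system32\lowsec\user.ds",
                      r"c:\windows\system32\lowsec\user.ds.lll"}
WINLOGON_KEY = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

def host_indicators(file_listing, winlogon_value):
    """Return the Zeus artifacts found in an exported file listing and Winlogon value."""
    found = [p for p in file_listing if p.lower() in ZEUS_DROPPED_FILES]
    # Step 4: the bot path is appended to the Winlogon value for persistence;
    # no legitimate value references sdra64.exe.
    if "sdra64.exe" in winlogon_value.lower():
        found.append(WINLOGON_KEY + " -> " + winlogon_value)
    return found

# Assumed proxy log format: "<date> <time> <client-ip> <method> <url>".
LOG_RE = re.compile(r"^(\S+ \S+) (\S+) (GET|POST) (\S+)$")

def beacon_hosts(log_lines, period_s=60, tolerance_s=5, min_hits=3):
    """Flag (client, url) pairs whose POSTs recur at a fixed cadence, the
    network side of the bot's default 1-minute upload timer (step 10)."""
    stamps = {}
    for line in log_lines:
        m = LOG_RE.match(line)
        if m and m.group(3) == "POST":
            when = datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S")
            stamps.setdefault((m.group(2), m.group(4)), []).append(when)
    flagged = []
    for key, times in stamps.items():
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if len(times) >= min_hits and all(abs(g - period_s) <= tolerance_s for g in gaps):
            flagged.append(key)
    return flagged

# Constructed sample data (not from the page): file listing, Winlogon value, proxy log lines.
SAMPLE_FILES = [r"C:\WINDOWS\system32\sdra64.exe", r"C:\WINDOWS\system32\notepad.exe",
                r"C:\WINDOWS\system32\lowsec\user.ds"]
SAMPLE_WINLOGON = r"C:\WINDOWS\system32\userinit.exe,C:\WINDOWS\system32\sdra64.exe,"
SAMPLE_LOG = ["2013-10-22 10:00:00 10.0.0.5 GET http://cfg.example/config.bin",
              "2013-10-22 10:00:10 10.0.0.5 POST http://drop.example/upload",
              "2013-10-22 10:01:11 10.0.0.5 POST http://drop.example/upload",
              "2013-10-22 10:02:09 10.0.0.5 POST http://drop.example/upload",
              "2013-10-22 10:03:10 10.0.0.5 POST http://drop.example/upload",
              "2013-10-22 10:00:30 10.0.0.7 POST http://mail.example/send"]
```

The 60-second default comes from the StaticConfig, so a botnet with a changed timer needs a different period_s; the jitter tolerance absorbs the few seconds of drift seen between uploads.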

1 comment:

  1. how to install zeus bot http://bicombusiness.blogspot.com/2015/12/how-to-install-zeus-bot.html