ZeuS 2.0.8.9 Bot Source+Builder
Zeus Bot
Valued at $1200 USA
Description: Bot
Programming language and IDE:
- Visual C++ (current version 9.0). No additional libraries are used (crtl, mfc, etc.).
Supported OS:
- XP/Vista/Seven, as well as 2003/2003R2/2008/2008R2. Works under Windows x64, but only for 32-bit processes. Full bot operation is also retained under active "Terminal Servers" sessions.
Action principle:
- The bot is based on intercepting WinAPI calls by splicing in ring3 (user mode), running a copy of its code in each of the user's processes (without using a DLL).
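From the defender's side, ring3 splicing leaves a recognisable trace: a function's first bytes in memory no longer match the DLL on disk and now transfer control out of the module. The Python check below is an added example, not part of the original post or of the bot's code; the module base, export names and byte strings are constructed sample data.

```python
import struct

MASK32 = 0xFFFFFFFF  # the page says the bot runs only in 32-bit processes

def redirect_target(code: bytes, va: int):
    """Return the absolute destination if `code` starts with one of the two
    classic 32-bit splice forms, else None."""
    if len(code) >= 5 and code[0] == 0xE9:                      # jmp rel32
        rel = struct.unpack_from("<i", code, 1)[0]
        return (va + 5 + rel) & MASK32
    if len(code) >= 6 and code[0] == 0x68 and code[5] == 0xC3:  # push imm32; ret
        return struct.unpack_from("<I", code, 1)[0]
    return None

def find_spliced(exports: dict, base: int, size: int) -> dict:
    """exports maps name -> (va, bytes_on_disk, bytes_in_memory).

    An export is flagged only when its in-memory prologue differs from the
    file on disk AND now transfers control outside the owning module. A bare
    byte diff is not enough, because relocation fix-ups also change bytes.
    """
    hits = {}
    for name, (va, disk, mem) in exports.items():
        if mem == disk:
            continue
        target = redirect_target(mem, va)
        if target is not None and not (base <= target < base + size):
            hits[name] = target
    return hits

# --- constructed sample data, not captured from a real system ---
BASE, SIZE = 0x76000000, 0x00100000      # hypothetical module mapping
CLEAN = bytes.fromhex("8bff558bec83")    # mov edi,edi; push ebp; mov ebp,esp; ...

def _jmp(va: int, dst: int) -> bytes:    # builds sample bytes only
    return b"\xe9" + struct.pack("<i", dst - (va + 5)) + b"\x90"

SAMPLE = {
    "export_a": (0x76012340, CLEAN, _jmp(0x76012340, 0x00A51000)),   # jmp out of module
    "export_b": (0x76012400, bytes.fromhex("a14433021090"),          # relocated operand,
                 bytes.fromhex("a14433027690")),                      # not a redirect
    "export_c": (0x76012480, CLEAN, CLEAN),                          # untouched
    "export_d": (0x76012500, CLEAN,
                 b"\x68" + struct.pack("<I", 0x00A52000) + b"\xc3"),  # push/ret out
}

if __name__ == "__main__":
    for name, target in find_spliced(SAMPLE, BASE, SIZE).items():
        print(f"{name}: prologue redirected to {target:#010x}")
```

On a live system the two byte strings would come from the mapped module and from the DLL file on disk. A hit still needs triage, since security products and compatibility shims also splice functions.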
Installation process:
At the moment, the bot is primarily designed to work under Vista/Seven with UAC enabled and without the use of local exploits. The bot is therefore designed to work with minimal privileges (including the "Guest" user), and as a result it always works within the session of a single user (the one under which the bot was installed). The bot can be installed for each user in the OS, and the bots will not know about each other. When the bot is run as the "LocalSystem" user, it will attempt to infect all users in the system.
During installation, the bot creates a copy of itself in the user's home directory. This copy is tied to the current user and OS and cannot be run by another user, let alone on another OS. The original copy of the bot (used for installation) is automatically deleted, regardless of whether the installation succeeded.
The session with the server (control panel):
The session with the server is conducted through a variety of processes from an internal "white list", which allows it to bypass most firewalls. During the session, the bot can get its configuration, send the accumulated reports, report its state to the server and receive commands to execute on the computer. The session takes place over HTTP; all data sent by the bot and received from the server is encrypted with a key unique to each botnet.
Protection:
- Unique names for all objects (files, mutexes, registry keys) created by the bot, for every user and botnet.
- An installed bot cannot be run on a different operating system or by a different user. The code used to install the bot is destroyed.
- At the moment, bot files are not hidden through WinAPI, because anti-virus tools find such files very easily, which lets them pinpoint the location of the bot.
- Bot auto-update, with no reboot required.
- Monitoring the integrity of the bot's files.
Server-side bot functions:
- Socks 4/4a/5 server with support for UDP and IPv6.
- Backconnect for any service (RDP, Socks, FTP, etc.) on the infected machine, i.e. access can be gained to a computer that is behind NAT or whose connections are prohibited by a firewall. This feature relies on additional applications that run on any Windows server on the Internet with a dedicated IP.
- Getting a screenshot of the desktop in real time.
- Intercepting HTTP/HTTPS requests from the wininet.dll (Internet Explorer, Maxthon, etc.) and nspr4.dll (Mozilla Firefox) libraries:
  - Modification of loaded page content (HTTP-inject).
  - Transparent page redirect (HTTP-fake).
  - Extracting specific pieces of data from the page content (for example, the bank account balance).
  - Temporary blocking of HTTP-injects and HTTP-fakes.
  - Temporary blocking of access to a certain URL.
  - Blocking the logging of requests for a specific URL.
  - Forcing the logging of all GET requests for a specific URL.
  - Creating a snapshot of the screen around the mouse cursor when buttons are clicked.
  - Getting session cookies and blocking user access to a specific URL.
- Getting important information from user programs:
  - Logins from FTP clients: FlashFXP, CuteFtp, Total Commander, WsFTP, FileZilla, FAR Manager, WinSCP, FTP Commander, CoreFTP, SmartFTP.
  - Adobe (Macromedia) Flash Player "cookies".
  - wininet.dll and Mozilla Firefox "cookies".
- Importing certificates from the Windows certificate store, and tracking their subsequent addition.
- Tracking keyboard key presses.
- Traffic sniffer for the TCP protocol in Windows Sockets.
- Intercepting FTP logins on any port.
- Intercepting POP3 logins on any port.
Miscellaneous:
- Execution of scripts (commands) created in the control panel.
- Separation of the botnet into subbotnets (by name).
Description: Control panel
Programming language:
- PHP, using the extensions mbstring, mysql.
Display statistics:
- Number of infected computers.
- Current number of bots online.
- The number of new bots.
- Daily activity of bots.
- Country statistics.
- Statistics by OS.
- Working with the list of bots:
  - Filtering the list by country, botnet, IP address, NAT status, etc.
  - Displaying desktop screenshots in real time (only for bots outside NAT).
- Mass inspection of the state of the Socks servers.
- Displaying detailed information about the bots. The most important items are:
  - Windows version, user language and time zone.
  - Location and computer IP address (not for local).
  - Internet connection speed (measured by calculating the load time of a predetermined HTTP resource).
  - The first and last time of communication with the server.
  - Time online.
- Ability to set a comment for each bot.
Scripts (commands):
- You can control the bots by creating a script for them. Currently, the syntax and scripting capabilities are very primitive.
Working with reports (logs) and bot files:
- Files (such as screenshots, Flash Player cookies) received from the bots are always written to files on the server. You can search for files with a filter: by bot, botnet, content and file name.
- Reports can be written to files (%botnet%/%bot_id%/reports.txt) and to the database. In the first case, searching for records works in exactly the same way as for files. In the second case, you get more flexible filtering and can view reports from the Control panel.
Receive notifications in the IM (Jabber):
- You can receive notifications from the Control Panel in a Jabber account.
- At the moment it is possible to receive notifications about a user visiting defined HTTP/HTTPS resources. For example, it is used to capture a user session in an online bank.
Miscellaneous:
- Creating Control panel users with specific access rights.
- Displaying information about the server software.
- Automatic recovery of damaged MyISAM tables.
Download https://mega.nz/#!CEExECaC!yp0JWfLMasmo4U9aub3iZFSEdkTCZ0Kpwgh28R7TwOc
Password?
Will it work on windows 10 or ubuntu for testing?
Do you have any new version so that I can test?
Thanks for sharing
password: freetrojanbotnet.com