For those not tuned into the infosec world, Zeus is a do-it-yourself kit that lets bad guys build computer viruses and other malware through a point-and-click interface.  Zeus has been defeating antivirus and anti-malware software for several years now, and the reason is that the bad guys can customize the payload with MANY different features, so when you get hit with it, it ALWAYS has a different look and feel.  In other words, it can’t be detected based on a particular file name, file size, hash value or even necessarily a behavior, because all of these are customizable and somewhat randomizable via a plethora of different options.  I have come across something online that pulls back the curtain and gives some insight into how complex and well thought out this tool kit is.

Presumably the same person who posted the source code online has also graciously posted the instruction manual for version 2.1.0.0 (March 20, 2011) of the Zeus crimeware kit on pastehtml.  Reading over this instruction manual shows the level of sophistication of the Zeus authors.  The manual gives many insights into how the piece of malware you create will hide itself from the user and the operating system.  Here is a short (paraphrased) excerpt from the Bot-Protection section:

  1. All objects, i.e. files, mutexes and registry keys, will be created with completely random and unique names.
  2. The code that first installs the bot is destroyed after the bot is installed.
  3. Files are not hidden from WinAPI, because anti-virus tools would find the file too easily.
  4. The bot can be updated on the fly without a reboot.
  5. The bot self-monitors the integrity of its own files, keys and other objects.
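Point 1 above (random, unique names for files, registry keys and mutexes) is exactly what breaks name-based and hash-based signatures, so a defender has to lean on other signals. The following is an added example, not code from this post or from the Zeus kit: it triages Windows Run-key autorun entries using two signals that survive name randomization, namely whether the executable lives in a user-writable directory and whether its name is absent from a fleet baseline, with a "random-looking name" heuristic as a supporting signal only. The baseline allowlist, the `USER_WRITABLE` path pattern, the thresholds and the sample Run-key entries are all constructed for the example.

```python
"""Triage of autorun entries for persistence that hides behind random names.

Added example (not from the post or the Zeus manual). Every constant and
sample entry below is constructed; tune BASELINE and USER_WRITABLE to the
environment being monitored.
"""
import math
import re
from collections import Counter

# Constructed baseline of executable names expected to autorun on this fleet.
BASELINE = {"onedrive.exe", "teams.exe", "msedge.exe", "igfxtray.exe"}

# User-writable locations that legitimate autoruns rarely point into (constructed list).
USER_WRITABLE = re.compile(
    r"\\(appdata\\(roaming|local\\temp)|users\\public|programdata\\[^\\]+\\temp)\\",
    re.IGNORECASE,
)

VOWELS = set("aeiou")


def shannon_entropy(s):
    """Bits of entropy per character of s (0.0 for the empty string)."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def longest_consonant_run(s):
    """Length of the longest run of consecutive consonant letters in s."""
    run = best = 0
    for ch in s.lower():
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def looks_generated(name):
    """True when the file name stem has the texture of a machine-generated string.

    Two cheap tells: a long consonant pile-up, or a long high-entropy mix of
    letters and digits.  Pronounceable random names (e.g. 'avabu') slip past
    this on purpose; the baseline check below is what catches those.
    """
    stem = name.rsplit(".", 1)[0].lower()
    mixed = any(c.isdigit() for c in stem) and any(c.isalpha() for c in stem)
    return (
        longest_consonant_run(stem) >= 4
        or (len(stem) >= 8 and shannon_entropy(stem) > 3.0 and mixed)
    )


def triage(entries):
    """entries: iterable of (value_name, image_path) pairs from a Run key.

    Returns a list of (value_name, image_path, reasons) for entries that sit in a
    user-writable path AND carry at least one further signal.  The path signal is
    mandatory because a single signal on its own is too noisy to act on.
    """
    flagged = []
    for value_name, path in entries:
        exe = path.replace("/", "\\").rsplit("\\", 1)[-1].strip('"').lower()
        reasons = []
        if USER_WRITABLE.search(path):
            reasons.append("user-writable path")
        if exe not in BASELINE:
            reasons.append("not in baseline")
        if looks_generated(exe) or looks_generated(value_name):
            reasons.append("random-looking name")
        if "user-writable path" in reasons and len(reasons) >= 2:
            flagged.append((value_name, path, reasons))
    return flagged


# Constructed sample Run-key entries: two benign, three with generated names.
SAMPLE_RUN_KEYS = [
    ("OneDrive", r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"),
    ("IgfxTray", r"C:\Windows\System32\igfxtray.exe"),
    ("Ypsoq", r"C:\Users\alice\AppData\Roaming\Ypsoq\avabu.exe"),
    ("{8f3c1a2e}", r"C:\Users\alice\AppData\Local\Temp\qwkxzjtr7.exe"),
    ("Updater", r"C:\Users\Public\a9x2kq0z4m.exe"),
]

if __name__ == "__main__":
    for value_name, path, reasons in triage(SAMPLE_RUN_KEYS):
        print(f"{value_name:12} {path}\n             reasons: {', '.join(reasons)}")
```

The design choice worth noting is that the randomness heuristic is deliberately weak: the constructed `avabu.exe` entry is pronounceable and passes `looks_generated`, yet it is still flagged because it runs from a Roaming profile directory under a name the fleet has never seen. Baselining plus location is the durable signal; entropy is only a tiebreaker.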

After the protection section, the manual spells out the server-side functions of the bot:

  1. Socks 4/4a/5 server with support for UDP and IPv6.
  2. Backconnect for any service (RDP, Socks, FTP, etc.) on the infected machine, i.e. it may gain access to a computer that is behind a NAT or, for example, whose connections are prohibited by a firewall. For this feature to work, additional applications are used that run on any Windows server on the Internet with a dedicated IP.
  3. Getting a screenshot of your desktop in real time.

Next, the manual spells out the different ways your custom piece of malware can hook into wininet.dll or nspr4.dll to intercept HTTP/HTTPS traffic going through IE or Firefox.  (Pro-tip: keep Opera handy.)

  1. Modification of the loaded page’s content (HTTP-inject).
  2. Transparent page redirect (HTTP-fake).
  3. Extracting the right pieces of data from the page content (for example the bank account balance).
  4. Temporarily blocking HTTP-injects and HTTP-fakes.
  5. Temporarily blocking access to a certain URL.
  6. Blocking logging of requests for a specific URL.
  7. Forcing logging of all GET requests for a specific URL.
  8. Creating a snapshot of the screen around the mouse cursor when buttons are clicked.
  9. Getting session cookies and blocking user access to a specific URL.

The list goes on and on, but it shows that this is truly a Swiss Army knife of malware.  Skipping down to the C&C feature description section, there is a lot of focus on client tracking and geolocation along with some logging and notification features.  One particularly interesting section spells out the client details that are tracked:

  • Windows version, user language and time zone.
  • Location and computer IP-address (not for local).
  • Internet connection speed (measured by calculating the load time of a predetermined HTTP-resource).
  • The first and last time of communication with the server.
  • Time online.

When you read over the instructions, you realize what an incredible tool this could be for plain old white hat system administration.  The level of detail provided in the instructions is truly impressive and rivals most legitimate pieces of software that we’ve seen as of late.

The other conclusion we can easily draw is that the Zeus crimeware kit is clearly the work of a well-backed team of developers rather than some Russian dude in his basement.

Most of the document is incredibly interesting and I would urge you to take a peek to see what’s behind the curtain.  We discussed this on ISD Podcast episode 386.  Take a listen for more details.