Zeus: God of Crimewire Botnets
Zeus Botnet Overview
Zeus is a toolkit that provides a malware creator all of the tools required to build and administer a botnet. The Zeus tools are primarily designed for stealing banking information, but they can easily be used for other types of data or identity theft. A Control Panel application is used to maintain/update the botnet, and to retrieve/organize recovered information. A configurable Builder tool allows to create the executables that will be used to infect victim’s computers. These executables are usually detected as ZBot by anti-virus software.
There is no single Zeus botnet. The toolkit is a commercial product that is sold to many different users, and distributed freely to many more. Each of them can create one or more botnets of their own, so the number of Zeus botnets is likely quite large.
The latest version of the toolkit typically sells for about $700 USD to trusted buyers, with the bot source code possibly available for a much larger sum. After a few months the new toolkit version is released as a free “public” version, which is probably meant to serve as a promotion for the commercial version. The public version may not include all of the latest functions, and the documentation is minimal. Modified versions of the public toolkit have also been offered for sale at lower prices by third party developers, sometimes known as “modders”.
Configuration and Bot Creation
The first step in building a bot executable is to edit the configuration file. The configuration tells the bot how to connect to the botnet, and it also contains information on what user data to gather and how to do so. The configuration file is in two parts, as described below.
The StaticConfig is compiled into the bot by the Builder tool. It contains information that the bot will need when it is first executed. To update the StaticConfig the bots must be ordered to download a new bot version.
The available settings are:
- The name of the botnet that this bot belongs to.
- The amount of time to wait between dynamic configuration file downloads.
- The time interval between uploads of logs and statistical information to the drop server.
- The URL where the bot can get the dynamic config file.
- A URL where the bot can check its own IP address, to determine if it is behind a router or firewall.
- The encryption key that is used to hide information transmitted within the botnet.
- A language ID list that tells the bot to go into a dormant state if the infected computer’s language is on the list.
The DynamicConfig is downloaded by the bot immediately after it is installed on a victim’s computer. This file is downloaded at timed intervals by the bot, and can be used to change the behaviour of the botnet. Most of the entries control how information is collected from the infected computer.
Available settings include:
- A URL where the bot can download a new version of itself, if the command to do so is given.
- The URL of the drop server where logs, statistics and files will be uploaded and stored.
- Information used to inject additional fields into web pages viewed from the infected computer.
- A list of URLs where an emergency backup config file can be found.
- A set of URL masks used to cause or prevent logging of information.
- A set of URL masks to indicate that a screen image should be saved if the left mouse button is clicked.
- A list of pairs of URLs that are used to cause redirection from the first URL to the second.
- A set of URL masks used to collect TAN (Transaction Authentication) numbers – used by some banks for online authentication.
- A list of IP/URL pairs that are inserted into the infected computer’s hosts file to override DNS lookups.
Building the Bot
Once the configuration file is ready the Builder tool is used to build the encrypted dynamic configuration file and the bot executable file. The Builder first checks the computer it is running on to see if the Zeus bot is installed and gives the user the option to clean the system. This is probably meant to make it easier to test configuration settings. The Builder will then report system information as seen in Figure 1 below:
Figure 1: Zeus Builder – Information
Figure 2: Zeus Builder – Compiling configuration
Figure 3: Zeus Builder – Assembling configuration and binary
Bot Distribution and Installation
The Zeus bot has no built-in capability to spread to other computers. In most cases a spam campaign is used to distribute it, either as an attached file or a link. Some type of social engineering within the spam message is used to trick the victims into executing the bot. A wide variety of these tricks have been seen, often in forms that are persuasive and difficult to detect. The large number of social engineering tricks is a result of many individuals attempting to seed their own botnet, using the common Zeus platform.
The lack of worm-like spreading capabilities makes the bot suitable for targeted attacks, since the bot is less visible and less likely to be detected. In targeted attacks, it can be sent to the intended victim in various disguises until success is achieved.
When the bot is executed on a victim’s computer it goes through a number of steps to install and configure itself, and to connect to the botnet. The filenames given here are for the tested version, and sometimes are changed in new versions. Outlined below are the steps taken upon initial execution:
- The install function searches for the “winlogon.exe” process, allocates some memory within it and decrypts itself into the process.
- The bot executable is written to the hard drive as “C:WINDOWSsystem32sdra64.exe“.
- The directory “C:WINDOWSsystem32lowsec” is created. This directory is not visible in Windows Explorer but can be seen from the command line. Its purpose is to contain the following files:
- local.ds: Contains the most recently downloaded DynamicConfig file.
- user.ds: Contains logged information.
- user.ds.lll: Temporarily created if transmission of logs to the drop server fails.
- The Winlogon (“HKLM/SOFTWARE/Microsoft/WindowsNT/CurrentVersion/Winlogon“) registry key’s value is appended with the path of the bot executable: C:/WINDOWS/system32/sdra64.exe. This will cause the bot to execute when the computer restarts.
- The Windows XP firewall is disabled. This causes a Windows Security Center warning icon to appear in the system tray, the only visible indication that the computer has been infected.
- The bot broadcasts an “M-SEARCH” command to find UPnP network devices. This may be an attempt to access and reconfigure local routers.
- The bot sends an HTTP GET command to the configured botnet server to get the latest DynamicConfig file.
- The bot begins capturing and logging information from the infected computer. The DynamicConfig file largely determines what information is collected.
- The bot sends two HTTP POST commands to upload log (user.ds) and stat information to the botnet drop server.
- Three timers are set to values in the StaticConfig, each executing a function on time-out:
- Get new config file (DynamicConfig) from server (default 60 minutes).
- Post harvested data (user.ds) to server (default 1 minute).
- Post statistics to server (default 20 minutes).
- If a web page that is viewed from the infected computer is on the injection target list in the DynamicConfig, the additional fields from the list are injected into the page.
- If the HTTP “200 OK” reply to a POST contains a hidden script command, the bot executes it and returns a success or failure indication along with any data (see Communication section below).
Botnet Command and Control
Control Panel Installation
The Zeus Control Panel application is mainly used to track the state of controlled botnets and to send script commands to the bots. It also provides an organized way to view and access information collected by the bots from infected computers.
The Control Panel is an open source PHP application that can be run on an IIS or Apache web server. Some additional software, most of which is specified in the documentation, is also required. A MySQL user with appropriate permissions must also be set up. When the system is ready the Control Panel code can be copied into the web server directory. The install page can then be accessed from a browser. If any errors are made when filling in this form, the user is given a helpful message. Once this form is completed the remainder of the setup is done automatically.
Figure 4: Zeus Control – Installation configuration
After logging into the Control Panel, the initial page is displayed, as shown in Figure 5 below:
Figure 5: Zeus Control – Index
If the “OS” item on the menu is clicked we get a list of operating system versions in the network with a count of bots for each version. The next menu item is “Bots”, which initially displays the “Filter” form. Here the user can select “Inside NAT” or “Outside NAT”, “Online” or “Offline”, etc. to filter only the most interesting bots.
Figure 6: Zeus Control – Display Filter and Bot List
The “Bots action:” drop-down menu allows some more information to be obtained, for example the selected “Full information” option results in the additional details displayed in Figure 7. The user can add comments here, and the “Used” field can be set. The purpose of these seems to be to allow more exclusive filtering of the bots displayed on the list shown above.
Figure 7: Zeus Control – Full Information
Figure 8: Control Panel – Script List
Figure 9: Control Panel – Script Edit
Clicking the question mark next to “Context:” displays a list of currently available script commands with explanations. The commands can be used to collect more information, to make changes to the botnet or to give greater control of the infected computer.
Figure 10: Control Panel – Script Commands
Figure 11: Control Panel – Database Search
Figure 12: Control Panel – Password Capture Report
Figure 13: Control Panel – Files Search Dialog
Figure 14: Control Panel – Files Search Results
Certificate files that were captured when the getcerts command was given are located in the “certs” folder.
The file autorun.inf was uploaded using the command “getfile D:autorun.inf“, so it has been placed inside a folder named “D:“, based on its original path.
By clicking on a file name, any of the files can be downloaded or viewed. Alternatively, the checkboxes can be clicked for the items the user wants, and the “Create archive and download” option can be chosen under “Files action:”.
Under the “System:” section of the main menu, the “Information” item shows some version numbers for the Control Panel installation. The “Options” item allows changes to some setup options, including the botnet encryption key. Before the encryption key is changed, the bots must be ordered to download a new bot build with the new key.
Figure 15: Control Panel – System Options
Figure 16: Control Panel – User Options
All Zeus botnet communications pass between the bots and one or more servers. Only one physical server is needed, but additional ones can be used to distribute bot file updates and fallback configuration files.
Data sent through the Zeus botnet is encrypted with RC4 encryption. In this implementation a key stream is generated from the botnet password, and is XORed with the data. The same password is used to encrypt all data that is passed through the botnet. Changing the botnet password requires that all of the bot executables be updated to a build that includes the new password. The dynamic config file also must be updated and the server password changed from the Control Panel.
When a computer is infected with the Zeus bot, its first communication with the server is a request for the dynamic config file. Unlike other data sent through the network, the config file has already been encrypted by the Builder application and can be sent without further processing. Figure 17 shows the config file being requested by the bot, returned by the control server.
Figure 17: The bot gets the dynamic config file
Figure 18: The bot POSTs basic information
Figure 19: The server reply to the POST contains some data
Figure 20: The server reply to the POST contains a command
Web Page Injection
One important feature of the Zeus bot is its ability to dynamically inject dynamic into web pages viewed from an infected computer. This is done on-the-fly, as data passes from the server to the client browser. A snippet of the configuration data for this is shown below. It does a fairly straight forward search and insert operation:
set_url http://www.bank.com/login.html GP data_before name="password"*</tr> data_end data_inject <tr><td>PIN:</td><td><input type="text" name="pinnumber" id="pinnumber" /></td></tr> data_end data_after data_end
The set_url parameter identifies the page to be attacked, data_before contains the text to search for before the injection point and data_inject has the text that will be injected. Figure 21 shows a login page before and after injection.
Figure 21: Login form before and after injection
Below is the HTML source before injection. The data_before search text is highlighted.
<TR> <TD>Username:</TD> <TD><INPUT id=username name=username></TD></TR> <TR> <TD>Password:</TD> <TD><INPUT type=password name=password></TD></TR> <TR> <TD colSpan=2><INPUT type=submit value=Submit></TD></TR>
The following is the HTML source after injection, with the code inserted from the data_inject field discussed above.
<TR> <TD>Username:</TD> <TD><INPUT id=username name=username></TD></TR> <TR> <TD>Password:</TD> <TD><INPUT type=password name=password></TD></TR> <TR> <TD>PIN:</TD> <TD><INPUT id=pinnumber name=pinnumber></TD></TR> <TR> <TD colSpan=2><INPUT type=submit value=Submit></TD></TR>
The currently distributed configuration file contains default settings for injection attacks on more than 100 URLs. A well executed attack can be very difficult for a victim to distinguish from a genuine web page.
As you can see, ZBot can steal information through various methods, from simple keylogging to custom data from injected forms, and screenshot collection. The following is a video we have put together that shows a clean system (firewall enabled), infected with a ZBot variant. The video then shows the symptoms of an infection (firewall disabled, security alert) and goes on to display some typical user activities under watch, then retrieved at ease through the control panel: