Zeus/Zbot source code leaked on net: Does it go by other names - like Bifrost?


Virus Guy

There are many reports today that source code for the Zeus/Zbot trojan
has been "leaked" to the internet.

I did some searching and found this file: Zeus 1.2.1.0.rar

It's about 950 kb in size and seems to contain mostly script files
(.php).

Submitting the rar file to virustotal gives 37 / 42 hits.

Seems that almost every AV program is giving a different name to this
detection. A few of these names are:

Bifrost / Bifrose
Trojan.Agent.VB.BBG
TrojanDownloader.Agent.bitt
BKDR_POISON.MCL


VT does not seem to have fully unpacked the RAR file that I submitted,
because when I unpack and submit some of the individual .php files
separately, VT gives no indication that it's seen them before.

One file (cfg.bin) was previously ID'd by only one AV app as suspicious
(Win32.Zbot.Config) but a current detection is flagging it by only one
AV app as Rogue.Agent/Gen-Nullo[BIN].

So do I actually have a copy of this so-called leaked version of
Zeus/Zbot - or is this something else?

==================

http://www.eweek.com/c/a/Security/Z...n-More-Banking-Malware-to-Hit-the-Web-253343/

The code is not so readily available that any kid can get ahold of it,
Kevin Stevens, a senior threat engineer at Trend Micro, told eWEEK. It
has been leaked to various groups for more than a month but became more
open just a few days ago. Stevens even saw a “few people” sharing the
code within their LinkedIn groups.


http://www.csis.dk/en/csis/blog/3229/

http://www.csis.dk/en/csis/blog/3176/

You should pay attention to the screen dump (posted above) which on the
bottom left side is referring to a file named: "peinfector.cpp". This
could be the child project of Zbot known as "Murofet", but again this is
pure speculation on our side.
 

Virus Guy

Ant said:
I doubt it but does it contain C/C++ source code in .c or .cpp files?

It contains 51 files in total. None of them are .c or .cpp. 43 of them
are .php files. I think this link should get you a copy of this .rar
file if you want it:

http://www.filestube.com/b238c839f8cafdf003e9,g/Zeus-1-2-1-0.html

Otherwise, do a search for

'zeus 1.2.1.0 version - opensc.ws - trojan programming forum'

and you should find it.

Only 1 exe file (Builder 1.2.1.0.exe) in that archive, which seems to be
the "most infected" file. I wonder why they would call it "zeus
1.2.1.0" if it's not actually Zeus or Zbot?


AhnLab-V3 Win-Trojan/Agent.278528.BM
AntiVir TR/Dropper.Gen
Antiy-AVL Trojan/Win32.Agent.gen
Avast Win32:VB-LAU
Avast5 Win32:VB-LAU
AVG BackDoor.Generic10.AUGD
BitDefender Trojan.Agent.VB.BBG
CAT-QuickHeal TrojanDownloader.Agent.bitt
ClamAV Trojan.Agent-81099
Commtouch W32/Backdoor2.DXPJ
Comodo Worm.Win32.VB.~ACA
DrWeb BackDoor.Bifrost.788
eSafe Win32.TRDropper
eTrust-Vet Win32/Bifrose.GE
F-Prot W32/Backdoor2.DXPJ
F-Secure Trojan.Agent.VB.BBG
Fortinet W32/VBKrypt.FTK!tr
GData Trojan.Agent.VB.BBG
Ikarus VirTool.Win32.VBInject
Jiangmin TrojanDownloader.Agent.baxg
K7AntiVirus Trojan-Downloader
Kaspersky Trojan-Downloader.Win32.Agent.bitt
McAfee Backdoor-CEP.gen
McAfee-GW-Ed Heuristic.BehavesLike.Win32.Downloader.A
Microsoft VirTool:Win32/VBInject.gen!Z
NOD32 Win32/Bifrose.NFW
Norman W32/Smalldrp.AUFZ
nProtect Trojan-Downloader/W32.Agent.278528.BW
Panda Trj/Downloader.MDWNDARY
PCTools Trojan-Downloader.Agent!sd6
Prevx Medium Risk Malware
Rising Trojan.Win32.VBCode.ga
Sophos Mal/VB-GI
Symantec Trojan Horse
TheHacker Trojan/Downloader.Agent.bitt
TrendMicro BKDR_POISON.MCL
TrendMicro-HC BKDR_POISON.MCL
VBA32 Win32.Bifrose.NFW
VIPRE Trojan.Win32.Buzus (v)
ViRobot Trojan.Win32.Downloader.344064.P
VirusBuster Trojan.VBCrypt.AO
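As an added example, not part of the thread, the following Python does by code what the poster did by eye on the list above: it strips platform, threat-class and variant tokens from each vendor's verdict and counts the family names that remain, so that the spelling variants Bifrost/Bifrose are counted together and purely generic verdicts ("Trojan Horse", "Medium Risk Malware") are set aside. The sample is a constructed subset of the list above; the GENERIC and ALIASES vocabularies are assumptions of this example, not a VirusTotal or vendor convention.

```python
import re
from collections import Counter

# Constructed sample: a subset of the VirusTotal verdicts quoted above,
# one "Vendor detection-name" pair per line.
SAMPLE_VERDICTS = """\
AVG BackDoor.Generic10.AUGD
BitDefender Trojan.Agent.VB.BBG
CAT-QuickHeal TrojanDownloader.Agent.bitt
DrWeb BackDoor.Bifrost.788
eTrust-Vet Win32/Bifrose.GE
Fortinet W32/VBKrypt.FTK!tr
Microsoft VirTool:Win32/VBInject.gen!Z
NOD32 Win32/Bifrose.NFW
Prevx Medium Risk Malware
Symantec Trojan Horse
TrendMicro BKDR_POISON.MCL
TrendMicro-HC BKDR_POISON.MCL
VBA32 Win32.Bifrose.NFW
VIPRE Trojan.Win32.Buzus (v)
"""

# Assumed vocabulary: tokens naming a platform, threat class or confidence
# level rather than a malware family.
GENERIC = {"win", "win32", "w32", "tr", "trj", "trojan", "backdoor", "bkdr",
           "downloader", "trojandownloader", "dropper", "agent", "generic",
           "gen", "heuristic", "virtool", "malware", "medium", "risk", "horse"}
# Assumed spelling variants that denote the same family.
ALIASES = {"bifrost": "bifrose"}

def family_of(detection):
    """Return the first family-like token of a verdict (lower-case), or None."""
    for raw in re.split(r"[^A-Za-z0-9]+", detection):
        tok = re.sub(r"\d+$", "", raw.lower())          # Generic10 -> generic
        # Skip numbers, very short tokens and single-case variant suffixes (.AUGD, .NFW, .bitt).
        if len(tok) < 3 or (len(raw) <= 4 and (raw.isupper() or raw.islower())):
            continue
        if tok in GENERIC:
            continue
        return ALIASES.get(tok, tok)
    return None

def consensus(verdicts):
    """Count family names across vendors; 'generic' collects nameless verdicts."""
    counts = Counter()
    for line in verdicts.strip().splitlines():
        _vendor, _, detection = line.partition(" ")
        counts[family_of(detection) or "generic"] += 1
    return counts
```

Running `consensus(SAMPLE_VERDICTS).most_common()` on the sample shows the Bifrose spelling variants as the largest named group, with the VB-crypter labels and the generic verdicts left as separate buckets.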
 

FromTheRafters

Virus Guy wrote:
[...]

From the documentation in version 2.0.8.9:

• Version 2.0.1.0, 28.04.2010

Now using an external crypter; because of this, some features of the
previous version were removed:
1. Modified to bind to the user/OS.
2. The bot is no longer able to re-encrypt itself during installation.
3. Minor improvements to HTTP-injects.

• Version 2.0.2.0, 10.05.2010

1. Forced change of Mozilla Firefox security settings for normal
HTTP-injects.
2. The command "user_homepage_set" now makes the home page mandatory for
IE and Firefox (i.e. the page will be restored even if the user changes
it) as long as the command is not cancelled.

• Version 2.0.3.0, 19.05.2010

1. Since HTTP-injects are mostly written by people who understand little
of HTTP, HTML, etc., the warning "*NO MATCHES FOUND FOR CURRENT MASK*"
was removed, because due to abuse of the "*" mark in masked URLs this
warning appeared very often.

• Version 2.0.4.0, 31.05.2010

1. In the control panel, fixed a bug in the "Botnet -> Bots" module
which did not allow searching by IP.
2. In the configuration file, added the option
"StaticConfig.remove_certs" to disable the automatic deletion of
certificates from the user store when the bot is installed.
3. In the configuration file, added the option
"StaticConfig.disable_tcpserver", which allows you to disable the
TCP server (disabling the socks-server and real-time screenshots). This
option was introduced to prevent warnings from the Windows Firewall.
4. Ripped certificates are stored on the server with an indication of
the user from which they were received.

• Version 2.0.5.0, 08.06.2010

1. For scripts, added the commands "bot_httpinject_enable" and
"bot_httpinject_disable".
2. Fixed minor bugs in the HTTP-grabber.

• Version 2.0.6.0, 22.06.2010

1. In nspr4.dll, for a particular format of HTTP response from the
server, the reply was not analyzed correctly (resulting, for example, in
the HTTP-injects being disabled).

• Version 2.0.7.0, 15.07.2010

1. Disabled the built-in bot encryption.

• Version 2.0.8.0, 17.08.2010

1. To the HTTP-inject parameters were added the new options "I"
(insensitive comparison of the URL) and "C" (insensitive comparison of
the context).

• Version 2.1.0.0, 20.03.2011

1. RDP + VNC BACKCONNECT ADDED
==========

It looks like you got a very old version. Is the recently "leaked"
version 2.1.0.0?
 

Virus Guy

I see that I probably have found an old version of this Zeus code.

I can also see that there is a sick and twisted set of luzers that are
rather busy with this malware, as shown by the following thread
(below). Apparently it has been known since March 30 that the Zeus code
was public.

Does anyone here know the extent to which the characters that inhabit
opensc.ws are major players in the botnet scene?

I can't seem to get anything on the vimeo link below. Is it just me, or
is there any actual content at that link?

------------------------

http://www.opensc.ws/tutorials-articles/13689-zeus-2-0-8-9-hidden-service-setup-tutorial.html

09-03-2011
drebin21 (is Senior Member)
Zeus-2.0.8.9 Hidden Service Setup Tutorial
This is my Zeus-2.0.8.9 setup tutorial.

Using Tor with a hidden service through a log-less VPN makes
tracking your Zeus botnet just about impossible. The bots
connect via tor2web. Whenever you see a URL like
http://duskgytldkxiuqc6.onion/, that's a Tor hidden Web
service. Just replace .onion with .tor2web.org to use
the tor2web proxy network. Example:
https://duskgytldkxiuqc6.tor2web.org/cp.php
Enjoy the tutorial.
Remember this can also work on vps's if you use openvpn.

10-03-2011
tristan6100 (is Banned)
i thought u need to pay for zeus 2.0.8.9

drebin21
This is a tutorial if already have it. But yes I am selling it.

tristan6100
ah ok sorry

drebin21
I am no longer selling dont bug me about this. It's going
to be public soon. Someone leaked it I think.

Saperman (is Senior Member)
drebin21, watch your back.

quantumbenxh
I'd love to see this working with a botnet that is bigger
than 100 bots.

wilight
where can i find zeus 2.0.8.9 download link ?

pwnsauce (is Senior Member)
I have a feeling that this is how I will be making my next
botnet for tests, very interesting tutorial! Never thought
about using TOR hidden services despite being more than
familiar with its uses...

Pernat1y
I'm not selling or buying anything. I'm not verifying
your soft for blackmarket. Can't install botnet? New
pack don't work? I don't f**king care. Stop PMing me
about your problems

twilight
in google ?? ahhah zeus ? without $$$ ?

tristan61000
yes. latest (and the last) builder is public
eh kinda, theyre all public but with a pass

gribo
well thats mean can infect only victims how use toor
thats sucks

Gibon
tor is not good to hide you work , they keep logs and FBI
can demand the TOR owners to release any information needed
to trace the identity of the user. It has happened before

30-03-2011
Pernat1y
sources - yes. builder is publicly available

whyhim
good tut..but cant you reverse your logs on tor?

kubanezi
TOR = bullshit
better use HF VPN

logitech
Get iPredator Sweden VPN no logs.
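The quoted tutorial has the bots reach the hidden service through the tor2web gateway, i.e. over ordinary HTTPS to a <name>.tor2web.org host rather than through a Tor client, and that is exactly what leaves the command channel visible in a normal web proxy log. As an added example that is not from the thread, the Python below scans constructed proxy log lines for tor2web-proxied and bare .onion hosts (the onion name is the one quoted above) and groups the affected clients per hidden service; the log format and client addresses are assumptions of this example.

```python
import re
from urllib.parse import urlsplit

# Constructed sample proxy log, one "<timestamp> <client-ip> <method> <url>"
# per line. The onion name is the one quoted in the thread above.
SAMPLE_LOG = """\
2011-04-01T10:01:02Z 10.0.0.5 GET http://www.example.com/index.html
2011-04-01T10:01:09Z 10.0.0.23 POST https://duskgytldkxiuqc6.tor2web.org/cp.php
2011-04-01T10:02:11Z 10.0.0.23 GET https://duskgytldkxiuqc6.tor2web.org/gate.php
2011-04-01T10:02:40Z 10.0.0.8 GET https://tor2web.org/
2011-04-01T10:03:05Z 10.0.0.42 GET http://duskgytldkxiuqc6.onion/cp.php
"""

# A hidden-service name is 16 base32 characters (v2) or 56 (v3). Reached
# through tor2web it appears as <name>.tor2web.org; a bare <name>.onion in a
# proxy log means a client tried to resolve it outside Tor.
HOST_RE = re.compile(
    r"^(?P<name>[a-z2-7]{16}|[a-z2-7]{56})\.(?P<suffix>onion|tor2web\.org)$")

def classify_host(host):
    """Return (onion_name, 'tor2web' | 'direct'), or None for an ordinary host."""
    m = HOST_RE.match((host or "").lower())
    if not m:
        return None
    via = "direct" if m.group("suffix") == "onion" else "tor2web"
    return m.group("name") + ".onion", via

def scan_log(log):
    """Return one hit per request whose host is a hidden service or a gateway to one."""
    hits = []
    for line in log.strip().splitlines():
        ts, client, _method, url = line.split(maxsplit=3)
        parts = urlsplit(url)
        found = classify_host(parts.hostname)
        if found:
            onion, via = found
            hits.append({"ts": ts, "client": client, "onion": onion,
                         "via": via, "path": parts.path})
    return hits

def clients_per_onion(hits):
    """Group clients by hidden service: several internal hosts talking to the
    same onion is the shape of a shared command channel, not of browsing."""
    groups = {}
    for h in hits:
        groups.setdefault(h["onion"], set()).add(h["client"])
    return groups
```

The bare gateway front page (https://tor2web.org/) is deliberately not flagged: the signal is a hidden-service name in the host label, not the gateway domain itself.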
 

FromTheRafters

Virus said:
I see that I probably have found an old version of this Zeus code.

I can also see that there is a sick and twisted set of luzers that are
rather busy with this malware, as shown by the following thread
(below). Apparently it has been known since March 30 that the Zeus code
was public.

If I'm not mistaken, it is the source code to the bot generating kit
that just got leaked. So, it's 'be the first one on your block to have a
botnet' time. Script kiddies can all be bot-herders now, and so can the
government.

Heh, the government could "leak" something like that and round up a lot
of script kiddies that way. :blush:)

Virus said:
Does anyone here know the extent to which the characters that inhabit
opensc.ws are major players in the botnet scene?

Not me.

Virus said:
I can't seem to get anything on the vimeo link below. Is it just me, or
is there any actual content at that link?

I get a message to get a better browser or download Flash. Maybe they
just don't like my User-Agent string.

[...]
 