Before ZeuS author Monstr/Slavik handed over his source code to SpyEye author Harderman/Gribodemon, the last known ZeuS version was 220.127.116.11. The ZeuS crimeware, which exponentially grew in popularity the past couple of years, is arguably the most popular toolkit in the threat landscape. Given this, it isn’t surprising to see that the ZeuS crimeware was updated quite a number of times in 2010.
The last release of the 18.104.22.168 version—22.214.171.124—is still being bought and sold by various resellers in the cybercrime underground. There are no significant visual differences with previous versions as far as the main ZeuS Builder is concerned.
Differences can be found in the infection routines of the ZeuS binaries produced. Some of the notable changes are:
- Support for almost all versions of Windows (XP/Vista/Seven/Server 2003/Server 2003 R2/Server 2008/Server 2008 R2)
- Support for 64-bit versions of Windows (limited to 32-bit processes only)
- Works even if User Account Control (UAC) is enabled and if the user has minimal privileges (e.g., “Guest” users)
- Multiuser session infection (when the bot is run under the LocalSystem account, it will attempt to infect all of the users’ files on the system)
- Injection module for Firefox
- Bot protection (unique/random object names such file names, mutexes, registries, etc.; auto-updating without requiring system rebooting)
This version may also be packaged with a reverse Virtual Network Computing (VNC) function for an additional price, which allows the user to open a hidden remote desktop session on an infected machine.
Most of the time, the control panel for 126.96.36.199 does not feature changes apart from the necessary technical updates for command-and-control (C&C) compatibility. However, we have seen one version sold underground that does have a modified control panel called the “Ghost” Panel.
The “Ghost” Panel
Although not part of the original ZeuS toolkit, this panel offers a number of unique features that are useful to ZeuS-using cybercriminals.
Stripped PHP Scripts
Note that the Web panel version says “Stripped.” This means that the PHP scripts of the Web panel have been optimized for smaller file sizes. Smaller script sizes will be more efficient when these Web panel scripts are uploaded to Web-hosting sites.
This option filters the types of information that will be saved in the database. Nonfinancial information such as social networking site credentials will not be stored. This ensures that the database of stolen information stays manageable in terms of size without what the cybercriminal considers “irrelevant” information. This feature is especially beneficial to carders—cybercriminals who sell/trade credit card and bank account-related credential dumps to other cybercriminals.
This feature allows the configuration file to be easily updated with new target sites. The attacker does not need to rebuild the configuration file and to manually upload the new configuration file. The panel automatically takes care of this for the user.
Different Folder and File Names
As a security measure, the “Ghost” Web panel uses different file and folder names from the conventional ZeuS control panel. This protects the panel from being rapidly analyzed by automated tools or even by security researchers who are already familiar with the conventional file and folder names of the ZeuS Web panel.
The Anti-Zeus Tracker feature is actually just a script that the seller/user configures in the .htaccess file. The script is like a blacklist where sellers/users input compiled known IP addresses of malware-monitoring sites like ZeuS Tracker, Spamhaus, and the like. It blocks the IP addresses of these monitoring sites so they receive an HTTP error whenever they try to access the ZeuS Web panel. This particular feature has been around for quite a while, however, and is not specifically unique to the “Ghost” panel. Below is a screenshot of the script code.
These last two features allegedly allow this control panel to be a “Ghost” or “untraceable,” hence the name. There have been reports about the panel being unstable but we haven’t been able to confirm the said claim. Other features of this specific version are Joomla spoofing (the server looks like a legitimate website complete with a fake Joomla login page), the ability to work on free “ZeuS-proof” hosting sites, and compatibility with all browsers, including for mobile devices.
Conducting cybercrime becomes much easier with tools like this, as it provides great convenience for cybercriminals, difficulty for security researchers, and more threats for potential victims. Thus, we here at Trend Micro are doing what we can to stop attacks aided by tools like this to protect our product users.