Botnets Unearthed – The ZEUS BOT – InfoSec Institute

An interesting article by Aditya Balapure from

Zeus, also known as ZBot/WSNPoem, is famous for stealing banking information by using man-in-the-browser keystroke logging and form grabbing. As the term suggests, man in the browser (MITB) is basically a proxy Trojan horse which uses man-in-the-middle techniques to attack users. It attacks by exploiting vulnerabilities in browser security to modify web pages and manipulate monetary transactions by changing or adding details that are malicious. The worst part is that no form of application-level or session-layer security like SSL can protect against such an attack. The best way to protect against these is out-of-band transaction verification. Form grabbing is a technique of capturing web form data in various browsers. Very recently Happy Hacker was arrested; he was alleged to be the mastermind behind the Zeus banking Trojan.

Zeus comes as a toolkit to build and administer a botnet. It has a control panel that is used to monitor and update patches to the botnet. It also has a so-called builder tool that allows the creation of executables that are used to infect the user computers. Zeus comes as a commercial product for users who can buy it from underground markets and easily set up their own botnet. It is estimated to cost around $700 plus for the advanced versions.

Features of Zeus

Some of the features that this botnet displays are:

  • Captures credentials over HTTP, HTTPS, FTP, POP3
  • Steals client-side X.509 public key infrastructure certificates
  • Has an integrated SOCKS proxy
  • Steals/deletes HTTP and flash cookies
  • Captures screenshots and scrapes HTML from target sites
  • Modifies the local hosts file
  • Groups the infected user systems into different botnets to distribute command and control
  • Has search capabilities which may be used through a web form
  • The configuration file is encrypted
  • Has a major function to kill the operating system
  • Contacts command and control server for additional tasks to perform
  • Has a unique bot identification string
  • Sends a lot of information to C&C server, such as the version of the bot, operating system, local time, geographic locations, etc.
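As an added defender-side check (not code from the InfoSec Institute article or from the Zeus toolkit), the script below audits a hosts file for the kind of override listed above, where a monitored banking domain is mapped to a non-loopback address; the sample hosts content and the `examplebank.test` watchlist entry are constructed for this example.

```python
import ipaddress

# Constructed sample hosts file (not taken from any real system): normal
# loopback entries, a 0.0.0.0 sinkhole line, and one injected bank override.
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost ip6-localhost
198.51.100.23   www.examplebank.test online.examplebank.test  # injected
0.0.0.0         ads.tracker.invalid
"""

# Hypothetical watchlist of domains the defender monitors; a real deployment
# would load this from the organisation's own data.
WATCHLIST = {"examplebank.test"}


def parse_hosts(text):
    """Return (ip_address, hostname) pairs from hosts-file text, skipping
    comments, blank lines and lines whose address does not parse."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop trailing comments
        parts = line.split()
        if len(parts) < 2:
            continue
        try:
            addr = ipaddress.ip_address(parts[0])
        except ValueError:
            continue
        for name in parts[1:]:
            entries.append((addr, name.lower()))
    return entries


def in_watchlist(hostname, watchlist):
    """True if hostname equals, or is a subdomain of, a watchlist domain."""
    labels = hostname.split(".")
    return any(".".join(labels[i:]) in watchlist for i in range(len(labels)))


def suspicious_overrides(text, watchlist=WATCHLIST):
    """Return (hostname, ip) for watchlist domains pointed at a routable
    address. Loopback and 0.0.0.0 entries are normal local or sinkhole
    lines; a hosts-file hijack maps a bank domain to some other host."""
    findings = []
    for addr, name in parse_hosts(text):
        if addr.is_loopback or addr.is_unspecified:
            continue
        if in_watchlist(name, watchlist):
            findings.append((name, str(addr)))
    return findings
```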

You can read the full article on their site.

