Tag Archives: wsnpoem

When a Botmaster goes REALLY mad

Yesterday I came across a post on Sunbelt’s Blog concering bots which have a build in function to destroy the computers operating system (OS). The Sunbelt Blog reference to a blog post on the S21sec Blog:

This time we are taking a close look about what things could happen with an infected computer when the running bot receives an specific command about to kill the Operating System. Not all type of bots usually have this functionality, but banking Trojans usually have. We will take three examples (InfoStealer, Zeus/Zbot and Nethell/Ambler), these are the most common Trojans where we’ve definitely found in their binaries the malicious code that is responsible for the Execution of Windows.

Last week I received a copy from a ZeuS C&C server for analysis (53’878’694 records in database / 155GB) . The C&C server was hosting about 5 different ZeuS installations controlling more than 100′000 computers, mainly located in Poland and Spain.

I was just shocked as I saw that the ZeuS C&C was sending out the ZeuS command kos:

ZeuS C&C: Kill Operating System

But what is “kos”? The kos command is used by ZeuS to destroy the operating system (kill Operating System). From ZeuS help file (translated with Google):

kos – incapacitate OS, namely grip branches HKEY_CURRENT_USER registry and / or HKEY_LOCAL_MACHINE. If you have sufficient privileges – fly to “blue screen”, in other cases creates the brakes. Following these steps, loading OS will not be possible!

So what happened? The Operating System of every infected client which was connected to one of the malicious ZeuS C&Cs has been destroyed. That are about 100’000 affected computers!

Yeah, that happens when a Botmaster goes really mad…

Further reading:
Sunbelt Blog: Bots that destroy the operating system
S21sec Blog: When a Bot master goes mad – Kill the OS
abuse.ch ZeuS Tracker BETA

Insight a ZeuS C&C server

During my work on the ZeuS Tracker I often see insecure ZeuS installations that allow easy access to the ZeuS MySQL database or the ZeuS Admin Panel of a Command&Control server; In some cases the MySQL database appear for a short time on unprotected, public webservers without even a password protection, usually in order to transfer data between different criminal groups. Some time ago I had the occasion to copy such an unprotected database and mirror the ZeuS admin panel software on my own test system. This allowed me to study the Admin interface and document it in this post, so I can reveal you details about the ZeuS internals.

First of all I give you some information and statistical data about the ZeuS C&C server concerned:

Let’s say that the ZeuS C&C server is hosted on veryevilzeusdomain.tld. The botnet has a size of 3’985 infected clients (total installations). The server is currently offline and was hosted on AS9800 (UNICOM CHINA UNICOM). The C&C server was online for 25 days (2009-02-13 until 2009-03-09). During this period, the cybercriminal has captured over 3’677’358 datasets.

Below you can see some statistical data about this ZeuS Command&Control server:

Botnet size per day

ZeuS botnet size per day

Botnet geo location

ZeuS botnet geo location
Number of captured datasets

ZeuS crimeware: Number of captured datasets

Insight ZeuS

Let’s start with the ZeuS Admin Panel. Here we go…
Normally, the ZeuS Admin Panel is located on a file called “in.php”. Example:


The login page of the ZeuS Panel looks like this:

ZeuS Admin Panel: Login page

On the login page, you can choose between two different languages: Russia and English. After a successful login, you will be redirected to the statistical summary of the ZeuS installation:

ZeuS Admin Panel: statistical summary

On this page you are able to group the infected clients (bots) to different botnets. This can be very useful. For example: You can group infected machines which have a fast internet connection to one “botnet”. You can also see some interesting data like how many logs are in the database, the time of first install and the total bot count.

On the section botnet->Online bots you can see some information about each bot which is currently online:

ZeuS Admin Panel: Online bots

The function Screenshot is quit interesting. With this function the cybercriminal is able to get a screenshot of each infected system, which is currently online. As you can see, the ZeuS trojan installs a backdoor which creates a SOCKS proxy and a Web proxy on the infected system. The cybercriminal can use these proxies to hide his identity while he access eg. the victims online banking account to steal money from them. By clicking on a proxy, the cybercriminal can get some information about the proxy (e.g. on which port the proxy is installed or whether the proxy is already used or not):

ZeuS Admin Panel: Proxy information

On the tab Remote commands the cybercrime can define commands for a hole botnet, bots from a specified country or just a single computer:


For example, such command can advise a infected client to download more malicious code:

ZeuS Admin Panel: Send commands to the infected systems (bots)

Here is a list of commands, which are available in the ZeuS crimeware:

  • block_url
  • unblock_url
  • rexeci
  • lexeci
  • delsf
  • resetgrab
  • getmff
  • delmff
  • getcert
  • addsff
  • rexec
  • lexec
  • getfile
  • upcfg
  • kos
  • On the navigation tab Logs the cybercriminal is able to start a log search. There, he can set a filter and search for a specified string and/or a specified Log typ. The Logs search has also a function to search in a specified time range. For example: Let’s start a search for FTP credentials which the ZeuS crimeware has captured on the 6. march:

    ZeuS Panel: Search for stolen FTP credentials

    Here is a list of Log types which the cybercriminal can search for:

  • any
  • HTTP
  • HTTPs
  • FTP
  • POP3
  • Grabbed data
  • Protected Storage
  • IE history
  • Other
  • As you can see, the cybercriminal is also able to search for captured HTTPS credentials:

    ZeuS Panel: Search for captured HTTPS credentials

    On the screenshot above you can see that the crimeware has already stole credentials for online services like Windows Live and Google. But the crimeware is even worse: It is able to capture credentials for Online Banking accounts from HTTPS connections and from the protected storage (Pstore):

    ZeuS Panel: Stolen credentials for online banking accounts

    Last but not least on the System settings in the navigation the cybercriminal can add / edit profiles:

    ZeuS Panel: Add / Edit profile


    The ZeuS crimeware kit is a big security issue and is still spearing thru Drive-By infections and mass spam campaigns like the spoofed Delta Air Line spam on February 09 (Link).

    If we take a look into the ZeuS Tracker, we can see over 100 ZeuS config files which are currently online. Additionally the tracker has already captured over 250 unique binaries.

  • browse ZeuS binaries
  • browse ZeuS config files
  • I highly recommend corporate networks to use the ZeuS blocklist to block malicious traffic from and to well known ZeuS C&C servers on the corporate web gateway/ firewall.


    The test system I used for the screenshots below was never connected to the internet, so no outbound network accesses occured during those tests. It was not required to enter any passwords or other credentials on any servers to obtain this copy of the database or the ZeuS admin panel software I mirrored – all of that was available for short periods of time unprotected on the net. But, as stated above, many real live ZeuS systems actually are insecure and would allow third parties to break in – events, that seem to occur regularly when botnets from one group are stolen by other groups.