Build your own ZBot

Our malware analysts stumbled upon a small archive which turned out to be a ZBot construction kit. It is very simple to use. The version we found dates from the end of August this year; newer versions are already available on the malware market.

ZBot construction kit from end of August.

It works with simple text configuration files. Plenty of online banks and social networks are pre-configured. The generated trojan will attempt to steal login information for the configured targets. The data dump and the control server are also set in the configuration file.

The configuration file of the ZBot construction kit is text-based.

Also included is a file with search strings for different online sites. Using this list, the trojan tries to collect the data that is worth some bucks on the black markets.

The ZBot variant searches within the web pages for certain strings which promise valuable data.

Many popular banks and social network sites from different countries are targeted. The binary form of the configuration file, which the drones on infected computers will download, is built with a simple mouse click. This way, the bot herder can update the targets for his drones very easily.

The configuration file for the drones is fetched from an online server and gets built with a simple mouse click.

The trojan binary has to be built according to this configuration so that it connects to the right servers and data dumps. This process needs yet another single mouse click, and the cyber criminal has his perfectly tuned trojan.

The trojan gets built with another mouse click.

Even for the data dumps and the control servers, PHP software is included, so you don’t need to know much about programming at all. Just upload those PHP files to a hacked, maybe even fast-flux’ed and/or bulletproof-hosted control server, start the PHP install script, and you’re done with everything.

Comfortable command & control of the botnet and the data dump is also included in the package.

In case this is all too complicated for the cyber criminal, a help file is included as well. It is in Russian, though, unlike the rest of this malware construction kit, which is in English.

If the kit is too complicated, a Russian help file is of assistance.

It is amazing how sophisticated the malware and the malware construction kits in the underground have become by now. For very little money you get everything you need to start your own botnet and steal valuable information.

Luckily, the ZBot construction kit and its generated trojans are detected by Avira products as TR/Spy.ZBot.dyy and TR/Crypt.XPACK.Gen, respectively. But only 13 of 38 antivirus products on VirusTotal warn that this is malware; some products from major players in the antivirus market still don’t detect these old ZBots.

Dirk Knop
Technical Editor