Our malware analysts stumbled upon a small archive which turned out to be a ZBot construction kit. It is very simple to use. The version we found dates from the end of August this year; newer versions are already available on the malware market.
It works with simple text configuration files. Plenty of online banks and social networks are pre-configured. The generated trojan will attempt to steal login information for the configured targets. The data dump and the control server are also set in the configuration file.
Also included is a file with search strings for different online sites. With this list, the trojan tries to collect the data that is worth money on the black market.
Many popular banks and social network sites from different countries are targeted. The binary form of the configuration file, which the drones on infected computers download, is built with a simple mouse click. This way the bot herder can update the targets for his drones very easily.
The trojan binary has to be built according to this configuration so that it connects to the right servers and data dumps. This takes yet another single mouse click, and the cyber criminal has his perfectly tuned trojan.
PHP software is included even for the data dumps and the control servers, so you don’t need to know much about programming at all. Just upload those PHP files to a hacked, possibly fast-flux’ed and/or bulletproof-hosted control server, start the PHP install script, and you’re done.
In case this is all too complicated for the cyber criminal, a help file is included as well. It’s in Russian, though, rather than English like the rest of this malware construction kit.
It is amazing how sophisticated the malware and malware construction kits in the underground have become. For very little money you get everything you need to start your own botnet and steal valuable information.
Luckily, the ZBot construction kit and its generated trojans are detected by Avira products as TR/Spy.ZBot.dyy and TR/Crypt.XPACK.Gen, respectively. But only 13 of 38 antivirus products on VirusTotal warn that there’s malware – some products from major players in the antivirus market still don’t detect these old ZBots.