Remote Administration Tool Zeus BotNet –> (RAT)



Zeus is a Trojan horse that steals banking information by man-in-the-browser keystroke logging and form grabbing. Zeus is spread mainly through drive-by downloads and phishing schemes. First identified in July 2007 when it was used to steal information from the United States Department of Transportation, it became more widespread in March 2009. In June 2009, security company Prevx discovered that Zeus had compromised over 74,000 FTP accounts on websites of such companies as the Bank of America, NASA, Monster.com, ABC, Oracle, Play.com, Cisco, Amazon, and BusinessWeek.

In late 2010, a number of Internet security vendors including McAfee and Internet Identity claimed that the creator of Zeus had said that he was retiring and had given the source code and rights to sell Zeus to his biggest competitor, the creator of the SpyEye trojan. However, those same experts warned the retirement was a ruse and expected the cracker to return with new tricks. As of 13 May 2011, the source code and compiled binaries are found to be hosted on GitHub.

Required to launch the bot:

1. Remote Administration Tool (RAT) Zeus BotNet

2. Web server + database server (in this example we use XAMPP)

Remote Administration Tool (RAT) Zeus BotNet:

1. First, install the web server and database server. Since we're using XAMPP, make sure the XAMPP Apache and MySQL services are started and running.

2. Open the internet browser and go to http://localhost/phpmyadmin. Enter the username and password; by default the username is root and the password is left empty. After that, create a new database. I named it bot, but you can change it to whatever you want. This database name will be used for the installation of the remote administration tool.


3. Next, download the remote administration tool file and extract it; you will find 3 main folders: builder, other, and server[php]. Create a new folder inside C:\xampp\htdocs. I named the folder bot. Then copy the server[php] contents into C:\xampp\htdocs\bot.


4. Now go back to the web browser and type http://localhost/bot/install into the address bar. Fill in all required fields with the correct information.


Information:

- The host address for MySQL is your database server IP address. If you run XAMPP, it should be your IP address.


- Database is the name of the database already created in step 2.

- The encryption key can be any characters, with a length from 1 to 255.

Click Install to start installing.

Note: If you get this error:

ERROR:Failed connect to MySQL server: Host ‘myusername’ is not allowed to connect to this MySQL server

do the following, step by step:

a. Open phpMyAdmin at http://localhost/phpmyadmin and click the Privileges tab. Click the edit button to edit the root user privileges.


b. On the edit user page, scroll down to the login information section. Change the Host from localhost to Any host and press the Go button.


5. This is the information shown if the Zeus remote administration tool web server was installed successfully.


6. The next step is configuring and creating the Zeus bot client. Open the builder folder and open the config.txt configuration file. Change the url_config, url_loader and url_server settings according to your setup; you can see my settings in the picture below.


Note: don’t forget to edit the path of webinjects.txt.

7. Next, open the zsb.exe file. In the picture below I've already laid out the step-by-step process to build the bot executable. Just follow the steps.


8. After building the bot config and bot executable in step 7, we have the new files config.bin and bot.exe. Copy those two files into the htdocs folder. Mine was C:\xampp\htdocs\bot.


9. Now let's say we send the generated bot.exe to the victim. After the victim executes the file, we can check our attacker server. Open the browser, go to http://localhost/bot/cp.php and enter your username and password.


10. We can see the newly infected victim in the web interface and even view a screenshot of the victim's desktop.


Conclusion:

1. Once a victim is infected, the attacker can gather a great deal of information from the victim, including all internet activity and even website usernames and passwords, since this tool can act as a key logger and capture login information.

2. To prevent an attack by this trojan, always keep your operating system and anti-virus updated, and do not click any suspicious-looking link in your mail or chat messenger.

Hope it's useful.
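On the detection side, the layout in step 8 (a config blob and a bot executable served from one web folder) leaves a pattern in proxy logs. The following is an added example, not part of the original post or of any Zeus tooling: it flags clients that successfully fetched both a `.bin` and an `.exe` from the same directory on the same host. The log format, sample lines and confidence labels are constructed assumptions, as is the reading that infected clients fetch both files over HTTP.

```python
from collections import defaultdict
from posixpath import basename, dirname
from urllib.parse import urlsplit

# Default file names from step 8 of the tutorial; operators can rename them.
CONFIG_NAME, LOADER_NAME = "config.bin", "bot.exe"

# Constructed sample lines in an assumed format: client method url status
SAMPLE_LOG = """\
10.0.0.21 GET http://203.0.113.5/bot/config.bin 200
10.0.0.21 GET http://203.0.113.5/bot/bot.exe 200
10.0.0.34 GET http://example.org/downloads/setup.exe 200
10.0.0.47 GET http://198.51.100.9/files/config.bin 404
10.0.0.52 GET http://192.0.2.77/img/cfg.bin 200
10.0.0.52 GET http://192.0.2.77/img/update.exe 200
this line is malformed and must be skipped
"""

def parse_line(line):
    """Return (client, method, host, path, status), or None if malformed."""
    parts = line.split()
    if len(parts) != 4 or not parts[3].isdigit():
        return None
    try:
        url = urlsplit(parts[2])
    except ValueError:
        return None
    if not url.hostname:
        return None
    return parts[0], parts[1], url.hostname.lower(), url.path, int(parts[3])

def find_suspects(log_text):
    """Flag (client, host, dir) where a .bin and an .exe were both fetched OK."""
    seen = defaultdict(set)
    for rec in filter(None, map(parse_line, log_text.splitlines())):
        client, method, host, path, status = rec
        name = basename(path).lower()
        if method == "GET" and status == 200 and name.endswith((".bin", ".exe")):
            seen[(client, host, dirname(path))].add(name)
    hits = []
    for (client, host, directory), names in sorted(seen.items()):
        has_both = (any(n.endswith(".bin") for n in names)
                    and any(n.endswith(".exe") for n in names))
        if has_both:
            # Exact default names are a stronger signal than the extension pair.
            exact = {CONFIG_NAME, LOADER_NAME} <= names
            hits.append({"client": client, "host": host, "dir": directory,
                         "confidence": "high" if exact else "medium"})
    return hits
```

A single `.exe` download or a failed config fetch is not flagged; only the pair from one directory is, which keeps ordinary installer downloads out of the results.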
