Guest User

Betabot & Zorenium source leak

a guest
Mar 18th, 2014
2,733
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 14.36 KB | None | 0 0
  1. == Zorenium v2 (2014 - Released January 27th 2014)==
  2. APPLY FOR V3 BETA TESTING VIA THE CONTACT INFORMATION BELOW
  3.  
  4. ***PLEASE NOTE, THE UPDATES LISTED BELOW ARE NOT THE COMPLETE FIXES***
  5. 18th March 2014 updates
  6. [Developers wanted to carry on the project whilst im away]
  7. *
  8. * There’s been a number of significant updates too the OS requirements on the core malware files,
  9. * Zorenium will now run on Ios 5-7 *
  10. * Zorenium will also run on most debian platforms as well as * the latest android * ipad tablets,
  11. *** Please note there is one or two issues with the debian (Root) Denial of service privilege exploit
  12.  
  13.  
  14. Thanks to (MASKED ALIAS)
  15. : we’ve also updated the rootkit, too a new version of the unreleased - TDL4 rootkit,
  16.  
  17. (TDL-4 is a highly advanced, fourth generation rootkit found theres only a few botnets in the world which run the TDL-3/4 Rootkit and the name of the rootkit that runs the botnet (also known as Alureon). Over 4.5 million machines were infected with it in the first three months of 2011, and the botnet continued to grow after that.
  18. It was often by noted by journalists as "indestructible" in 2011, although it is removable with tools such as Kaspersky's TDSSKiller. It infects the master boot record of the target machine, making it harder to detect and remove. Major advancements include encrypting communications, decentralized controls using the Kad network, as well as deleting othermalware.)
  19.  
  20. TDL + TDL 3 Will still be used to drop the banking dll files,
  21. All core files are dropped separately. Decreasing detection ratio.
  22.  
  23. Zorenium still remains at an 0/40% detection ratio.
  24. And the only varients of the botnet found online are the publicly made files I’ve done my self
  25. Which was needed to test the bots functions.
  26. So individual files may be found, and also contain scrambled code. Making the files obselate.
  27.  
  28. (Worm)
  29. Skype Spammer Development is now complete and is fully working in stand alone form. Using Skype APIs, yet still bypassing Skype’s warning message, zorenium will spam the entire contact list of infected hosts.
  30. - Fully Functional Ruskill It currently is known to ignore working completely on some bots (stability remains unaffected).
  31. - Dynamic Configuration Allows you to specify new server entries for existing bots to use instead of the same static entries. If dynamic entries cease to work, will revert back to initial static entries.
  32. **AntiAv Updates**
  33. We’ve made a fix to the following av’s which was denying us access to the system core after enabling the ruskill function…
  34. **AVS Patched**
  35. ArcaVir
  36. Avast!
  37. AVG
  38. Avira
  39. BullGuard
  40. Emsisoft Anti-Malware
  41. ESET NOD32 / Smart Security (XP Only)
  42. F-PROT
  43. F-Secure IS
  44. GData IS
  45. Ikarus AV
  46. K7 AntiVirus
  47. Kaspersky AV/IS
  48. Lavasoft Adaware AV
  49. MalwareBytes Anti-Malware
  50. McAfee
  51. Microsoft Security Essentials
  52. Norman AntiVirus
  53. Norton AntiVirus (Vista+ only)
  54. Outpost Firewall Pro
  55. Panda AV/IS
  56. Panda Cloud AV (Free version)
  57. PC Tools AntiVirus
  58. Rising AV/IS
  59. Sophos Endpoint AntiVirus
  60. Total Defense
  61. Trend Micro
  62. Vipre
  63. Webroot SecureAnywhere AV
  64. Windows Defender
  65. ZoneAlarm IS
  66. ***THERE ARE STILL MORE I NEED TO ADD TO THIS DOCUMENTION,
  67. BUT WITH PLAYING CATCH ME IF YOU CAN WITH THE CYBER TEAM,
  68. ITS IMPOSSIBLE TO STAY IN ONE PLACE UPDATING THIS DOCUMENT***
  69. STAY TUNED ***
  70.  
  71.  
  72. ---2014 march 1st updates
  73.  
  74. ************Small updates
  75. Just to let you know, sales are still available to the same contact information,
  76. Despite playing catch me if you can with the cyber terrorism unit in the GB.
  77.  
  78.  
  79. Persistence:
  80. All bot resources (Process, Files & Start up) Are protected from termination or removal.
  81. With over 5 different kinds of protection modules.
  82. Automatic restart is enabled & Protection on this feature is also enforced
  83. FakeShutdown Modules have been implemented also.
  84.  
  85.  
  86. ********In lame terms********
  87. After alot of work, testing and money spent. We can now make the victims believe there SYSTEM is being shutdown on victim input,
  88. Thus means zorenium will throw fake images to make the user believe hes shutting down his machine.
  89.  
  90. Zorenium will then shut down the screen to standby mode ( until the Poweron button is initialized )
  91. Whilst the user thinks he or she is shutting down there machine, we can stop (Delay) the CPU Fan, and other fans, which will
  92. make a racket making the user believe his or her system is still running.
  93.  
  94. remember this method is not 100% Guaranteed to overheat the victims computer, causing it to force shutdown
  95. *****************************
  96.  
  97. built with pre-generated 256 bit AES keys with Separate keys for the ssh features
  98. The bot Can be managed with the following protocols: IRC , HTTP & i2p.
  99.  
  100. Uses custom string hasher & Then encrypted using stenography
  101.  
  102.  
  103. Inject:
  104. We have found an unused and powerful way of injection file & Code into each process
  105. either from ring0 or ring3 (kernel, usermode)
  106.  
  107. For protection reasons, I Can not display the method of injection used by zorenium,
  108. as to this date the method as not been discussed yet alone detected by any type of malware before...
  109.  
  110. FormGrabbing:
  111. When defined sites are picked out Zorenium will save only needed forms before they are sent out.
  112. Data will then be displayed via the Chosen C&C feature.
  113. FormGrabber grabs from the following browsers::
  114. ---Firefox(W/Without SSL)
  115. ---Iexplorer(W/Without SSL)
  116. ---Chrome(W/Without SSL)
  117. **2014***---- Added support for commonly used browsers With(with out) SSL Support
  118. We also re-implemented the method of HTTP Post Requests capturing,
  119. Similar to the BETAbot method, And the seperate process setup for the grab will allow us to interact with the end-user,
  120. and escalate process privileges.
  121.  
  122. Bot Killer.
  123. Zoreniums kill methods will remove the top ten 2013 list of malwares & Soon to protect against
  124. All major malware you have come across.
  125. The BKiller scans process on start up and on registry start up for suspicious entries
  126. All code injected other then the bot and installed AV (Including crypted files using PE Methods) Will be terminated.
  127.  
  128. Banking:
  129. All banking information are logged too a protocol/database of the buyers choice,
  130. We now monitor all major and low end online banking information, And each logged data
  131. is encrypted with a 256 bit AES Key then hashed with a private string hasher
  132. which is also encrypted using stenography, Please note
  133. each encryption key is seperate from the one zorenium uses on its core.
  134.  
  135.  
  136.  
  137. ---CHRISTMAS USERKIT4 SPECIAL ADDON---
  138. Bot will create new hidden user account, logging the user out of the current whilst updates are made. bot will then depremote the current logged on user to certain privs whilst updating `lpzsHiddenAccount` with administration privs, The explorer's process is then mapped/hooked so we can trick `lpszCurrentUserLogged` into thinking hes still administrator, (until administrator task is required. I.E Services/System file edit)
  139. All file's on the hidden account will be protected + locked, changed to system files,
  140. Bot will also replicate a new Disk drive, with the core'dlls hidden within there, with a 256bit password everything on the fakedrive is encrypted and 100% Protected from av's, Running them is a different matter depending on detection of what file is ran from the drive.
  141. There's more which i wont state here,
  142.  
  143. ------------------------------------------
  144.  
  145.  
  146. :::SOURCE DIR IMAGE (http://i.imgur.com/KBn0ECM.png) - Picture taken on November 15th::
  147. Compiled with Microsoft Visual Studio 2010 using the Microsoft compiler, cl.exe.
  148. Zorenium is written in C++, C++0x & C
  149. Development for Zorenium started on December the 4th 2012.
  150. Everything your reading, And will no doubt go on to testing,
  151. Works very effectively and efficiently..
  152. ---------*
  153.  
  154.  
  155. Zorenium is a simple & stable Banking, DDoS & Worm spreading malware bot with abilities to
  156. Hook and terminate the popular AVs and top 10 latest malware & worms,
  157. Zorenium is built with pre-generated 256 bit AES keys with Separate keys for the ssh features
  158. Strings are hashed with a custom string hasher then encrypted using stenography.
  159. The bot Can be managed with the following protocols: IRC , HTTP & i2p.
  160.  
  161. AntiAv:
  162. Zorenium uses multiple methods of removal and can now shut down and restart over 40 different
  163. AntiVirus / Smart security & Firewall systems.
  164.  
  165. Persistence:
  166. All bot resources (Process, Files & Start up) Are protected from termination or removal.
  167. With over 5 different kinds of protection modules.
  168. Automatic restart is enabled & Protection on this feature is also enforced.
  169.  
  170. Inject:
  171. Zorenium uses 5 types of injection methods,
  172. For security reasons, I Can not display the method of injection.
  173.  
  174. DDOS:
  175. 5 Different methods using randomized headers in HTTP DoS,
  176. UDP, Mass Reconnect, HTTPGet, Slowloris & ACK
  177.  
  178. FormGrabbing:
  179. When defined sites are picked out Zorenium will save only needed forms before they are sent out.
  180. Data will then be displayed via the Chosen C&C feature.
  181. FormGrabber grabs from the following browsers::
  182. ---Firefox(W/Without SSL)
  183. ---Iexplorer(W/Without SSL)
  184. ---Chrome(W/Without SSL)
  185.  
  186.  
  187. Bot Killer.
  188. Zoreniums kill methods will remove the top ten 2013 list of malwares & Soon to protect against
  189. All major malware you have come across.
  190. The BKiller scans process on start up and on registry start up for suspicious entries
  191. All code injected other then the bot and installed AV (Including crypted files using PE Methods) Will be terminated.
  192.  
  193. Banking:
  194. At the moment Zorenium as of (December the 18th) Only uses bank stealing modules against
  195. BSS Banking But towards 2014 we promise to deliver at least 10 Different banking modules & 2 Different methods of Stealing that important information.
  196.  
  197.  
  198.  
  199. --Contact--
  200. Project: Zorenium
  201. Contact Info: E-MAIL Or Jabber Available Upon Request!!!
  202. OR IRC For help/Questions: irc.voidptr.cz:6667 (+6697 SSL) Channel Name: #Z
  203.  
  204.  
  205.  
  206. -------------------------------------------
  207. =+Recent updates+= December 18th(2013);
  208.  
  209. **Added support for ipv6
  210. **Added Another method for UACBypassing, we now support windows 8 all versions.
  211. **Added HTTPGet & SlowLaris.
  212. **Added AntiDebug Module & OSDetect Features for injection method(3).
  213. **Added unique UserID Storing & Retrieving methods for HTTP & p2p Control.
  214. **Modified EnumWindows Function to be its own module,
  215. ----We can now log what the user is running and virtually read what the user reads & sees,
  216. ------Screenshots can also be taken via this method also.
  217. **Modified the bitCoin Miner to use less CPU usage.
  218.  
  219.  
  220.  
  221. =+November 20+ 2013 Updates+=
  222.  
  223. **Added DDoS and Spread capability
  224.  
  225. **Added BTC miner
  226.  
  227. **Added Mailworm with spoofed header
  228. **Added Facebook API worm,
  229. **Added Skype worm
  230. **Added Dreambox/Cisco Router Scanner (each ip vuln will be put into the sql database,
  231. where then you can control your ip lists via your designated C&C Protocol)
  232.  
  233. **Added hidden banking service application & Dropper for BSS Offline (mysql(Hooked))
  234.  
  235. **Added SelfINitFunction
  236. (if operating system higher then windows 7 Zorenium.exe
  237. will drop a dll bypassing UAC and AV, After doing so,
  238. Bot will Inject the coreDll into defined proccess,
  239. After Writing/Memory mapping its self to available processes(<- For the anti(system) Module))
  240.  
  241. **Added New (Eset SmartSecurity & Eset AntiVirus AntiModules)
  242. **Added AntiBot Module (Searches mapped processes & Memory for malware)
  243. **Added botkiller module for top 10 listed malware, Such names as (BetaBot,Zeus and kavos)
  244.  
  245. **Added Registry monitoring (For the rootkit)
  246. **Added RootKit Install/Extract & Start
  247. **Added Userkit Install & Starter
  248. **Added Created New injection system for the UserKit
  249.  
  250. **Added Base64 / Sha256 & RC4/6 Encryption.
  251.  
  252. **Fixes to HTTP System ** Was a bug on the HookConnectEx() Function when os restarted and loaded the bot by dll.
  253. **Fixes to the Nix scanner ** Bug when defining more then 30 Threads with os 7
  254. **Fixes to the antiSystem ** Bot would still load certain functions when being ran via sandboxed,
  255. ** Bot will now stdout a fake microsoft windows update notifier BIN(Service,Program Before self deleting the bots core bins)
  256.  
  257. **Fixes to the BSSGrabber
  258. *Data for the banking service application will now be sent over a secure p2p network
  259. *Bare in mind!! No data apart from the banking & BTC Data are sent between the bot and p2p network.
  260. The Binary file for this module will attempt to use the CoreAntiAV System to inject its way into
  261. Running av/firewalls adding itself to exception lists,
  262.  
  263. Bin With i2p for command & control = Extra 100GBP
  264. Bin With tor & p2p For command & control = Extra 5000GBP
  265.  
  266. Zorenium(Bin) Price: With rootkit, Miner & Banking modules 2000GBP
  267. Without The rootkit, Miner & Banking modules: 350GBP
  268. _________Please note increase/decrease in price plans may vary.
  269. ---------BitCoins are accepted!!!!!----------------------------
  270.  
  271. **************NOTE***************
  272. IRC MODULES ARE NOT A REQUIREMENT, AND CAN BE DROPPED ON REQUEST, SAME GOES FOR THE OTHER PROTOCOLS.
  273. =======================V2 Files
  274. DNSQuery.cpp
  275. ZoreniumMain.cpp
  276. ZeusKill.cpp
  277. ws2Hook.cpp
  278. WinCrypt.cpp
  279. Utils2.cpp
  280. utils.cpp
  281. Utilities.cpp
  282. UserkitInstaller.cpp
  283. Unhook.cpp
  284. uHookKernel.cpp
  285. UACBypass.cpp
  286. Threadsystem.cpp
  287. ThreadKill.cpp
  288. TaskManager.cpp
  289. Sysinfo.cpp
  290. SHA256.cpp
  291. Service.cpp
  292. Screenshot.cpp
  293. RootkitInstaller.cpp
  294. RootKitExtract.cpp
  295. Registry.cpp
  296. PrinterExploit.cpp
  297. PortForward.cpp
  298. NOD32.cpp
  299. Nixscanner.cpp
  300. Mysql.cpp
  301. MemoryMap.cpp
  302. irc.cpp
  303. IPV6Tools.cpp
  304. CoreInject.cpp
  305. Inject4.cpp
  306. Inject3.cpp
  307. Inject2.cpp
  308. HTTPC.cpp
  309. Hooker.cpp
  310. SectionConfigData.cpp
  311. ring0ToRing3.cpp
  312. BMPConvertor.cpp
  313. Compiling...
  314. GChrome.cpp
  315. fWuaclt.cpp
  316. fMicrosoftBuff.cpp
  317. fChr.cpp
  318. fApiLoad.cpp
  319. fService.cpp
  320. FormGrabber.cpp
  321. fMySQL.cpp
  322. IRCDaemon.cpp
  323. Fakefile.cpp
  324. EnumWindows.cpp
  325. DRWeb.cpp
  326. DriverUtilitys.cpp
  327. Dreambox.cpp
  328. DNSChanger.cpp
  329. dllloader.cpp
  330. dInject.cpp
  331. Debugger.cpp
  332. Controljack.cpp
  333. Config.cpp
  334. Chrome.cpp
  335. BSSOffline.cpp
  336. BSSG.cpp
  337. BotSearch.cpp
  338. bootcrypt.cpp
  339. BootApi.cpp
  340. BKiller.cpp
  341. BitCoinMiner.cpp
  342. Base64.cpp
  343. APIMonitor.cpp
  344. ApiGrabber.cpp
  345. AntiDebug.cpp
  346. AntiAv.cpp
  347. ========================================================
  348. ========================================================
  349. ========================================================
  350. ========================================================
  351. --
Add Comment
Please, Sign In to add comment