== Zorenium v2 (2014 - Released January 27th 2014)==
APPLY FOR V3 BETA TESTING VIA THE CONTACT INFORMATION BELOW
***PLEASE NOTE, THE UPDATES LISTED BELOW ARE NOT THE COMPLETE FIXES***
18th March 2014 updates
[Developers wanted to carry on the project whilst I'm away]
* There's been a number of significant updates to the OS requirements on the core malware files.
* Zorenium will now run on iOS 5-7.
* Zorenium will also run on most Debian platforms as well as the latest Android & iPad tablets.
*** Please note there are one or two issues with the Debian (root) denial-of-service privilege exploit.
Thanks to (MASKED ALIAS)
: we've also updated the rootkit to a new version of the unreleased TDL4 rootkit,
(TDL-4 is a highly advanced, fourth-generation rootkit; there are only a few botnets in the world which run the TDL-3/4 rootkit, also known as Alureon. Over 4.5 million machines were infected with it in the first three months of 2011, and the botnet continued to grow after that.
It was often noted by journalists as "indestructible" in 2011, although it is removable with tools such as Kaspersky's TDSSKiller. It infects the master boot record of the target machine, making it harder to detect and remove. Major advancements include encrypting communications, decentralized controls using the Kad network, as well as deleting other malware.)
TDL + TDL 3 will still be used to drop the banking DLL files.
All core files are dropped separately, decreasing the detection ratio.
Zorenium still remains at a 0/40% detection ratio,
and the only variants of the botnet found online are the publicly made files I've done myself,
which were needed to test the bot's functions.
So individual files may be found, and also contain scrambled code, making the files obsolete.
(Worm)
Skype spammer development is now complete and fully working in stand-alone form. Using Skype APIs, yet still bypassing Skype's warning message, Zorenium will spam the entire contact list of infected hosts.
- Fully functional Ruskill: it is currently known to stop working completely on some bots (stability remains unaffected).
- Dynamic configuration: allows you to specify new server entries for existing bots to use instead of the same static entries. If dynamic entries cease to work, the bot will revert to the initial static entries.
**AntiAv Updates**
We've made a fix for the following AVs, which were denying us access to the system core after enabling the Ruskill function...
**AVS Patched**
ArcaVir
Avast!
AVG
Avira
BullGuard
Emsisoft Anti-Malware
ESET NOD32 / Smart Security (XP Only)
F-PROT
F-Secure IS
GData IS
Ikarus AV
K7 AntiVirus
Kaspersky AV/IS
Lavasoft Adaware AV
MalwareBytes Anti-Malware
McAfee
Microsoft Security Essentials
Norman AntiVirus
Norton AntiVirus (Vista+ only)
Outpost Firewall Pro
Panda AV/IS
Panda Cloud AV (Free version)
PC Tools AntiVirus
Rising AV/IS
Sophos Endpoint AntiVirus
Total Defense
Trend Micro
Vipre
Webroot SecureAnywhere AV
Windows Defender
ZoneAlarm IS
***THERE ARE STILL MORE I NEED TO ADD TO THIS DOCUMENTATION,
BUT WITH PLAYING CATCH ME IF YOU CAN WITH THE CYBER TEAM,
IT'S IMPOSSIBLE TO STAY IN ONE PLACE UPDATING THIS DOCUMENT***
STAY TUNED ***
---2014 march 1st updates
************Small updates
Just to let you know, sales are still available at the same contact information,
despite playing catch me if you can with the cyber terrorism unit in GB.
Persistence:
All bot resources (process, files & start-up) are protected from termination or removal,
with over 5 different kinds of protection modules.
Automatic restart is enabled & protection on this feature is also enforced.
FakeShutdown modules have been implemented also.
********In lame terms********
After a lot of work, testing and money spent, we can now make the victims believe their SYSTEM is being shut down on victim input.
This means Zorenium will throw fake images to make the user believe he's shutting down his machine.
Zorenium will then shut down the screen to standby mode (until the power-on button is initialized).
Whilst the user thinks he or she is shutting down their machine, we can stop (delay) the CPU fan and other fans, which will
make a racket, making the user believe his or her system is still running.
Remember this method is not 100% guaranteed to overheat the victim's computer, causing it to force shutdown.
*****************************
Built with pre-generated 256-bit AES keys, with separate keys for the SSH features.
The bot can be managed with the following protocols: IRC, HTTP & I2P.
Uses a custom string hasher & is then encrypted using steganography.
Inject:
We have found an unused and powerful way of injecting files & code into each process,
either from ring0 or ring3 (kernel, usermode).
For protection reasons, I cannot display the method of injection used by Zorenium,
as to this date the method has not been discussed, let alone detected by any type of malware before...
FormGrabbing:
When defined sites are picked out, Zorenium will save only the needed forms before they are sent out.
Data will then be displayed via the chosen C&C feature.
FormGrabber grabs from the following browsers:
---Firefox (with/without SSL)
---Internet Explorer (with/without SSL)
---Chrome (with/without SSL)
**2014***---- Added support for commonly used browsers with (without) SSL support
We also re-implemented the method of HTTP POST request capturing,
similar to the BetaBot method, and the separate process setup for the grab will allow us to interact with the end user
and escalate process privileges.
Bot Killer.
Zorenium's kill methods will remove the top ten 2013 list of malware & soon protect against
all major malware you have come across.
The BKiller scans processes on start-up and registry start-up entries for suspicious entries.
All code injected other than the bot and the installed AV (including crypted files using PE methods) will be terminated.
Banking:
All banking information is logged to a protocol/database of the buyer's choice.
We now monitor all major and low-end online banking information, and each logged datum
is encrypted with a 256-bit AES key then hashed with a private string hasher,
which is also encrypted using steganography. Please note
each encryption key is separate from the one Zorenium uses on its core.
---CHRISTMAS USERKIT4 SPECIAL ADDON---
Bot will create a new hidden user account, logging the user out of the current one whilst updates are made. Bot will then demote the current logged-on user to certain privs whilst updating `lpzsHiddenAccount` with administration privs. The explorer process is then mapped/hooked so we can trick `lpszCurrentUserLogged` into thinking he's still administrator (until an administrator task is required, i.e. Services/system file edit).
All files on the hidden account will be protected + locked, changed to system files.
Bot will also replicate a new disk drive, with the core DLLs hidden within there. With a 256-bit password, everything on the fake drive is encrypted and 100% protected from AVs; running them is a different matter, depending on detection of what file is run from the drive.
There's more which I won't state here.
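The userkit addon above describes a sequence that is visible in the Windows Security log whatever the implementation: a local account appears, is added to Administrators within moments, and the interactive user is taken out of that group. The following is an added example by the editor, not part of the original post and not Zorenium code. It correlates the three events that record those steps (4720 "a user account was created", 4732 "a member was added to a security-enabled local group", 4733 "a member was removed from a security-enabled local group"). The input is a constructed, simplified JSON-lines export; the field names `subject`, `target_user` and `group` are this example's own normalisation, not the raw event XML, and the ten-minute window is a chosen threshold.

```python
"""
Event-log correlation for the hidden-admin-account pattern. Added example by the
editor, not Zorenium code. Input is a constructed, simplified JSON-lines export of
Security events 4720/4732/4733; the field names are this example's own mapping.
"""
import json
from datetime import datetime, timedelta

ACCOUNT_CREATED = 4720        # A user account was created
MEMBER_ADDED_LOCAL = 4732     # A member was added to a security-enabled local group
MEMBER_REMOVED_LOCAL = 4733   # A member was removed from a security-enabled local group
PRIVILEGED_GROUPS = {"Administrators"}
CREATE_TO_ADMIN_WINDOW = timedelta(minutes=10)   # chosen threshold, not from the page

# Constructed sample export: one malicious sequence at 02:14, one benign helpdesk
# onboarding later the same day.
SAMPLE_EVENTS = """\
{"event_id": 4720, "time": "2014-03-01T02:14:05", "subject": "victim",   "target_user": "svc_update$", "group": null}
{"event_id": 4732, "time": "2014-03-01T02:14:07", "subject": "victim",   "target_user": "svc_update$", "group": "Administrators"}
{"event_id": 4733, "time": "2014-03-01T02:14:09", "subject": "victim",   "target_user": "victim",      "group": "Administrators"}
{"event_id": 4720, "time": "2014-03-01T09:00:00", "subject": "helpdesk", "target_user": "newhire",     "group": null}
{"event_id": 4732, "time": "2014-03-01T15:30:00", "subject": "helpdesk", "target_user": "newhire",     "group": "Remote Desktop Users"}
"""


def parse_events(text: str) -> list:
    """Parse JSON lines into dicts with real datetimes, oldest first."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        rec["time"] = datetime.fromisoformat(rec["time"])
        events.append(rec)
    return sorted(events, key=lambda e: e["time"])


def detect_hidden_admin(events: list, window: timedelta = CREATE_TO_ADMIN_WINDOW) -> list:
    """Alert on (a) an account created and added to a privileged group within `window`
    and (b) any removal from a privileged group, which is the demotion step."""
    created_at = {}
    alerts = []
    for e in events:
        eid, user, group = e["event_id"], e["target_user"], e.get("group")
        if eid == ACCOUNT_CREATED:
            created_at[user] = e["time"]
        elif eid == MEMBER_ADDED_LOCAL and group in PRIVILEGED_GROUPS:
            t0 = created_at.get(user)
            if t0 is not None and e["time"] - t0 <= window:
                alerts.append({"rule": "new-account-promoted", "user": user,
                               "by": e["subject"], "time": e["time"],
                               "delay_s": (e["time"] - t0).total_seconds()})
        elif eid == MEMBER_REMOVED_LOCAL and group in PRIVILEGED_GROUPS:
            alerts.append({"rule": "admin-demotion", "user": user, "by": e["subject"],
                           "time": e["time"],
                           # code running in the user's own session strips the user's own rights
                           "self_inflicted": e["subject"] == user})
    return alerts


if __name__ == "__main__":
    for alert in detect_hidden_admin(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

Two things to carry over to real data. In a raw 4732/4733 event the group is in `TargetUserName` and the member is identified by `MemberSid` (the `MemberName` field is often "-" for local accounts), so the forwarder has to resolve the SID before this mapping holds. The page does not say how the account is hidden; the usual Windows mechanism for keeping an account off the logon screen is a DWORD value under `HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList`, so a write there (or a periodic dump of that key) is the natural companion check.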
------------------------------------------
:::SOURCE DIR IMAGE (http://i.imgur.com/KBn0ECM.png) - Picture taken on November 15th::
Compiled with Microsoft Visual Studio 2010 using the Microsoft compiler, cl.exe.
Zorenium is written in C++, C++0x & C
Development for Zorenium started on December the 4th 2012.
Everything you're reading, and will no doubt go on to test,
works very effectively and efficiently.
---------*
Zorenium is a simple & stable banking, DDoS & worm-spreading malware bot with the ability to
hook and terminate the popular AVs and the top 10 latest malware & worms.
Zorenium is built with pre-generated 256-bit AES keys, with separate keys for the SSH features.
Strings are hashed with a custom string hasher then encrypted using steganography.
The bot can be managed with the following protocols: IRC, HTTP & I2P.
AntiAv:
Zorenium uses multiple methods of removal and can now shut down and restart over 40 different
AntiVirus / Smart security & Firewall systems.
Persistence:
All bot resources (Process, Files & Start up) Are protected from termination or removal.
With over 5 different kinds of protection modules.
Automatic restart is enabled & Protection on this feature is also enforced.
Inject:
Zorenium uses 5 types of injection methods.
For security reasons, I cannot display the method of injection.
DDOS:
5 different methods using randomized headers in HTTP DoS,
UDP, Mass Reconnect, HTTP GET, Slowloris & ACK.
FormGrabbing:
When defined sites are picked out, Zorenium will save only the needed forms before they are sent out.
Data will then be displayed via the chosen C&C feature.
FormGrabber grabs from the following browsers:
---Firefox (with/without SSL)
---Internet Explorer (with/without SSL)
---Chrome (with/without SSL)
Bot Killer.
Zorenium's kill methods will remove the top ten 2013 list of malware & soon protect against
all major malware you have come across.
The BKiller scans processes on start-up and registry start-up entries for suspicious entries.
All code injected other than the bot and the installed AV (including crypted files using PE methods) will be terminated.
Banking:
At the moment (as of December 18th) Zorenium only uses bank-stealing modules against
BSS banking, but towards 2014 we promise to deliver at least 10 different banking modules & 2 different methods of stealing that important information.
--Contact--
Project: Zorenium
Contact Info: E-MAIL Or Jabber Available Upon Request!!!
OR IRC For help/Questions: irc.voidptr.cz:6667 (+6697 SSL) Channel Name: #Z
-------------------------------------------
=+Recent updates+= December 18th(2013);
**Added support for IPv6
**Added another method for UAC bypassing; we now support Windows 8, all versions.
**Added HTTP GET & Slowloris.
**Added AntiDebug module & OSDetect features for injection method (3).
**Added unique UserID storing & retrieving methods for HTTP & p2p control.
**Modified the EnumWindows function to be its own module,
----We can now log what the user is running and virtually read what the user reads & sees,
------Screenshots can also be taken via this method.
**Modified the bitcoin miner to use less CPU.
=+November 20+ 2013 Updates+=
**Added DDoS and spread capability
**Added BTC miner
**Added mail worm with spoofed header
**Added Facebook API worm
**Added Skype worm
**Added Dreambox/Cisco router scanner (each vulnerable IP will be put into the SQL database,
where you can then control your IP lists via your designated C&C protocol)
**Added hidden banking service application & dropper for BSS Offline (MySQL (hooked))
**Added SelfINitFunction
(if the operating system is higher than Windows 7, Zorenium.exe
will drop a DLL bypassing UAC and AV; after doing so,
the bot will inject the core DLL into the defined process,
after writing/memory-mapping itself to available processes (<- for the anti(system) module))
**Added new (ESET Smart Security & ESET AntiVirus anti-modules)
**Added AntiBot module (searches mapped processes & memory for malware)
**Added botkiller module for top 10 listed malware, such names as (BetaBot, Zeus and kavos)
**Added registry monitoring (for the rootkit)
**Added rootkit install/extract & start
**Added userkit install & starter
**Added/created new injection system for the userkit
**Added Base64 / SHA256 & RC4/6 encryption.
**Fixes to HTTP system ** There was a bug in the HookConnectEx() function when the OS restarted and loaded the bot by DLL.
**Fixes to the Nix scanner ** Bug when defining more than 30 threads with OS 7
**Fixes to the antiSystem ** Bot would still load certain functions when being run sandboxed,
** Bot will now stdout a fake Microsoft Windows update notifier BIN (service, program) before self-deleting the bot's core bins
**Fixes to the BSSGrabber
*Data for the banking service application will now be sent over a secure p2p network
*Bear in mind!! No data apart from the banking & BTC data are sent between the bot and p2p network.
The binary file for this module will attempt to use the CoreAntiAV system to inject its way into
running AVs/firewalls, adding itself to exception lists.
Bin with I2P for command & control = extra 100GBP
Bin with Tor & p2p for command & control = extra 5000GBP
Zorenium (bin) price: with rootkit, miner & banking modules 2000GBP
Without the rootkit, miner & banking modules: 350GBP
_________Please note increases/decreases in price plans may vary.
---------Bitcoins are accepted!!!!!----------------------------
**************NOTE***************
IRC MODULES ARE NOT A REQUIREMENT, AND CAN BE DROPPED ON REQUEST, SAME GOES FOR THE OTHER PROTOCOLS.
=======================V2 Files
DNSQuery.cpp
ZoreniumMain.cpp
ZeusKill.cpp
ws2Hook.cpp
WinCrypt.cpp
Utils2.cpp
utils.cpp
Utilities.cpp
UserkitInstaller.cpp
Unhook.cpp
uHookKernel.cpp
UACBypass.cpp
Threadsystem.cpp
ThreadKill.cpp
TaskManager.cpp
Sysinfo.cpp
SHA256.cpp
Service.cpp
Screenshot.cpp
RootkitInstaller.cpp
RootKitExtract.cpp
Registry.cpp
PrinterExploit.cpp
PortForward.cpp
NOD32.cpp
Nixscanner.cpp
Mysql.cpp
MemoryMap.cpp
irc.cpp
IPV6Tools.cpp
CoreInject.cpp
Inject4.cpp
Inject3.cpp
Inject2.cpp
HTTPC.cpp
Hooker.cpp
SectionConfigData.cpp
ring0ToRing3.cpp
BMPConvertor.cpp
GChrome.cpp
fWuaclt.cpp
fMicrosoftBuff.cpp
fChr.cpp
fApiLoad.cpp
fService.cpp
FormGrabber.cpp
fMySQL.cpp
IRCDaemon.cpp
Fakefile.cpp
EnumWindows.cpp
DRWeb.cpp
DriverUtilitys.cpp
Dreambox.cpp
DNSChanger.cpp
dllloader.cpp
dInject.cpp
Debugger.cpp
Controljack.cpp
Config.cpp
Chrome.cpp
BSSOffline.cpp
BSSG.cpp
BotSearch.cpp
bootcrypt.cpp
BootApi.cpp
BKiller.cpp
BitCoinMiner.cpp
Base64.cpp
APIMonitor.cpp
ApiGrabber.cpp
AntiDebug.cpp
AntiAv.cpp
========================================================