Guest User


a guest
Aug 31st, 2015
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
text 4.91 KB | None | 0 0
  1. Sphinx banking trojan is coded in C++ based on ZeuS source-code. It
  2. operates fully through the Tor network using Tor hidden service. Sphinx
  3. is immune to sinkholing, blacklisting and ZeuS tracker. You don't need
  4. bulletproof hosting when operating a Sphinx botnet however its still
  5. recommended.
  7. :: Malware:
  8. - Formgrabber and Webinjects for latest Internet Explorer, Mozilla
  9. Firefox and Tor Browser with cookie grabber and transparent page
  10. redirect(Webfakes).
  11. - Backconnect SOCKS, VNC.
  12. - Socks 4/4a/5 with UDP and IPv6 support
  13. - FTP, POP3 grabber
  14. - Certificate grabber
  15. - Keylogger
  16. - Installation
  18. Certificate grabber:
  19. By intercepting windows functions, Sphinx is able to intercept
  20. certificates when they are being used, for example, for signing a file.
  21. This is useful for getting file-signing certificates for signing your
  22. malware for bypassing all anti-virus
  24. Backconnect VNC:
  25. This is the most essential feature of a banking trojan. It allows you
  26. to make money transfers right from your victims computer. Your VNC is
  27. done on a different desktop than victim is using so its completely
  28. hidden. You can steal money from bank while victim is playing
  29. multiplayer games or watching movies. Forget about configuring browser,
  30. because when carding with Sphinx you don't need to. With Backconnect
  31. VNC you can also remove anti-virus/rapport software from victim. Port-
  32. forwarding for victim is not required due to use of Reverse connection.
  34. Backconnect SOCKS:
  35. Use your victims as a SOCKS proxy. Port-forwarding is not required due
  36. to use of Reverse connection.
  38. Webinjects:
  39. Used for speeding up report gathering. With Webinjects you can change
  40. the content of website and ask more information. You can do such things
  41. as asking for credit-card data from victims PayPal/Amazon/Ebay/Facebook
  42. for successful login. Webinjects use ZeuS format.
  44. Webfakes:
  45. Used to do phishing attacks without having to trick victim in to going
  46. in to a fake domain. When configured for bankofamerica, user will be
  47. transparently redirected to your phish site without changing url.
  49. Installation:
  50. At the moment, the bot is primarily designed to work under Vista/Seven,
  51. with enabled UAC, and without the use of local exploits. Therefore the
  52. bot is designed to work with minimal privileges (including the user
  53. "Guest"), in this regard the bot is always working within sessions per
  54. user (from under which you install the bot.). Bot can be set for each
  55. use in the OS, while the bots will not know about eachother. When you
  56. run the bot as "LocalSystem" user it will attempt to infect all users
  57. in the system.
  59. When you install, bot creates its copy in the user's home directory,
  60. this copy is tied to the current user and OS, and cannot be run by
  61. another user, or even more OS. The original copy of the same bot (used
  62. for installation), will be automatically deleted, regardless of the
  63. installation success.
  65. Communication:
  66. Session with the server through a variety of processes from an internal
  67. "white list" that allows you to bypass most firewalls. During the
  68. session, the bot can get the configuration to send the accumulated
  69. reports, report their condition to the server and receive commands to
  70. execute on the computer. The session takes place via HTTP-protocol, all
  71. data sent by a bot and received from the server is encrypted with a
  72. unique key for each botnet.
  76. :: Webpanel:
  77. Sphinx command and control has not changed from ZeuS. Old ZeuS fans
  78. will be pleased to use again this comfortable bot network control
  79. system. Its coded in PHP using extensions mbstring and mysql.
  81. Features:
  82. - XMPP notification
  83. - Statistics
  84. - Botlist
  85. - Scripts
  87. XMPP notification:
  88. You can receive notifications from the Control Panel in the Jabber-
  89. account.
  91. At the moment there is a possibility of receiving notifications about a
  92. user entering a defined HTTP/HTTPS-resources. For example, it is used
  93. to capture user session in an online bank.
  95. Scripts:
  96. You can control the bots by creating a script for them. Currently,
  97. syntax and scripting capabilities, are very primitive.
  99. Botlist:
  100. - Filtering the list by country, botnets, IP-addresses, NAT-status,
  101. etc.
  102. - Displaying desktop screenshots in real time (only for bots outside
  103. NAT).
  104. - Mass inspection of the Socks-servers state.
  105. -Displays detailed information about the bots. Of the most important
  106. here are:
  107. * Windows version, user language and time zone.
  108. * Location and computer IP-address (not for local).
  109. * Internet connection speed (measured by calculating the load
  110. time of a predetermined HTTP-resource).
  111. * The first and last time of communication with the server.
  112. * Time in online.
  113. - Ability to set comment for each bot.
  115. Statistics:
  116. - Number of infected computers.
  117. - Current number of bots in the online.
  118. - The number of new bots.
  119. - Daily activity of bots.
  120. - Country statistics.
  121. - Statistics by OS.
  124. We recommend using Internet Explorer traffic for exploit-kit to get
  125. maximal profit when using Sphinx.
Add Comment
Please, Sign In to add comment