Sphinx banking trojan is coded in C++ based on the ZeuS source code. It operates fully through the Tor network using a Tor hidden service. Sphinx is immune to sinkholing, blacklisting and ZeuS Tracker. You don't need bulletproof hosting when operating a Sphinx botnet, however it's still recommended.
:: Malware:
- Formgrabber and Webinjects for latest Internet Explorer, Mozilla Firefox and Tor Browser, with cookie grabber and transparent page redirect (Webfakes).
- Backconnect SOCKS, VNC.
- SOCKS 4/4a/5 with UDP and IPv6 support
- FTP, POP3 grabber
- Certificate grabber
- Keylogger
- Installation
Certificate grabber:
By intercepting Windows functions, Sphinx is able to intercept certificates when they are being used, for example, for signing a file. This is useful for getting file-signing certificates for signing your malware for bypassing all anti-virus.
Backconnect VNC:
This is the most essential feature of a banking trojan. It allows you to make money transfers right from your victim's computer. Your VNC is done on a different desktop than the victim is using, so it's completely hidden. You can steal money from the bank while the victim is playing multiplayer games or watching movies. Forget about configuring the browser, because when carding with Sphinx you don't need to. With Backconnect VNC you can also remove anti-virus/Rapport software from the victim. Port-forwarding for the victim is not required due to the use of a reverse connection.
Backconnect SOCKS:
Use your victims as a SOCKS proxy. Port-forwarding is not required due to the use of a reverse connection.
Webinjects:
Used for speeding up report gathering. With Webinjects you can change the content of a website and ask for more information. You can do such things as asking for credit-card data from the victim's PayPal/Amazon/eBay/Facebook for a successful login. Webinjects use the ZeuS format.
Webfakes:
Used to do phishing attacks without having to trick the victim into going to a fake domain. When configured for bankofamerica, the user will be transparently redirected to your phish site without changing the URL.
Installation:
At the moment, the bot is primarily designed to work under Vista/Seven, with UAC enabled, and without the use of local exploits. Therefore the bot is designed to work with minimal privileges (including the user "Guest"); in this regard the bot always works within the session of the user under which it was installed. The bot can be set up for each user in the OS, while the bots will not know about each other. When you run the bot as the "LocalSystem" user it will attempt to infect all users in the system.

When installed, the bot creates a copy of itself in the user's home directory; this copy is tied to the current user and OS, and cannot be run by another user, let alone on another OS. The original copy of the bot (used for installation) will be automatically deleted, regardless of installation success.
Communication:
The session with the server goes through a variety of processes from an internal "white list", which allows bypassing most firewalls. During the session, the bot can get the configuration, send the accumulated reports, report its state to the server and receive commands to execute on the computer. The session takes place via the HTTP protocol; all data sent by the bot and received from the server is encrypted with a unique key for each botnet.
:: Webpanel:
Sphinx command and control has not changed from ZeuS. Old ZeuS fans will be pleased to use this comfortable bot network control system again. It's coded in PHP using the mbstring and mysql extensions.

Features:
- XMPP notification
- Statistics
- Botlist
- Scripts
XMPP notification:
You can receive notifications from the Control Panel in a Jabber account. At the moment there is the possibility of receiving notifications about a user entering defined HTTP/HTTPS resources. For example, it is used to capture a user's session in an online bank.
Scripts:
You can control the bots by creating a script for them. Currently, the syntax and scripting capabilities are very primitive.
Botlist:
- Filtering the list by country, botnet, IP address, NAT status, etc.
- Displaying desktop screenshots in real time (only for bots outside NAT).
- Mass inspection of the SOCKS servers' state.
- Displays detailed information about the bots. The most important here are:
  * Windows version, user language and time zone.
  * Location and computer IP address (not for local).
  * Internet connection speed (measured by calculating the load time of a predetermined HTTP resource).
  * The first and last time of communication with the server.
  * Time online.
- Ability to set a comment for each bot.
Statistics:
- Number of infected computers.
- Current number of bots online.
- The number of new bots.
- Daily activity of bots.
- Country statistics.
- Statistics by OS.

We recommend using Internet Explorer traffic for the exploit kit to get maximal profit when using Sphinx.