== Zorenium v2 (2014 - Released January 27th 2014) ==
APPLY FOR V3 BETA TESTING VIA THE CONTACT INFORMATION BELOW
***PLEASE NOTE, THE UPDATES LISTED BELOW ARE NOT THE COMPLETE FIXES***
18th March 2014 updates
[Developers wanted to carry on the project whilst I'm away]
* There have been a number of significant updates to the OS requirements of the core malware files.
* Zorenium will now run on iOS 5-7. *
* Zorenium will also run on most Debian platforms, as well as the latest Android and iPad tablets. *
*** Please note there are one or two issues with the Debian (root) denial-of-service privilege exploit.
Thanks to (MASKED ALIAS)
: we've also updated the rootkit to a new version of the unreleased TDL4 rootkit.
(TDL-4 is a highly advanced, fourth-generation rootkit. There are only a few botnets in the world which run the TDL-3/4 rootkit, and the botnet that runs it is also known as Alureon. Over 4.5 million machines were infected with it in the first three months of 2011, and the botnet continued to grow after that.
It was often noted by journalists as "indestructible" in 2011, although it is removable with tools such as Kaspersky's TDSSKiller. It infects the master boot record of the target machine, making it harder to detect and remove. Major advancements include encrypting communications, decentralized control using the Kad network, as well as deleting other malware.)
TDL + TDL 3 will still be used to drop the banking DLL files.
All core files are dropped separately, decreasing the detection ratio.
Zorenium still remains at a 0/40% detection ratio.
The only variants of the botnet found online are the publicly made files I've done myself,
which were needed to test the bot's functions.
So individual files may be found, and they also contain scrambled code, making the files obsolete.
(Worm)
Skype Spammer development is now complete and is fully working in stand-alone form. Using Skype APIs, yet still bypassing Skype's warning message, Zorenium will spam the entire contact list of infected hosts.
- Fully Functional Ruskill: it is currently known to not work at all on some bots (stability remains unaffected).
- Dynamic Configuration: allows you to specify new server entries for existing bots to use instead of the same static entries. If the dynamic entries cease to work, the bot will revert to the initial static entries.
**AntiAv Updates**
We've made a fix for the following AVs, which were denying us access to the system core after enabling the Ruskill function...
**AVs Patched**
ArcaVir
Avast!
AVG
Avira
BullGuard
Emsisoft Anti-Malware
ESET NOD32 / Smart Security (XP Only)
F-PROT
F-Secure IS
GData IS
Ikarus AV
K7 AntiVirus
Kaspersky AV/IS
Lavasoft Adaware AV
MalwareBytes Anti-Malware
McAfee
Microsoft Security Essentials
Norman AntiVirus
Norton AntiVirus (Vista+ only)
Outpost Firewall Pro
Panda AV/IS
Panda Cloud AV (Free version)
PC Tools AntiVirus
Rising AV/IS
Sophos Endpoint AntiVirus
Total Defense
Trend Micro
Vipre
Webroot SecureAnywhere AV
Windows Defender
ZoneAlarm IS
***THERE ARE STILL MORE I NEED TO ADD TO THIS DOCUMENTATION,
BUT WITH PLAYING CATCH ME IF YOU CAN WITH THE CYBER TEAM,
IT'S IMPOSSIBLE TO STAY IN ONE PLACE UPDATING THIS DOCUMENT***
STAY TUNED ***
---2014 March 1st updates
************Small updates
Just to let you know, sales are still available via the same contact information,
despite playing catch me if you can with the cyber terrorism unit in GB.
Persistence:
All bot resources (process, files & start-up) are protected from termination or removal,
with over 5 different kinds of protection modules.
Automatic restart is enabled & protection of this feature is also enforced.
FakeShutdown modules have been implemented as well.
********In lame terms********
After a lot of work, testing and money spent, we can now make the victims believe their system is being shut down on victim input.
This means Zorenium will throw fake images to make the user believe he's shutting down his machine.
Zorenium will then put the screen into standby mode (until the power-on button is pressed).
Whilst the user thinks he or she is shutting down their machine, we can stop (delay) the CPU fan and other fans, which would otherwise
make a racket, making the user believe his or her system is still running.
Remember this method is not 100% guaranteed to overheat the victim's computer, causing it to force shutdown.
*****************************
Built with pre-generated 256-bit AES keys, with separate keys for the SSH features.
The bot can be managed with the following protocols: IRC, HTTP & I2P.
Uses a custom string hasher, then encrypted using steganography.
Inject:
We have found an unused and powerful way of injecting files & code into each process,
either from ring0 or ring3 (kernel, user mode).
For protection reasons, I cannot disclose the method of injection used by Zorenium,
as to this date the method has not been discussed, let alone detected, by any type of malware before...
FormGrabbing:
When defined sites are picked out, Zorenium will save only the needed forms before they are sent out.
Data will then be displayed via the chosen C&C feature.
FormGrabber grabs from the following browsers:
---Firefox (with/without SSL)
---Internet Explorer (with/without SSL)
---Chrome (with/without SSL)
**2014***---- Added support for commonly used browsers, with/without SSL support.
We also re-implemented the method of capturing HTTP POST requests,
similar to the BETAbot method, and the separate process setup for the grab will allow us to interact with the end user
and escalate process privileges.
Bot Killer.
Zorenium's kill methods will remove the top ten 2013 list of malware & will soon protect against
all major malware you have come across.
The BKiller scans processes on start-up and registry start-up entries for suspicious entries.
All code injected other than the bot and installed AV (including crypted files using PE methods) will be terminated.
Banking:
All banking information is logged to a protocol/database of the buyer's choice.
We now monitor all major and low-end online banking information, and each logged data item
is encrypted with a 256-bit AES key, then hashed with a private string hasher
which is also encrypted using steganography. Please note
each encryption key is separate from the one Zorenium uses on its core.
---CHRISTMAS USERKIT4 SPECIAL ADDON---
The bot will create a new hidden user account, logging the user out of the current one whilst updates are made. The bot will then demote the currently logged-on user to certain privs whilst updating `lpzsHiddenAccount` with administration privs. The explorer process is then mapped/hooked so we can trick `lpszCurrentUserLogged` into thinking he's still administrator (until an administrator task is required, i.e. services/system file edit).
All files on the hidden account will be protected + locked and changed to system files.
The bot will also replicate a new disk drive, with the core DLLs hidden within it; with a 256-bit password, everything on the fake drive is encrypted and 100% protected from AVs. Running them is a different matter, depending on detection of what file is run from the drive.
There's more which I won't state here.
------------------------------------------
:::SOURCE DIR IMAGE (http://i.imgur.com/KBn0ECM.png) - Picture taken on November 15th:::
Compiled with Microsoft Visual Studio 2010 using the Microsoft compiler, cl.exe.
Zorenium is written in C++, C++0x & C.
Development for Zorenium started on December the 4th 2012.
Everything you're reading, and will no doubt go on to test,
works very effectively and efficiently.
---------*
Zorenium is a simple & stable banking, DDoS & worm-spreading malware bot with the ability to
hook and terminate the popular AVs and the top 10 latest malware & worms.
Zorenium is built with pre-generated 256-bit AES keys, with separate keys for the SSH features.
Strings are hashed with a custom string hasher, then encrypted using steganography.
The bot can be managed with the following protocols: IRC, HTTP & I2P.
AntiAv:
Zorenium uses multiple methods of removal and can now shut down and restart over 40 different
antivirus / smart security & firewall systems.
Persistence:
All bot resources (process, files & start-up) are protected from termination or removal,
with over 5 different kinds of protection modules.
Automatic restart is enabled & protection of this feature is also enforced.
Inject:
Zorenium uses 5 types of injection methods.
For security reasons, I cannot disclose the method of injection.
DDoS:
5 different methods, using randomized headers in HTTP DoS:
UDP, Mass Reconnect, HTTP GET, Slowloris & ACK.
FormGrabbing:
When defined sites are picked out, Zorenium will save only the needed forms before they are sent out.
Data will then be displayed via the chosen C&C feature.
FormGrabber grabs from the following browsers:
---Firefox (with/without SSL)
---Internet Explorer (with/without SSL)
---Chrome (with/without SSL)
Bot Killer.
Zorenium's kill methods will remove the top ten 2013 list of malware & will soon protect against
all major malware you have come across.
The BKiller scans processes on start-up and registry start-up entries for suspicious entries.
All code injected other than the bot and installed AV (including crypted files using PE methods) will be terminated.
Banking:
At the moment Zorenium (as of December the 18th) only uses bank-stealing modules against
BSS banking, but towards 2014 we promise to deliver at least 10 different banking modules & 2 different methods of stealing that important information.
--Contact--
Project: Zorenium
Contact Info: E-MAIL or Jabber available upon request!!!
OR IRC for help/questions: irc.voidptr.cz:6667 (+6697 SSL) Channel Name: #Z
-------------------------------------------
=+Recent updates+= December 18th (2013);
**Added support for IPv6
**Added another method for UAC bypassing; we now support Windows 8, all versions.
**Added HTTP GET & Slowloris.
**Added AntiDebug module & OSDetect features for injection method (3).
**Added unique UserID storing & retrieving methods for HTTP & P2P control.
**Modified the EnumWindows function to be its own module:
----We can now log what the user is running and virtually read what the user reads & sees.
------Screenshots can also be taken via this method.
**Modified the Bitcoin miner to use less CPU.
=+November 20th 2013 Updates+=
**Added DDoS and spread capability
**Added BTC miner
**Added mail worm with spoofed header
**Added Facebook API worm
**Added Skype worm
**Added Dreambox/Cisco router scanner (each vulnerable IP will be put into the SQL database,
where you can then control your IP lists via your designated C&C protocol)
**Added hidden banking service application & dropper for BSS Offline (MySQL (hooked))
**Added SelfInitFunction
(if the operating system is higher than Windows 7, Zorenium.exe
will drop a DLL bypassing UAC and AV. After doing so,
the bot will inject the core DLL into the defined process,
after writing/memory-mapping itself to available processes (<- for the anti(system) module))
**Added new ESET Smart Security & ESET AntiVirus anti-modules
**Added AntiBot module (searches mapped processes & memory for malware)
**Added botkiller module for top 10 listed malware, such names as (BetaBot, Zeus and kavos)
**Added registry monitoring (for the rootkit)
**Added RootKit install/extract & start
**Added Userkit install & starter
**Added/created new injection system for the UserKit
**Added Base64 / SHA256 & RC4/6 encryption.
**Fixes to HTTP system ** There was a bug in the HookConnectEx() function when the OS restarted and loaded the bot by DLL.
**Fixes to the Nix scanner ** Bug when defining more than 30 threads with OS 7
**Fixes to the antiSystem ** The bot would still load certain functions when being run sandboxed.
** The bot will now stdout a fake Microsoft Windows Update notifier BIN (service/program) before self-deleting the bot's core bins.
**Fixes to the BSSGrabber
*Data for the banking service application will now be sent over a secure P2P network.
*Bear in mind!! No data apart from the banking & BTC data is sent between the bot and the P2P network.
The binary file for this module will attempt to use the CoreAntiAV system to inject its way into
running AV/firewalls, adding itself to exception lists.
Bin with I2P for command & control = extra 100GBP
Bin with Tor & P2P for command & control = extra 5000GBP
Zorenium (Bin) price: with rootkit, miner & banking modules 2000GBP
Without the rootkit, miner & banking modules: 350GBP
_________Please note increases/decreases in price plans may vary.
---------BitCoins are accepted!!!!!----------------------------
**************NOTE***************
IRC MODULES ARE NOT A REQUIREMENT, AND CAN BE DROPPED ON REQUEST. SAME GOES FOR THE OTHER PROTOCOLS.
=======================V2 Files
DNSQuery.cpp
ZoreniumMain.cpp
ZeusKill.cpp
ws2Hook.cpp
WinCrypt.cpp
Utils2.cpp
utils.cpp
Utilities.cpp
UserkitInstaller.cpp
Unhook.cpp
uHookKernel.cpp
UACBypass.cpp
Threadsystem.cpp
ThreadKill.cpp
TaskManager.cpp
Sysinfo.cpp
SHA256.cpp
Service.cpp
Screenshot.cpp
RootkitInstaller.cpp
RootKitExtract.cpp
Registry.cpp
PrinterExploit.cpp
PortForward.cpp
NOD32.cpp
Nixscanner.cpp
Mysql.cpp
MemoryMap.cpp
irc.cpp
IPV6Tools.cpp
CoreInject.cpp
Inject4.cpp
Inject3.cpp
Inject2.cpp
HTTPC.cpp
Hooker.cpp
SectionConfigData.cpp
ring0ToRing3.cpp
BMPConvertor.cpp
Compiling...
GChrome.cpp
fWuaclt.cpp
fMicrosoftBuff.cpp
fChr.cpp
fApiLoad.cpp
fService.cpp
FormGrabber.cpp
fMySQL.cpp
IRCDaemon.cpp
Fakefile.cpp
EnumWindows.cpp
DRWeb.cpp
DriverUtilitys.cpp
Dreambox.cpp
DNSChanger.cpp
dllloader.cpp
dInject.cpp
Debugger.cpp
Controljack.cpp
Config.cpp
Chrome.cpp
BSSOffline.cpp
BSSG.cpp
BotSearch.cpp
bootcrypt.cpp
BootApi.cpp
BKiller.cpp
BitCoinMiner.cpp
Base64.cpp
APIMonitor.cpp
ApiGrabber.cpp
AntiDebug.cpp
AntiAv.cpp
========================================================