Zeus Over Tor cannot be shut down by Spamhaus or Zeus-Tracker or any methods currently employed by organizations hell bent on removing the zeus threat. It can't be shut down because you cannot find the ip address of the hosting from the hidden service address and so thus cannot report to the hosting company that you are indeed hosting malware. Furthermore Zeus Over Tor does not require you to register a domain, you have a hidden service address and as such you can easily move your botnet within one hour and your hidden service domain cannot be shut down because with hidden service there is no domain registration. The domain is generated dynamically when you create your hidden service. This feature alone makes Zeus Over Tor the most resilient and easy to maintain financial malware currently available on the market, bar none.
Sphinx Banking Trojan - Zeus Over Tor
A trojan based on ZeuS 184.108.40.206 source-code that has been in active development for 10 months in C++ by a full-time malware developer. Sphinx uses Tor Hidden service technology to evade blacklists, zeus tracker and requirement for bulletproof hosting and domain. Tor hidden service addresses are generated automatically by Tor and are free of charge. We recommend using multiple Bridges for your command and control to improve privacy. By using Bridges your server ISP wont even know you're running Tor. Sphinx uses the latest stable Tor version (currently: 0.2.7.6) and it is injected in svchost.exe at runtime. Bot is coded to work with the lowest privilegies. It does not need UAC and works even on Guest accounts. All import table is hashed and strings are encrypted with different output for hash and strings on each version. Even with the large feature list we have made sure that Sphinx works with almost ALL crypters. Bot is packed using our own Position-independent code, self-decrypting packer. Being Position-independent code it means the crypter does not even have to handle relocations so crypting Sphinx cannot get any more easier than this but the output still requires it to have .reloc section.
Using browser hooks Sphinx is able to modify response content from the browser while still bypassing SSL certificate. Browser response content modification is done within config file which is downloaded by bot on execution and stored locally to not slow down browser. You can create Auto-tranfer-system (Avtozaliv) or simple injects to get Fullz, CC, etc. Webinjects use the familiar ZeuS format which all Inject and ATS developers are familiar with. Supported browsers are Microsoft Internet Explorer and Mozilla Firefox. Google Chrome support is coming soon.
Using browser hooks Sphinx is able to redirect a site of your choosing to your phish site transparently. This means it will still look like the legit site (even SSL certificate) but the content will be your phish site. Only Internet Explorer and Mozilla Firefox are supported. Google Chrome support is coming soon.
Using browser hooks Sphinx is able to grab ALL entered data from the browser. All grabbed data are uploaded to comamnd and control instantly with full header so you get data + full information including User-Agent. Sphinx grabbs both GET and POST, both HTTP and HTTPS. Supported browsers are Microsoft Internet Explorer, Mozilla Firefox and Google Chrome.
Before uploading grabbed data from Formgrabber, Sphinx will scan the data for possible credit-card data and validate it using luhn algorithm. Possible Credit-card will be uploaded as different Report - "Credit-card". This feature can be enabled/disabled for GET and POST requests.
Track 2 grabber
Using System Wide Injection Sphinx is able to scan local memory of every process instead of remote memory like competitor point-of-sales malware have done in the past (Dexter, Alina, etc). Scanning local memory is much faster, less resource intensive and more stealth. Unlike Dexter/Alina, Sphinx wont miss a single Track 2 because Sphinx does not scan memory as 3072 byte blocks but as whole region.
Using System Wide Injection Sphinx is able to capture all key strokes entered by the user. This feature is only active with the Formgrabber. All entered keystrokes will be uploaded to command and control with Formgrabber report. Does not use GetKeyAsyncState or SetWindowsHookEx.
Grabs cookies from Internet Explorer upon execution and reports them to command and control.
Mozilla Firefox and Google Chrome support is coming soon.
Use your bot IP address to access their accounts and do transfers. Be sure to use the User-Agent you get from Formgrabber Reports. This feature also uses the hidden service technology and will cause a firewall popup from explorer.exe on startup. Hidden service technology bypasses NAT and will not require your bots to port-forward. This feature can be disabled.
Backconnect SOCKS 4/4a/5
The option of SOCKS 4/4a/5 can be turned off and with this feature disabled does not cause a firewall popup on your bots. Tor hidden service technology is disabled for this feature and will require you to run the Backconnect server on a windows server which allows you to port-forward. Do not run the Backconnect Server on same server where you're hosting the Panel behind Tor hidden service because this feature does expose the IP address of your backconnect server to your bots.
Backconnect Hidden VNC
Use VNC to remote-control your bots to access their accounts and do transfers directly from their computer on a different hidden desktop. Tor hidden service technology is disabled for this feature and will require you to run the Backconnect server on a windows server which allows you to port-forward. Do not run the Backconnect Server on same server where you're hosting the Panel behind Tor hidden service because this feature does expose the IP address of your backconnect server to your bots. Hidden VNC currently only works properly on Windows XP and Vista. In future versions this feature will be fully working on Windows 7, 8 and 10.
Using certificate import hooks Sphinx is able to grab certificates before they are used. This is useful because it can be used for campaigns to sign your malware.
By using WinSock hooks, Sphinx is able to grab FTP and POP3 data before they even reach their destination.
[*] Windows Mail
[*] Macromedia Flash,
[*] Windows Address Book,
[*] Windows Contacts,
[*] FTP Flash Exp 3,
[*] FTP Total Commander,
[*] FTP Far Manager,
[*] FTP WinScp
[*] FTP Commander,
Launch distributed denial-of-service attacks on anything you want. Supported methods are - UDP, Rapid connect/disconnect, HTTP-GET. Both RCD and HTTP-GET support .onion targets. You can run attacks for the time of your choosing or unlimited - until bot_ddos_stop is executed.
Sphinx will inject itself in a digitally signed process before running its malicious functions such as System-wide-injection and Installation to bypass runtime detections.
Sphinx will inject itself in all running processes so it can know when a new process is created and hook it at the very very start.
Sphinx will create a folder in ProgramData under random name and copy itself from a digitally signed process to it also under a random name. It will then create a registry key in HKCU to run on every startup. The original executable is deleted. This feature can be disabled on request.
If user finds and deletes the executable held in ProgramData, it will be automatically and almost instantly written back.
IF user finds the HKCU key and deletes it, it will be automatically and almost instantly written back.
Winsock is used to communicate with command and control and to download config.
Files are downloaded using WinSock and dropped in Temp and executed using WriteFile and CreateProcess respectively. Onion addresses are supported.
Same as Download-Execute but after execution bot will remove itself.
Bot will remove itself.
#~:Panel Feature List
You can see in a graph the following information - Bots by country, Bots, Bots by Operating System, Online Bots, Total Bots, Total Reports, Total active bots in 24 hours.
You can also split botnets by botnet name and see individual statistics for each botnet.
You can filter botlist by botnet names, specifical bots, Ip addresses and countrys. Also NAT status, show only online bots, only new bots, used status and comment. The botlist shows the following information - Bot ID, Botnet name, Version, IPv4, Hidden Service (for SOCKS), Country, Online time, Latency and Comment.
You can select individual or all bots and check all their SOCKS if they are working with a single click. You can create a command for selected bots. You can view Today reports. You can see last 7 days reports. You can see their full information and full information with current screenshot. The screenshot feature only works if you have enabled SOCKS in your build and user has hit "Allow" for firewall.
The full information page shows the following information - Bot ID, Botnet name, OS version, OS language, GMT, Country, IPv4, Hidden Service address, Latency, SOCKS port, Time of first report, Time of last report, Online time, if its In the list of new bots, if its in list of used and comment. In this same page you can create a comment for the bot. And of course the screenshot.
You can Enable/Disable active commands and reset them. You can create new commands. You can see the current commands by their name, status(Enabled/Disabled), Creation time, Limit of sends(amount of bots that will execute it), Sended, Executes and Errors (bot reports if command failed).
You can create a command for specific bots, specific botnet names, specific countrys, you can limit the amount of bots that will execute it.
You can view all your reports starting from Formgrabber and ending with Track 2 data. The form grabber data retrieval menu is seperated by HTTP GET, HTTP POST, HTTPS GET, HTTPS POST.
You can filter the search by Date (from, to), Bots, Botnets, IP Addresses and Countrys. You can search for a string and also filter by type of report.
Reports can be shown as plain text or normal - Bot name + IP + URL.
Use this feature to get announcements when a bot enters a site of your choosing on your jabber.
This feature requires you to setup an account on some jabber server and enter the details + your contact jabber.
Price $800.00 USD
You can purchase Sphinx using only Bitcoin.
Jabber: email@example.com firstname.lastname@example.org email@example.com