- Thanks sami ( http://www.opensc.ws/trojan-malware-samples/14648-zeus-source-code-10.html#post128913 ).
- 3rd paragraph:
- Setting up the bot
- Step by step installation:
- 1) From your build package, run the file 'local\cp.exe'; it is the
- builder of the configuration file and the bot.
- 2) Open 'Builder'. Click 'Browse' and select the source configuration
- file, named 'local\config.txt'.
- 3) Click 'Edit config'; a text editor should start as a result.
- Edit the file as follows:
- First:
- The source configuration file is a text file in Windows encoding and is
- needed only to create the final configuration file (which is a binary
- file loaded by the bot) and the bot itself. In your build package a
- sample configuration file should be located in the folder 'local' and be
- named config.txt. The file can be opened in any text editor such as
- Notepad.
- The file consists of records, one record per line. A record consists of
- parameters; the first parameter usually defines the name of the record
- (but not always: for example, when the record is an enumeration of some
- data, there is no name). Parameters are separated by spaces; if a
- parameter itself contains a space or a tab, it must be enclosed in double
- quotes ("), and the same applies to the name. The number of parameters is
- not limited. If the record has a name, it is read case-insensitively.
- Examples:
- username Kot Matroskin
- record name - username, parameter 1 - Kot, parameter 2 - Matroskin.
- username "James" "Bond"
- record name - username, parameter 1 - James, parameter 2 - Bond.
- username "Volodia Putin"
- record name - username, parameter 1 - Volodia Putin.
- "url" "http://sex.com/" index.php
- record name - url, parameter 1 - http://sex.com/, parameter 2 - index.php
- There are also special record names that let you divide the
- configuration file into as many sections as you like, and these may in
- turn contain any number of subsections and records. They are called
- sections and consist of the record name entry and a parameter defining
- the section name (this parameter is also case-insensitive); the end of a
- section is marked by the record end. Further in the documentation, a
- record belonging to a section is written with "->". I.e. the record
- named username in the section userdata is written as
- userdata->username, etc.
- Examples:
- entry "userdata"
-   fname "petia"
-   lname "lolkin"
- end
- entry compdata
-   name "pcvasya"
-   entry devices - section contents; an example where the records have no name, just an enumeration of devices.
-     cdrom
-     "hdd"
-     fdd
-   end
- end
- It is also possible to insert comments; a comment must be on a separate
- line and begin with ";". If the first parameter of a record itself
- begins with ";", that parameter must be enclosed in quotation marks.
- Examples:
- ; Hello.I think that I'm hero!
- ; How are you - this is not a record
- "; I love you" - but this is a record.
- Second:
- Configuration file records
- The file consists of two sections, StaticConfig and DynamicConfig.
- StaticConfig: the values of this section are written directly into the
- bot file, i.e. into the exe, and define the basic behaviour of the bot on
- the victim's computer.
- Depending on your build, some parameters may have no meaning for you;
- all significant parameters are given in the example attached to the
- build package.
- botnet [string] - specifies the name of the botnet to which the bot belongs.
- string - the name of the botnet, up to 4 characters, or 0 for the
- default value.
- Recommended value: botnet 0
- timer_config [number1] [number2] - defines the time intervals at which
- updates of the configuration file are fetched.
- number1 - time in minutes after which the configuration file is
- updated, if the previous download succeeded.
- number2 - time in minutes after which the configuration file is
- updated, if the previous download failed.
- Recommended value: timer_config 60 5
- timer_logs [number1] [number2] - defines the time intervals at which
- the accumulated logs are sent to the server.
- number1 - time in minutes after which logs are sent, if the previous
- send succeeded.
- number2 - time in minutes after which logs are sent, if the previous
- send failed.
- Recommended value: timer_logs February 2
- timer_stats [number1] [number2] - defines the time intervals at which
- statistics are sent to the server. (This includes installs, online
- presence, open ports, services, socks, screenshots, etc.)
- number1 - time in minutes after which statistics are sent, if the
- previous send succeeded.
- number2 - time in minutes after which statistics are sent, if the
- previous send failed.
- Recommended value: timer_logs October 20
- url_config [url] - URL at which the main configuration file is located.
- This is the most important parameter: if the configuration is not
- available at this URL when the victim's computer is infected, the
- infection is meaningless.
- url_compip [url] [number] - specifies a site where the bot can check
- its own IP; used to detect NAT.
- url - specifies the URL of the site.
- number - the number of bytes that is enough to download from the site
- in order to find the IP in the downloaded data.
- blacklist_languages [number1] [number2]...[numberX] - defines a list of
- Windows language codes for which the bot always stays in sleep mode,
- i.e. it will not send logs and statistics, but will still request the
- configuration file.
- numberX - language code, such as RU - 1049, EN - 1033.
- DynamicConfig: the values of this section are written into the final
- configuration file.
- Depending on your build, some parameters may have no meaning for you;
- all significant parameters are given in the example attached to the
- build package.
- url_loader [url] - specifies the URL from which an update of the bot
- can be downloaded. This option is relevant only if you have released a
- new version of the bot into the botnet and placed its configuration at
- the same URL as the old configuration; in that case older versions of
- the bot will start updating themselves by downloading the file
- specified in this record.
- url_server [url] - specifies the URL to which statistics, files, logs,
- etc. from the victim's computer are sent.
- file_webinjects - specifies the local file that contains the list of
- web injects. Description of the format of this file can be found here
- Subsection AdvancedConfigs - lists URLs from which a backup
- configuration file can be downloaded if the main file is unavailable.
- It is recommended to fill this subsection with 1-3 URLs, which will save
- the botnet from destruction if the main configuration file becomes
- unavailable and make it easy to move it to another server. The files do
- not have to be present at these URLs; the main thing is to be able to
- place files there. Files should be placed there only after the main
- configuration file is found to be unavailable; if you want to keep
- files at these URLs permanently, they must be updated in sync with the
- main configuration file. Backup files do not differ from the main one
- and are created the same way.
- Example:
- entry "AdvancedConfigs"
-   "http://url1/cdffd.ccc"
-   "http://url2/cdf34.dc"
- end
- Subsection WebFilters - has two purposes:
- 1. Enumerates a list of URL masks that must be logged or excluded from
- the log, regardless of the type of request (GET, POST). If the first
- character of the mask is '!', then when a URL matches this mask no
- entry is written to the log (e.g. the mask "!*" prohibits logging of all
- URLs except those listed before it).
- 2. Sets URL masks for which, when a matching page is accessed,
- screenshots are created on left mouse button clicks (useful for
- bypassing virtual keyboards). Such a URL mask must begin with the '@'
- character.
- Note: the URLs listed in this section ignore the value of the
- parameter StaticConfig.ignore_http
- Example:
- entry "WebFilters"
-   ; All URLs matching this mask will be written to the log.
-   "http://www.google.com/*"
-   ; All URLs matching this mask will not be written to the log.
-   "!http://*yahoo.com/*"
-   ; After this page is opened, screenshots will be created on left mouse button clicks.
-   "@http://www.rambler.ru/"
- end
- Subsection WebFakes - lists the transparent URL redirects (fake
- sites); a detailed description of this section is here
- Subsection TanGrabber - defines rules for the TAN grabber; a detailed
- description of this section is here
- Subsection DnsMap - a list of DNS changes to be made in the file
- %system32%\drivers\etc\hosts.
- Record format: [IP] [domain].
- IP - the new IP of the domain.
- domain - the domain name whose IP is changed. If the domain name begins
- with the character '!', this domain will be removed from the file, if
- it is found there, of course. The IP parameter is then ignored and can
- be anything.
- Example:
- entry "dnsmap"
-   127.0.0.1 microsoft.com
-   192.168.0.1 google.com
-   0.0.0.0 !yahoo.com
- end
- Third:)
- Then save the file.
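
For analysts triaging a recovered builder config.txt, the following parser reads the record format described above (quoted parameters, ";" comments, nested entry/end sections) and lists the URLs and hosts-file edits to look for in proxy and DNS logs. It is an added example, not part of the original paste or of the kit; the function names, the sample config and the example.test hosts are constructed for illustration.

```python
import re

TOKEN = re.compile(r'"([^"]*)"|(\S+)')   # quoted parameter or bare parameter
URL = re.compile(r"^https?://", re.I)

def parse_config(text):   # -> tree of {name, records, sections}
    stack = [{"name": "", "records": [], "sections": []}]
    for line in map(str.strip, text.splitlines()):
        if not line or line.startswith(";"):      # blank line or comment
            continue
        params = [q or bare for q, bare in TOKEN.findall(line)]
        if params[0].lower() == "entry" and len(params) > 1:   # case-insensitive
            sec = {"name": params[1].lower(), "records": [], "sections": []}
            stack[-1]["sections"].append(sec)
            stack.append(sec)
        elif line.lower() == "end" and len(stack) > 1:   # a quoted "end" stays data
            stack.pop()
        else:
            stack[-1]["records"].append(params)
    if len(stack) > 1:
        raise ValueError("unterminated section " + stack[-1]["name"])
    return stack[0]

def indicators(sec, path=()):   # -> (urls, hosts_edits), labels use a->b notation
    here = path + ((sec["name"],) if sec["name"] else ())
    urls, hosts = [], []
    for rec in sec["records"]:
        if sec["name"] == "dnsmap" and len(rec) == 2:    # [IP] [domain]
            ip, dom = rec
            hosts.append((dom.lstrip("!"), "remove" if dom.startswith("!") else ip))
        else:
            name = () if URL.match(rec[0]) else (rec[0].lower(),)
            urls += [("->".join(here + name), p) for p in rec if URL.match(p)]
    for sub in sec["sections"]:
        u, h = indicators(sub, here)
        urls, hosts = urls + u, hosts + h
    return urls, hosts

SAMPLE = """; constructed sample with placeholder hosts, not from a real build
entry "DynamicConfig"
  URL_Server http://c2.example.test/server.php
  entry "AdvancedConfigs"
    "http://backup.example.test/cfg.bin"
  end
  entry "dnsmap"
    127.0.0.1 update.example.test
    0.0.0.0 !portal.example.test
  end
end"""
```

Calling `indicators(parse_config(SAMPLE))` returns the URL list labelled by section and the hosts-file edits, which can be compared against the machine's actual hosts file and outbound web logs.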