ZeuS 2.0.8.9 and the Ghost Panel
Before ZeuS author Monstr/Slavik handed over his source code to SpyEye author Harderman/Gribodemon, the last known ZeuS version was 2.0.8.9. The ZeuS crimeware, whose popularity has grown exponentially over the past couple of years, is arguably the most popular toolkit in the threat landscape. Given this, it isn’t surprising to see that the ZeuS crimeware was updated quite a number of times in 2010.
The last release of the 2.0.8.0 version—2.0.8.9—is still being bought and sold by various resellers in the cybercrime underground. There are no significant visual differences with previous versions as far as the main ZeuS Builder is concerned.
Differences can be found in the infection routines of the ZeuS binaries produced. Some of the notable changes are:
- Support for almost all versions of Windows (XP/Vista/Seven/Server 2003/Server 2003 R2/Server 2008/Server 2008 R2)
- Support for 64-bit versions of Windows (limited to 32-bit processes only)
- Works even if User Account Control (UAC) is enabled and if the user has minimal privileges (e.g., “Guest” users)
- Multiuser session infection (when the bot is run under the LocalSystem account, it will attempt to infect all of the users’ files on the system)
- Injection module for Firefox
- Bot protection (unique/random object names such as file names, mutexes, registry entries, etc.; auto-updating without requiring a system reboot)
This version may also be packaged with a reverse Virtual Network Computing (VNC) function for an additional price, which allows the user to open a hidden remote desktop session on an infected machine.
Most of the time, the control panel for 2.0.8.9 does not feature changes apart from the necessary technical updates for command-and-control (C&C) compatibility. However, we have seen one version sold underground that does have a modified control panel called the “Ghost” Panel.
The “Ghost” Panel
Although not part of the original ZeuS toolkit, this panel offers a number of unique features that are useful to ZeuS-using cybercriminals.
Stripped PHP Scripts
Note that the Web panel version says “Stripped.” This means that the PHP scripts of the Web panel have been optimized for smaller file sizes. Smaller scripts are quicker and cheaper to upload to Web-hosting sites.
No-Sh*t Reports
This option filters the types of information that will be saved in the database. Nonfinancial information such as social networking site credentials will not be stored. This ensures that the database of stolen information stays manageable in terms of size without what the cybercriminal considers “irrelevant” information. This feature is especially beneficial to carders—cybercriminals who sell/trade credit card and bank account-related credential dumps to other cybercriminals.
Dynamic Configuration
This feature allows the configuration file to be easily updated with new target sites. The attacker does not need to rebuild the configuration file or manually upload the new one; the panel automatically takes care of this for the user.
Different Folder and File Names
As a security measure, the “Ghost” Web panel uses different file and folder names from the conventional ZeuS control panel. This protects the panel from being rapidly analyzed by automated tools or even by security researchers who are already familiar with the conventional file and folder names of the ZeuS Web panel.
Anti-ZeuS Tracker
The Anti-ZeuS Tracker feature is actually just a script that the seller/user configures in the .htaccess file. The script is essentially a blacklist into which sellers/users enter compiled lists of known IP addresses of malware-monitoring sites like ZeuS Tracker, Spamhaus, and the like. It blocks the IP addresses of these monitoring sites so that they receive an HTTP error whenever they try to access the ZeuS Web panel. This particular feature has been around for quite a while, however, and is not unique to the “Ghost” panel. Below is a screenshot of the script code.
[Screenshot: the Anti-ZeuS Tracker .htaccess blacklist script]
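From the defender's side, a hosting provider's abuse team or an incident responder who lands on a compromised web root can look for exactly this kind of blacklist: an .htaccess file whose only real purpose is to deny a long list of client IP ranges. The following is an added example, not code from the post or from any ZeuS component. It parses the three common Apache forms of IP blocking (`Deny from`, `Require not ip`, and `RewriteCond %{REMOTE_ADDR}`) and flags files whose deny list exceeds a tunable threshold. The sample .htaccess text, its IP ranges (RFC 5737 documentation addresses), and the threshold of five entries are all constructed assumptions for the demonstration.

```python
"""Scan an Apache .htaccess file for client-IP blacklists.

Added example (not code from the TrendLabs post or from ZeuS): a check a
hosting abuse team or incident responder could run over web roots to
spot "anti-tracker" style deny lists. The sample file below is
constructed; the addresses are RFC 5737 documentation ranges.
"""
import ipaddress
import re

# Constructed sample .htaccess; a real blacklist would hold far more ranges.
SAMPLE_HTACCESS = """\
# constructed sample, not a real panel file
Options -Indexes
Order Allow,Deny
Allow from all
Deny from 192.0.2.0/24
Deny from 198.51.100.7 198.51.100.8
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{REMOTE_ADDR} ^203\\.0\\.113\\. [OR]
RewriteCond %{REMOTE_ADDR} ^192\\.0\\.2\\.44$
RewriteRule .* - [F]
</IfModule>
<RequireAll>
Require all granted
Require not ip 203.0.113.0/24
</RequireAll>
"""

# Apache 2.2 mod_access_compat form: "Deny from <ip|cidr> [...]"
DENY_RE = re.compile(r"^\s*Deny\s+from\s+(.+?)\s*$", re.IGNORECASE)
# Apache 2.4 mod_authz_host form: "Require not ip <ip|cidr> [...]"
REQUIRE_NOT_RE = re.compile(r"^\s*Require\s+not\s+ip\s+(.+?)\s*$", re.IGNORECASE)
# mod_rewrite form: a condition on the client address followed by a [F] rule
REWRITE_RE = re.compile(r"^\s*RewriteCond\s+%\{REMOTE_ADDR\}\s+(\S+)", re.IGNORECASE)


def _is_ip_token(token):
    """True for a literal IP address or CIDR block; False for words like 'all'."""
    try:
        ipaddress.ip_network(token, strict=False)
        return True
    except ValueError:
        return False


def extract_blocked(text):
    """Return (directive, target) pairs that block requests by client IP."""
    found = []
    for line in text.splitlines():
        m = DENY_RE.match(line)
        if m:
            found.extend(("Deny from", t) for t in m.group(1).split() if _is_ip_token(t))
            continue
        m = REQUIRE_NOT_RE.match(line)
        if m:
            found.extend(("Require not ip", t) for t in m.group(1).split() if _is_ip_token(t))
            continue
        m = REWRITE_RE.match(line)
        if m:
            # The target is a regex over REMOTE_ADDR, kept verbatim for the report.
            found.append(("RewriteCond REMOTE_ADDR", m.group(1)))
    return found


def assess(text, threshold=5):
    """Summarise IP-blocking rules; 'suspicious' when the list reaches `threshold`.

    The threshold is an assumption for this example; tune it to the hosting
    environment (legitimate sites rarely carry more than a handful of entries).
    """
    blocked = extract_blocked(text)
    return {
        "count": len(blocked),
        "suspicious": len(blocked) >= threshold,
        "entries": blocked,
    }


if __name__ == "__main__":
    report = assess(SAMPLE_HTACCESS)
    print(f"{report['count']} IP-blocking entries, suspicious={report['suspicious']}")
    for directive, target in report["entries"]:
        print(f"  {directive}: {target}")
```

Run against real web roots, the useful signal is not the presence of a deny rule but the size and shape of the list: a legitimate site blocks a scraper or two, whereas a panel that wants to hide from ZeuS Tracker and similar monitors carries dozens of ranges belonging to security vendors and research networks.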
These last two features allegedly make this control panel a “Ghost,” or “untraceable,” hence the name. There have been reports about the panel being unstable, but we have not been able to confirm this claim. Other features of this specific version are Joomla spoofing (the server looks like a legitimate website, complete with a fake Joomla login page), the ability to work on free “ZeuS-proof” hosting sites, and compatibility with all browsers, including those on mobile devices.
Tools like this make conducting cybercrime much easier: they provide great convenience for cybercriminals, make analysis more difficult for security researchers, and pose more threats to potential victims. Thus, we here at Trend Micro are doing what we can to stop attacks aided by tools like this in order to protect our product users.
Post from: TrendLabs | Malware Blog – by Trend Micro