Author Topic: Citadel Zeus bot - New clone of Zeus after ICE IX



July 29, 2012, 04:18:08 pm
Reply #1

SysAdMini

Ruining the bad guy's day

August 30, 2012, 08:31:56 am
Reply #2

SysAdMini

CITADEL 1.3.45 BOTNET(EXTREME EDITION)
http://pastebin.com/gRqQ2693

Quote
CITADEL 1.3.45 BOTNET (EXTREME EDITION)

CONTACT JABBER: aquabox@jabber.org

We offer you a decent solution for creating and updating your botnet.
We are not trying to reinvent the wheel or create a revolutionary product. We have simply polished the already well-established Zeus, greatly expanding its functionality and adapting it to the modern conditions of survival, under a new name. The software was written for ourselves, with the idea of creating a "social circle of support"; read about that below.
Changes were made both directly to the bot and to the web component.
You will not find any "pretty icons" here. You pay only for the new functionality listed below and for the coders' motivation to support the product.
List of new features for the bot:
  • Fixed a bug in VNC on Vista / Windows 7. We can now fully work with Internet Explorer (remember, there was a problem with IE rendering).
  • Support for Mozilla Firefox 7.0 (fixed an issue where reports were not sent from the latest versions of the browser).
  • Crypto-protection (the body is decrypted in memory).
  • DNS redirects (not via the hosts file). You can block / redirect any URLs without fear that heuristics will notice. For example, block AV servers or redirect a bank's servers to another host.

! BONUS! A list of URLs of popular anti-virus software to block is included.
  • Browser version information in the software report. The detailed browser version of the account holder is sent together with the report. This helps when emulating the holder's settings.
  • An extra level of protection for the server against trackers: Login Key.
  • A config download authentication mechanism (no direct URLs). This gives full protection from established trackers.
  • Support for the Google Chrome grabber. [Tested on the latest 15.x/16.x/17.x].
  • Support for the Google Chrome injector. [Tested on the latest 15.x/16.x/17.x].
  • Added caching of search functions, which speeds up the installation of Chrome hooks.
  • Added the ability to execute CMD system commands when the bot starts (CMDList section), sending a report to the server. For example, you need the output of "ipconfig /all" for your installs, or a list of all available shares. It is useful for analyzing the internal structure of companies. (For example, we often come across bots in a LAN with names like ACCOUNTANT_PC, POS_SERV, DATABASE ...)
  • Added a mechanism to verify the safety of hooks on some Windows versions.
  • Heuristic analysis of the environment with a stop-list of unwanted software (greatly increases stealth); all popular anti-virus software is included.
  • Fixed minor bugs.
  • Video Grabber. A unique opportunity to watch your injects at work through the "eyes of the holder". The config file specifies a list of sites and the length of the video recording in seconds; when the given link is visited, video recording in .mkv format is activated. It is recommended to configure your server to receive files of 60 MB 10.
  • Removed the deletion of cookies on install, since it breaks the "fingerprint" when working with the holder's transfers.
  • Added support for HTTP 1.0 and extended headers (e.g. the response does not always look like "HTTP/1.1 200 OK"; it may be "HTTP/1.1 200 follow document", where more words follow the code 200); applies to the Firefox & Chrome browsers.
  • Added a gate generator (in case you want to route your files through an intermediate host).
  • Completely redone encryption (data, log / video records, config downloads, etc.) in Citadel: the outdated RC4 used in Zeus has been replaced by AES 128. Recall that RC4 became a liability when various config / injector decryptors for Zeus were mass-produced and hosts started getting burned by abuse.ch.

Now, in addition to the built-in RC4, which is encrypted with your personal signature, the software also has built-in AES encryption; as a result we get AES128-secured bot <-> gate handling. No ZeusDecryptors (ThreatExpert) or automated reversing will disturb your comfort at the moment (Jan 2012).
  • All the basic functionality remaining from Zeus is present. I don't think it needs to be written here again.
  • Fixed a bug in recording reports from WebFilters in the configuration with the "!" (ignore) prefix, which was supposed to exclude all matching URLs but instead did the opposite and wrote them to the log.
  • Added a new option to the config-file filter: a function to send or not send cookies to the server.

The static config option disable_cookies 0/1 indicates whether to disable cookie grabbing (1 - disable, 0 - enable).
Cookies can also be obtained manually from the admin panel with the command user_cookies_get, if you really need them.
  • Added a function to open any page in the bot's default browser.

For example, if you want to cheat a counter or voting statistics, or want extra income from your botnet by opening shop pages (pharmaceutical, gambling, drop projects, etc.). A great way to advertise the necessary page!
A new option: url_open <url>
  • New type of WebFilters filter in the build configuration file.

Two new parameters: P and G.
Parameter P, given for a link, indicates recording only POST requests (all others are ignored) for this link.
Parameter G indicates recording only GET requests (all others are ignored) for the given link.
The parameters cannot be combined, i.e. you should specify only one of them.
  • Added a modular software system, which gives us:

* Scalability and loading of any operating functionality oriented to the Citadel bot.
All modules are loaded from the server and dynamically decompressed in memory, which eliminates their detection.
Storage and transfer to the outside world only in encrypted form.
Modules are loaded into a trusted process, hence significant memory savings.
Great handling: modules can be disabled via the config.
  • Video Grabber remade on a modular basis. Now the size of the uncrypted build is < 190 KB. Always.
  • Added a new option timer_modules (timing for loading modules).
  • Added support for the new Google Chrome 17, and fixed a bug with Flash handling in it.
  • Added support for macros. Introduced macros: %BOTID%, %BOTNET%

* Macro data can be inserted into any part of the inject and uploaded to your server (ATS / injects), passing the bot name and the botnet name.
  • Added four module commands (on / off, disable / enable download).
  • Added a new option disable_httpgrabber 1/0 for Chrome: eliminates handling of plain HTTP (not HTTPS) requests.
  • Added full recording of the User-Agent in HTTP(S) grabber reports, which allows cloning the holder's UserAgent through any CCTools-type utility.
  • Added the screen resolution to HTTP(S) grabber reports, for example "Screen (w:h): 1600:900"; useful when cloning the holder's settings, many banks pay attention to it.
  • Changed the protocol for sending video files to reduce server load (some had problems with server load and everything was strongly slowed down).
  • Added the ability to send Jabber notifications to multiple recipients from the Citadel admin.
  • Added the ability to specify multiple url_configs (the path to the main config file). It used to be like this: if the basic config was unavailable at the time the bot was installed, a backup could not be downloaded; now this problem is gone, the bot will try to pull the config from another URL (you can enter up to 20 reserve URLs).
  • Fixed a bug in Google Chrome (17.x) leading to a sub-hang when opening multiple tabs with injects.
  • Added new commands:

- Getting information about the installed software (list: company | product | version) on the computer: info_get_firewall
- Getting information about the installed antivirus on the computer: info_get_antivirus
- Getting information about the installed firewall on the computer: info_get_firewall
The information comes as a separate report for each bot. Soon we will integrate bulk statistics on installed software into the Citadel admin.
  • An anti-emulation algorithm for a number of AVs (not counting the crypter, the software has become invisible to several proactive defenses).
  • Fixed a problem running as SYSTEM.
  • Added Jabber notifications upon detection of bots matching a specified mask (e.g. the mask *corporate* will look for a botid with such a match); even if they have not sent any log files, the script will notify you via Jabber about the appearance of such a bot. Now such bots will not slip past your eye.
  • The admin has a new section, "Efficiency and Security": we have integrated the scan4you service, and now you can check all your executable builds for detectability in the Citadel admin with one click; you can also set an automatic scan of every file daily, and if one of your files is detected by more than a third of the antiviruses, you will immediately receive a notification in your Jabber, so you can

immediately replace the exe file. Now the mechanism will work for you automatically; be as lazy as you like!
  • Some customers complained that only 40% of bots updated to the new exe version, and the rest could not upgrade for some unknown reason. Indeed, the bug dated from Zeus times; we investigated and corrected it. Now there is a new parameter in the config file: timer_autoupdate 8

This sets the time (in hours) for how often to download the exe file from the server and restart (the RC4 key must match). 80% of bots now update successfully, and if you re-upload a crypted exe, survival increases by 37.1%; your bots will have the freshest and cleanest build.
  • Changed the system for sending reports to the server. In previous versions the bot sent a POST request to the gate for each report; in the new scheme reports are sent in packs of several, which minimizes the number of sessions on the server; server load is minimal, so it can withstand a large number of bots online.
  • The video format from bots changed to .webm (HTML5); we built an online video player into the Citadel admin, so now you can watch videos right in your browser (Opera recommended). Features: fast rewind / fast-forward, full-screen, video search by BotID, IP address, date.

But that was not enough and we went on: many of you use (it is time for everyone to use and develop all areas together) ATS and a personal admin for injects / account collection, etc. Would you like to watch the transfer, or how your inject works on the bot, from your own admin? It's easy! We created an API system: you can now send the BotID or IP address to the script, and the API will return ready-made HTML embed code for all the videos from that bot, which you can insert and watch even on narod.ru, without going into the Citadel admin.
  • Added a handy parser for system commands (CMDList) in the control panel; you can now see, in a new table format, the results of system commands such as ipconfig, the list of PCs on the LAN, the list of processes, etc.
  • Now, when the build is installed on the bot, the following information will automatically be sent to the admin once: installed firewalls, installed antivirus software, installed programs.

You can view it for a particular bot or for the entire botnet. We have created a separate section where you can see all the statistics as visual graphs and calculations. Now you know whom you are fighting.
  • Added "Selected logs": you can tag any interesting account when searching for data in the admin and then easily find it again; it will be highlighted in a different color.
  • Implemented a UTF-8 compatible injector (now you can insert injects in any language, such as Japanese, Chinese, etc.)
  • A crypt section in the Citadel admin panel. This section of the admin panel allows you to update the bot exe file directly from the web. At any time you can re-upload the right exe file and the bots will download it in due course. The download history is in the format: File | Download date | Paid (Y/N)

Regarding the latter point, we divided the permissions and created a separate category of users, "crypters": these users have access to your panel as you wish, and the user's only privilege is the ability to update the exe file; in the table you can mark whether particular crypts were paid or not.
You can enable Jabber notification of scan4you check results.
  • Added full-screen screenshots (option in the config file - "@ @").
  • Improved auto-updating: if you faced a big load on the server during an upgrade (or bots did not move to the new admin panel), this fix corrects the situation. The fix includes:

- Old reports from the previous version are removed during the exe upgrade (tmp file), as an additional safety net.
- Heavy records (video and other file reports) are additionally validated and removed in case of problems (for example, if the file has already been downloaded).
- Changed the update initialization, which eliminates a deadlock and allows further updates after a file system error.
  • Fixed the problem of garbage in the admin log: logging of Flash movies (swf / flv) and of the whole of Facebook has been removed completely from the logs, because of the amount of trash coming from them.
  • The "Qualitative WebSocks test" module is now built into the admin panel; no extra scripts. Shows: country, state, city, hostname, uptime and ping lag.

Ability to enter this section without a password, for convenience when you urgently need SOCKS :)
  • The "log parser" module is now built into the admin panel; no extra scripts. The interface is much improved, with the ability to create "chosen domains" and "archive logs", and the ability to parse https or http domain names as chosen. Builds a visual table of all domain names that appear in the logs.
  • Added "Notes" to the Citadel admin, something like an online notepad. The admin interface is adapted for iPad / Galaxy Tab tablets.
  • Improved "VNC admin panel" module, now built directly into the Citadel admin; no extra scripts. Everything is set up in 1 click. Many new features, namely:

- Ability to work with the API: you pass the BotID or IP address to the script, for example through the inject, and it sets up a VNC / BackConnect SOCKS connection, sending you the connection data via Jabber. You can call the script at any time; applicable to ATS.
- Instead of each report in "Database Search", four buttons appeared: "Add to Favorites", "Connect VNC", "Connect BC Socks", "Autoconnect VNC", "Autoconnect BC SOCKS"
- AutoConnect VNC: when this option is enabled, the bot will establish a VNC connection each time it comes online, unless you disable it.
- AutoConnect BC Socks: when this option is enabled, the bot will establish a backconnect SOCKS connection each time it comes online; the other options provide a one-time connection.
- Now you can automatically establish a VNC / BC SOCKS connection as soon as the bot delivers the right account for a URL mask; parse them while they are hot.
- Next to each account for a URL mask, the date of the last login to that account is recorded; you no longer need to check account activity, the scripts will do it for you.
- Ability to notify several Jabbers at once.
  • Fixed a problem with chained hooks in Chrome.
  • When running user_execute with the "-f" flag, the exe is forced in as an update only and will not be run as an installer.
  • Optimized gate operation, thus reducing load. Simplified admin installer, which allows installing all modules in one click.
  • Added support for the new Chrome 18 [injects / formgrabbing].
  • Added an "All bot reports" button in the admin; you can view the reports for a specific bot from beginning to end.
  • Fixed a bug with the manual command dns_filter_add; URL blocking now works correctly.
  • Fixed a bug with the display of exe files on the main page; deleted exes now disappear automatically.
  • Fixed a bug with the scan4you Task Scheduler; the daily exe check now works correctly.
  • Added a unified CRON system; one cron job now runs all tasks: Jabber notices, file checks, module work, etc.
  • Added the ability to delete a video from the admin.
  • Added a link to the bot's notes in the Jabber message from the VNC module.
  • Updated GeoIP database (late 2011).
  • The last of the AdvancedConfigs domains is triggered with a delay; this is done to protect your backup URLs from being grabbed automatically by honeypots.
  • Fixed the script for zipping data in the admin (fsarc.php).
  • Jabber account settings and all parameters are now made in the general settings.
  • Now you can specify the path in the config file with httpS:// (unsigned certificates are supported).
  • Fixed case sensitivity in injects: now <BODY> and <body> are the same entity. All injects are case-insensitive.
  • Completely redesigned web admin interface, user-friendly.

This is the basic build configuration. Price $1500, negotiable.

Important note:
Our software does not work on Russian systems: if a Russian or Ukrainian keyboard layout is found, the software fails. This was introduced in order to combat CIS installs. Treat it as you wish; for us it is a taboo.
If you want to test and develop injects, set up an English-language system; we give links to an image + VMWare to save you time searching.

Additional modules:

List of new features for the web admin (individual modules):
  • Implemented a full VNC admin panel for working with the bots.

Now you can:
- Gather the accounts you need into a separate database, in a separate script. It has convenient viewing of records; you can view the list of online bots and the accounts that came in.
- Create a VNC connection in 2 clicks with any bot.
- View statistics on live / dead accounts (per bot).
- Edit / change the notes of accounts that came in.
- Automatic Jabber notification of updates, or when a bot has come online. You get a ready-made IP:PORT in Jabber to connect over the VNC protocol.
- Ability to sort bots by online / used / unused status.
- Identify a BotID, and the VNC connection is established automatically as soon as the bot comes online.
- Ability to work with the API: you pass the BotID or IP address to the script, for example through the inject, and it sets up a VNC / BackConnect SOCKS connection, sending you the connection data via Jabber. You can call the script at any time; applicable to ATS.
- Instead of each report in "Database Search", four buttons appeared: "Add to Favorites", "Connect VNC", "Connect BC Socks", "Autoconnect VNC", "Autoconnect BC SOCKS"
- AutoConnect VNC: when this option is enabled, the bot will establish a VNC connection each time it comes online, unless you disable it.
- AutoConnect BC Socks: when this option is enabled, the bot will establish a backconnect SOCKS connection each time it comes online; the other options provide a one-time connection.
- Now you can automatically establish a VNC / BC SOCKS connection as soon as the bot delivers the right account for a URL mask; parse them while they are hot.
- Next to each account for a URL mask, the date of the last login to that account is recorded; you no longer need to check account activity, the scripts will do it for you.
- Ability to notify several Jabbers at once.
    Cost $200


  • Module for quality checking of SOCKS validity.

Ability to specify multiple databases of different botnets. Gives 99.9% proxy validity, checking by means of web surfing.
Cost: $49.00

  • MiniAV module

Allows you to clean the PC of someone else's malware; the module is activated every 4 hours and removes all Zeus modifications from the system, such as Zeus 1, 2, Ice9, etc. The survivability of your build goes up several times; recommended for those who have found other people's gates in their logs and use traffic exchanges. In the near future we will add signatures to remove fake AVs and search-result substitution.
Cost: $100

  • Auto-crypt plugin for exe files.

Temporarily withdrawn from sale.

  • Log parser module.

Probably many have faced the problem that the botnet gets more and more logs. With the current level of data retrieval from the database, it takes a very long time.
We have developed a script that allows you to include several databases in the list at once and brings you a list of all http / https links found, as well as the data on them.
There is the possibility of caching, as well as notes, for your convenience.
Cost: $295.00

  • "CardSwipe" module.

Allows you to steal cards and dumps from HTTPS / WinSocket traffic and sends them as a separate report, which you can search individually.
The search is performed by traffic analysis with the LUHN10 algorithm. Accuracy - 25%
Module price: $100 LR

  • Automatic FTP iframer for accounts from the logs:

- Automatic processing of all FTP accounts that arrive in the logs, as well as the ability to start it manually at the right time.
- All work is done by a relay script; upload it to any host and the work begins. The admin interface communicates with the relay over HTTP, via cron.
- A self-test phase checks the suitability of the relay and that everything is set up correctly.
- The CRON system asks the iframer every minute how it's doing: how many jobs are done, how many are in the queue, how many are ready. If there are accounts it has already finished, they are pulled out and saved. Those accounts are removed from the iframer to save memory.
- A mechanism protecting against the iframer freezing on complex FTP accounts (you may have encountered this problem when the script stopped and nothing happened, even after a restart).
- The ability to set the iframing depth (level 1 to 50), in other words how many subfolders deep we go.
- The ability to set file masks, as well as an ignore list.
- Multiple modes: intelligent (so as not to damage PHP / JS / ASP scripts), append to the end, overwrite, just check validity.
- Implemented duplicate checking.
- Replacement of the old iframe with new code. If the HTML code has changed, it does not stupidly append, but replaces the old one.
- Option "iframe only yesterday's accounts". You need to give an FTP a day before removing it from the list.
- Option: re-iframing of accounts after N days. Each account will be processed again after N days.
- Simple and detailed statistics.
- Of the minuses: low speed; on average no more than 3,000 FTP accounts are processed per week.
A full description is provided in the manual, after purchase.
Module cost: $500.00

  • Double-Cleaner

The script allows you to clean the logs of duplicate HTTP/HTTPS/FTP/POP3 reports from the bot.
Minimal database load; works well together with the "Web log parser" module.
Turned on and off in the admin settings.
Benefits: faster database search, smaller database.
Module cost: $90

  • GeoIP Protection System

This set of scripts allows you to hide your config file, exe and gate from unwanted requests by country; unwanted bots will receive a 404 response.
Helps well against trackers and reversers. Enabled and disabled in the settings.
Of the minuses: can only withstand small botnets (up to 2000 bots online), because PHP is not designed for such heavy and dirty work.
A budget option against abuse. Recommended only for small, VIP-compartmentalized botnets, in order to move valuable bots into a particular botnet.
Price: $100

  • Keylogger

At the request of our customers in the CRM, we reworked the module for intercepting pressed keys (derived from Zeus).
The module allows you to capture keystrokes, for separate and combined applications, and send the data to the admin panel as separate reports.
For example, you need to intercept the keystrokes of the process "calc.exe": you enter the process name in the configuration and all its data will be sent to the admin panel.
Effective when dealing with banking software (+ Java) installed on the holder's PC, or poker software.
Price: $100

All modules can only be purchased together with the basic version; they are not sold separately. With the purchase of a module, you are entitled to further updates and support for that module from our side.

Complete VIP: $3000.00

UNDER CONSTRUCTION:
  • Full search & retrieval of files on the hard disk by a list of masks specified in the config file. For example "passwords*.txt"


SERVICE & SOCIAL CIRCLE:

It's no secret that products in our niche without support from the developers are a piece of junk on your hard disk.
Therefore the product should be developed taking into account the wishes of our customers; one problem: you have probably experienced developers ignoring IM, because there are many customers and only one developer :)
Time is money, so we made you a special system, something like a social network for our customers.
The Citadel CRM Store allows you to take part in product development, namely:
- Report bugs and issues in the software; all tickets are considered in the Help Desk and you will receive a timely response to your issue; no need to chase the author on ICQ / Jabber any more.
- Each client has the right to create an unlimited number of applications within the system, in which he may propose the creation of a new module / revision that he needs in the software's functionality. Each application can be either public or private (accessible only to you).
- Each client has the right to vote for an idea put forward by other members and to offer a reasonable price for the implementation of the revision / module. At the end of voting, the developers decide whether to make the module or not, depending on the outcome of the vote among the customers.
- Each client has the right to comment on any application and communicate with other members; now it will be interesting for you to find partners and associates, as well as to participate actively in discussions with the developers.
- You can see all stages of the module creation process if it is approved by the members. We will promptly update the status and timing in the application.
- You can make an advance payment (50%) if the module has been approved; after the members' prepayment, the project begins to move forward, since it is paid directly to the coder, and you will find no laziness or inactivity on our part. Everything is transparent: each stage of development is shown in detail.
- Easy Jabber notification of new comments or newly created applications.
You will appreciate the new working format!

When buying the basic kit, a monthly rental fee of $125 is charged (you can pay several months in advance), which includes:
- We are interested in working with our customers. On the forums people often painstakingly write "we support the product ... blabla", but in the end it turns out that updates come out every three months, or the author even disappears altogether. The problem is the authors' motivation. You support us - we support you. It's simple.
- You receive a monthly builder update (on the 20th), which includes updated anti-virus protection (encryption of the bot body, heuristic analysis of the injector in the process).
- You get access to the CRM: the right to initiate new enhancements and improvements, to vote for other projects, and to communicate with other members in the Citadel CRM Store.
- Support from our side: answers to your questions (in tickets), assistance with installation and recommendations for use. It is prohibited to transfer your personal CRM account to anyone else.
- In the near future, web programmers dealing exclusively with injects (incl. writing ATS) will be connected to the CRM system. Our customers will be able to create a spec within the system, announcing the timing and cost, and coders will take on the task. If you write quality injects, contact us to discuss.

Demo available on request (issued within 24 hours).
The builder is bound to your PC; you can create an unlimited number of domains.
You pay only in [user posted image] (fast WM-LR exchange can be done on forums such as mmgp.ru). Webmoney not accepted.

Send your request in the format:
"I want to buy the basic kit, as well as the VNC, autocrypt and socks modules. How much will it cost with a discount"
Contact aquabox@jabber.org
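The "CardSwipe" module in the advertisement above claims to find card numbers in captured traffic with a Luhn (mod 10) sweep and admits an accuracy of 25%. The following is an added example, not Citadel code and not from the forum post: a small Luhn-based scanner run over a constructed POST body, of the kind a DLP rule or an analyst triaging a grabber log would use. It shows why a bare Luhn sweep is noisy (order numbers and IMEIs also pass the check) and how an issuer-prefix filter trims, but does not eliminate, the false hits. The prefix table and the sample body are assumptions made for the example.

```python
"""Luhn-based card-number scanner over captured traffic (added example).

Illustrates the technique the CardSwipe module advertises ("traffic
analysis with LUHN10"). This is not Citadel code; it is the same logic a
DLP or NIDS content rule applies, and it demonstrates why accuracy is low:
many digit runs that are not card numbers still satisfy the Luhn check.
"""
import re
from typing import List, Tuple

# Digit runs of plausible PAN length, allowing the separators people type.
_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")

# Issuer prefixes assumed for this example (simplified, not an
# authoritative IIN table).
_IIN_PREFIXES = ("4", "51", "52", "53", "54", "55", "34", "37", "6011", "65")

# Constructed sample POST body: two well-known test PANs, an order number
# and an IMEI that both happen to pass Luhn, and a timestamp that does not.
SAMPLE_POST_BODY = (
    "cardnumber=4111 1111 1111 1111&exp=12/14&cvv=123"
    "&alt=5500-0000-0000-0004"
    "&order=1234567812345670"   # Luhn-valid, not a card
    "&imei=490154203237518"     # IMEIs are Luhn-valid by design, not a card
    "&ts=20120830083156"        # fails Luhn
)


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn (mod 10) check."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = ord(ch) - 48
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def scan_for_pans(payload: str, require_iin: bool = False) -> List[Tuple[str, str]]:
    """Find candidate card numbers; returns (raw_match, normalized_digits).

    require_iin=False mimics the bare Luhn sweep the module describes.
    require_iin=True adds the (assumed) issuer-prefix filter, the first
    thing a practitioner adds to cut false positives.
    """
    hits = []
    for m in _CANDIDATE.finditer(payload):
        digits = re.sub(r"[ -]", "", m.group(0))
        if not 13 <= len(digits) <= 19:
            continue
        if not luhn_valid(digits):
            continue
        if require_iin and not digits.startswith(_IIN_PREFIXES):
            continue
        hits.append((m.group(0), digits))
    return hits


if __name__ == "__main__":
    for label, strict in (("bare Luhn sweep", False), ("Luhn + IIN prefix", True)):
        print(f"{label}:")
        for raw, digits in scan_for_pans(SAMPLE_POST_BODY, require_iin=strict):
            print(f"  {raw!r:28} -> {digits}")
```

The bare sweep flags four runs in the sample, of which only two are cards; the prefix filter drops the order number but still passes the IMEI because it starts with 4. A 15-digit Luhn-valid run is therefore not enough evidence on its own, which is the practical reading of the "25%" figure in the advertisement.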

December 05, 2012, 09:22:13 am
Reply #3

SysAdMini
