Leveraging ZeuS to send spam through social networks

We were able to analyze a pack to make zombies of ZeuS at spammers through social networks. Specifically, the module is analyzed developed for use in Vkontakte.ru, the Russian clone of Facebook.

This crimeware has been created by someone calling himself Deex of Freedomscripts Team and sold for the modest price of USD 100 (via WebMoney).

The pack includes several configuration files, which make it:

• config.ini: has defined the target (friends or online, although so far only seems to work the first option) and password of the administrator control panel. When selecting friends, messages are sent to all our contacts, but are not online at that time.
• message.txt: contains the text of the message to send.
• title.txt: contains the title of the message to send.
• results.txt: here were keeping the infected user statistics (vkontakte identifier, IP and number of messages sent).
• webinjects.txt: HTML code injected in the sitting of infected PCs sending spam trigger.

The contents of that file should be added (or completely replace) the file of the same name necessary to build binaries of ZeuS, and then reconstruct the configuration file and the executable of ZeuS.

Once the victim's PC is infected with this executable as well as sending a typical ZeuS reports, will check the page you visited and if the addition of Vkontakte.ru and be in English (does not work in other languages) , activate the injection of code in the page, which always maintains the appearance of authenticity.

From that moment, all requests are processed by the HTML page that handles getconfig.php later call to the real page to avoid suspicion, showing the user the actual content as you surf vkontakte.ru its pages; while below, sends a message every time you click a link from the page js.php, as seen in the following snippet from log:

The result can be seen in the sent items, where all messages that have been sending our contacts:

All this is managed from a panel of independent control of ZeuS, which requires no database to run, since configuration and reporting are in separate text files.

The control panel is simple enough. It has a blank login page with a box to put the password that gives access to the panel itself, with a menu of 5 options:

• Reports: shows the result of sending spam. In our example, the ID has sent 20 messages from the specified IP.

• Inject: shows the code injection (webinjects.txt) and links to three pages responsible for performing tasks involving the shipment.
  

• Settings: From here you can manage the configuration files to change the password and set the title and body of the message to send. This data is stored in the configuration files mentioned above.

• Help: A brief page with some indication of what this pack and the two component parts: Inject and Admin.

• Logout. To exit the control panel.

In short, this package demonstrates how easy it's to take advantage of belonging to a botnet zombies under the control of ZeuS for the sending of messages through social networks.

Although this case concerns only in the first instance, to Vkontakte.ru, adapt it to other social networks or use it for other attacks through web pages, such as making fraudulent clicks, it would be pretty easy.

Related Information

ZeuS Botnet y su poder de reclutamiento zombi
ZeuS, spam y certificados SSL
Eficacia de los antivirus frente a ZeuS
Especial!! ZeuS Botnet for Dummies
Botnet. Securización en la nueva versión de ZeuS
Fusión. Un concepto adoptado por el crimeware actual
ZeuS Carding World Template. (...) la cara de la botnet
Entidades financieras en la mira de la botnet Zeus II
Entidades financieras en la mira de la botnet Zeus I
LuckySploit, la mano derecha de Zeus
ZeuS Botnet. Masiva propagación de su troyano II
ZeuS Botnet. Masiva propagación de su troyano I

Ernesto Martin
Crimeware Researcher in Malware Intelligence