{"id":5063,"date":"2010-09-20T05:02:49","date_gmt":"2010-09-20T13:02:49","guid":{"rendered":"http:\/\/www.labs.com\/research\/blog\/?p=5063"},"modified":"2024-02-20T20:15:20","modified_gmt":"2024-02-21T04:15:20","slug":"zeus-crimeware-toolkit","status":"publish","type":"post","link":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/zeus-crimeware-toolkit\/","title":{"rendered":"Zeus Crimeware Toolkit"},"content":{"rendered":"

The Zeus botnet has been in the wild since 2007 and it is among the top botnets active today. This bot has an amazing and rarely observed means of stealing personal information–by infecting users’ computers and capturing all the information entered on banking sites. Apart from stealing passwords, this bot has variety of methods implemented for stealing identities and controlling victims’ computers.<\/p>\n

Over the years Zeus has been released in a lot of versions, adding or changing functionality, and is highly flexible in its configuration. So this is just a snapshot of one version (1.2.7.19), giving an overview of its functionality.<\/p>\n

In the first part of this blog I will disclose the process involved in building and distributing a Zeus botnet in the wild. In the second part, I will discuss how Zeus captures personal information by injecting code dynamically, and finally I’ll offer some thoughts on command and control.<\/p>\n

Zeus serves as a heads up for all those who believe that banking transactions on HTTPS can never be intercepted.<\/p>\n

Zeus builder toolkit<\/span><\/strong><\/h2>\n

I\u2019ve been busy researching how Zeus is built and distributed in the wild. It has been a pretty high-profile botnet since it was discovered, due to its high rate of infections. During our research activity I was able to get hold of a Zeus builder toolkit. It was priced at US$700 to $1,500 then; a few months later, a free version of this toolkit was public.<\/p>\n

Building and Configuring Zeus Bot<\/span><\/strong><\/h2>\n

The process of building and configuring the Zeus bot requires just a couple of steps.<\/p>\n

Step 1) \u00c2\u00a0Configuration specification:<\/p>\n

Specifying all the static configuration parameters in the configuration file.<\/p>\n

The \u201cedit config\u201d\u009d button will allow you to enter various parameters to control the botnet as \u00c2\u00a0described below.<\/p>\n

timer_logs <\/span><\/em>:<\/span> Time interval to upload the logs to server
\n<\/span>timer_stats <\/span><\/em>:\u00c2\u00a0Time interval to upload infection statistics to server
\n<\/span>url_config <\/span><\/em>:\u00c2\u00a0Server URL for fetching the config file
\n<\/span>url_compip<\/span><\/em> :\u00c2\u00a0Server URL for reporting the victim
\n<\/span>encryption_key<\/span><\/em> :\u00c2\u00a0Encryption key to encrypt config file
\n<\/span>url_loader <\/span><\/em>:\u00c2\u00a0URL for fetching latest version of the zeus.exe
\n<\/span>url_server <\/span><\/em>:\u00c2\u00a0Command and control server
\n<\/span>file_webinjects<\/span><\/em>:\u00c2\u00a0This parameter is the file name containing HTML web injection code.
\n<\/span>AdvancedConfigs <\/span><\/em>:\u00c2\u00a0URL for fetching the backup config file
\n<\/span>WebFilters <\/span><\/em>:\u00c2\u00a0Contains the masked list of URLs that should be monitored for capturing login\u00c2\u00a0credentials.
\n<\/span>WebDataFilters<\/span><\/em>: Contains the list of URLs that should be monitored for specific string matches. If patterns such as “Passw” or “login” is matched, data is captured and sent to C&C server, e.g.,\u00c2\u00a0http:\/\/mail.rambler.ru\/*” “passw;login”
\n<\/span>WebFakes<\/span><\/em>: URLs that should be redirected to the fake websites<\/span><\/span><\/p>\n

TANGrabber:<\/em><\/p>\n

\n
TAN (Transaction Authentication Number) Grabber is a Zeus feature that allows the bot master to specify the banking sites to monitor and the specific patters to search for in the transaction data posted to the bank websites. Zeus will match these specified data patterns, capture them, and post them on the C&C server. The Bot master can enter other banking sites here and Zeus will add them in the final encrypted configuration file when the \u201cBuild config” button is clicked.<\/div>\n
I entered the fake banking URL in the config file below, marked in Red, <\/span><\/span>just to check its presence when the encrypted configuration file is built.<\/div>\n<\/div>\n

Step 2) Building an encrypted configuration file<\/p>\n

Let\u2019s have a look what happens when we press the \u201cBuild config\u201d\u009d button. The toolkit will build the final encrypted configuration file with an option to save it. This configuration file is then uploaded by the bot master on the C&C server.<\/p>\n

Step 3) Building the bot executable<\/p>\n

The bot master can build the Zeus executable with the \u201cBuild loader\u201d\u009d button option.<\/p>\n

Zeus Network Communications<\/p>\n

When the bot is executed in a virtual machine, initially it communicates over HTTP and sends a GET request to the command and control server to retrieve the configuration file. The server replies with the requested configuration file. This request is made repeatedly on the basis of the timer value configured in the configuration file.<\/p>\n

The bot sends the information of the infected computer to the control server according to the \u201curl_server\u201d\u009d parameter specified in the configuration file.<\/p>\n

One interesting observation<\/strong><\/h2>\n

Upon closer analysis of the Zeus network communications, we have come across an interesting similarity between the GET response from the server and the next POST request sent by the bot.<\/p>\n

As observed above, we see this similarity in the initial part of the GET response from the server and the POST request from the bot, starting at the third byte after the HTTP header ends. We have made similar observations with the older versions of the Zeus bot. This consistent trait is something we can use to implement generic detection for this bot on a network gateway!<\/p>\n

HTML injection on SSL-secured banking transactions<\/span><\/strong><\/p>\n

As banking websites evolved, they have added an extra layer of security to mitigate keystroke-logging attacks. On the other hand, continuously evolving malwares have also come out with new techniques to bypass these security measures and steal login credentials. Password-stealing botnets such as Zeus now use HTML code-injection techniques, whereby a bot on the infected computer injects HTML code into the legitimate web pages of the banking site to request additional personal information not required during the transactions. This lures the users into inputting more credentials than required. They are captured by the bot and posted to the Zeus bot masters command and control server.<\/p>\n

This shows even forms that are supposed to be HTTPS encrypted can be manipulated by a bot to entice the user into typing arbitrary amounts of personal information, which can be captured (using key logging) and sent off to the C&C master.<\/p>\n

Heuristic detection for web injection<\/strong> activity<\/strong>:<\/h2>\n

Another technique that can be used is detecting the difference in the HTML form fields.\u00c2\u00a0 The idea is to detect the change in the number of HTML form fields while accessing the banking site and when the data is posted on the server. This can be detected on the Network gateway. In the case of Zeus, as the banking sites are accessed over HTTPS, the perimeter device needs to be armed with SSL man-in-the-middle functionality to detect this form of network traffic.<\/p>\n

Intercepting mouse clicks and capturing virtual keyboard screenshots<\/span><\/strong><\/h2>\n

Banking websites have come up with the virtual keyboard technique to mitigate the keystroke-logging attacks. Zeus counterattacks this security feature by capturing the screenshots on each mouse click. Each click will be intercepted and a screenshot captured that will be sent to the drop server which is then combined sequentially to extract the entered password as shown below.<\/p>\n

Analysis of the decrypted configuration file<\/span><\/strong><\/h2>\n

Once a machine is infected with the Zeus bot, you can use the Zeus decoder tool available here<\/a> to decrypt the encrypted config file.<\/p>\n

Let\u2018s take a look at the decrypted config file. We see the HTML injection code that this bot has added into it.<\/p>\n

http:\/\/172.16.230.183\/bt.exe<\/p>\n

http:\/\/172.16.230.183\/gate.php<\/p>\n

!*.microsoft.com\/*<\/p>\n

!http:\/\/*myspace.com*<\/p>\n

https:\/\/www.gruposantander.es\/*<\/p>\n

!http:\/\/*odnoklassniki.ru\/*<\/p>\n

!http:\/\/vkontakte.ru\/*<\/p>\n

@*\/login.osmp.ru\/*<\/p>\n

@*\/atl.osmp.ru\/*<\/p>\n

https:\/\/banking.*.de\/cgi\/ueberweisung.cgi\/*<\/p>\n

*&tid=*<\/p>\n

*&betrag=*<\/p>\n

https:\/\/internetbanking.gad.de\/banking\/*<\/p>\n

KktNrTanEnz<\/p>\n

https:\/\/www.citibank.de\/*\/jba\/mp#\/SubmitRecap.do<\/p>\n

SYNC_TOKEN=*<\/p>\n

https:\/\/www.mybank.com\/loginform.as<\/span><\/span>p<\/span><\/p>\n

(Fake banking URL that I added while building the config file.)<\/p>\n

HTML injection code in the config file:<\/strong><\/h2>\n

Following is the abbreviated list of banking sites targeted by this bot; it’s found in the decrypted configuration file.<\/p>\n

https:\/\/online.wellsfargo.com\/signon*<\/p>\n

https:\/\/www.paypal.com\/*\/webscr?cmd=_account<\/p>\n

https:\/\/www.paypal.com\/*\/webscr?cmd=_login-done*<\/p>\n

https:\/\/www#.usbank.com\/internetBanking\/LoginRouter<\/p>\n

https:\/\/easyweb*.tdcanadatrust.com\/servlet\/*FinancialSummaryServlet*<\/p>\n

https:\/\/www#.citizensbankonline.com\/*\/index-wait.jsp<\/p>\n

https:\/\/onlinebanking.nationalcity.com\/OLB\/secure\/AccountList.aspx<\/p>\n

https:\/\/www.suntrust.com\/portal\/server.pt*parentname=Login*<\/p>\n

https:\/\/www.53.com\/servlet\/efsonline\/index.html*<\/p>\n

https:\/\/web.da-us.citibank.com\/*BS_Id=MemberHomepage*<\/p>\n

https:\/\/onlineeast#.bankofamerica.com\/cgi-bin\/ias\/*\/GotoWelcome<\/p>\n

https:\/\/online.wamu.com\/Servicing\/Servicing.aspx?targetPage=AccountSummary<\/p>\n

https:\/\/onlinebanking#.wachovia.com\/myAccounts.aspx?referrer=authService<\/p>\n

https:\/\/resources.chase.com\/MyAccounts.aspx<\/p>\n

https:\/\/bancaonline.openbank.es\/servlet\/PProxy?*<\/p>\n

https:\/\/extranet.banesto.es\/*\/loginParticulares.htm<\/p>\n

https:\/\/banesnet.banesto.es\/*\/loginEmpresas.htm<\/p>\n

https:\/\/empresas.gruposantander.es\/WebEmpresas\/servlet\/webempresas.servlets.*<\/p>\n

https:\/\/www.gruposantander.es\/bog\/sbi*?ptns=acceso*<\/p>\n

https:\/\/www.bbvanetoffice.com\/local_bdno\/login_bbvanetoffice.html<\/p>\n

https:\/\/www.bancajaproximaempresas.com\/ControlEmpresas*<\/p>\n

https:\/\/www.citibank.de*<\/p>\n

https:\/\/probanking.procreditbank.bg\/main\/main.asp*<\/p>\n

https:\/\/ibank.internationalbanking.barclays.com\/logon\/icebapplication*<\/p>\n

https:\/\/ibank.barclays.co.uk\/olb\/x\/LoginMember.do<\/p>\n

https:\/\/online-offshore.lloydstsb.com\/customer.ibc<\/p>\n

https:\/\/online-business.lloydstsb.co.uk\/customer.ibc<\/p>\n

https:\/\/www.dab-bank.com*<\/p>\n

http:\/\/www.hsbc.co.uk\/1\/2\/personal\/internet-banking*<\/p>\n

https:\/\/www.nwolb.com\/Login.aspx*<\/p>\n

https:\/\/home.ybonline.co.uk\/login.html*<\/p>\n

https:\/\/home.cbonline.co.uk\/login.html*<\/p>\n

https:\/\/welcome27.co-operativebank.co.uk\/CBIBSWeb\/start.do<\/p>\n

https:\/\/welcome23.smile.co.uk\/SmileWeb\/start.do<\/p>\n

https:\/\/www.halifax-online.co.uk\/_mem_bin\/formslogin.asp*<\/p>\n

\n

https:\/\/www2.bancopopular.es\/AppBPE\/servlet\/servin*<\/p>\n

https:\/\/www.bancoherrero.com\/es\/*<\/p>\n

https:\/\/pastornetparticulares.bancopastor.es\/SrPd*<\/p>\n

https:\/\/intelvia.cajamurcia.es\/2043\/entrada\/01entradaencrip.htm<\/p>\n

https:\/\/www.caja-granada.es\/cgi-bin\/INclient_2031<\/p>\n

https:\/\/www.fibancmediolanum.es\/BasePage.aspx*<\/p>\n

https:\/\/carnet.cajarioja.es\/banca3\/tx0011\/0011.jsp<\/p>\n

https:\/\/www.cajalaboral.com\/home\/acceso.asp<\/p>\n

https:\/\/www.cajasoldirecto.es\/2106\/*<\/p>\n

https:\/\/www.clavenet.net\/cgi-bin\/INclient_7054<\/p>\n

https:\/\/www.cajavital.es\/Appserver\/vitalnet*<\/p>\n

https:\/\/banca.cajaen.es\/Jaen\/INclient.jsp<\/p>\n

https:\/\/www.cajadeavila.es\/cgi-bin\/INclient_6094<\/p>\n

https:\/\/www.caixatarragona.es\/esp\/sec_1\/oficinacodigo.jsp<\/p>\n

http:\/\/caixasabadell.net\/banca2\/tx0011\/0011.jsp<\/p>\n

https:\/\/www.caixaontinyent.es\/cgi-bin\/INclient_2045<\/p>\n

https:\/\/www.caixalaietana.es\/cgi-bin\/INclient_2042<\/p>\n

https:\/\/www.cajacirculo.es\/ISMC\/Circulo\/acceso.jsp<\/p>\n

https:\/\/areasegura.banif.es\/bog\/bogbsn*<\/p>\n

https:\/\/www.bgnetplus.com\/niloinet\/login.jsp<\/p>\n

https:\/\/www.caixagirona.es\/cgi-bin\/INclient_2030*<\/p>\n

https:\/\/www.unicaja.es\/PortalServlet*<\/p>\n

https:\/\/www.sabadellatlantico.com\/es\/*<\/p>\n

https:\/\/oi.cajamadrid.es\/CajaMadrid\/oi\/pt_oi\/Login\/login<\/p>\n

https:\/\/www.cajabadajoz.es\/cgi-bin\/INclient_6010*<\/p>\n

https:\/\/extranet.banesto.es\/npage\/OtrosLogin\/LoginIBanesto.htm<\/p>\n

https:\/\/montevia.elmonte.es\/cgi-bin\/INclient_2098*<\/p>\n

https:\/\/www.cajacanarias.es\/cgi-bin\/INclient_6065<\/p>\n

https:\/\/oie.cajamadridempresas.es\/CajaMadrid\/oie\/pt_oie\/Login\/login_oie_1<\/p>\n

https:\/\/www.gruppocarige.it\/grps\/vbank\/jsp\/login.jsp<\/p>\n

https:\/\/bancopostaonline.poste.it\/bpol\/bancoposta\/formslogin.asp<\/p>\n

https:\/\/privati.internetbanking.bancaintesa.it\/sm\/login\/IN\/box_login.jsp<\/p>\n

https:\/\/hb.quiubi.it\/newSSO\/x11logon.htm<\/p>\n

https:\/\/www.iwbank.it\/private\/index_pub.jhtml*<\/p>\n

https:\/\/web.secservizi.it\/siteminderagent\/forms\/login.fcc<\/p>\n

https:\/\/www.isideonline.it\/relaxbanking\/sso.Login*<\/p>\n<\/div>\n

Botnet Command and Control<\/strong><\/span><\/div>\n

This toolkit comes with a control panel installation that is typically used to track the botnet infections. This is a PHP application that can be run on a web server along with the other required database software (MYSQL). It also enables the attacker to remotely control and send commands to the victims’ computers.<\/p>\n

I opened one of the scripts that came with this toolkit and I found the bot can be given the following commands:<\/p>\n

$_COMMANDS_LIST = array<\/p>\n

(<\/p>\n

‘reboo<\/span>t<\/span>‘<\/span> => ‘Reboot computer.’,<\/p>\n

‘<\/span>kos<\/span>‘ <\/span>=> ‘Kill OS.’,<\/p>\n

shutdown<\/span>‘ =>\u00c2\u00a0 ‘Shutdown computer.’,<\/p>\n

‘bc_add [service] [ip] [port]<\/span>‘ => ‘Add backconnect for [service] using server witn address [ip]:[port].’,<\/p>\n

‘bc_del [service] [ip] [port]’ <\/span>=> ‘Remove backconnect for [service] (mask is allowed) that use connection to [ip]:[port] (mask is allowed).’,<\/p>\n

‘block_url [url]<\/span>‘\u00c2\u00a0\u00c2\u00a0 => ‘Disable access to [url] (mask is allowed).’,<\/p>\n

‘unblock_url [url]’<\/span> => ‘Enable access to [url] (mask is allowed).’,<\/p>\n

‘block_fake [url]<\/span>‘\u00c2\u00a0\u00c2\u00a0 => ‘Disable executing of HTTP-fake\/inject with mask [url] (mask is allowed).’,<\/p>\n

‘unblock_fake [url]<\/span>‘ => ‘Enable executing of HTTP-fake\/inject with mask [url] (mask is allowed).’,<\/p>\n

‘rexec [url] [args]<\/span>‘\u00c2\u00a0\u00c2\u00a0 => ‘Download and execute the file [url] with the arguments [args] (optional).’,<\/p>\n

‘rexeci [url] [args]’ <\/span>=> ‘Download and execute the file [url] with the arguments [args] (optional) using interactive user.’,<\/p>\n

‘lexec [file] [args]’<\/span> => ‘Execute the local file [file] with the arguments [args] (optional).’,<\/p>\n

‘lexeci [file] [args]<\/span>‘ => ‘Execute the local file [file] with the arguments [args] (optional) using interactive user.’,<\/p>\n

‘addsf [file_mask…]’<\/span> => ‘Add file masks [file_mask] for local search.’,<\/p>\n

‘delsf [file_mask…]’ <\/span>=> ‘Remove file masks [file_mask] from local search.’,<\/p>\n

‘getfile [path]’<\/span> => ‘Upload file or folder [path] to server.’,<\/p>\n

‘getcerts’<\/span> => ‘Upload certificates from all stores to server.’,<\/p>\n

‘resetgrab’ <\/span>=> ‘Upload to server the information from the protected storage, cookies, etc.’,<\/p>\n

‘upcfg [url]’ <\/span>=> ‘Update configuration file from url [url] (optional, by default used standard url)’,<\/p>\n

‘rename_bot [name]<\/span>‘ => ‘Rename bot to [name].’,<\/p>\n

‘getmff’ <\/span>=> ‘Upload Macromedia Flash files to server.’,<\/p>\n

‘delmff’ <\/span>=> ‘Remove Macromedia Flash files.’,<\/p>\n

‘sethomepage [url]’ <\/span>=> ‘Set homepage [url] for Internet Explorer.’<\/p>\n

We found an interesting feature of this toolkit during the botnet building process: If the bot master accidently infects his own computer, he can remove the botnet with the \u201cRemove spyware from this system\u201d\u009d button. Too bad that command isn’t available to Zeus’ victims.<\/p>\n

 <\/p>\n","protected":false},"excerpt":{"rendered":"

The Zeus botnet has been in the wild since 2007 and it is among the top botnets active today. This…<\/p>\n","protected":false},"author":1088,"featured_media":102265,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[442],"tags":[],"coauthors":[786],"class_list":["post-5063","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-mcafee-labs"],"acf":[],"yoast_head":"\nZeus Crimeware Toolkit | McAfee Blog<\/title>\n<meta name=\"description\" content=\"The Zeus botnet has been in the wild since 2007 and it is among the top botnets active today. This bot has an amazing and rarely observed means of\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Zeus Crimeware Toolkit | McAfee Blog\" \/>\n<meta property=\"og:description\" content=\"The Zeus botnet has been in the wild since 2007 and it is among the top botnets active today. This bot has an amazing and rarely observed means of\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/zeus-crimeware-toolkit\/\" \/>\n<meta property=\"og:site_name\" content=\"McAfee Blog\" \/>\n<meta property=\"article:publisher\" content=\"https:\/\/www.facebook.com\/McAfee\/\" \/>\n<meta property=\"article:published_time\" content=\"2010-09-20T13:02:49+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-02-21T04:15:20+00:00\" \/>\n<meta property=\"og:image\" content=\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/06\/Glass-focused-on-virus-in-digital-code-illustration-659x500-1.jpg\" \/>\n\t<meta property=\"og:image:width\" content=\"659\" \/>\n\t<meta property=\"og:image:height\" content=\"500\" \/>\n\t<meta property=\"og:image:type\" content=\"image\/jpeg\" \/>\n<meta name=\"author\" content=\"Chintan Shah\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@McAfee\" \/>\n<meta name=\"twitter:site\" content=\"@McAfee\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Chintan Shah\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"11 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/zeus-crimeware-toolkit\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/zeus-crimeware-toolkit\/\"},\"author\":{\"name\":\"Chintan Shah\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/48a67aca4e443a833854424927b55569\"},\"headline\":\"Zeus Crimeware Toolkit\",\"datePublished\":\"2010-09-20T13:02:49+00:00\",\"dateModified\":\"2024-02-21T04:15:20+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/zeus-crimeware-toolkit\/\"},\"wordCount\":2151,\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/zeus-crimeware-toolkit\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/06\/Glass-focused-on-virus-in-digital-code-illustration-659x500-1.jpg\",\"articleSection\":[\"McAfee Labs\"],\"inLanguage\":\"en-US\"},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/zeus-crimeware-toolkit\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/zeus-crimeware-toolkit\/\",\"name\":\"Zeus Crimeware Toolkit | McAfee Blog\",\"isPartOf\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\"},\"primaryImageOfPage\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/zeus-crimeware-toolkit\/#primaryimage\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/zeus-crimeware-toolkit\/#primaryimage\"},\"thumbnailUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/06\/Glass-focused-on-virus-in-digital-code-illustration-659x500-1.jpg\",\"datePublished\":\"2010-09-20T13:02:49+00:00\",\"dateModified\":\"2024-02-21T04:15:20+00:00\",\"description\":\"The Zeus botnet has been in the wild since 2007 and it is among the top botnets active today. This bot has an amazing and rarely observed means of\",\"breadcrumb\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/zeus-crimeware-toolkit\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/zeus-crimeware-toolkit\/\"]}]},{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/zeus-crimeware-toolkit\/#primaryimage\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/06\/Glass-focused-on-virus-in-digital-code-illustration-659x500-1.jpg\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/06\/Glass-focused-on-virus-in-digital-code-illustration-659x500-1.jpg\",\"width\":659,\"height\":500,\"caption\":\"virus scan\"},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/zeus-crimeware-toolkit\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Blog\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Other Blogs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"McAfee Labs\",\"item\":\"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/\"},{\"@type\":\"ListItem\",\"position\":4,\"name\":\"Zeus Crimeware Toolkit\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#website\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"name\":\"McAfee Blog\",\"description\":\"Internet Security News\",\"publisher\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#organization\",\"name\":\"McAfee\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png\",\"width\":1286,\"height\":336,\"caption\":\"McAfee\"},\"image\":{\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/McAfee\/\",\"https:\/\/x.com\/McAfee\",\"https:\/\/www.linkedin.com\/company\/mcafee\/\",\"https:\/\/www.youtube.com\/McAfee\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/48a67aca4e443a833854424927b55569\",\"name\":\"Chintan Shah\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/4bd41c8738b3a7e04f993101170b3377\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/09\/Chintan-Shah-96x96.jpg\",\"contentUrl\":\"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/09\/Chintan-Shah-96x96.jpg\",\"caption\":\"Chintan Shah\"},\"description\":\"Chintan Shah is currently working as a Security Researcher with McAfee Intrusion Prevention System team and holds broad experience in the network security industry. He primarily focuses on Exploit and vulnerability research, building Threat Intelligence frameworks, Reverse engineering techniques and malware analysis. Chintan had researched and uncovered multiple targeted and espionage attacks in the past blogging about them. His interests lies in software fuzzing for vulnerability discovery, analyzing exploits, malwares and translating to product improvement.\",\"url\":\"https:\/\/www.mcafee.com\/blogs\/author\/chintan-shah\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Zeus Crimeware Toolkit | McAfee Blog","description":"The Zeus botnet has been in the wild since 2007 and it is among the top botnets active today. This bot has an amazing and rarely observed means of","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"og_locale":"en_US","og_type":"article","og_title":"Zeus Crimeware Toolkit | McAfee Blog","og_description":"The Zeus botnet has been in the wild since 2007 and it is among the top botnets active today. This bot has an amazing and rarely observed means of","og_url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/zeus-crimeware-toolkit\/","og_site_name":"McAfee Blog","article_publisher":"https:\/\/www.facebook.com\/McAfee\/","article_published_time":"2010-09-20T13:02:49+00:00","article_modified_time":"2024-02-21T04:15:20+00:00","og_image":[{"width":659,"height":500,"url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/06\/Glass-focused-on-virus-in-digital-code-illustration-659x500-1.jpg","type":"image\/jpeg"}],"author":"Chintan Shah","twitter_card":"summary_large_image","twitter_creator":"@McAfee","twitter_site":"@McAfee","twitter_misc":{"Written by":"Chintan Shah","Est. reading time":"11 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/zeus-crimeware-toolkit\/#article","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/zeus-crimeware-toolkit\/"},"author":{"name":"Chintan Shah","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/48a67aca4e443a833854424927b55569"},"headline":"Zeus Crimeware Toolkit","datePublished":"2010-09-20T13:02:49+00:00","dateModified":"2024-02-21T04:15:20+00:00","mainEntityOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/zeus-crimeware-toolkit\/"},"wordCount":2151,"publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/zeus-crimeware-toolkit\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/06\/Glass-focused-on-virus-in-digital-code-illustration-659x500-1.jpg","articleSection":["McAfee Labs"],"inLanguage":"en-US"},{"@type":"WebPage","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/zeus-crimeware-toolkit\/","url":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/zeus-crimeware-toolkit\/","name":"Zeus Crimeware Toolkit | McAfee Blog","isPartOf":{"@id":"https:\/\/www.mcafee.com\/blogs\/#website"},"primaryImageOfPage":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/zeus-crimeware-toolkit\/#primaryimage"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/zeus-crimeware-toolkit\/#primaryimage"},"thumbnailUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/06\/Glass-focused-on-virus-in-digital-code-illustration-659x500-1.jpg","datePublished":"2010-09-20T13:02:49+00:00","dateModified":"2024-02-21T04:15:20+00:00","description":"The Zeus botnet has been in the wild since 2007 and it is among the top botnets active today. This bot has an amazing and rarely observed means of","breadcrumb":{"@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/zeus-crimeware-toolkit\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/zeus-crimeware-toolkit\/"]}]},{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/zeus-crimeware-toolkit\/#primaryimage","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/06\/Glass-focused-on-virus-in-digital-code-illustration-659x500-1.jpg","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2020\/06\/Glass-focused-on-virus-in-digital-code-illustration-659x500-1.jpg","width":659,"height":500,"caption":"virus scan"},{"@type":"BreadcrumbList","@id":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/zeus-crimeware-toolkit\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Blog","item":"https:\/\/www.mcafee.com\/blogs\/"},{"@type":"ListItem","position":2,"name":"Other Blogs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/"},{"@type":"ListItem","position":3,"name":"McAfee Labs","item":"https:\/\/www.mcafee.com\/blogs\/other-blogs\/mcafee-labs\/"},{"@type":"ListItem","position":4,"name":"Zeus Crimeware Toolkit"}]},{"@type":"WebSite","@id":"https:\/\/www.mcafee.com\/blogs\/#website","url":"https:\/\/www.mcafee.com\/blogs\/","name":"McAfee Blog","description":"Internet Security News","publisher":{"@id":"https:\/\/www.mcafee.com\/blogs\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.mcafee.com\/blogs\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/www.mcafee.com\/blogs\/#organization","name":"McAfee","url":"https:\/\/www.mcafee.com\/blogs\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2023\/02\/mcafee-logo.png","width":1286,"height":336,"caption":"McAfee"},"image":{"@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/www.facebook.com\/McAfee\/","https:\/\/x.com\/McAfee","https:\/\/www.linkedin.com\/company\/mcafee\/","https:\/\/www.youtube.com\/McAfee"]},{"@type":"Person","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/48a67aca4e443a833854424927b55569","name":"Chintan Shah","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/www.mcafee.com\/blogs\/#\/schema\/person\/image\/4bd41c8738b3a7e04f993101170b3377","url":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/09\/Chintan-Shah-96x96.jpg","contentUrl":"https:\/\/www.mcafee.com\/blogs\/wp-content\/uploads\/2019\/09\/Chintan-Shah-96x96.jpg","caption":"Chintan Shah"},"description":"Chintan Shah is currently working as a Security Researcher with McAfee Intrusion Prevention System team and holds broad experience in the network security industry. He primarily focuses on Exploit and vulnerability research, building Threat Intelligence frameworks, Reverse engineering techniques and malware analysis. Chintan had researched and uncovered multiple targeted and espionage attacks in the past blogging about them. His interests lies in software fuzzing for vulnerability discovery, analyzing exploits, malwares and translating to product improvement.","url":"https:\/\/www.mcafee.com\/blogs\/author\/chintan-shah\/"}]}},"_links":{"self":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/5063","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/users\/1088"}],"replies":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/comments?post=5063"}],"version-history":[{"count":1,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/5063\/revisions"}],"predecessor-version":[{"id":183401,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/posts\/5063\/revisions\/183401"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media\/102265"}],"wp:attachment":[{"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/media?parent=5063"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/categories?post=5063"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/tags?post=5063"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/www.mcafee.com\/blogs\/wp-json\/wp\/v2\/coauthors?post=5063"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}