Remote timing attack exploit against most Zeus/Zbot variants including Citadel, Ice9, Zeus 2.3, KINS/ZeusVM etc..
Zend
AES.class.php
Encryption.class.php
README.md
Repository.class.php
Zeus.class.php
zeus_rc4_algo_brute.php
zeus_reports_dirlen.php


zeus_reports_len

This exploit is a remote timing attack against Zeus C&C servers. It lets the attacker determine the length, in characters, of the reports directory name by carefully measuring the server's response time. The associated blog post: http://www.kerneronsec.com/2015/10/timing-attack-vulnerability-in-most.html

Rotem Kerner

What's in the box?

  • zeus_reports_dirlen.php - the actual remote timing attack exploit, which reveals the length of the reports directory name
  • zeus_rc4_algo_brute.php - as the name suggests, given the correct encryption key, this tool brute-forces the RC4 algorithm variant in use, provided the matching cipher is present in its repository
  • Zeus.class.php - a generic Zeus client class able to communicate with most Zeus variants
  • Encryption.class.php - the cipher repository class; contains the different variants of the encryption ciphers used in Zeus

TODO

  • optimize the sampling stage
  • optimize the "measurable interval test"
  • Threading
  • recode in python?