This is the third blog in this series. The prior blogs describe how the cyber gang managed to gain access to many users’ machines using the Blackhole Exploit Kit.

“Catch Me If You Can” Trojan Banker Zeus Strikes Again (Part 2 of 5)

In this blog we will discuss the Smoke Loader bot controller that was used to control the infected machines. We will examine its capabilities and show the importance of the bot controller as part of the entire cybercrime attack.

The Smoke Loader Bot Controller

Smoke Loader is a new bot controller that manages a user’s compromised PC. The developer of Smoke Loader offers several capabilities according to the user guide (translated from Russian):

- Sequentially load up to 10 different EXEs and launch them
- Geo-targeting (install for specific countries only)
- Ability to load files via URL
- Auto-start and covert operation (camouflage as a trusted process)
- Detailed stats in admin on the number of installs and launches
- Bot auto-update through the admin panel (locally and remotely)
- Bot loss prevention in case the domain is blocked
- Small loader size ~ 6-12 KB
- A “seller’s” version of the builder can be used (more precise stats)
- “Guest” access to the stats
- Easy to encrypt (no additional dlls, overlays, etc.)

The bot also collects users’ personal data from FTP clients, browsers, instants messaging, poker clients and mail clients:

Pricing (WMZ – Web Money):

- Loader only (non-resident version) – 150 WMZ
- Loader only (resident version) – 250 WMZ
- Grabber LITE – 100 WMZ **
- Grabber FULL – 150 WMZ **
- SOCKS-module – 50 WMZ (no back-connect) **
- Loader rebuild – 10 WMZ
- Updates: small fixes – free, others are agreed upon separately
- Custom grabber can be made for your needs

Once the malware is installed on a victim’s system, it communicates with its Command and Control Server. The manager of this scam collaborates with several cybercriminals who spread malware using their own unique methods. The bot reports the geographic location of the compromised machine to the Smoke Loader server.

Figure 1: Smoke loader statistics control panel

To minimize the risk of detection, the Zeus Trojan is distributed only to infected systems located in the U.K.
-    “Online Countries” indicates concurrent online bots, along with the country
-    “Loads” indicates the summary of bots that download the Trojan (Zeus)
-    “Runs” indicates the summary of bots that reported a successful execution

Using the control panel of Smoke Loader, the administrator sends the bots updated malware from time to time:

Figure 2: Smoke Loader executable management control panel

The screenshot above describes the capabilities of the Smoke Loader administrator to send the exact malware (Zeus Trojan) to the specific target PCs.

In the next blog and the most interesting one in the series, we will show how the cyber gang makes money of the infected machines. We will expose the art of the Trojan Bank operation end to end.