The Citadel Zeus bot is under active development, and its coder Aquabox has released the new version 1.3.3.
The author's post below is copied directly from the underground forum and translated into English for your convenience. Thanks to @Sherb1n.
Citadel v1.3.3.0 Spring Edition!
It's springtime, a time when everything changes and functionality goes into full bloom. Pimp out your ride for the summer!
Our product has become quite unique, so we're going to give an overview of all the features you can start using right away to get even more profit out of the new version:
1) Admin control panel has a new section, "Performance and Security", which has been integrated with the scan4you service; now you can run AV detection checks for all of your exe builds with a single click, right from the Citadel control panel. You can also set up automated daily scans, so that if one of your files gets burned by more than 3 AVs, you'll receive an instant Jabber notification and will be able to replace the exe right away. Now that this task is automated, you can feel free to be lazy!
2) Some customers complained that only 40% of their bots were getting updated to the new exe versions, while the rest were failing to update for an unknown reason. Indeed, that turned out to be a bug from the old ZeuS times; we did some research and fixed it. Now the config has a new parameter, timer_autoupdate 8, which sets how often (in hours) the bot will download and restart the exe from the server (the RC4 key should match). 80% of bots are now successfully updating; go ahead, encrypt and re-upload your exe. With the uptime improved by 37.1%, your bots will have the freshest and cleanest builds.
3) Server reporting system has been rewritten. In previous versions, every report generated a separate POST request to the gate; in the new schema, reports are sent in batches. This reduces the number of open sessions and minimizes the server load, allowing the server to support a larger number of bots online.
4) The video recording format has been changed to .webm (HTML5); an online video player has been built into the Citadel control panel, and now you can watch the videos right in your browser (Opera is recommended). Features: rewind/fast-forward, full-screen, and search for videos by BotID, IP address and date.
But that's not all; we didn't stop there: many of you are using AT (and it's about time everyone else started using it to develop this industry collectively), and personal admin servers for your injects/account collections, etc. Wouldn't you like to watch videos of how well your auto-transfers and injections work, right from your admin panel on that server? That's easy! We've created an API system for this: just send your BotID or IP address to the script, and the API will send back an HTML embed code for all the videos uploaded by that bot. You can embed and watch this video wherever you want, even on narod.ru, without having to visit the Citadel server.
5) An improved system command (CMDList) analyzer/parser has been added to the admin panel. Now you can use the new table layout to view the output of system commands like ipconfig, the list of machines on the local network, the list of running processes, etc.
6) Now, upon installation, the bot will automatically send to the server a one-time report with the following information: installed firewalls, installed AV products, installed programs.
This information can be viewed for each bot separately, or for the entire botnet. We've created a new admin panel section where you can see all these stats, visual graphs and calculations. Now you know who you're up against.
7) "Favorite logs" - this new feature allows you to mark any account (or report) of interest when searching for data in admin; the accounts will be highlighted, and you can easily find them later.
8) A new "CardSwipe" module has been developed. It can grab card numbers and dumps out of HTTPS/WinSocket traffic and send them as a separate report.
The module uses the LUHN10 algorithm to analyze traffic. Margin of error: 25%.
Price: $250 LR.
9) Injects are now compatible with UTF-8, and can be customized for any language (Japanese, Chinese, etc.).
10) Want to find new clients or business partners in your line of work? Consider placing your banner ad with the Citadel CRM.
Number of ad spaces: only 3 (234x60), two are still available; we only accept ads for relevant vendors and services (installs, encryption, traffic, etc., business partner search). Contact support through Jabber for a price quote.
As always, this update is free for our current clients. Place your requests through Jabber or CRM. (The update kits will be delivered on March 15, at 11:30PM).
New clients will receive a discount when buying the full package!
Citadel V 1.1
http://cyb3rsleuth.blogspot.co.uk/2012/01/citadel-zeus-bot.html
"A sneak peek view in to the world of Cybercriminals". Tracking Malware, Exploit Kits, Spam, Affiliates, Carding and Espionage
Monday, 19 March 2012
Friday, 2 March 2012
Chinese Threat Actor Part 3
Sin Digoo Identified
Another email mentioned in Joe's blog was jeno_1980@hotmail.com, which is linked to xxgchappy@vip.sina.com.
Espionage Domains
Malware reported on umu1.echosky.biz
Malware reported on www.dellpc.us - December 2007
BlackHat Domains
Archive on socialup.net reveals ICQ info of Jeno aka Tawnya aka xxgchappy
http://web.archive.org/web/20100106025256/http://www.socialup.net/contacts.php
ICQ 567950703
The ICQ search leads to a blackhatworld profile with the handle "xxgchappy" and a domain, makewithmoney.com
Domain name: makewithmoney.com
Creation date: 18 Nov 2009 02:17:06
Expiration date: 18 Nov 2010 02:17:06
Registrant Contact:
personal
eric charles ()
Santa Cruz 1156 High Street
california, california 95064
US
Administrative Contact:
personal
eric charles (jeno_1980@hotmail.com)
+1.831459019
Fax: +1.831459019
Santa Cruz 1156 High Street
california, california 95064
US
Twitter
https://twitter.com/leedoctor
http://www.blackhatworld.com/blackhat-seo/members/73099-xxgchappy.html
http://www.v7n.com/forums/social-networking/161752-wts-cheap-digg-service-0-1-per-digg.html
Jeno promoted his socialup.net in Chinese forums.
The profile mentions www.hnsj.org as his website.
Whois record of hnsj.org
Domain ID:D155737903-LROR
Domain Name:HNSJ.ORG
Created On:27-Mar-2009 10:10:58 UTC
Last Updated On:04-Apr-2010 05:17:20 UTC
Expiration Date:27-Mar-2011 10:10:58 UTC
Sponsoring Registrar:eNom, Inc. (R39-LROR)
Status:OK
Registrant ID:f1f613654acc4737
Registrant Name:eric charles
Registrant Organization:personal
Registrant Street1:Santa Cruz 1156 High Street
Registrant City:california
Registrant State/Province:State
Registrant Postal Code:95064
Registrant Country:YE
Registrant Phone:+1.831459019
Registrant FAX:+1.831459019
Registrant Email:jeno_1980@hotmail.com
A search on hnsj.org revealed some interesting information. The domain is related to mobile phone sales, and the name of the company is Henan Mobile Network.
Personal Domains
Archive
http://web.archive.org/web/20100109050932/http://www.hnsj.org/article.php?id=4
QQ number 55356626 is posted as the contact on HNSJ.ORG.
xxgchappy promoted hnsj.org on his Baidu blog:
http://hi.baidu.com/%BA%D3%C4%CF%CA%D6%BB%FA%CD%F8/home
His Baidu profile mentions further details:
http://passport.baidu.com/?business&aid=6&un=xxgchappy#0
A further search reveals other QQ and phone contacts:
http://bbs.shangdu.com/t/20080831/01004001126/126-1.htm
2008 post (translated from Chinese):
慧慧数码旗舰店 (Huihui Digital Flagship Store)
http://shop36037986.taobao.com (the shop doesn't exist now)
Specialising in all kinds of smartphones
Well-known Taobao shop, diamond reputation, hot sales nationwide
Guaranteed original; if not original, 50 compensation for distress and a full refund.
Buynow (百脑汇) mall, 2nd floor, 2B16
QQ: 55356626
Wangwang: 慧慧数码旗舰店
13949001667
Our expertise is worthy of your trust.
Phone number 13949001667 (a mobile GSM card) belongs to Zhengzhou City, Henan Province, and the name mentioned here is Zhang:
http://www.hahait.com/h41328
Company Name: Henan phone network
Tel: 0371-66900779
Company Address: Longhai Road, No. 188 Central Plains Communications Digital City A420
Contact: Mr. Zhang
Company QQ: 878972156, 390363752, 55356626
Website: http://www.hahait.com/41328
Scope of business: Phone Samsung LG Nokia
QQ 878972156
QQ 390363752
QQ 55356626
The QQ number is linked to a post on a car forum dated 2005:
http://www.xcar.com.cn/bbs/viewthread.php?tid=6300657
http://www.xcar.com.cn/bbs/viewthread.php?tid=1576356
Xcar ID: Jeno
Car: Little Lion (小狮子) 1.6 XMT
Licence plate: 豫ADB922
Mobile number: 13513899779
Whois Record - XIUXING.INFO
Domain ID:D13719670-LRMS
Domain Name:XIUXING.INFO
Created On:09-Jun-2006 06:16:29 UTC
Last Updated On:29-May-2007 01:13:12 UTC
Expiration Date:09-Jun-2009 06:16:29 UTC
Sponsoring Registrar:eNom, Inc. (R126-LRMS)
Status:OK
Registrant ID:49A2353365A0954B
Registrant Name:tawnya grilth
Registrant Organization:i-tobuy.com
Registrant Street1:po box 211
Registrant City:sin digoo
Registrant State/Province:ca
Registrant Postal Code:92101
Registrant Country:US
Registrant Phone:+1.818926523
Registrant Email:jeno_1980@hotmail.com
xiuxing.info is a forum related to Buddhism.
Jeno mentions his Buddhism website on his profile, along with the same QQ number used on HNSJ.org.
Tawnya Grilth aka Eric Charles aka xxgchappy aka Jeno aka undercurrent
Personal Details
QQ number 55356626 profile
The personal email "xxgchappy@vip.sina.com" is also mentioned on a shellcode article written by Jeno at Xfocus, a famous Chinese hacking forum, dated 2003.
Reposted from: http://www.xfocus.net
Created: 2003-08-31
Article type: original
Submitted by: jeno (xxgchappy_at_vip.sina.com)
Author: jeno
Email: jeno@vip.371.net
Time: 2003-8-31
Xfocus Profile
https://www.xfocus.net/bbs/index.php?lang=cn&act=Profile&do=03&MID=35525
DOB 1980-10-1
The name Jeno and the DOB 1980 make up the email Jeno_1980@hotmail.com, which is used as the registrant email.
Kaixin001 Chinese Social Network
xxgchappy@vip.sina.com is the registrant email on the Chinese social network Kaixin001.
http://www.kaixin001.com/home/17206761.html
Personal details mentioned on the Kaixin profile:
Name - 张长河 Zhang Chang-he
Living in Zhengzhou, Henan Province, China.
QQ number 55356626 leads to a personal blog revealing his picture:
http://55356626.qzone.qq.com
Conclusion
Jeno registered all the domains associated with the espionage, and considering his Xfocus and rootkit.com profiles we can zero in on Jeno, or he is in some way associated with the group.
Update 16 Feb 2013
http://www.businessweek.com/articles/2013-02-14/a-chinese-hackers-identity-unmasked
Journals published by Zhang Chang-he (2005-2011)
http://www.cnki.net/KCMS/detail/search.aspx?dbcode=CJFQ&sfield=au&skey=%E5%BC%A0%E9%95%BF%E6%B2%B3&code=22840348;20139954;21141875;
Windows Rootkit
http://www.cnki.net/KCMS/detail/detail.aspx?QueryID=5&CurRec=2&recid=&filename=XXGC200702023&dbname=cjfd2007&dbcode=CJFQ&pr=&urlid=&yx=
http://www.docin.com/p-49869286.html
Analysis of Windows Startup
http://www.cnki.net/kcms/detail/detail.aspx?filename=XXGC200903027&dbcode=CJFQ&dbname=CJFD2009
http://www.docin.com/p-253321277.html
Security Analysis of PCI device
http://www.docin.com/p-279253540.html
Capturing File Transferred or Printed Based on SMB in LAN
http://www.cnki.net/kcms/detail/detail.aspx?filename=WJSJ200606039&dbcode=CJFQ&dbname=cjfd2006