you're reading...
Hacking / Counter Intelligence

Taking Down Zemra – Introduction

The Zemra DDoS Bot is currently sold in various forums for ~$125USD. It is detected by up to date Symantec definitions as Backdoor.Zemra. Zemra first appeared on underground forums in May 2012. It comes on to the scene behind a laundry list of other tools such as Zeus and SpyEye.

The package itself is not very sophisticated compared to other bots. The dashboard is basic PHP with multiple vulnerabilities. The bot is reliant on the .NET Framework and obfuscates through a classic file manipulation vector.

Zemra Layout

Zemra uses a simple panel with an overview of all statistics is needed. With the help of two graphs can be seen operating machinery and the region location.In addition, statistics on online and for more information. You have a chance to see everything online Socks5 and export them to the list. Traffic is encrypted and protected using the algorithm AES, each client communicates with a unique generated key.

Below is a snip of source code from gate.php, the file that the bots post data to, for communication.

	/* Copyright © 2012 by Chrystal */
	if($_SERVER['REQUEST_METHOD'] !== 'POST') { die(); }
	require_once ('system/global.php');
	$Data = file_get_contents('php://input');	
	if (empty($_SESSION['KEY']))
		$_SESSION['KEY'] = $Base->VisualDecrypt(rtrim(substr($Data, 46, 110)));
		if (isset($_SESSION['KEY']))
			SendReply(MESSAGE_INFO_SUCCESS, null);

Zemra Package Features

  • Intuitive control panel
  • DDos (HTTP / SYN Flood / UDP)
  • Loader (Load and run)
  • Cheat visits (visits to the page views)
  • USB Spread (spread through flash drives)
  • Socks5 (picks up socks proxy on the infected machine)
  • Update (Updates the bot)
  • [color = red] The process can not be completed because the He is critical.
  • 256 Bit AES encryption of traffic from the bot to the server
  • Anti-Debugger
  • There is a choice of a particular country bots perform the job
  • Zemra Usage

    Zemra DDoS capabilities

    After inspecting the source code, symantec identifies that two types of DDoS attacks that have been implemented into this bot:

    • HTTP flood
    • SYN flood

About Pythorian

Exploration and Production oriented security consultant for securing IT infrastructures relating to natural resources.


No comments yet.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s

%d bloggers like this: