Zeus toolkit with “ghost” panel for better evasion
The last version of the Zeus builder before author Monstr/Slavik gave up its source code to the author of the SpyEye toolkit is 18.104.22.168, and it’s still being offered on the online black market by resellers.
This last version has some improved and some new features when compared with the previous one, such as support for almost all Windows versions, an injection module for Firefox, multi-user session infection, etc.
According to Trend Micro researchers, the control panel has remained practically the same. However, there is a curious version of the toolkit being sold underground that has a completely different one.
Named the “Ghost” panel by its authors, it supposedly has two features: it uses unusual file and folder names to remain hidden from automated analysis tools and from researchers who search for it in the usual places, and it blocks the IP addresses of malware-monitoring sites such as ZeuS Tracker when they try to access the Web panel, using a configurable script located in the .htaccess file.
Apart from that, the panel offers other advantages, such as PHP scripts optimized for smaller file sizes (to make their upload to hosting sites easier), “No-Sh*t” filtering that allows only financial information to be stored (perfect for carders), and easy, automatic updating of the configuration file.