Project Report: Zeus Botnet

Abstract
Now a day, computer networks and communications systems have become the backbone
of all the businesses as well as play crucial role in fulfilling necessities of our daily life. Since we
are sharing cyberspace for our daily life, everyone needs a flexible and easily accessible but
reliable and secure cyber environment from business to personal life. Banking and e-commerce,
online shopping and entertainment are some of the requirement of our daily life that rely on
shared cyber space. Therefore, our personal data is scattered and placed on different location
within the cyber environment and there is always risk that someone can steal our confidential
data by gaining unauthorized access to system where our information is located. To prevent
unauthorized access to our confidential data and ensure its integrity, we need secure cyberspace.
Cybersecurity is not limited to advanced understanding of computer systems, data and
networking; it rather involves understanding the mathematics of cryptography, social philosophy
to understand business processes and organization theory as well. According to experts, security
issues and threats we face today for our cyber environment will drastically be different from
those we will face five years from now. Therefore, effective learning approach and adaptability
to new realities and quick understanding of their impacts makes a security expert more efficient.
Attackers/hackers use different methods to gain unauthorized access to data and exploit systems.
This report is based on a project to set up a botnet environment using Zeus botnet in
virtual network to learn the procedures and methods used to gain unauthorized access to
someone's confidential data or exploit their systems using someone else's computers while
concealing actual attacker's identity. By understanding these processes, we can develop effective
methods and approach to ensure security of our systems. This report explains all the concepts
and practical worked involved to accomplish the desired. To explain concepts and further details,
information has been gathered from some books, internet resources and class lectures and
wherever it draws on the work of others, such sources are clearly acknowledged

Project Report: Zeus Botnet

Table of Contents
Abstract.......................................................................................................................................- 2 1.0. Introduction:.........................................................................................................................- 5 2.0. Cybersecurity:......................................................................................................................- 6 2.1. Complexities in Defense against Attacks:........................................................................- 6 3.0. Classes of Malicious Software:............................................................................................- 7 3.1. Virus:................................................................................................................................- 7 3.2. Worms:.............................................................................................................................- 7 3.3. Trojans:.............................................................................................................................- 7 3.4. Bots:.................................................................................................................................- 8 4.0. Botnet:..................................................................................................................................- 9 4.1. Uses of Botnets:...............................................................................................................- 9 4.2. Types of Bots:................................................................................................................- 10 4.3. Types of Botnets:............................................................................................................- 10 5.0. Zeus Botnet:.......................................................................................................................- 11 5.1. Overview of Zeus CNC control panel:...........................................................................- 11 5.2. Zeus bots activities:........................................................................................................- 12 5.2.1 Intercepting HTTP/HTTPS requests:.......................................................................- 13 5.2.2. Webpage injections:................................................................................................- 13 5.2.3 Gathering information from users programs:.........................................................- 14 5.2.4. Control panel scripts command:.............................................................................- 14 6.0. Requirements to create Zeus botnet:..................................................................................- 15 6.1 Zeus botnet files:.............................................................................................................- 15 7.0. Zeus botnet implementation:..............................................................................................- 16 7.1. Database configuration:.................................................................................................- 16 7.2. Configuration of Zeus builder:.......................................................................................- 17 7.3. Creating Trojan horse:....................................................................................................- 18 7.4. Gathering information from zombie machine:...............................................................- 18 7.4.1. Grabbing information from forms:.........................................................................- 19 7.4.2. Executing scripts:....................................................................................................- 22 2

Project Report: Zeus Botnet

8.0. Detecting and deleting Zeus bot:.......................................................................................- 23 8.1. Windows default programs behavior:............................................................................- 23 8.2. Malware detection software:..........................................................................................- 25 9.0. Summary:...........................................................................................................................- 26 References.................................................................................................................................- 27 -

Project Report: Zeus Botnet

1.0. Introduction:
Internet has become the essential requirement of human life and shared cyberspace is
used to interact with rest of the world. Therefore, incidents like stealing confidential data,
outages, virus/malware infection, hacking, etc. can gravely influence our lives. Opportunities to
exploit systems increase with the advent of newer technologies. Moreover, processing and
storage of confidential data on various different locations and transmitting it across multiple
networks needs more security measures and safeguard policies to prevent any potential cyber
attacks.
There are different cybersecurity threats, which need our attention on daily basis. Some
important threats include initiate attack with botnet on other networks using your PC while you
are unaware of it, viruses and malwares that crash complete systems, illicit access to your
resources and data modification, stealing your bank account and credit card information and
identity theft.
To secure cyberspace, we need to ensure that security properties of assets of both
organizations and users are accomplished/continued in an appropriate fashion in order to
minimize cybersecurity threats. No matter how effective security measures you take, it is not
viable to attain 100% security. However, several safeguard policies can be implemented to
minimize the risk.
This report discusses some cybersecurity terms and key threats. In addition, the technical
bits of Zeus botnet and its functionality based on implementation of Zeus network in a lab
environment have also been discussed in this report while explaining the systematic
configuration process of implementing Zeus botnet in virtual lab environment. At the end, this
report illustrates some methods to avoid devastations of Zeus and a summary of complete report.

Project Report: Zeus Botnet

2.0. Cybersecurity:
Security, in general context, is the quality of being free from danger or degree of
resistance to threats. Whereas, cybersecurity is a combination of processes and policies, risk
management strategies, safeguard principles and best practices to design and implement modern
tools and technologies to secure our cyberspace and assets. Integrity and protection of
information/data can be achieved by detection of attacks as well as applying suitable prevention
mechanisms to eliminate threats and minimize risk.
However, it is impossible to acquire perfection in security because it is not the absolute
rather a process. There should be considerable balance between protection and availability which
can be achieved by allowing reasonable access to resources with a defined level of security while
minimizing risk from potential threats.
Cyberspace is comprise of user and organizational assets including, but not limited to,
telecommunications infrastructure, applications and services, connected systems and devices,
and stored/transmitted data in cyberspace.
2.1. Complexities in Defense against Attacks:
One of the major causes behind increase in cybersecurity breaches is the growth in
computer power and vulnerabilities in software systems. Further, simplicity and ease of access to
exploitation tools permit hackers to initiate attacks on cyberspace assets in order to exploit
systems without even having enough knowledge and skills. In contrast, security professionals
should be skilled enough and aware of all kind of potential hacks and attacks in order to prevent
any malicious activities on their network/systems. However, there are some complexities in
defense against attacks, which are enumerated below.

While not being much skillful, hackers can still create enough trouble because of the
simplicity and ease of access to exploitation tools.
Suppleness of exploitation tools permit same attack to be simulated differently making
attacks more sophisticated.
Since devices are connected universally, attack can be kicked off by anyone from
anywhere in the worldwide.
Enhanced attack speed i.e. targeting many computers at same time.
Distributed attacks i.e. one network or system is attacked by multiple infected machines
at once.
Quicker detection of security holes and vulnerabilities in both hardware and software
systems
Impediment and incompetent release of product's security patches makes security weaker
Users need to take crucial steps with minimal instructions that often create confusion.

Project Report: Zeus Botnet

3.0. Classes of Malicious Software:

Trojans, worms, viruses and bots are part of software class knows as Malware or
malicious code (malcode), which is short form of malicious software. Malware is designed to
disrupt, harm, steal, or perform illegal action on data, nodes, or networks. There are many classes
of malware, which infect systems diversely and propagate themselves. Majority of malware
involve users' action in installation such as downloading files from internet or by clicking email
attachment. There are different methods by which a malware can infect a system including:

Attached as micros to files

Bundled with other programs
Installed by exploiting different hardware and software vulnerabilities

Damage caused by malware can vary from minor irritation to destroying data/disabling
systems and stealing confidential information. However, malware can only damage the software
and data residing on the systems/equipment and not the physical hardware.
Some common types of malware include viruses, Trojans, worms, back doors, spyware,
bots, and adware. Some major classes of malware are described as under.
3.1. Virus:
Virus is a type of malicious software that propagates by becoming a part of another
program when inserted its copy into the system. Usually viruses are attached with executable
files and will not be active until user installs that program. It spreads computer to computer,
while leaving infection, when infected program is transferred via any communication channel.
Severity of virus can range from causing meek annoy to data loss or creating denial-of-service
conditions.
3.2. Worms:
Similar to viruses, worms replicate their copies and cause same kind of harm as viruses
do. However, worms are standalone and do not entail human interaction or host program for
propagation. Worms are spread by either social engineering to trick users or vulnerability
exploitation on target system and then travel using some file/information transport features.
3.3. Trojans:
Trojan is a malware that looks legitimate but is very harmful. Users' are tricked to load
and execute it on their systems. It then starts attacking infected host and damage data, steal
information, and/or activate/spread other viruses. However, Trojans are usually used to create
back doors in system to give malicious users access. Instead of reproducing while infecting other
files or by self-replication, Trojans spread involving some user interaction i.e. opening email
attachment or downloading programs form internet.

Project Report: Zeus Botnet

3.4. Bots:
Bot refers to automated process adopted to interact with other network services.
Information gathering, dynamic website interaction and automatic interaction with Internet Relay
Chat (IRC) or Instant Messaging (IM) are some common uses of bots. Bot is self-propagating
malicious software that infects and connects a host back to command and control (C&C) center
server creating network of compromised devices, commonly known as 'Botnet'.
Attackers can launch remotely controlled broad-based flood-type attacks against their
target systems. Bots have ability to capture and analyze packets, gather credentials and log
keystrokes, collect financial information, relay spam, open back doors on infected systems and
launch denial-of-service attacks.

Project Report: Zeus Botnet

4.0. Botnet:
Botnet is a network of malicious/infected computers (also known as zombies) under the
control of botmaster (human operator). Malicious software (malwares) distributed by criminals
turn your computer into a bot, which then performs automated tasks over internet without being
in your knowledge. Botnets are used to spread viruses, attack networked devices, send spam
emails, theft identity and commit other crimes.
Because of their huge size, botnets cause severe threats even if we only consider DoS
attack. Due to combined bandwidth effect, a small botnet of 1000 bots can even create big mess.
Below calculations show the combined average bandwidth of 1000 bots is approximately
128Mbps, which is more than internet connection of most organizations' systems.
Average upstream of 1 home PC = 128kbps
Average upstream of 1000 PCs = 1000 x 128kbps = 128Mbps
Furthermore, it is difficult to construct, deploy, and maintain filters because of bots' IP
based distribution.
Bots cause background noise on the internet, particularly on TCP ports 445 and 135,
because of their dispersion/propagation method. TCP port 445 is used for resource sharing
(Microsoft-DS Service) whereas Microsoft Remote Procedure Call Service uses port 135.
4.1. Uses of Botnets:
Botnet is used as tool with different motives behind it. Most common use of botnet is
either monetary or destruction. Some of the common uses of botnets are enumerated below.

Spread Malware
Distributed Denial-of-Service Attacks
Sniff Traffic
Mass Identity Theft
Spamming
Keylogging
Google AdSense Abuse
Install Advertisement Addons and Browser Helper Objects
Attacking IRC Chat Network
Manipulate Online Polls/Games

Above enumeration shows that botnets can be employed to cause large destruction and
criminal acts while making it difficult to prevent threats on target systems.

Project Report: Zeus Botnet

4.2. Types of Bots:

There are different types of bots based on functionality and concept. Some well-known
and widespread bots are listed below.

Forbot/Agobot/XtremBot/Phatbot (best known bot, written in C++ with cross-platform

capabilities)
RBot/UrXBot/SDBot/UrBot (written in C but not designed/written well - very often
used most active family of malware)
GT-Bots (mIRC-based Bot)
Perl-based bots (very small and most often used for DDoS attacks)
Kaiten (written for Unix/Linux systems)
DSNX Bots (Dataspy Network X - written in C++ with plug-in interface)
Q8 Bots (very small bot written for Unix/Linux systems)

4.3. Types of Botnets:

Enumerated below are some well-known types of botnets.

Mytob (first piece of malware to combine the features of a bot and mass-mailer)
Storm Botnet (first peer-to-peer architecture based botnet with decentralized command)
Zeus Botnet (king of botnet kits)
Ikee (harmless iPhone threat caused by jailbreaking)
Operation Aurora (Early Advance Persistent Threat)
Stuxnet (executes form infected USB)
Flashback (designed to target Mac OS X and Java)

Project Report: Zeus Botnet

5.0. Zeus Botnet:

Zeus, known as "King of botnet kits," is a malware platform used to create Trojan horse
in order to steal secret banking information with man-in-the-browser keystroke logging and form
grabbing. It is also known as Zbot and is not a single botnet or trojan. Zeus is a family of
trojans/botnets. There are many variants of Zeus because it constantly updates itself.
To remain hidden on infected systems, Zeus installs a rootkit component. It also has the
ability to disable antivirus and other security programs to avoid any detection. It injects itself in
the address space of other processes to remain active.
Zeus does not target Mac OS X or Linux and only can infect machines running windows
OS. Some malicious applications have also been discovered that are used by Zeus to infect
mobile devices. Type of crimes using Zeus involves data larceny, stealing bank information,
identity theft, corporate and governments' intellectual property theft, phishing attacks on
individuals etc.
Because of stealthy nature, it is difficult to detect Zeus even with updated antivirus and
therefore, is considered largest botnet on internet.
5.1. Overview of Zeus CNC control panel:
Picture below shows Zeus CNC control panel main page

10

Project Report: Zeus Botnet

Control panel side menu is divided into 4 major categories:

Statistics (summary, OS)

Botnet (bot, scripts)
Reports (searching database, searching files, jabber notifier)
System (information, options, user, users)

Statistic page is divided on summary and OS pages. Summary section contains the
information about total reports, bots and bot versions information. Also it shows current botnets,
new bots and online bots. OS section shows which operation systems are used by bots.
Bots section on botnet page shows all information about bots that can be filtered by
different parameters. We can also access bots action from this page, for example we can get the
full information and screenshot from the infected machine. Scripts section allows to run scripts
on chosen bots.
Reports page is mainly used for searching database. Database search can be
implemented by bots, botnets, IP addresses or countries. As a result of the search we can read the
information that bot gathered from the zombie machine. Also CNC server can send notifications
to Jabber client of a hacker, for example when user on infected machine goes to online bank.
On the systems page the general information and options of Zeus botnet CNC is located.
Also we can create and modify users to operate with botnet and control panel.
5.2. Zeus bots activities:
Zeus bot is written to be used on Vista/7 Windows OS even if UAC enabled. Moreover
bot can be run even with minimum privileges (guest). However bot can infect all users on
zombie machine. When bot is installed it copies itself to home directory. Session with bot and
server uses white list applications that allow bypassing some firewalls. Bot sends the
information over HTTP-protocol, all data is encrypted by a specific encryption key.
When the bot successfully executes on the victims machine it goes to the website stored
in its configuration and downloads a new encrypted configuration file. Also it opens a backdoor
that allows exchanging the information with CNC server. This information contains updates of
the configuration file, uploads the stolen information. The bot also starts grabbing the financial
information when user types the credit card number. Finally Zeus bot takes the real time
screenshots, reads cookies and digital certificates.
There are several steps in a communication between zombie machine and command
server:

The bot sends HTTP GET request for configuration file

11

Project Report: Zeus Botnet

The server replies with encrypted configuration file

The bot provides to the server public IP address
Connection between victims machine and CNC server is established
Uploading/downloading the information to/from victims machine

5.2.1 Intercepting HTTP/HTTPS requests:

Mozilla Firefox uses nspr4.dll library for HTTP/HTTPS requests and Internet Explorer
and other browsers use wininet.dll library. Bot can intercept the following requests from
wininet.dll and nspr4.dll(Spider security, 2011):

modification of web pages forms

web pages redirection
grabbing useful web page content
temporary denying access to selected web pages
denying log on to selected web pages
force log off from selected web pages
creating snapshot
getting web pages cookies

5.2.2. Webpage injections:

As it is mentioned above dynamical configuration allows dynamical injections into the
web pages forms on a zombie machine. Web injections can be written manually. The file contains
table of web sites, which could be injected or modified.
List of web injection parameters (Spider security, 2011):

set_url - target web page that will be hacked

unit list can be written in random order:
data_before - information before injection
data_inject - information that will be injected
data_end - stop sign

Screenshot below shows part of webinject.txt file

12

Project Report: Zeus Botnet

5.2.3 Gathering information from users programs:

Bot is specified to collect information from different software and it can track which keys
on keyboard are pressed. The following programs and software can be tracked:

log on information from FTP programs

flash player cookies
windows certificate store

5.2.4. Control panel scripts command:

In script web page of CNC control panel hacker can write different commands, which
will activate the bot to perform defined actions on the zombie machine. List of some commands
is shown below (Spider security, 2011):

os_shutdown/os_reboot - this commands executes shutdown/reboot of zombie machine

bot_uninstall - full removal of bot from user
bot_update - update bot configuration
bot_bc_add/remove - adding and removing constant backconnect session
user_cookies_get/remove - get or delete all cookies from all supported browsers
user_certs_get/remove - get or delete all certificates saved in users folder
user_url_block/unblock - block or unblock URL for the user
user_ftpclients_get - grab FTP logon information
user_flashplayer_get/remove - grab or remove cookies of flash player to/from the current
user

13

Project Report: Zeus Botnet

6.0. Requirements to create Zeus botnet:

To create botnet, hacker should have web server where C&C are located. In real world
this servers are located on black hosting providers. These black hosting providers are immune
to reports and somehow covers botnets.
In this research, we create our own website hosting based on Windows Server 2008 R2 in
virtual environment. To manage up web server we install these roles and softwares on server:

IIS 7
DNS and DHCP
MySQL community-5.6.14.0
PHP-5.3.27-Win32-VC9-x86
phpMyAdmin-4.0.8-rc1
Firefox browser to configure bot server.

It is preferred to use computer with Windows 2008 Server with following minimal
configuration:

2 Gb of RAM
2x CPU
HDD 7200 RPM

For HTTP server we used IIS on port 80 or 443. It is recommended not to use PHP with
HTTP-CGI. On PHP configuration file we put following parameters:

save_mod = off
magic_quotes_gpc = off
magic_quotes_runtime = off

6.1 Zeus botnet files:

It is hard to find and download newest version of Zeus botnet 3.0 because of it is very
dangerous. In our project we installed Zeus 2.1.0.1. Zeus botnet archive mainly contains
following files and folders:

install folder - installer of botnet

system folder - system files location
config.php file - main configuration file
theme folder - design of the Zeus control panel
cp.php - logon page of control panel
gate.php - gates for bots
index.php - empty file that hides files to be listed

14

Project Report: Zeus Botnet

7.0. Zeus botnet implementation:

Below is the systematic process of how we configured and implemented Zeus botnet in
lab environment.
7.1. Database configuration:
Zeus uses MySQL database where all information about bots and victims are stored. By
using phpMyAdmin we create SQL database and assign new user to have accesses to it. Than we
move Zeus installation folder to our webserver and access installation web page (see screenshot
below). On the installation web page we provided this parameters:

Username/password for administrator logon to botnet C&C.

MySQL server details previously created database.
Reports folder for reports
Online bot timeout this timeout shows how long bots will be remaining online in
minutes.
Encryption key to encrypt bots and configuration.

After installation is completed we will have new database tables prepared.

15

Project Report: Zeus Botnet

7.2. Configuration of Zeus builder:

All Zeus CNC server settings are located in the settings.txt file. There are two types of
Zeus bot configuration: static and dynamic. Static configuration is a configuration created by
builder program, it contains instructions for bot. These instructions include commands such as to
steal passwords, bank accounts logins, website logs and cookies. Static configuration also
contains botnet name, time options and websites to operate with. Dynamic configuration is for
target operations. This configuration provides automatic malicious actions to bot such as
webinjections. The list of websites which are to be attacked by webinjections locates in
webinjects file. Dynamic configuration also has a list of websites from where to collect
transaction authentication numbers used by banks for online authentication.
Configuration file of Zeus bot contains following commands:

url_server and url_location - contains information about Zeus server

webfilters - website URLs with signature pattern, information from this URLs
AdvancedConfigs - website that provides configuration files
DNSMap blocks selected websites and give hosts fake websites instead of blocked

To configure builder we should run Zeus builder program (see screenshot below). In this
program we locate source configuration file and encryption key. As a result of executing builder
we get bot configuration and bot executable files. The configuration file should be uploaded to
webserver. Bot executable file is to infect victims machines to manipulate them.

16

Project Report: Zeus Botnet

7.3. Creating Trojan horse:

Best practice to spread bots is hacking webpages by cross-site scripting or phishing
messages via email or facebook.
One of the ways to create zombie machine is to send the bot executable file as a Trojan
horse. In our project we combine a simple game and a bot. By launching this game, users
machine automatically executes the script file and becomes a part of a botnet. For creation of a
Trojan horse we used Chilcat ZIP 2 Secure program (see screenshot below) that allows making
an executable archive. In this archive we add a script that runs both the game and the bot. The
bot executes in a stealth mod and does not appear in processes neither in Windows.

7.4. Gathering information from zombie machine:

Once we spread bot on victim machine, it can be seen on control panel and we can grab
different details about that infected machine including OS version information, IP Address etc.
Below screenshot shows one zombie machine listed on control panel under active bots. This is a
windows XP machine in virtual environment which we infected using our Trojan horse.

17

Project Report: Zeus Botnet

We can also get more information about zombie machine, which includes getting realtime screenshots, cookies information, and login details to different web pages etc. (see
screenshots below).

7.4.1. Grabbing information from forms:

When users on zombie machine log in to web site that we created on our windows 2008
server, bot steals his/her logon details. Bot can steal logon details when user try to log in to any
website over the internet but in this case, since we are using virtual environment, we will be able
to see the credential details gathered while user logging in to web page hosted on server in same
network. See the screenshots below.

18

Project Report: Zeus Botnet

In the CNC webpage we can obtain in reports information from zombie machine.

As shown on screenshot below, Zeus bot successfully grabbed login information and
even password.

19

Project Report: Zeus Botnet

However, we used extra NIC to go to internet from zombie and steal login details for
Gmail account as well. See the screenshots below.

20

Project Report: Zeus Botnet

7.4.2. Executing scripts:

Script section on Zeus control panel web page allows running scripts such as rebooting zombie
machine. If script executes successfully it shown in column Message as a Ok status.

21

Project Report: Zeus Botnet

8.0. Detecting and deleting Zeus bot:

There are several foundations in the world that fights against botnets. One of them is
Anti-Botnet Advisory Centre which is a service of Association of the German Internet Industry
with support from Federal Office for Information security (BSI) (Eco, 2010). That web resource
contains up-to-date useful information about botnets and 3 main steps in protection from bots:

Inform inform service providers and send reports if malware founds.

Clean Eco advise to check and clean your system with EU-Cleaner powered by Avira or
ED-Cleaner powered by Kaspersky.
Prevent To prevent infection from botnets, your system must be up-to-date and
antivirus and firewalls installed.

8.1. Windows default programs behavior:

Even with windows firewall enabled Zeus bot can infect victim's machine. On screenshot
below, we choose Keep Blocking option when default windows xp firewall alerts on launched
Trojan game. However, turning on firewall did not prevent bot activities; it can fully operate with
infected machine for example in stealing passwords and other secret information. Only one
exception we noticed with firewall we cannot obtain real-time screenshots from zombie machine.

Windows 7 with UAC and Firewall enabled poped-up with Security alert displayed
following message when bot executes. However, even clicking cancel button windows 7
machine get infected, see screenshots below.
22

Project Report: Zeus Botnet

Windows 8 Defender automatically detected malware when we copy game from server
and deleted it. Even disabling Windows Defender and firewall bot cannot be spread on
Windows 8 machine and Windows 8 machine did not displayed in Zeus CNC panel.

23

Project Report: Zeus Botnet

8.2. Malware detection software:

Almost every antivirus program prevents to copy or execute bot with the game. In our
project we used Avast Free Antivirus. This antivirus successfully deleted bot.exe executable file
when we launch game.

In our project, we used EU-Cleaner powered by Avira recommended by Anti-Botnet

Advisory Centre. EU-Cleaner detected and completely deleted bot performing full scan.
However, performing quick scan it could not see bot footprints. Screenshot below shows report
from full scan.

24

Project Report: Zeus Botnet

9.0. Summary:
In brief, there is a vital need of implementing and ensuring strict security in order to
secure our cyberspace and prevent any crimes. Since, everyday new viruses, threats and
vulnerabilities are introduces, we need to have a continual process of security policies
implementation and risk management.
Although, threats are always there and we cannot achieve perfect security but we can
minimize the risk to the maximum. Specially, if we need to secure our systems form Zeus and
other botnet, we need to understand the functionality, command and control, and communication
process of Zombie machines. Effective security can only be implemented to counter botnet
attacks if we are able to understand the logic and working of botnets.

25

Project Report: Zeus Botnet

References
1. (n.d.). What is the difference: viruses, worms, trojans, and bots? Retrieved Sep 23, 2013
From
http://www.cisco.com/web/about/security/intelligence/virus-worm-diffs.html
2. Waston D. (2009). The Honeynet Project. Retrieved Sep 27, 2013 From
http://www.honeynet.org/node/51
http://www.honeynet.org/node/52
http://www.honeynet.org/node/53
3. Landesman M. (n.d.). Zeus botnet. Retrieved Oct 01, 2013 From
http://antivirus.about.com/od/virusdescriptions/p/zeusbotnet.htm
4. Eco. (2010). Anti-Botnet advisory centre. Retrieved Oct 01, 2013 From
https://www.botfrei.de/en/index.html
5. Spider Security. (2011). Zeus user guide. Retrieved Oct 03, 2013 From
http://www.spidersecurity.org/zeusguide.html
6. Macdonald D., Manky D. (n.d.). Zeus: God of DIY Botnets. Retrieved Oct 12, 2013 From
http://www.fortiguard.com/legacy/analysis/zeusanalysis.html

26