
Curious. What to do with this (ZeuS)

  • 07-11-2010 2:52pm
    #1
    Closed Accounts Posts: 452 ✭✭


    Lately an associate emailed a .rar file to me, claiming it was a full copy of the ZeuS* bot-net program. Now I have been wondering, seeing as I have a copy of what I assume to be the client and server, is there a way I can, um, disassemble its code (or something) and figure out HOW it infects, WHERE it infects and so on, and perhaps end up developing a 'cleanup kit' (Zeusf*cker) for it.

    I have not yet opened the .rar for fear it could be something nasty - like a decompression bomb - but if it proves to be legit what is the best thing I can do with it?

    And I do not want suggestions like 'r00t every machine everywhere!' or 'make a bot-net'. Those would be illegal. I was also considering seeing if I can lay my hands on 'Crimepack' and disassemble it, but like ZeuS it is closed source. Perhaps a run through IDA pro can do something to it?
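The decompression-bomb worry in the post above can be settled before anything is extracted, by reading only the archive's directory: declared size against compressed size per member, total declared size, nested archives, and member names that escape the target directory. The following is an added example and not code from this thread. Python's standard library has no RAR reader, so it builds and inspects a ZIP archive in memory; applying the same checks to a RAR listing (from `unrar l` or the third-party `rarfile` module) is an assumption made here, and the 100:1 and 512 MiB limits are assumed thresholds. The sample archives are constructed placeholders, not the contents of any real ZeuS package.

```python
"""Pre-extraction check for decompression-bomb characteristics (added example)."""
import io
import zipfile

MAX_RATIO = 100.0             # expansion ratio above which a member is suspicious (assumed threshold)
MAX_TOTAL = 512 * 1024 ** 2   # refuse archives claiming more than 512 MiB uncompressed (assumed)
ARCHIVE_EXT = (".zip", ".rar", ".7z", ".gz", ".bz2", ".xz")


def inspect_archive(data: bytes):
    """Return (ok, findings) for an in-memory archive. Only the central directory is read;
    nothing is decompressed, so a bomb cannot go off during the check."""
    findings = []
    total = 0
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            total += info.file_size
            ratio = info.file_size / max(info.compress_size, 1)
            if ratio > MAX_RATIO:
                findings.append(f"{info.filename}: {info.compress_size} -> {info.file_size} bytes "
                                f"({ratio:.0f}:1)")
            if info.filename.lower().endswith(ARCHIVE_EXT):
                findings.append(f"{info.filename}: nested archive, inspect it the same way before opening")
            parts = info.filename.replace("\\", "/").split("/")
            if info.filename.startswith(("/", "\\")) or ".." in parts:
                findings.append(f"{info.filename}: member path escapes the extraction directory")
    if total > MAX_TOTAL:
        findings.append(f"total declared size {total} bytes exceeds {MAX_TOTAL}")
    return (not findings, findings)


def build_sample(bomb: bool) -> bytes:
    """Constructed archives for the demonstration; contents are placeholders, not ZeuS."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("readme.txt", "constructed sample archive, placeholder text\n" * 8)
        if bomb:
            zf.writestr("payload.bin", b"\0" * (4 * 1024 * 1024))   # 4 MiB of zeros, deflates ~1000:1
            zf.writestr("inner.rar", b"Rar!\x1a\x07\x00")            # RAR magic only, trips the nesting check
            zf.writestr("../evil.dll", b"placeholder")                # zip-slip style member name
    return buf.getvalue()


if __name__ == "__main__":
    for label, data in (("clean", build_sample(False)), ("bomb", build_sample(True))):
        ok, findings = inspect_archive(data)
        print(f"{label}: {'safe to extract' if ok else 'do NOT extract'}")
        for f in findings:
            print("  -", f)
```

Run it as-is to see the clean archive pass and the constructed bomb fail on all three counts; swap `build_sample` for `open(path, "rb").read()` to point it at a real file. If the archive passes, extract it inside the isolated VM anyway, never on the host.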


Comments

  • Registered Users, Registered Users 2 Posts: 1,190 ✭✭✭wolfric


    Run in a vm with networking disabled. To be honest, unless you have any skills in disassembling code, you're probably not going to get a lot out of it. You could indeed play around by just running it on a closed network and see if the server and client at least work. Also it's very likely to have additional backdoors installed.


  • Registered Users, Registered Users 2 Posts: 1,691 ✭✭✭JimmyCrackCorn


    Download freeZeus. (because it's already hacked for you and it's a start)

    Kit out your VM with the tools you'll need. Isolate it.

    OllyDbg, Wireshark, IDA Pro, WinDbg, unpackers, Sysinternals tools, debug symbols for Windows. (List goes on)

    Image the VM.

    An A4 pad, a couple of Biros, music, munches, cheat sheets for the debugger commands you never remember

    Copy zeus to the box.

    Begin



    LIGHT READING:
    http://www.google.ie/search?hl=en&safe=active&client=firefox-a&hs=qMn&rls=org.mozilla%3Aen-GB%3Aofficial&q=reverse+engineering+zeus&aq=f&aqi=&aql=&oq=&gs_rfai=
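The "Unpackers" entry in the list above is the step most people skip and then wonder why IDA shows a few hundred bytes of stub and a wall of junk. Before the debugger, a static first pass tells you whether the sample is packed at all. The following is an added example, not code from this thread: it hashes the image, walks the PE section table with nothing but the standard library, computes Shannon entropy per section and reports the usual packer tells (a high-entropy executable section, an executable section with no raw data on disk for an unpacker stub to fill, and writable+executable sections). The two PE images are constructed in memory and are placeholders, not real binaries; the 7.2 entropy threshold is an assumed heuristic.

```python
"""Static PE triage: section entropy and packer tells (added example)."""
import hashlib
import math
import struct

PACKED_ENTROPY = 7.2                  # assumed threshold; compressed/encrypted data sits near 8.0
IMAGE_SCN_CNT_CODE = 0x00000020
IMAGE_SCN_CNT_INITIALIZED_DATA = 0x00000040
IMAGE_SCN_MEM_EXECUTE = 0x20000000
IMAGE_SCN_MEM_READ = 0x40000000
IMAGE_SCN_MEM_WRITE = 0x80000000


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant buffer, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def parse_pe_sections(image: bytes):
    """MZ -> e_lfanew -> 'PE\\0\\0' -> COFF header -> optional header -> section table."""
    if image[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    coff = e_lfanew + 4
    _machine, nsections, _ts, _symp, _nsyms, opt_size, _flags = struct.unpack_from("<HHIIIHH", image, coff)
    table = coff + 20 + opt_size
    sections = []
    for i in range(nsections):
        (name, vsize, vaddr, rawsize, rawptr,
         _reloc, _line, _nreloc, _nline, chars) = struct.unpack_from("<8sIIIIIIHHI", image, table + 40 * i)
        sections.append({"name": name.rstrip(b"\0").decode("ascii", "replace"), "vsize": vsize,
                         "vaddr": vaddr, "chars": chars,
                         "data": image[rawptr:rawptr + rawsize] if rawsize else b""})
    return sections


def triage(image: bytes) -> dict:
    report = {"sha256": hashlib.sha256(image).hexdigest(), "sections": [],
              "likely_packed": False, "wx_sections": [], "empty_exec_sections": []}
    for s in parse_pe_sections(image):
        ent = shannon_entropy(s["data"])
        execute = bool(s["chars"] & IMAGE_SCN_MEM_EXECUTE)
        report["sections"].append({"name": s["name"], "entropy": round(ent, 2),
                                   "raw_size": len(s["data"]), "virtual_size": s["vsize"]})
        if execute and ent > PACKED_ENTROPY:
            report["likely_packed"] = True                    # code body is compressed or encrypted
        if execute and s["chars"] & IMAGE_SCN_MEM_WRITE:
            report["wx_sections"].append(s["name"])           # self-modifying / unpacking stub territory
        if execute and not s["data"] and s["vsize"]:
            report["empty_exec_sections"].append(s["name"])   # empty on disk, filled at run time (UPX0 style)
    return report


def build_sample(packed: bool) -> bytes:
    """Constructed minimal PE32 image (headers + two sections); a placeholder, not a real binary."""
    noisy = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))   # 4096 deterministic high-entropy bytes
    plain = (b"\x55\x8b\xec" + b"\x90" * 13) * 256                                # repetitive "code", low entropy
    strings = (b"constructed .data placeholder string\0" * 16).ljust(1024, b"\0")
    code = IMAGE_SCN_CNT_CODE | IMAGE_SCN_MEM_EXECUTE | IMAGE_SCN_MEM_READ
    if packed:
        specs = [(b"UPX0", 0x10000, b"", code | IMAGE_SCN_MEM_WRITE),
                 (b"UPX1", 0x2000, noisy, code | IMAGE_SCN_MEM_WRITE)]
    else:
        specs = [(b".text", 0x1000, plain, code),
                 (b".data", 0x1000, strings, IMAGE_SCN_CNT_INITIALIZED_DATA | IMAGE_SCN_MEM_READ | IMAGE_SCN_MEM_WRITE)]
    e_lfanew = 0x40
    opt = struct.pack("<H", 0x10B).ljust(0xE0, b"\0")                    # PE32 magic, rest zeroed
    coff = struct.pack("<HHIIIHH", 0x14C, len(specs), 0, 0, 0, len(opt), 0x0102)
    raw_ptr = (e_lfanew + 4 + len(coff) + len(opt) + 40 * len(specs) + 0x1FF) & ~0x1FF
    sec_hdrs, body, vaddr = b"", b"", 0x1000
    for name, vsize, data, chars in specs:
        data = data.ljust((len(data) + 0x1FF) & ~0x1FF, b"\0") if data else b""
        ptr = raw_ptr + len(body) if data else 0
        sec_hdrs += struct.pack("<8sIIIIIIHHI", name, vsize, vaddr, len(data), ptr, 0, 0, 0, 0, chars)
        body += data
        vaddr += (vsize + 0xFFF) & ~0xFFF
    header = b"MZ".ljust(0x3C, b"\0") + struct.pack("<I", e_lfanew) + b"PE\0\0" + coff + opt + sec_hdrs
    return header.ljust(raw_ptr, b"\0") + body


if __name__ == "__main__":
    for label in ("packed", "plain"):
        r = triage(build_sample(label == "packed"))
        print(label, r["sha256"][:16], "packed:", r["likely_packed"], "W+X:", r["wx_sections"],
              "empty exec:", r["empty_exec_sections"])
        for s in r["sections"]:
            print(f"  {s['name']:<8} entropy={s['entropy']:<5} raw={s['raw_size']:<6} virt={s['virtual_size']:#x}")
```

Point `triage` at `open(path, "rb").read()` inside the VM. A "packed" verdict means the interesting code only exists in memory: run it under OllyDbg or WinDbg to the original entry point and dump it, then hand that to IDA. Record the SHA-256 before you touch the sample so you can tell the original apart from the dumps and images you will accumulate.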

