##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##
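class MetasploitModule < Msf::Auxiliary
  # Detection-validation module: resolves a fixed list of historical Zeus
  # botnet domain names so that DNS logging / monitoring can be checked for
  # the resulting indicator traffic ('SideEffects' => IOC_IN_LOGS). Only
  # DNS lookups are issued; nothing connects to whatever the names resolve to.
  #
  # NOTE(review): the list is a static snapshot taken from the referenced
  # blocklist. What these names resolve to today (if anything) is not
  # verified here, so treat the output as detection-test traffic rather
  # than as current threat intelligence.

  # Timestamp layout used on every status line.
  TIME_FORMAT = '%Y-%m-%d %H:%M:%S'.freeze

  # Domains looked up on each interval. Frozen so the list is built once and
  # cannot be mutated during a run.
  ZEUS_DOMAINS = %w[
    allspring.net antifoher.biz asdfasdgqghgsw.cx.cc
    ashnmjjpoljfnl.info atlaz.net b3l.org back.boroborogold.ru
    bandwithcheckstart.com batmanrobinho.com bellicbridge.ru
    bestfihteerdr.com bestprice2you.net billyd.com.au
    bitschoonerop.com blackskullbg.sytes.net botikov.eu.tf
    botnetdown.gicp.net boutique.vcm-mode.it brandc.name
    bxkkuskgdjskdn.com c0re.su cdvqvnjqqtkqhsoo.info
    christmassuper.com ciritas.ru citi-spb.ru clavn.ru
    client.trackups.org client.upsclients.net cnewsus.ru
    cnnus.ru concapow.in consoleencydd.com cqoqgzqmkpkrmlo.com
    ctllutheran.org currencytradechat.com cyytmmlxsthywst.com
    damaka.com datacricketuf.ru deimingames.com
    dfhhdkdddqjda.start.tl djerk.info djpeterblue.com.br
    dlmsonisfzksioqq.org domio.pwomega.ru favdstgssdqdsfg.start.tl
    favoritopilodjd.com favqnornkwvkwfxv.biz fdhjkfhskas.com
    federalreserve-report.com federetoktyt.net
  ].freeze

  # Registers module metadata and the three user-facing options:
  #   DNS_SERVER - optional resolver to send the queries to (system default if unset)
  #   COUNT      - number of times the whole list is queried (default 1)
  #   DELAY      - seconds to pause between rounds (default 3)
  def initialize
    super(
      'Name' => 'VSploit Zeus DNS Query Module',
      'Description' => 'This module queries known Zeus Botnet DNS records.',
      'Author' => 'MJC',
      'License' => MSF_LICENSE,
      'References' => [
        [ 'URL', 'https://zeustracker.abuse.ch/blocklist.php?download=domainblocklist']
      ],
      'Notes' => {
        'Stability' => [CRASH_SAFE],
        'SideEffects' => [IOC_IN_LOGS],
        'Reliability' => []
      }
    )
    register_options(
      [
        OptString.new('DNS_SERVER', [false, 'Specifies a DNS server']),
        OptInt.new('COUNT', [false, 'Number of intervals to loop', 1]),
        OptInt.new('DELAY', [false, 'Delay in seconds between intervals', 3])
      ]
    )
  end

  # Queries every domain in ZEUS_DOMAINS, COUNT times, pausing DELAY seconds
  # between rounds (no pause after the last one). A COUNT of zero or less
  # results in no queries at all. A failing lookup is reported and skipped
  # rather than aborting the whole run.
  def run
    resolver = Net::DNS::Resolver.new
    resolver.nameservers = datastore['DNS_SERVER'] if datastore['DNS_SERVER']

    rounds = datastore['COUNT'].to_i
    rounds.times do |round|
      ZEUS_DOMAINS.each { |name| query_domain(resolver, name) }

      # Nothing to wait for once the final round has completed.
      next if round == rounds - 1

      print_status("#{timestamp} - Waiting #{datastore['DELAY']} seconds to query")
      sleep(datastore['DELAY'])
    end
  end

  private

  # Current wall-clock time in the format used by every status line.
  def timestamp
    Time.now.strftime(TIME_FORMAT)
  end

  # Issues one A-record lookup for +name+ via +resolver+ and reports the
  # outcome. Resolver errors (timeouts, unreachable server, ...) are printed
  # and swallowed so one bad lookup does not stop the remaining domains.
  def query_domain(resolver, name)
    stamp = timestamp
    print_status("#{stamp} - DNS Query sent for => #{name}")
    query = resolver.query(name, 'A')
    if query.answer.empty?
      print_error("#{stamp} - #{name} => No Record Found")
    else
      # The first answer RR is rendered as text and its last whitespace- or
      # comma-separated field is taken as the record data (the address for
      # an A record; for other answer types it is whatever that RR prints last).
      rdata = query.answer.first.to_s.split(/[\s,]+/).last
      print_good("#{stamp} - #{name} => #{rdata}")
    end
  rescue StandardError => e
    print_error("#{stamp} - #{name} => query failed: #{e.class}: #{e.message}")
  end
end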