Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Zeus Malware Control Panel Vulnerable: Websense

Researchers at Websense revealed details of how to turn the tables on the purveyors of a Zeus Trojan circulating cyberspace by compromising the control panel of the malware’s command and control server (C&C).

Researchers at Websense revealed details of how to turn the tables on the purveyors of a Zeus Trojan circulating cyberspace by compromising the control panel of the malware’s command and control server (C&C).

As part of their proof-of-concept, Websense set up a command and control server in an internal research network that replicated deployments used by cybercriminals in the wild. According to Websense, Zeus was used in the experiment, but researchers believe the same issue is present in other versions as well. 

Zeus bots, explained Websense researcher Abel Toro, operate in the following way: first, they infect a system; second, they gather credential and personally-identifiable information; and thirdly, they upload the stolen data to the command and control server in the form of reports.

ZeuS Control Panel

“The crucial point here is that the bot uploads some file to the remote server,” he blogged. “What if we could leverage this mechanism to impersonate a bot and upload our own file to the server? Let’s say an executable, with which we could execute commands on the server.”

“Unfortunately,” he continued, “we can’t just simply upload a file. Zeus uses an RC4 algorithm to encrypt all communications between the bot and the server, so it will only accept files if they are encrypted with the same key that the server uses. Luckily for us, RC4 is a symmetric cipher, which means that both parties (in this case the bot and the C&C) use the same pre-shared key. This further implies that the key is embedded somewhere in the bot. So we need to capture a Zeus binary and find the keys in order to be able to communicate with the C&C. We can achieve this by using the Volatility memory analysis tool to dump the RC4 keystream from an infected machine’s memory.”

After obtaining the key, the researchers turned their focus to using it for encrypting the file they wanted to upload in order to impersonate a bot trying to upload a report. However, the command and control server would want to make sure only valid reports are uploaded.

“We know that the C&C is using .php files, therefore, we will try to upload a php file too, which will be executed on the server side by the PHP interpreter,” he blogged. “But, the server won’t let us upload .php files. However, there is a vulnerability in the C&C’s code and a well-known technique to bypass the checks they are performing on uploaded files.

One of the most widely used bypass methods, he noted, is to add a period after filename.php (filename.php.).

“The PHP interpreter is quite liberal, and it will interpret it as a valid php file,” he blogged. “With PHP we could execute a number of commands on the server, but in our case, we would like to get access to the control panel, so we will use a PHP web-shell, which will allow us to browse the filesystem, interact with the backend database, and (possibly, depending on the server configuration) execute system commands.”

“Now, we have everything we need to compromise the C&C server: the RC4 key, the file we want to upload (web-shell), and a way to bypass the checks,” he added. “By default, Zeus C&C’s use gate.php to receive the reports, and they will store these reports in C&C’s IP/_reports/files/BOTNET_ID/BOTID/ directory. Since we are impersonating a bot, we control both the BOTNET_ID and BOTID values, so we can predict where our uploaded file will end up. All we have to do after uploading our file is to browse to this location and our code will be executed.”

The shell enabled the researchers to browser files with important information about the particular Zeus command and control server and to interact with the backend database, Toro blogged.

In order to gain access to the control panel, the password for it had to be stolen from the database, which in Websense’s test was password-protected as well. Because the bot needs to interact with the database however, the credentials are stored in one of the configuration files of the bot (config.php under /system/directory). Once inside the database, the researchers accessed a table used for storing information about the control panel user, such as their username and hashed password.

“Zeus stores these passwords using a simple MD5 hash without any salting, thus they are relatively easy to crack,” Toro blogged. “Another option would be – since we have full read/write access to the database – to create our own password, hash it with MD5, and insert that into the database instead of the current password. Now, we will try to crack the password, hoping that it is not a very strong one.”

Once the password was cracked, the researchers had full access to the control panel.

The experiment shows that while Zeus may be regarded as an advanced banking Trojan by some, it is far perfect, Toro added.

Written By

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

Join this webinar to learn best practices that organizations can use to improve both their resilience to new threats and their response times to incidents.


Join this live webinar as we explore the potential security threats that can arise when third parties are granted access to a sensitive data or systems.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


More than 3,800 servers around the world have been compromised in recent ESXiArgs ransomware attacks, which also include an improved process.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.