Researchers at Websense revealed details of how to turn the tables on the purveyors of a Zeus Trojan circulating cyberspace by compromising the control panel of the malware’s command and control server (C&C).
As part of their proof-of-concept, Websense set up a command and control server in an internal research network that replicated deployments used by cybercriminals in the wild. According to Websense, Zeus 184.108.40.206 was used in the experiment, but researchers believe the same issue is present in other versions as well.
Zeus bots, explained Websense researcher Abel Toro, operate in the following way: first, they infect a system; second, they gather credential and personally-identifiable information; and thirdly, they upload the stolen data to the command and control server in the form of reports.
“The crucial point here is that the bot uploads some file to the remote server,” he blogged. “What if we could leverage this mechanism to impersonate a bot and upload our own file to the server? Let’s say an executable, with which we could execute commands on the server.”
“Unfortunately,” he continued, “we can’t just simply upload a file. Zeus uses an RC4 algorithm to encrypt all communications between the bot and the server, so it will only accept files if they are encrypted with the same key that the server uses. Luckily for us, RC4 is a symmetric cipher, which means that both parties (in this case the bot and the C&C) use the same pre-shared key. This further implies that the key is embedded somewhere in the bot. So we need to capture a Zeus binary and find the keys in order to be able to communicate with the C&C. We can achieve this by using the Volatility memory analysis tool to dump the RC4 keystream from an infected machine’s memory.”
After obtaining the key, the researchers turned their focus to using it for encrypting the file they wanted to upload in order to impersonate a bot trying to upload a report. However, the command and control server would want to make sure only valid reports are uploaded.
“We know that the C&C is using .php files, therefore, we will try to upload a php file too, which will be executed on the server side by the PHP interpreter,” he blogged. “But, the server won’t let us upload .php files. However, there is a vulnerability in the C&C’s code and a well-known technique to bypass the checks they are performing on uploaded files.
One of the most widely used bypass methods, he noted, is to add a period after filename.php (filename.php.).
“The PHP interpreter is quite liberal, and it will interpret it as a valid php file,” he blogged. “With PHP we could execute a number of commands on the server, but in our case, we would like to get access to the control panel, so we will use a PHP web-shell, which will allow us to browse the filesystem, interact with the backend database, and (possibly, depending on the server configuration) execute system commands.”
“Now, we have everything we need to compromise the C&C server: the RC4 key, the file we want to upload (web-shell), and a way to bypass the checks,” he added. “By default, Zeus C&C’s use gate.php to receive the reports, and they will store these reports in C&C’s IP/_reports/files/BOTNET_ID/BOTID/ directory. Since we are impersonating a bot, we control both the BOTNET_ID and BOTID values, so we can predict where our uploaded file will end up. All we have to do after uploading our file is to browse to this location and our code will be executed.”
The shell enabled the researchers to browser files with important information about the particular Zeus command and control server and to interact with the backend database, Toro blogged.
In order to gain access to the control panel, the password for it had to be stolen from the database, which in Websense’s test was password-protected as well. Because the bot needs to interact with the database however, the credentials are stored in one of the configuration files of the bot (config.php under /system/directory). Once inside the database, the researchers accessed a table used for storing information about the control panel user, such as their username and hashed password.
“Zeus stores these passwords using a simple MD5 hash without any salting, thus they are relatively easy to crack,” Toro blogged. “Another option would be – since we have full read/write access to the database – to create our own password, hash it with MD5, and insert that into the database instead of the current password. Now, we will try to crack the password, hoping that it is not a very strong one.”
Once the password was cracked, the researchers had full access to the control panel.
The experiment shows that while Zeus may be regarded as an advanced banking Trojan by some, it is far perfect, Toro added.