Security Experts:

Connect with us

Hi, what are you looking for?


Malware & Threats

Zeus Malware Control Panel Vulnerable: Websense

Researchers at Websense revealed details of how to turn the tables on the purveyors of a Zeus Trojan circulating cyberspace by compromising the control panel of the malware’s command and control server (C&C).

Researchers at Websense revealed details of how to turn the tables on the purveyors of a Zeus Trojan circulating cyberspace by compromising the control panel of the malware’s command and control server (C&C).

As part of their proof-of-concept, Websense set up a command and control server in an internal research network that replicated deployments used by cybercriminals in the wild. According to Websense, Zeus was used in the experiment, but researchers believe the same issue is present in other versions as well. 

Zeus bots, explained Websense researcher Abel Toro, operate in the following way: first, they infect a system; second, they gather credential and personally-identifiable information; and thirdly, they upload the stolen data to the command and control server in the form of reports.

ZeuS Control Panel

“The crucial point here is that the bot uploads some file to the remote server,” he blogged. “What if we could leverage this mechanism to impersonate a bot and upload our own file to the server? Let’s say an executable, with which we could execute commands on the server.”

“Unfortunately,” he continued, “we can’t just simply upload a file. Zeus uses an RC4 algorithm to encrypt all communications between the bot and the server, so it will only accept files if they are encrypted with the same key that the server uses. Luckily for us, RC4 is a symmetric cipher, which means that both parties (in this case the bot and the C&C) use the same pre-shared key. This further implies that the key is embedded somewhere in the bot. So we need to capture a Zeus binary and find the keys in order to be able to communicate with the C&C. We can achieve this by using the Volatility memory analysis tool to dump the RC4 keystream from an infected machine’s memory.”

After obtaining the key, the researchers turned their focus to using it for encrypting the file they wanted to upload in order to impersonate a bot trying to upload a report. However, the command and control server would want to make sure only valid reports are uploaded.

“We know that the C&C is using .php files, therefore, we will try to upload a php file too, which will be executed on the server side by the PHP interpreter,” he blogged. “But, the server won’t let us upload .php files. However, there is a vulnerability in the C&C’s code and a well-known technique to bypass the checks they are performing on uploaded files.

One of the most widely used bypass methods, he noted, is to add a period after filename.php (filename.php.).

“The PHP interpreter is quite liberal, and it will interpret it as a valid php file,” he blogged. “With PHP we could execute a number of commands on the server, but in our case, we would like to get access to the control panel, so we will use a PHP web-shell, which will allow us to browse the filesystem, interact with the backend database, and (possibly, depending on the server configuration) execute system commands.”

“Now, we have everything we need to compromise the C&C server: the RC4 key, the file we want to upload (web-shell), and a way to bypass the checks,” he added. “By default, Zeus C&C’s use gate.php to receive the reports, and they will store these reports in C&C’s IP/_reports/files/BOTNET_ID/BOTID/ directory. Since we are impersonating a bot, we control both the BOTNET_ID and BOTID values, so we can predict where our uploaded file will end up. All we have to do after uploading our file is to browse to this location and our code will be executed.”

The shell enabled the researchers to browser files with important information about the particular Zeus command and control server and to interact with the backend database, Toro blogged.

In order to gain access to the control panel, the password for it had to be stolen from the database, which in Websense’s test was password-protected as well. Because the bot needs to interact with the database however, the credentials are stored in one of the configuration files of the bot (config.php under /system/directory). Once inside the database, the researchers accessed a table used for storing information about the control panel user, such as their username and hashed password.

“Zeus stores these passwords using a simple MD5 hash without any salting, thus they are relatively easy to crack,” Toro blogged. “Another option would be – since we have full read/write access to the database – to create our own password, hash it with MD5, and insert that into the database instead of the current password. Now, we will try to crack the password, hoping that it is not a very strong one.”

Once the password was cracked, the researchers had full access to the control panel.

The experiment shows that while Zeus may be regarded as an advanced banking Trojan by some, it is far perfect, Toro added.

Written By

Click to comment

Expert Insights

Related Content

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


Russia-linked cyberespionage group APT29 has been observed using embassy-themed lures and the GraphicalNeutrino malware in recent attacks.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...

Malware & Threats

Cybercrime in 2017 was a tumultuous year "full of twists and turns", with new (but old) infection methods, a major return to social engineering,...

Malware & Threats

Norway‎-based DNV said a ransomware attack on its ship management software impacted 1,000 vessels.