Feeds

Zeus botnets' Achilles' Heel makes infiltration easy

C&C hijacking comes to the unwashed masses

Choosing a cloud hosting partner with confidence

A security researcher has discovered a potentially crippling vulnerability in one of the most widely used botnet toolkits, a finding that makes it easy for blackhats and whitehats alike to take control of huge networks of infected PCs.

The flaw in the Zeus crimeware kit makes it trivial to hijack the C&C, or command and control, channels used to send instructions and software updates to compromised computers that often number in the hundreds of thousands. There are in turn thousands or tens of thousands of botnets that are spawned from Zeus, and the vast majority are susceptible to the technique.

That means the bug could make takedowns by law enforcement and rival crime gangs significantly easier, said Billy Rios, the researcher who discovered the defect and has written a simple program to exploit it.

“Once you run the C&C take-over script, you can read and write anything you want to the C&C,” he told The Register. “You could plant a backdoor in the C&C, steal all the data, destroy the C&C, or take it over. Because you have access to the C&C, you'll also have access to the botmaster's C&C username and password hashes. You'll also have access to the cleartext database username and password supporting the C&C.”

Rios's script allows a user to upload and execute code of his choosing directly on the server running the Zeus C&C. Although the Zeus architects designed their software to block executable scripts from being downloaded, they did so using poorly written PHP code that can easily be defeated. What's more, a separate directory traversal flaw makes it easy to place the malicious payload directly in the server's root directory, ensuring the attacker can easily find his malicious script.

To run the script, an attacker first must extract the cryptographic key an infected PC uses to communicate with the C&C. Although the designers took pains to keep the RC4 key secret, it can easily be deduced by reading it after it's loaded into computer memory or, alternatively, by decrypting the bot's configuration file.

Rios said he's tested his exploit on Zeus version 1.3.2.1, which was released in January. But he said he believes it will work on most earlier and later iterations of the toolkit as well, and he predicted Zeus developers' lack of experience in pushing out emergency updates will hamper their ability to fix the bug quickly.

“Since this bug is part of the core functionality of the Zeus kit, it's been present in every C&C implementation I've looked at,” said Rios, who as a former researcher for Microsoft, couldn't help noting the irony of the Zeus developers being hamstrung by a devastating vulnerability.  “This 'forking' of C&C code is going to make it more difficult to get patches out to all the various Zeus C&C kits (ahhh, the irony).”

The revelation that vast numbers of Zeus C&Cs are wide open to attack has profound consequences for internet security. While it makes it possible for law enforcement and whitehat hackers to infiltrate the central nervous system of a huge number of botnets, it just as easily hands the same capability to people with more nefarious motives. Taking over master control channels poses a variety of ethical and logistical challenges because the servers often house vast amounts of highly sensitive data stolen from PCs throughout the world.

Because it's possible to spot the bug by analyzing the PHP code used by Zeus C&Cs, Rios said it's possible other researchers have already discovered the vulnerability. He also speculates it may be an intentional backdoor that was designed by the developers. So far, he says, he's been unable to find any research publicly laying out his findings, which is why he published his here. ®

Top 5 reasons to deploy VMware with Tegile

More from The Register

next story
Regin: The super-spyware the security industry has been silent about
NSA fingered as likely source of complex malware family
Why did it take antivirus giants YEARS to drill into super-scary Regin? Symantec responds...
FYI this isn't just going to target Windows, Linux and OS X fans
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
HACKERS can DELETE SURVEILLANCE DVRS remotely – report
Hikvision devices wide open to hacking, claim securobods
'Regin': The 'New Stuxnet' spook-grade SOFTWARE WEAPON described
'A degree of technical competence rarely seen'
Astro-boffins start opening universe simulation data
Got a supercomputer? Want to simulate a universe? Here you go
prev story

Whitepapers

Driving business with continuous operational intelligence
Introducing an innovative approach offered by ExtraHop for producing continuous operational intelligence.
Why CIOs should rethink endpoint data protection in the age of mobility
Assessing trends in data protection, specifically with respect to mobile devices, BYOD, and remote employees.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Protecting against web application threats using SSL
SSL encryption can protect server‐to‐server communications, client devices, cloud resources, and other endpoints in order to help prevent the risk of data loss and losing customer trust.