Feeds

Zeus botnets' Achilles' Heel makes infiltration easy

C&C hijacking comes to the unwashed masses

SANS - Survey on application security programs

A security researcher has discovered a potentially crippling vulnerability in one of the most widely used botnet toolkits, a finding that makes it easy for blackhats and whitehats alike to take control of huge networks of infected PCs.

The flaw in the Zeus crimeware kit makes it trivial to hijack the C&C, or command and control, channels used to send instructions and software updates to compromised computers that often number in the hundreds of thousands. There are in turn thousands or tens of thousands of botnets that are spawned from Zeus, and the vast majority are susceptible to the technique.

That means the bug could make takedowns by law enforcement and rival crime gangs significantly easier, said Billy Rios, the researcher who discovered the defect and has written a simple program to exploit it.

“Once you run the C&C take-over script, you can read and write anything you want to the C&C,” he told The Register. “You could plant a backdoor in the C&C, steal all the data, destroy the C&C, or take it over. Because you have access to the C&C, you'll also have access to the botmaster's C&C username and password hashes. You'll also have access to the cleartext database username and password supporting the C&C.”

Rios's script allows a user to upload and execute code of his choosing directly on the server running the Zeus C&C. Although the Zeus architects designed their software to block executable scripts from being downloaded, they did so using poorly written PHP code that can easily be defeated. What's more, a separate directory traversal flaw makes it easy to place the malicious payload directly in the server's root directory, ensuring the attacker can easily find his malicious script.

To run the script, an attacker first must extract the cryptographic key an infected PC uses to communicate with the C&C. Although the designers took pains to keep the RC4 key secret, it can easily be deduced by reading it after it's loaded into computer memory or, alternatively, by decrypting the bot's configuration file.

Rios said he's tested his exploit on Zeus version 1.3.2.1, which was released in January. But he said he believes it will work on most earlier and later iterations of the toolkit as well, and he predicted Zeus developers' lack of experience in pushing out emergency updates will hamper their ability to fix the bug quickly.

“Since this bug is part of the core functionality of the Zeus kit, it's been present in every C&C implementation I've looked at,” said Rios, who as a former researcher for Microsoft, couldn't help noting the irony of the Zeus developers being hamstrung by a devastating vulnerability.  “This 'forking' of C&C code is going to make it more difficult to get patches out to all the various Zeus C&C kits (ahhh, the irony).”

The revelation that vast numbers of Zeus C&Cs are wide open to attack has profound consequences for internet security. While it makes it possible for law enforcement and whitehat hackers to infiltrate the central nervous system of a huge number of botnets, it just as easily hands the same capability to people with more nefarious motives. Taking over master control channels poses a variety of ethical and logistical challenges because the servers often house vast amounts of highly sensitive data stolen from PCs throughout the world.

Because it's possible to spot the bug by analyzing the PHP code used by Zeus C&Cs, Rios said it's possible other researchers have already discovered the vulnerability. He also speculates it may be an intentional backdoor that was designed by the developers. So far, he says, he's been unable to find any research publicly laying out his findings, which is why he published his here. ®

Combat fraud and increase customer satisfaction

More from The Register

next story
Parent gabfest Mumsnet hit by SSL bug: My heart bleeds, grins hacker
Natter-board tells middle-class Britain to purée its passwords
Obama allows NSA to exploit 0-days: report
If the spooks say they need it, they get it
Web data BLEEDOUT: Users to feel the pain as Heartbleed bug revealed
Vendors and ISPs have work to do updating firmware - if it's possible to fix this
Samsung Galaxy S5 fingerprint scanner hacked in just 4 DAYS
Sammy's newbie cooked slower than iPhone, also costs more to build
Mounties always get their man: Heartbleed 'hacker', 19, CUFFED
Canadian teen accused of raiding tax computers using OpenSSL bug
Snowden-inspired crypto-email service Lavaboom launches
German service pays tribute to Lavabit
One year on: diplomatic fail as Chinese APT gangs get back to work
Mandiant says past 12 months shows Beijing won't call off its hackers
prev story

Whitepapers

Designing a defence for mobile apps
In this whitepaper learn the various considerations for defending mobile applications; from the mobile application architecture itself to the myriad testing technologies needed to properly assess mobile applications risk.
3 Big data security analytics techniques
Applying these Big Data security analytics techniques can help you make your business safer by detecting attacks early, before significant damage is done.
Five 3D headsets to be won!
We were so impressed by the Durovis Dive headset we’ve asked the company to give some away to Reg readers.
The benefits of software based PBX
Why you should break free from your proprietary PBX and how to leverage your existing server hardware.
Securing web applications made simple and scalable
In this whitepaper learn how automated security testing can provide a simple and scalable way to protect your web applications.