Feeds

Zeus botnets' Achilles' Heel makes infiltration easy

C&C hijacking comes to the unwashed masses

Remote control for virtualized desktops

A security researcher has discovered a potentially crippling vulnerability in one of the most widely used botnet toolkits, a finding that makes it easy for blackhats and whitehats alike to take control of huge networks of infected PCs.

The flaw in the Zeus crimeware kit makes it trivial to hijack the C&C, or command and control, channels used to send instructions and software updates to compromised computers that often number in the hundreds of thousands. There are in turn thousands or tens of thousands of botnets that are spawned from Zeus, and the vast majority are susceptible to the technique.

That means the bug could make takedowns by law enforcement and rival crime gangs significantly easier, said Billy Rios, the researcher who discovered the defect and has written a simple program to exploit it.

“Once you run the C&C take-over script, you can read and write anything you want to the C&C,” he told The Register. “You could plant a backdoor in the C&C, steal all the data, destroy the C&C, or take it over. Because you have access to the C&C, you'll also have access to the botmaster's C&C username and password hashes. You'll also have access to the cleartext database username and password supporting the C&C.”

Rios's script allows a user to upload and execute code of his choosing directly on the server running the Zeus C&C. Although the Zeus architects designed their software to block executable scripts from being downloaded, they did so using poorly written PHP code that can easily be defeated. What's more, a separate directory traversal flaw makes it easy to place the malicious payload directly in the server's root directory, ensuring the attacker can easily find his malicious script.

To run the script, an attacker first must extract the cryptographic key an infected PC uses to communicate with the C&C. Although the designers took pains to keep the RC4 key secret, it can easily be deduced by reading it after it's loaded into computer memory or, alternatively, by decrypting the bot's configuration file.

Rios said he's tested his exploit on Zeus version 1.3.2.1, which was released in January. But he said he believes it will work on most earlier and later iterations of the toolkit as well, and he predicted Zeus developers' lack of experience in pushing out emergency updates will hamper their ability to fix the bug quickly.

“Since this bug is part of the core functionality of the Zeus kit, it's been present in every C&C implementation I've looked at,” said Rios, who as a former researcher for Microsoft, couldn't help noting the irony of the Zeus developers being hamstrung by a devastating vulnerability.  “This 'forking' of C&C code is going to make it more difficult to get patches out to all the various Zeus C&C kits (ahhh, the irony).”

The revelation that vast numbers of Zeus C&Cs are wide open to attack has profound consequences for internet security. While it makes it possible for law enforcement and whitehat hackers to infiltrate the central nervous system of a huge number of botnets, it just as easily hands the same capability to people with more nefarious motives. Taking over master control channels poses a variety of ethical and logistical challenges because the servers often house vast amounts of highly sensitive data stolen from PCs throughout the world.

Because it's possible to spot the bug by analyzing the PHP code used by Zeus C&Cs, Rios said it's possible other researchers have already discovered the vulnerability. He also speculates it may be an intentional backdoor that was designed by the developers. So far, he says, he's been unable to find any research publicly laying out his findings, which is why he published his here. ®

Internet Security Threat Report 2014

More from The Register

next story
Webcam hacker pervs in MASS HOME INVASION
You thought you were all alone? Nope – change your password, says ICO
You really need to do some tech support for Aunty Agnes
Free anti-virus software, expires, stops updating and p0wns the world
Meet OneRNG: a fully-open entropy generator for a paranoid age
Kiwis to seek random investors for crowd-funded randomiser
USB coding anarchy: Consider all sticks licked
Thumb drive design ruled by almighty buck
Attack reveals 81 percent of Tor users but admins call for calm
Cisco Netflow a handy tool for cheapskate attackers
Privacy bods offer GOV SPY VICTIMS a FREE SPYWARE SNIFFER
Looks for gov malware that evades most antivirus
Patch NOW! Microsoft slings emergency bug fix at Windows admins
Vulnerability promotes lusers to domain overlords ... oops
prev story

Whitepapers

Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Getting started with customer-focused identity management
Learn why identity is a fundamental requirement to digital growth, and how without it there is no way to identify and engage customers in a meaningful way.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Reducing the cost and complexity of web vulnerability management
How using vulnerability assessments to identify exploitable weaknesses and take corrective action can reduce the risk of hackers finding your site and attacking it.
Top 5 reasons to deploy VMware with Tegile
Data demand and the rise of virtualization is challenging IT teams to deliver storage performance, scalability and capacity that can keep up, while maximizing efficiency.