Feeds

Zeus botnets' Achilles' Heel makes infiltration easy

C&C hijacking comes to the unwashed masses

Security for virtualized datacentres

A security researcher has discovered a potentially crippling vulnerability in one of the most widely used botnet toolkits, a finding that makes it easy for blackhats and whitehats alike to take control of huge networks of infected PCs.

The flaw in the Zeus crimeware kit makes it trivial to hijack the C&C, or command and control, channels used to send instructions and software updates to compromised computers that often number in the hundreds of thousands. There are in turn thousands or tens of thousands of botnets that are spawned from Zeus, and the vast majority are susceptible to the technique.

That means the bug could make takedowns by law enforcement and rival crime gangs significantly easier, said Billy Rios, the researcher who discovered the defect and has written a simple program to exploit it.

“Once you run the C&C take-over script, you can read and write anything you want to the C&C,” he told The Register. “You could plant a backdoor in the C&C, steal all the data, destroy the C&C, or take it over. Because you have access to the C&C, you'll also have access to the botmaster's C&C username and password hashes. You'll also have access to the cleartext database username and password supporting the C&C.”

Rios's script allows a user to upload and execute code of his choosing directly on the server running the Zeus C&C. Although the Zeus architects designed their software to block executable scripts from being downloaded, they did so using poorly written PHP code that can easily be defeated. What's more, a separate directory traversal flaw makes it easy to place the malicious payload directly in the server's root directory, ensuring the attacker can easily find his malicious script.

To run the script, an attacker first must extract the cryptographic key an infected PC uses to communicate with the C&C. Although the designers took pains to keep the RC4 key secret, it can easily be deduced by reading it after it's loaded into computer memory or, alternatively, by decrypting the bot's configuration file.

Rios said he's tested his exploit on Zeus version 1.3.2.1, which was released in January. But he said he believes it will work on most earlier and later iterations of the toolkit as well, and he predicted Zeus developers' lack of experience in pushing out emergency updates will hamper their ability to fix the bug quickly.

“Since this bug is part of the core functionality of the Zeus kit, it's been present in every C&C implementation I've looked at,” said Rios, who as a former researcher for Microsoft, couldn't help noting the irony of the Zeus developers being hamstrung by a devastating vulnerability.  “This 'forking' of C&C code is going to make it more difficult to get patches out to all the various Zeus C&C kits (ahhh, the irony).”

The revelation that vast numbers of Zeus C&Cs are wide open to attack has profound consequences for internet security. While it makes it possible for law enforcement and whitehat hackers to infiltrate the central nervous system of a huge number of botnets, it just as easily hands the same capability to people with more nefarious motives. Taking over master control channels poses a variety of ethical and logistical challenges because the servers often house vast amounts of highly sensitive data stolen from PCs throughout the world.

Because it's possible to spot the bug by analyzing the PHP code used by Zeus C&Cs, Rios said it's possible other researchers have already discovered the vulnerability. He also speculates it may be an intentional backdoor that was designed by the developers. So far, he says, he's been unable to find any research publicly laying out his findings, which is why he published his here. ®

Secure remote control for conventional and virtual desktops

More from The Register

next story
NASTY SSL 3.0 vuln to be revealed soon – sources (Update: It's POODLE)
So nasty no one's even whispering until patch is out
Russian hackers exploit 'Sandworm' bug 'to spy on NATO, EU PCs'
Fix imminent from Microsoft for Vista, Server 2008, other stuff
Forget passwords, let's use SELFIES, says Obama's cyber tsar
Michael Daniel wants to kill passwords dead
FBI boss: We don't want a backdoor, we want the front door to phones
Claims it's what the Founding Fathers would have wanted – catching killers and pedos
Kill off SSL 3.0 NOW: HTTPS savaged by vicious POODLE
Pull it out ASAP, it is SWISS CHEESE
Facebook slurps 'paste sites' for STOLEN passwords, sprinkles on hash and salt
Zuck's ad empire DOESN'T see details in plain text. Phew!
Admins! Never mind POODLE, there're NEW OpenSSL bugs to splat
Four new patches for open-source crypto libraries
prev story

Whitepapers

Forging a new future with identity relationship management
Learn about ForgeRock's next generation IRM platform and how it is designed to empower CEOS's and enterprises to engage with consumers.
Why cloud backup?
Combining the latest advancements in disk-based backup with secure, integrated, cloud technologies offer organizations fast and assured recovery of their critical enterprise data.
Win a year’s supply of chocolate
There is no techie angle to this competition so we're not going to pretend there is, but everyone loves chocolate so who cares.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Intelligent flash storage arrays
Tegile Intelligent Storage Arrays with IntelliFlash helps IT boost storage utilization and effciency while delivering unmatched storage savings and performance.