Zeus botnets' Achilles' Heel makes infiltration easy

C&C hijacking comes to the unwashed masses

A security researcher has discovered a potentially crippling vulnerability in one of the most widely used botnet toolkits, a finding that makes it easy for blackhats and whitehats alike to take control of huge networks of infected PCs.

The flaw in the Zeus crimeware kit makes it trivial to hijack the C&C, or command and control, channels used to send instructions and software updates to compromised computers that often number in the hundreds of thousands. There are in turn thousands or tens of thousands of botnets that are spawned from Zeus, and the vast majority are susceptible to the technique.

That means the bug could make takedowns by law enforcement and rival crime gangs significantly easier, said Billy Rios, the researcher who discovered the defect and has written a simple program to exploit it.

“Once you run the C&C take-over script, you can read and write anything you want to the C&C,” he told The Register. “You could plant a backdoor in the C&C, steal all the data, destroy the C&C, or take it over. Because you have access to the C&C, you'll also have access to the botmaster's C&C username and password hashes. You'll also have access to the cleartext database username and password supporting the C&C.”

Rios's script allows a user to upload and execute code of his choosing directly on the server running the Zeus C&C. Although the Zeus architects designed their software to block executable scripts from being downloaded, they did so using poorly written PHP code that can easily be defeated. What's more, a separate directory traversal flaw makes it easy to place the malicious payload directly in the server's root directory, ensuring the attacker can easily find his malicious script.
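Both defects described above, a bypassable filter on uploaded file names and an unchecked destination path, are input-validation failures. The following Python is an added example (it is neither the Zeus kit's code nor Rios's script): a constructed denylist check of the kind the article criticises next to an allowlist validator that also keeps the final path inside the upload directory; the upload root and the permitted extensions are assumptions.

```python
import os
import posixpath
import re
from typing import Optional

# Assumed values for this example: where uploads land and which extensions
# the server is willing to store. Neither comes from the Zeus kit.
UPLOAD_ROOT = "/srv/cc/uploads"
ALLOWED_EXT = {"txt", "dat", "bin"}
NAME_RE = re.compile(r"[A-Za-z0-9_-]{1,64}")


def weak_filter_blocks(filename: str) -> bool:
    """Denylist check of the kind the article criticises: it asks only whether
    the name ends in one exact spelling of a script extension. Constructed to
    illustrate the bug class; it is not the Zeus kit's own code."""
    return filename.endswith(".php")


def safe_upload_path(filename: str, root: str = UPLOAD_ROOT) -> Optional[str]:
    """Allowlist validation with traversal containment.

    Returns the absolute destination path, or None when the name must be
    rejected. Operates on the already URL-decoded name the client supplied."""
    # 1. A bare file name only: no directory components, no NUL, no dot names.
    if not filename or "\x00" in filename or filename in (".", ".."):
        return None
    if filename != posixpath.basename(filename) or os.sep in filename:
        return None
    # 2. Exactly one dot, a conservative stem, and an allowlisted extension.
    #    Anything the server did not explicitly agree to store is refused, so
    #    alternative script extensions and double extensions never get through.
    parts = filename.split(".")
    if len(parts) != 2 or not NAME_RE.fullmatch(parts[0]):
        return None
    if parts[1].lower() not in ALLOWED_EXT:
        return None
    # 3. Defence in depth: resolve the final path and confirm it still lies
    #    inside the upload root. This is the check that stops directory
    #    traversal even if an earlier rule is loosened later.
    real_root = os.path.realpath(root)
    dest = os.path.realpath(os.path.join(real_root, filename))
    if os.path.commonpath([dest, real_root]) != real_root:
        return None
    return dest
```

The weak check passes any name that is not spelled exactly `.php`; the allowlist version refuses everything it was not told to accept.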

To run the script, an attacker first must extract the cryptographic key an infected PC uses to communicate with the C&C. Although the designers took pains to keep the RC4 key secret, it can easily be deduced by reading it after it's loaded into computer memory or, alternatively, by decrypting the bot's configuration file.

Rios said he's tested his exploit on Zeus version 1.3.2.1, which was released in January. But he said he believes it will work on most earlier and later iterations of the toolkit as well, and he predicted Zeus developers' lack of experience in pushing out emergency updates will hamper their ability to fix the bug quickly.

“Since this bug is part of the core functionality of the Zeus kit, it's been present in every C&C implementation I've looked at,” said Rios, who as a former researcher for Microsoft, couldn't help noting the irony of the Zeus developers being hamstrung by a devastating vulnerability. “This 'forking' of C&C code is going to make it more difficult to get patches out to all the various Zeus C&C kits (ahhh, the irony).”

The revelation that vast numbers of Zeus C&Cs are wide open to attack has profound consequences for internet security. While it makes it possible for law enforcement and whitehat hackers to infiltrate the central nervous system of a huge number of botnets, it just as easily hands the same capability to people with more nefarious motives. Taking over master control channels poses a variety of ethical and logistical challenges because the servers often house vast amounts of highly sensitive data stolen from PCs throughout the world.

Because it's possible to spot the bug by analyzing the PHP code used by Zeus C&Cs, Rios said it's possible other researchers have already discovered the vulnerability. He also speculates it may be an intentional backdoor designed by the developers. So far, he says, he's been unable to find any research publicly laying out his findings, which is why he published them here. ®
