Upload
tandhy-simanjuntak
View
996
Download
1
Embed Size (px)
Citation preview
A Closer look on C&C PanelsSeminar on Practical Security
Tandhy Simanjuntak
Exploiting Fundamental Weaknesses in Botnet Command and Control (C&C) PanelsWhat Goes Around Comes Back Around !
Aditya K SoodBlackHat 2014
08/10/2015
Introduction A collection of internet-connected compromised machines
To perform objectives in the hand of Bot master Malicious
Ex. Zeus, Ice 1X, Citadel, SpyEye, and Athena
What is Botnet
Detection Methods
http://thumbs.dreamstime.com/z/vector-detective-illustration-flat-style-surveillance-control-concept-big-brother-watching-you-37752327.jpg
DetectionMethods
Google Advance search techniques
i.e. inurl, intitle, filetype , etc.Google Dorks
Network Traffic Analysis
Public C&C Trackers
DetectionMethods
Citadel or Zeus - inurl:“cp.php?m=login”
ICE IX - inurl:“adm/index.php?m=login”
SpyEye - inurl:“/frmcp/”
iStealer - inurl: “/index.php?action=logs” intitle:“login”
Beta Bot - inurl:“login.php” intext:“myNews Content
Manager”
Google Dorks
Network Traffic Analysis
Public C&C Trackers
DetectionMethods
Monitor traffics
Google Dorks
Network Traffic Analysis
Public C&C Trackers
Plasma HTTP Bot example traffic :
DetectionMethods Independent researchers
Google Dorks
Network Traffic Analysis
Public C&C Trackers
• Cyber Crime Tracker - http://cybercrime-
tracker.net/index.php
• Zeus Tracker - https://zeustracker.abuse.ch/
• SpyEye Tracker - https://spyeyetracker.abuse.ch/
• Palevo Tracker - https://palevotracker.abuse.ch/
• Feodo Tracker - https://feodotracker.abuse.ch/
• Daily Botnet Statistics - http://botnet-
tracker.blogspot.com/
Securing C&C Panels
https://pixabay.com/get/52972f3a772794c94c16/1439055210/padlock-40192_1280.png?direct
SecuringMechanisms
Act as a gateway
Verify host identity
Transmit to C&C Panel
Gate.php
Gate Component
Cryptographic Key
Login Page Key
SecuringMechanisms if(empty($list[SBCID_BOT_VERSION]) ||
empty($list[SBCID_BOT_ID]))die();
if(!connectToDb())die();
$botId = str_replace("\x01", "\x02", trim($list[SBCID_BOT_ID]));
$botIdQ = addslashes($botId);
$botnet = (empty($list[SBCID_BOTNET])) ? DEFAULT_BOTNET :
str_replace("\x01", "\x02", trim($list[SBCID_BOTNET]));
$botnetQ = addslashes($botnet);
$botVersion = toUint($list[SBCID_BOT_VERSION]);
$realIpv4 = trim((!empty($_GET[’ip’]) ? $_GET[’ip’] :
$_SERVER[’REMOTE_ADDR’]));
$country = getCountryIpv4();
$countryQ = addslashes($country);
$curTime = time();
Extracted Code from gate component:
Gate Component
Cryptographic Key
Login Page Key
SecuringMechanisms
Gate Component
Cryptographic Key
Login Page Key
Encryption and authentication
RC4 algorithm
Hard-coded in configuration file
Zeus and Citadel
$config[’mysql_host’] = ’localhost’;
$config[’mysql_user’] = ’specific_wp1’;
$config[’mysql_pass’] = ’X8psH64kYa’;
$config[’mysql_db’] = ’specific_WP’;
$config[’botnet_timeout’] = 1500;
$config[’botnet_cryptkey’] = ’pelli$10pelli’;
Extracted from configuration file:
SecuringMechanisms
Gate Component
Cryptographic Key
Login Page Key
Added authentication feature
Without login page key:
• www.cc-server.com/panel/index.php
With login page key:
• www.cc-server.com/panel/index.php?key=[value]
Compromise methods
http://thumb9.shutterstock.com/display_pic_with_logo/1947692/231475606/stock-vector-hacker-internet-security-concept-flat-design-vector-illustration-231475606.jpg
Malware RE
Backdoor access to Hosting Server
C&C Panels Weaknesses
CompromisedMethods Obtain the malware
Obtain RC4 key via memory dump
Upload remote management shells to server via upload vulnerability
• Block .php, .php3, .php4, .php5, .php, .asp, .aspx, .exe, .pl, .cgi, .cmd, .bat, .phtml, .htaccess
• Apache treats .php. as a valid .php file.php.
Find others’ vulnerabilities
Upload remote management shells
Notorious Datacenter support systems – Pwning through outer sphere: Exploitation Analysis of Help Desk Systems
Malware RE
Backdoor access to Hosting Server
C&C Panels Weaknesses
CompromisedMethods
Malware RE
Backdoor access to Hosting Server
C&C Panels Weaknesses
CompromisedMethods
Insecure Deployment
Exposed Directory Structure
Unprotected Components
SQL Injection, XSS
Open Ports
Weak Password and Login Page Key
CompromisedMethods
Insecure Deployment
Exposed Directory Structure
Unprotected Components
SQL Injection, XSS
Open Ports
Weak Password and Login Page Key
Third party software.
• i.e. XAMPP.”XAMPP is not meant for production use but only for
development environments. The way XAMPP is configured is to
be open as possible to allow the developer anything he/she
wants. For development environments this is great but in a
production environment it could be fatal”
Here a list of missing security in XAMPP:
1. The MySQL administrator (root) has no password.
2. The MySQL daemon is accessible via network.
3. ProFTPD uses the password "lampp" for user "daemon".
4. PhpMyAdmin is accessible via network.
5. Examples are accessible via network.
https://www.apachefriends.org/faq_linux.html
CompromisedMethods
Insecure Deployment
Exposed Directory Structure
Unprotected Components
SQL Injection, XSS
Open Ports
Weak Password and Login Page Key
Exposed Directory Structure
• /adm
• /config
• /redirect
• /_reports
• /install
• /theme
CompromisedMethods
Insecure Deployment
Exposed Directory Structure
Unprotected Components
SQL Injection, XSS
Open Ports
Weak Password and Login Page Key
CompromisedMethods
Insecure Deployment
Exposed Directory Structure
Unprotected Components
SQL Injection, XSS
Open Ports
Weak Password and Login Page Key
CompromisedMethods
Insecure Deployment
Exposed Directory Structure
Unprotected Components
SQL Injection, XSS
Ports Mapping
Weak Password and Login Page Key
CompromisedMethods
Insecure Deployment
Exposed Directory Structure
Unprotected Components
SQL Injection, XSS
Ports Mapping
Weak Password and Login Page Key
CompromisedMethods
Insecure Deployment
Exposed Directory Structure
Unprotected Components
SQL Injection, XSS
Ports Mapping
Weak Password and Login Page Key
CompromisedMethods
Insecure Deployment
Exposed Directory Structure
Unprotected Components
SQL Injection, XSS
Ports Mapping
Weak Password and Login Page Key
Citadel C&C Panel:
CompromisedMethods
Insecure Deployment
Exposed Directory Structure
Unprotected Components
SQL Injection, XSS
Ports Mapping
Weak Password and Login Page Key
Citadel C&C Panel:
CompromisedMethods
Insecure Deployment
Exposed Directory Structure
Unprotected Components
SQL Injection, XSS
Ports Mapping
Weak Password and Login Page Key
CompromisedMethods
Insecure Deployment
Exposed Directory Structure
Unprotected Components
SQL Injection
Ports Mapping
Weak Password and Login Page Key
Find other open ports to get resources
CompromisedMethods
Insecure Deployment
Exposed Directory Structure
Unprotected Components
SQL Injection
Ports Mapping
Weak Password and Login Page Key
References1. Sood, A. K. (2014). Exploiting Fundamental Weaknesses in Botnet Command and Control (C&C)
Panels: What Goes Around Comes Back Around !. BlackHat 2014, Las Vegas, USA, 2014.
2. WebSense (2014).Putting Cyber Criminals on Notice: Watch Your Flank. Web. Aug 8, 2015. http://community.websense.com/blogs/securitylabs/archive/2014/06/12/zeus-c-amp-c-vulnerability.aspx
3. Internet Security (2011). Meet Ice IX, Son Of ZeuS. Web. Agt 8 2015. http://www.internetsecuritydb.com/2011/08/meet-ice-ix-son-of-zeus.html
4. Sherstobitoff, R. (2013). Inside the World of the Citadel Trojan. Executive Summary, McAfee Labs.
5. Donohue, B. (2013). The Big Four Banking Trojans. Kaspersky Lab. Web. Aug 8, 2015. https://blog.kaspersky.com/the-big-four-banking-trojans/
6. Jones, J. (2013). Athena, a DDoS Malware Odyssey. Arbor Networks Threat Intelligence. Web. Aug 8 2015. https://asert.arbornetworks.com/athena-a-ddos-malware-odyssey/
7. Gallagher, S. (2014). Feds warn first responders of dangerous hacking tool: Google Search. ArsTechnica. Web. Aug 8 2015. http://arstechnica.com/security/2014/08/feds-warn-first-responders-of-dangerous-hacking-tool-google-search/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+arstechnica%2Findex+%28Ars+Technica+-+All+content%29
8. Apache Friend (n.d.) Linux Frequently Asked Questions. Web. Aug 8 2015. https://www.apachefriends.org/faq_linux.html