A Closer look on C&C PanelsSeminar on Practical Security

Tandhy Simanjuntak

Exploiting Fundamental Weaknesses in Botnet Command and Control (C&C) PanelsWhat Goes Around Comes Back Around !

Aditya K SoodBlackHat 2014

08/10/2015

Agenda Introduction

Detection Methods

Securing C&C Panels

Compromise Methods

Introduction

Introduction A collection of internet-connected compromised machines

To perform objectives in the hand of Bot master Malicious

Ex. Zeus, Ice 1X, Citadel, SpyEye, and Athena

What is Botnet

Introduction Machine to manage bot

Send instructions and receive dataC&C

Servers

IntroductionHow It Works Infect the system

Gather credentials-PII

Upload data to C&C Server

Detection Methods

http://thumbs.dreamstime.com/z/vector-detective-illustration-flat-style-surveillance-control-concept-big-brother-watching-you-37752327.jpg

DetectionMethods Google Dorks

Network Traffic Analysis

Public C&C Trackers

DetectionMethods

Google Advance search techniques

i.e. inurl, intitle, filetype , etc.Google Dorks

Network Traffic Analysis

Public C&C Trackers

DetectionMethods

Citadel or Zeus - inurl:“cp.php?m=login”

ICE IX - inurl:“adm/index.php?m=login”

SpyEye - inurl:“/frmcp/”

iStealer - inurl: “/index.php?action=logs” intitle:“login”

Beta Bot - inurl:“login.php” intext:“myNews Content

Manager”

Google Dorks

Network Traffic Analysis

Public C&C Trackers

DetectionMethods

Monitor traffics

Google Dorks

Network Traffic Analysis

Public C&C Trackers

Plasma HTTP Bot example traffic :

DetectionMethods Independent researchers

Google Dorks

Network Traffic Analysis

Public C&C Trackers

• Cyber Crime Tracker - http://cybercrime-

tracker.net/index.php

• Zeus Tracker - https://zeustracker.abuse.ch/

• SpyEye Tracker - https://spyeyetracker.abuse.ch/

• Palevo Tracker - https://palevotracker.abuse.ch/

• Feodo Tracker - https://feodotracker.abuse.ch/

• Daily Botnet Statistics - http://botnet-

tracker.blogspot.com/

DetectionMethods

Securing C&C Panels

https://pixabay.com/get/52972f3a772794c94c16/1439055210/padlock-40192_1280.png?direct

SecuringMechanisms Gate Component

Cryptographic Key

Login Page Key

SecuringMechanisms

Act as a gateway

Verify host identity

Transmit to C&C Panel

Gate.php

Gate Component

Cryptographic Key

Login Page Key

SecuringMechanisms if(empty($list[SBCID_BOT_VERSION]) ||

empty($list[SBCID_BOT_ID]))die();

if(!connectToDb())die();

$botId = str_replace("\x01", "\x02", trim($list[SBCID_BOT_ID]));

$botIdQ = addslashes($botId);

$botnet = (empty($list[SBCID_BOTNET])) ? DEFAULT_BOTNET :

str_replace("\x01", "\x02", trim($list[SBCID_BOTNET]));

$botnetQ = addslashes($botnet);

$botVersion = toUint($list[SBCID_BOT_VERSION]);

$realIpv4 = trim((!empty($_GET[’ip’]) ? $_GET[’ip’] :

$_SERVER[’REMOTE_ADDR’]));

$country = getCountryIpv4();

$countryQ = addslashes($country);

$curTime = time();

Extracted Code from gate component:

Gate Component

Cryptographic Key

Login Page Key

SecuringMechanisms

Gate Component

Cryptographic Key

Login Page Key

Encryption and authentication

RC4 algorithm

Hard-coded in configuration file

Zeus and Citadel

$config[’mysql_host’] = ’localhost’;

$config[’mysql_user’] = ’specific_wp1’;

$config[’mysql_pass’] = ’X8psH64kYa’;

$config[’mysql_db’] = ’specific_WP’;

$config[’botnet_timeout’] = 1500;

$config[’botnet_cryptkey’] = ’pelli$10pelli’;

Extracted from configuration file:

SecuringMechanisms

Gate Component

Cryptographic Key

Login Page Key

Added authentication feature

Without login page key:

• www.cc-server.com/panel/index.php

With login page key:

• www.cc-server.com/panel/index.php?key=[value]

Compromise methods

http://thumb9.shutterstock.com/display_pic_with_logo/1947692/231475606/stock-vector-hacker-internet-security-concept-flat-design-vector-illustration-231475606.jpg

CompromisedMethods

Malware RE

Backdoor access to Hosting Server

C&C Panels Weaknesses

Malware RE

Backdoor access to Hosting Server

C&C Panels Weaknesses

CompromisedMethods Obtain the malware

Obtain RC4 key via memory dump

Upload remote management shells to server via upload vulnerability

• Block .php, .php3, .php4, .php5, .php, .asp, .aspx, .exe, .pl, .cgi, .cmd, .bat, .phtml, .htaccess

• Apache treats .php. as a valid .php file.php.

Malware RE

Backdoor access to Hosting Server

C&C Panels Weaknesses

CompromisedMethods

Find others’ vulnerabilities

Upload remote management shells

Notorious Datacenter support systems – Pwning through outer sphere: Exploitation Analysis of Help Desk Systems

Malware RE

Backdoor access to Hosting Server

C&C Panels Weaknesses

CompromisedMethods

Malware RE

Backdoor access to Hosting Server

C&C Panels Weaknesses

CompromisedMethods

Insecure Deployment

Exposed Directory Structure

Unprotected Components

SQL Injection, XSS

Open Ports

Weak Password and Login Page Key

CompromisedMethods

Insecure Deployment

Exposed Directory Structure

Unprotected Components

SQL Injection, XSS

Open Ports

Weak Password and Login Page Key

Third party software.

• i.e. XAMPP.”XAMPP is not meant for production use but only for

development environments. The way XAMPP is configured is to

be open as possible to allow the developer anything he/she

wants. For development environments this is great but in a

production environment it could be fatal”

Here a list of missing security in XAMPP:

1. The MySQL administrator (root) has no password.

2. The MySQL daemon is accessible via network.

3. ProFTPD uses the password "lampp" for user "daemon".

4. PhpMyAdmin is accessible via network.

5. Examples are accessible via network.

https://www.apachefriends.org/faq_linux.html

CompromisedMethods

Insecure Deployment

Exposed Directory Structure

Unprotected Components

SQL Injection, XSS

Open Ports

Weak Password and Login Page Key

Exposed Directory Structure

• /adm

• /config

• /redirect

• /_reports

• /install

• /theme

CompromisedMethods

Insecure Deployment

Exposed Directory Structure

Unprotected Components

SQL Injection, XSS

Open Ports

Weak Password and Login Page Key

CompromisedMethods

Insecure Deployment

Exposed Directory Structure

Unprotected Components

SQL Injection, XSS

Open Ports

Weak Password and Login Page Key

CompromisedMethods

Insecure Deployment

Exposed Directory Structure

Unprotected Components

SQL Injection, XSS

Ports Mapping

Weak Password and Login Page Key

CompromisedMethods

Insecure Deployment

Exposed Directory Structure

Unprotected Components

SQL Injection, XSS

Ports Mapping

Weak Password and Login Page Key

CompromisedMethods

Insecure Deployment

Exposed Directory Structure

Unprotected Components

SQL Injection, XSS

Ports Mapping

Weak Password and Login Page Key

CompromisedMethods

Insecure Deployment

Exposed Directory Structure

Unprotected Components

SQL Injection, XSS

Ports Mapping

Weak Password and Login Page Key

Citadel C&C Panel:

CompromisedMethods

Insecure Deployment

Exposed Directory Structure

Unprotected Components

SQL Injection, XSS

Ports Mapping

Weak Password and Login Page Key

Citadel C&C Panel:

CompromisedMethods

Insecure Deployment

Exposed Directory Structure

Unprotected Components

SQL Injection, XSS

Ports Mapping

Weak Password and Login Page Key

CompromisedMethods

Insecure Deployment

Exposed Directory Structure

Unprotected Components

SQL Injection

Ports Mapping

Weak Password and Login Page Key

Find other open ports to get resources

CompromisedMethods

Insecure Deployment

Exposed Directory Structure

Unprotected Components

SQL Injection

Ports Mapping

Weak Password and Login Page Key

The End

References1. Sood, A. K. (2014). Exploiting Fundamental Weaknesses in Botnet Command and Control (C&C)

Panels: What Goes Around Comes Back Around !. BlackHat 2014, Las Vegas, USA, 2014.

2. WebSense (2014).Putting Cyber Criminals on Notice: Watch Your Flank. Web. Aug 8, 2015. http://community.websense.com/blogs/securitylabs/archive/2014/06/12/zeus-c-amp-c-vulnerability.aspx

3. Internet Security (2011). Meet Ice IX, Son Of ZeuS. Web. Agt 8 2015. http://www.internetsecuritydb.com/2011/08/meet-ice-ix-son-of-zeus.html

4. Sherstobitoff, R. (2013). Inside the World of the Citadel Trojan. Executive Summary, McAfee Labs.

5. Donohue, B. (2013). The Big Four Banking Trojans. Kaspersky Lab. Web. Aug 8, 2015. https://blog.kaspersky.com/the-big-four-banking-trojans/

6. Jones, J. (2013). Athena, a DDoS Malware Odyssey. Arbor Networks Threat Intelligence. Web. Aug 8 2015. https://asert.arbornetworks.com/athena-a-ddos-malware-odyssey/

7. Gallagher, S. (2014). Feds warn first responders of dangerous hacking tool: Google Search. ArsTechnica. Web. Aug 8 2015. http://arstechnica.com/security/2014/08/feds-warn-first-responders-of-dangerous-hacking-tool-google-search/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+arstechnica%2Findex+%28Ars+Technica+-+All+content%29

8. Apache Friend (n.d.) Linux Frequently Asked Questions. Web. Aug 8 2015. https://www.apachefriends.org/faq_linux.html