A Closer Look on C&C Panels
Seminar on Practical Security
Tandhy Simanjuntak
Exploiting Fundamental Weaknesses in Botnet Command and Control (C&C) Panels
What Goes Around Comes Back Around!
Aditya K Sood
BlackHat 2014
08/10/2015
Agenda
• Introduction
• Detection Methods
• Securing C&C Panels
• Compromise Methods
Introduction
Introduction A collection of internet-connected
compromised machines
To perform objectives in the hand of
Bot master  Malicious
Ex. Zeus, Ice 1X, Citadel, SpyEye, and
Athena
What is
Botnet
Introduction Machine to manage bot
Send instructions and receive data
C&C
Servers
Introduction
How It Works
• Infect the system
• Gather credentials and PII
• Upload data to the C&C server
Detection Methods
• Google Dorks
• Network Traffic Analysis
• Public C&C Trackers
Google Dorks
• Google advanced search techniques, i.e. inurl, intitle, filetype, etc.
Example dorks:
• Citadel or Zeus - inurl:"cp.php?m=login"
• ICE IX - inurl:"adm/index.php?m=login"
• SpyEye - inurl:"/frmcp/"
• iStealer - inurl:"/index.php?action=logs" intitle:"login"
• Beta Bot - inurl:"login.php" intext:"myNews Content Manager"
Network Traffic Analysis
• Monitor traffic
• Plasma HTTP Bot example traffic: (screenshot)
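The URL fragments in the dorks above are also usable as detection logic over web proxy logs, which is the "monitor traffic" side of the same idea. The following Python is an added example and not part of the original slides: the log format, client addresses and URLs are constructed for it, and treating a POST to gate.php (the gate component named later in the deck) as a bot check-in is an assumption of this example.

```python
import re
from dataclasses import dataclass

# URL substrings from the inurl: dorks on the slide, keyed by bot family.
# Beta Bot's dork relies on intext:, which a URL alone cannot satisfy, so it is omitted.
PANEL_LOGIN_PATTERNS = {
    "Citadel/Zeus": re.compile(r"cp\.php\?m=login"),
    "ICE IX":       re.compile(r"adm/index\.php\?m=login"),
    "SpyEye":       re.compile(r"/frmcp/"),
    "iStealer":     re.compile(r"/index\.php\?action=logs"),
}
# gate.php is the Zeus-style gate component; a POST to it is treated as a bot check-in (assumption)
GATE_PATTERN = re.compile(r"/gate\.php$")


@dataclass(frozen=True)
class Hit:
    client: str
    url: str
    family: str
    kind: str   # "panel-login" (a browser reaching a panel) or "bot-checkin"


def path_and_query(url: str) -> str:
    """Strip scheme and host: 'http://h/a/b?x' -> '/a/b?x'."""
    rest = url.split("://", 1)[-1]
    return "/" + rest.split("/", 1)[1] if "/" in rest else "/"


def classify(method: str, url: str):
    """Return (family, kind) for a suspicious request, or None."""
    pq = path_and_query(url)
    for family, rx in PANEL_LOGIN_PATTERNS.items():
        if rx.search(pq):
            return family, "panel-login"
    if method.upper() == "POST" and GATE_PATTERN.search(pq.split("?", 1)[0]):
        return "Zeus-style gate", "bot-checkin"
    return None


def scan_log(text: str):
    """Constructed log format: '<epoch> <client-ip> <METHOD> <url>' per line."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, client, method, url = line.split(maxsplit=3)
        result = classify(method, url)
        if result:
            hits.append(Hit(client, url, *result))
    return hits


# Constructed sample lines; addresses are taken from documentation ranges
SAMPLE_LOG = """\
1439000001.123 10.0.0.5 GET http://198.51.100.23/panel/cp.php?m=login
1439000002.456 10.0.0.5 POST http://198.51.100.23/panel/gate.php
1439000003.789 10.0.0.9 GET http://www.example.com/index.php?action=logs
1439000004.000 10.0.0.7 GET http://www.example.com/about.html
1439000005.000 10.0.0.8 GET http://203.0.113.4/adm/index.php?m=login
"""

if __name__ == "__main__":
    for h in scan_log(SAMPLE_LOG):
        print(f"{h.client} -> {h.family} ({h.kind}): {h.url}")
```

A "panel-login" hit on its own may be an analyst browsing a tracker result; a "bot-checkin" from the same internal client is the stronger signal, so the two kinds are kept apart for correlation rather than merged into one alert.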
Public C&C Trackers
• Run by independent researchers
• Cyber Crime Tracker - http://cybercrime-tracker.net/index.php
• Zeus Tracker - https://zeustracker.abuse.ch/
• SpyEye Tracker - https://spyeyetracker.abuse.ch/
• Palevo Tracker - https://palevotracker.abuse.ch/
• Feodo Tracker - https://feodotracker.abuse.ch/
• Daily Botnet Statistics - http://botnet-tracker.blogspot.com/
Securing C&C Panels
Securing Mechanisms
• Gate Component
• Cryptographic Key
• Login Page Key
Gate Component
• Acts as a gateway
• Verifies the host identity
• Transmits to the C&C panel
• Gate.php
Extracted code from the gate component (Zeus-style gate.php):

    // Abort unless the bot supplied both a version and an ID
    if(empty($list[SBCID_BOT_VERSION]) || empty($list[SBCID_BOT_ID]))die();
    if(!connectToDb())die();
    // Replace 0x01 bytes in bot-supplied values with 0x02 before use
    $botId = str_replace("\x01", "\x02", trim($list[SBCID_BOT_ID]));
    $botIdQ = addslashes($botId);          // escaping applied before the value reaches SQL
    $botnet = (empty($list[SBCID_BOTNET])) ? DEFAULT_BOTNET : str_replace("\x01", "\x02", trim($list[SBCID_BOTNET]));
    $botnetQ = addslashes($botnet);
    $botVersion = toUint($list[SBCID_BOT_VERSION]);
    // The bot can override its own source address through the ip= query parameter
    $realIpv4 = trim((!empty($_GET['ip']) ? $_GET['ip'] : $_SERVER['REMOTE_ADDR']));
    $country = getCountryIpv4();
    $countryQ = addslashes($country);
    $curTime = time();
Cryptographic Key
• Encryption and authentication
• RC4 algorithm
• Hard-coded in the configuration file
• Zeus and Citadel

Extracted from the configuration file:

    $config['mysql_host'] = 'localhost';
    $config['mysql_user'] = 'specific_wp1';
    $config['mysql_pass'] = 'X8psH64kYa';
    $config['mysql_db'] = 'specific_WP';
    $config['botnet_timeout'] = 1500;
    $config['botnet_cryptkey'] = 'pelli$10pelli';
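A hard-coded RC4 key gives confidentiality against anyone without the key, but RC4 is a stream cipher and provides no authentication: whoever can alter the ciphertext alters the decrypted plaintext bit for bit, key unknown. The following Python is an added example, not code from the slides or from Zeus or Citadel. It implements RC4, checks it against the standard "Key"/"Plaintext" test vector, demonstrates the malleability using the key value shown in the extracted configuration, and adds the encrypt-then-MAC step that a design claiming "encryption and authentication" would need. The message format and the MAC key derivation are constructed for this example.

```python
import hmac
from hashlib import sha256


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 encrypt/decrypt; the operation is its own inverse."""
    # Key-scheduling algorithm (KSA)
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm (PRGA), keystream XORed with the data
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(b ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# Key value exactly as it appears in the extracted configuration on the slide
CONFIG_KEY = b"pelli$10pelli"


def tamper(ciphertext: bytes, offset: int, old: bytes, new: bytes) -> bytes:
    """Change what a stream-cipher ciphertext decrypts to, without the key:
    XORing (old ^ new) into the ciphertext XORs the same into the plaintext."""
    if len(old) != len(new):
        raise ValueError("old and new must have the same length")
    ct = bytearray(ciphertext)
    for k, (o, n) in enumerate(zip(old, new)):
        ct[offset + k] ^= o ^ n
    return bytes(ct)


def mac_key(key: bytes) -> bytes:
    # Derive a separate MAC key so the cipher key is not reused directly (example design choice)
    return sha256(b"mac|" + key).digest()


def seal(key: bytes, msg: bytes) -> bytes:
    """Encrypt-then-MAC: RC4 ciphertext followed by a 32-byte HMAC-SHA256 tag."""
    ct = rc4(key, msg)
    return ct + hmac.new(mac_key(key), ct, sha256).digest()


def open_sealed(key: bytes, blob: bytes):
    """Return the plaintext, or None when the tag does not verify (tampering detected)."""
    if len(blob) < 32:
        return None
    ct, tag = blob[:-32], blob[-32:]
    expected = hmac.new(mac_key(key), ct, sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return rc4(key, ct)


def demo():
    msg = b"bot_id=1001|cmd=idle"         # constructed message, not a real bot format
    ct = rc4(CONFIG_KEY, msg)
    forged = tamper(ct, msg.index(b"idle"), b"idle", b"stop")
    unauthenticated = rc4(CONFIG_KEY, forged)   # decrypts cleanly to the altered command
    sealed = seal(CONFIG_KEY, msg)
    forged_sealed = tamper(sealed, msg.index(b"idle"), b"idle", b"stop")
    return unauthenticated, open_sealed(CONFIG_KEY, sealed), open_sealed(CONFIG_KEY, forged_sealed)


if __name__ == "__main__":
    print(demo())
```

The third value returned by demo() is None: with the tag in place the altered ciphertext is rejected before anything is decrypted, which is the property the slide's "authentication" claim requires and RC4 alone does not give.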
Login Page Key
• Added authentication feature
• Without login page key: www.cc-server.com/panel/index.php
• With login page key: www.cc-server.com/panel/index.php?key=[value]
Compromise Methods
• Malware RE
• Backdoor access to the hosting server
• C&C panel weaknesses
Malware RE
• Obtain the malware
• Obtain the RC4 key via a memory dump
• Upload remote management shells to the server via an upload vulnerability
  • The panel blocks: .php, .php3, .php4, .php5, .asp, .aspx, .exe, .pl, .cgi, .cmd, .bat, .phtml, .htaccess
  • Apache treats a name ending in ".php." (trailing dot, e.g. file.php.) as a valid .php file
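The extension blocklist and the trailing-dot behaviour above are the usual illustration of why blocklisting upload extensions fails: the check inspects the name as submitted while the web server interprets it differently. The mitigation is an allowlist applied to a normalised name, plus a server-generated storage name so the submitted name never reaches disk. The following Python is an added example, not the panel's code; the blocklist is the one listed on the slide, while the allowlist and the storage-name scheme are assumptions of this example.

```python
import os
import uuid

# Extensions the panel's upload filter blocks, as listed on the slide
BLOCKED_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".asp", ".aspx", ".exe",
                      ".pl", ".cgi", ".cmd", ".bat", ".phtml", ".htaccess"}

# Assumption for this example: the handler only needs images and plain text
ALLOWED_EXTENSIONS = {"png", "jpg", "jpeg", "gif", "txt"}


def blocklist_rejects(filename: str) -> bool:
    """The blocklist approach: reject if the last extension is on the list.
    os.path.splitext("shell.php.") yields the extension ".", so that name passes."""
    ext = os.path.splitext(filename)[1].lower()
    return ext in BLOCKED_EXTENSIONS


def allowlisted_extension(filename: str):
    """Return the validated extension, or None if the name is not acceptable."""
    name = os.path.basename(filename.replace("\\", "/"))  # drop any directory part
    name = name.rstrip(". ")        # Apache ignores a trailing dot, so normalise it away first
    if not name or name.startswith("."):   # empty name or dotfile such as .htaccess
        return None
    parts = name.lower().split(".")
    if len(parts) != 2:             # exactly one extension: no double extensions
        return None
    return parts[1] if parts[1] in ALLOWED_EXTENSIONS else None


def safe_storage_name(filename: str):
    """Name to store the upload under: random, carrying only the validated extension."""
    ext = allowlisted_extension(filename)
    if ext is None:
        return None
    return f"{uuid.uuid4().hex}.{ext}"


if __name__ == "__main__":
    for candidate in ["shell.php", "shell.php.", "photo.JPG", "shell.php.jpg", "../../.htaccess"]:
        print(f"{candidate!r}: blocklist rejects={blocklist_rejects(candidate)}, "
              f"allowlist stores as={safe_storage_name(candidate)}")
```

The normalisation step (basename, trailing-dot strip, lower-casing) happens before the allowlist check, so the decision is made on the name the server would actually interpret; the random storage name then removes any remaining dependence on what the client sent.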
Backdoor Access to the Hosting Server
• Find vulnerabilities elsewhere on the hosting server
• Upload remote management shells
• See "Notorious Datacenter Support Systems – Pwning Through the Outer Sphere: Exploitation Analysis of Help Desk Systems"
C&C Panel Weaknesses
• Insecure Deployment
• Exposed Directory Structure
• Unprotected Components
• SQL Injection, XSS
• Open Ports
• Weak Password and Login Page Key
Insecure Deployment
• Third-party software, i.e. XAMPP.
"XAMPP is not meant for production use but only for development environments. The way XAMPP is configured is to be open as possible to allow the developer anything he/she wants. For development environments this is great but in a production environment it could be fatal."
Here is a list of missing security in XAMPP:
1. The MySQL administrator (root) has no password.
2. The MySQL daemon is accessible via network.
3. ProFTPD uses the password "lampp" for user "daemon".
4. PhpMyAdmin is accessible via network.
5. Examples are accessible via network.
https://www.apachefriends.org/faq_linux.html
Exposed Directory Structure
• /adm
• /config
• /redirect
• /_reports
• /install
• /theme
Unprotected Components; SQL Injection, XSS
Citadel C&C Panel: (screenshots)
Ports Mapping
• Find other open ports to get at resources
The End
References
1. Sood, A. K. (2014). Exploiting Fundamental Weaknesses in Botnet Command and Control (C&C) Panels: What Goes Around Comes Back Around! BlackHat 2014, Las Vegas, USA, 2014.
2. WebSense (2014). Putting Cyber Criminals on Notice: Watch Your Flank. Web. Aug 8, 2015. http://community.websense.com/blogs/securitylabs/archive/2014/06/12/zeus-c-amp-c-vulnerability.aspx
3. Internet Security (2011). Meet Ice IX, Son Of ZeuS. Web. Aug 8, 2015. http://www.internetsecuritydb.com/2011/08/meet-ice-ix-son-of-zeus.html
4. Sherstobitoff, R. (2013). Inside the World of the Citadel Trojan. Executive Summary, McAfee Labs.
5. Donohue, B. (2013). The Big Four Banking Trojans. Kaspersky Lab. Web. Aug 8, 2015. https://blog.kaspersky.com/the-big-four-banking-trojans/
6. Jones, J. (2013). Athena, a DDoS Malware Odyssey. Arbor Networks Threat Intelligence. Web. Aug 8, 2015. https://asert.arbornetworks.com/athena-a-ddos-malware-odyssey/
7. Gallagher, S. (2014). Feds warn first responders of dangerous hacking tool: Google Search. Ars Technica. Web. Aug 8, 2015. http://arstechnica.com/security/2014/08/feds-warn-first-responders-of-dangerous-hacking-tool-google-search/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+arstechnica%2Findex+%28Ars+Technica+-+All+content%29
8. Apache Friends (n.d.). Linux Frequently Asked Questions. Web. Aug 8, 2015. https://www.apachefriends.org/faq_linux.html


Editor's Notes

  • #2 Abstract: A botnet is a collection of internet-connected compromised machines used to perform objectives in the hands of the bot master. Botnet refers to the malicious kind because the recruitment process uses malicious software executed within the machine. The bot master uses Command and Control (C&C) to control its botnet, to send instructions or to receive data. The bot master uses a C&C Panel, which acts as an interface to its botnet as a way to communicate. The presentation will cover the C&C panels mostly used by Zeus, Ice IX, Citadel and Athena, and describe further how the weaknesses of the C&C panel are exploited. The presentation is taken from BlackHat 2014 "Exploiting Fundamental Weaknesses in Botnet Command and Control (C&C) Panels" by Aditya K Sood.
  • #7 WebSense (2014). Putting Cyber Criminals on Notice: Watch Your Flank. Web. Aug 8, 2015. http://community.websense.com/blogs/securitylabs/archive/2014/06/12/zeus-c-amp-c-vulnerability.aspx
  • #10 http://arstechnica.com/security/2014/08/feds-warn-first-responders-of-dangerous-hacking-tool-google-search/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+arstechnica%2Findex+%28Ars+Technica+-+All+content%29
  • #11 http://arstechnica.com/security/2014/08/feds-warn-first-responders-of-dangerous-hacking-tool-google-search/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+arstechnica%2Findex+%28Ars+Technica+-+All+content%29
  • #15 https://pixabay.com/get/52972f3a772794c94c16/1439055210/padlock-40192_1280.png?direct
  • #24 http://community.websense.com/blogs/securitylabs/archive/2014/06/12/zeus-c-amp-c-vulnerability.aspx
  • #27 https://www.apachefriends.org/faq_linux.html