Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.

A Closer Look on C&C Panels

1,142 views

Published on

a presentation at 5th BU RISCS Seminar of Practical Security. The presentation based on a talk at BlackHat 2014 by Aditya K. Sood

Published in: Technology
  • Be the first to comment

A Closer Look on C&C Panels

  1. 1. ACloser look onC&C Panels Seminar on Practical Security Tandhy Simanjuntak Exploiting Fundamental Weaknesses in Botnet Command and Control (C&C) Panels What Goes Around Comes Back Around ! Aditya K Sood BlackHat 2014 08/10/2015
  2. 2. Agenda Introduction Detection Methods Securing C&C Panels Compromise Methods
  3. 3. Introduction
  4. 4. Introduction A collection of internet-connected compromised machines To perform objectives in the hand of Bot master  Malicious Ex. Zeus, Ice 1X, Citadel, SpyEye, and Athena What is Botnet
  5. 5. Introduction Machine to manage bot Send instructions and receive data C&C Servers
  6. 6. Introduction How ItWorks Infect the system Gather credentials-PII Upload data to C&C Server
  7. 7. Detection Methods http://thumbs.dreamstime.com/z/vector-detective-illustration-flat-style-surveillance-control-concept-big- brother-watching-you-37752327.jpg
  8. 8. Detection Methods Google Dorks NetworkTraffic Analysis Public C&CTrackers
  9. 9. Detection Methods Google Advance search techniques i.e. inurl, intitle, filetype , etc.Google Dorks NetworkTraffic Analysis Public C&C Trackers
  10. 10. Detection Methods Citadel or Zeus - inurl:“cp.php?m=login” ICE IX - inurl:“adm/index.php?m=login” SpyEye - inurl:“/frmcp/” iStealer - inurl: “/index.php?action=logs” intitle:“login” Beta Bot - inurl:“login.php” intext:“myNews Content Manager” Google Dorks NetworkTraffic Analysis Public C&C Trackers
  11. 11. Detection Methods Monitor traffics Google Dorks NetworkTraffic Analysis Public C&C Trackers Plasma HTTP Bot example traffic :
  12. 12. Detection Methods Independent researchers Google Dorks NetworkTraffic Analysis Public C&C Trackers • Cyber Crime Tracker - http://cybercrime- tracker.net/index.php • Zeus Tracker - https://zeustracker.abuse.ch/ • SpyEye Tracker - https://spyeyetracker.abuse.ch/ • Palevo Tracker - https://palevotracker.abuse.ch/ • Feodo Tracker - https://feodotracker.abuse.ch/ • Daily Botnet Statistics - http://botnet- tracker.blogspot.com/
  13. 13. Detection Methods
  14. 14. SecuringC&C Panels https://pixabay.com/get/52972f3a772794c94c16/1439055210/padlock-40192_1280.png?direct
  15. 15. Securing Mechanisms Gate Component Cryptographic Key Login Page Key
  16. 16. Securing Mechanisms Act as a gateway Verify host identity Transmit to C&C Panel Gate.php Gate Component Cryptographic Key Login Page Key
  17. 17. Securing Mechanisms if(empty($list[SBCID_BOT_VERSION]) || empty($list[SBCID_BOT_ID]))die(); if(!connectToDb())die(); $botId = str_replace("x01", "x02", trim($list[SBCID_BOT_ID])); $botIdQ = addslashes($botId); $botnet = (empty($list[SBCID_BOTNET])) ? DEFAULT_BOTNET : str_replace("x01", "x02", trim($list[SBCID_BOTNET])); $botnetQ = addslashes($botnet); $botVersion = toUint($list[SBCID_BOT_VERSION]); $realIpv4 = trim((!empty($_GET[’ip’]) ? $_GET[’ip’] : $_SERVER[’REMOTE_ADDR’])); $country = getCountryIpv4(); $countryQ = addslashes($country); $curTime = time(); Extracted Code from gate component: Gate Component Cryptographic Key Login Page Key
  18. 18. Securing Mechanisms Gate Component Cryptographic Key Login Page Key Encryption and authentication RC4 algorithm Hard-coded in configuration file Zeus and Citadel $config[’mysql_host’] = ’localhost’; $config[’mysql_user’] = ’specific_wp1’; $config[’mysql_pass’] = ’X8psH64kYa’; $config[’mysql_db’] = ’specific_WP’; $config[’botnet_timeout’] = 1500; $config[’botnet_cryptkey’] = ’pelli$10pelli’; Extracted from configuration file:
  19. 19. Securing Mechanisms Gate Component Cryptographic Key Login Page Key Added authentication feature Without login page key: • www.cc-server.com/panel/index.php With login page key: • www.cc-server.com/panel/index.php?key=[value]
  20. 20. Compromise methods http://thumb9.shutterstock.com/display_pic_with_logo/1947692/231475606/stock-vector-hacker-internet-security-concept-flat-design-vector-illustration-231475606.jpg
  21. 21. Compromised Methods Malware RE Backdoor access to Hosting Server C&C PanelsWeaknesses
  22. 22. Malware RE Backdoor access to Hosting Server C&C Panels Weaknesses Compromised Methods Obtain the malware Obtain RC4 key via memory dump Upload remote management shells to server via upload vulnerability • Block .php, .php3, .php4, .php5, .php, .asp, .aspx, .exe, .pl, .cgi, .cmd, .bat, .phtml, .htaccess • Apache treats .php. as a valid .php  file.php.
  23. 23. Malware RE Backdoor access to Hosting Server C&C Panels Weaknesses Compromised Methods
  24. 24. Find others’ vulnerabilities Upload remote management shells Notorious Datacenter support systems – Pwning through outer sphere: Exploitation Analysis of Help Desk Systems Malware RE Backdoor access to Hosting Server C&C Panels Weaknesses Compromised Methods
  25. 25. Malware RE Backdoor access to Hosting Server C&C PanelsWeaknesses Compromised Methods Insecure Deployment Exposed Directory Structure Unprotected Components SQL Injection, XSS Open Ports Weak Password and Login Page Key
  26. 26. Compromised Methods Insecure Deployment Exposed Directory Structure UnprotectedComponents SQL Injection, XSS Open Ports Weak Password and Login Page Key Third party software. •i.e. XAMPP. ”XAMPP is not meant for production use but only for development environments. The way XAMPP is configured is to be open as possible to allow the developer anything he/she wants. For development environments this is great but in a production environment it could be fatal” Here a list of missing security in XAMPP: 1. The MySQL administrator (root) has no password. 2. The MySQL daemon is accessible via network. 3. ProFTPD uses the password "lampp" for user "daemon". 4. PhpMyAdmin is accessible via network. 5. Examples are accessible via network. https://www.apachefriends.org/faq_linux.html
  27. 27. Compromised Methods Insecure Deployment Exposed Directory Structure UnprotectedComponents SQL Injection, XSS Open Ports Weak Password and Login Page Key Exposed Directory Structure • /adm • /config • /redirect • /_reports • /install • /theme
  28. 28. Compromised Methods Insecure Deployment Exposed Directory Structure UnprotectedComponents SQL Injection, XSS Open Ports Weak Password and Login Page Key
  29. 29. Compromised Methods Insecure Deployment Exposed Directory Structure UnprotectedComponents SQL Injection, XSS Open Ports Weak Password and Login Page Key
  30. 30. Compromised Methods Insecure Deployment Exposed Directory Structure UnprotectedComponents SQL Injection, XSS Ports Mapping Weak Password and Login Page Key
  31. 31. Compromised Methods Insecure Deployment Exposed Directory Structure UnprotectedComponents SQL Injection, XSS Ports Mapping Weak Password and Login Page Key
  32. 32. Compromised Methods Insecure Deployment Exposed Directory Structure UnprotectedComponents SQL Injection, XSS Ports Mapping Weak Password and Login Page Key
  33. 33. Compromised Methods Insecure Deployment Exposed Directory Structure UnprotectedComponents SQL Injection, XSS Ports Mapping Weak Password and Login Page Key Citadel C&C Panel:
  34. 34. Compromised Methods Insecure Deployment Exposed Directory Structure UnprotectedComponents SQL Injection, XSS Ports Mapping Weak Password and Login Page Key Citadel C&C Panel:
  35. 35. Compromised Methods Insecure Deployment Exposed Directory Structure UnprotectedComponents SQL Injection, XSS Ports Mapping Weak Password and Login Page Key
  36. 36. Compromised Methods Insecure Deployment Exposed Directory Structure UnprotectedComponents SQL Injection Ports Mapping Weak Password and Login Page Key Find other open ports to get resources
  37. 37. Compromised Methods Insecure Deployment Exposed Directory Structure UnprotectedComponents SQL Injection Ports Mapping Weak Password and Login Page Key
  38. 38. The End
  39. 39. References 1. Sood, A. K. (2014). Exploiting Fundamental Weaknesses in Botnet Command and Control (C&C) Panels: What Goes Around Comes Back Around !. BlackHat 2014, LasVegas, USA, 2014. 2. WebSense (2014).Putting Cyber Criminals on Notice: WatchYour Flank. Web. Aug 8, 2015. http://community.websense.com/blogs/securitylabs/archive/2014/06/12/zeus-c-amp-c- vulnerability.aspx 3. Internet Security (2011). Meet Ice IX, Son Of ZeuS. Web. Agt 8 2015. http://www.internetsecuritydb.com/2011/08/meet-ice-ix-son-of-zeus.html 4. Sherstobitoff, R. (2013). Inside the World of the Citadel Trojan. Executive Summary, McAfee Labs. 5. Donohue, B. (2013).The Big Four Banking Trojans. Kaspersky Lab. Web. Aug 8, 2015. https://blog.kaspersky.com/the-big-four-banking-trojans/ 6. Jones, J. (2013). Athena, a DDoS Malware Odyssey. Arbor NetworksThreat Intelligence. Web. Aug 8 2015. https://asert.arbornetworks.com/athena-a-ddos-malware-odyssey/ 7. Gallagher, S. (2014). Feds warn first responders of dangerous hacking tool: Google Search. Ars Technica. Web. Aug 8 2015. http://arstechnica.com/security/2014/08/feds-warn-first-responders- of-dangerous-hacking-tool-google- search/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+arstechnica%2 Findex+%28Ars+Technica+-+All+content%29 8. Apache Friend (n.d.) Linux Frequently Asked Questions. Web. Aug 8 2015. https://www.apachefriends.org/faq_linux.html

×