A Closer Look on C&C Panels

1. ACloser look onC&C Panels Seminar on Practical Security Tandhy Simanjuntak Exploiting Fundamental Weaknesses in Botnet Command and Control (C&C) Panels What Goes Around Comes Back Around ! Aditya K Sood BlackHat 2014 08/10/2015

2. Agenda Introduction Detection Methods Securing C&C Panels Compromise Methods

3. Introduction

4. Introduction A collection of internet-connected compromised machines To perform objectives in the hand of Bot master  Malicious Ex. Zeus, Ice 1X, Citadel, SpyEye, and Athena What is Botnet

5. Introduction Machine to manage bot Send instructions and receive data C&C Servers

6. Introduction How ItWorks Infect the system Gather credentials-PII Upload data to C&C Server

7. Detection Methods http://thumbs.dreamstime.com/z/vector-detective-illustration-flat-style-surveillance-control-concept-big- brother-watching-you-37752327.jpg

8. Detection Methods Google Dorks NetworkTraffic Analysis Public C&CTrackers

9. Detection Methods Google Advance search techniques i.e. inurl, intitle, filetype , etc.Google Dorks NetworkTraffic Analysis Public C&C Trackers

10. Detection Methods Citadel or Zeus - inurl:“cp.php?m=login” ICE IX - inurl:“adm/index.php?m=login” SpyEye - inurl:“/frmcp/” iStealer - inurl: “/index.php?action=logs” intitle:“login” Beta Bot - inurl:“login.php” intext:“myNews Content Manager” Google Dorks NetworkTraffic Analysis Public C&C Trackers

11. Detection Methods Monitor traffics Google Dorks NetworkTraffic Analysis Public C&C Trackers Plasma HTTP Bot example traffic :

12. Detection Methods Independent researchers Google Dorks NetworkTraffic Analysis Public C&C Trackers • Cyber Crime Tracker - http://cybercrime- tracker.net/index.php • Zeus Tracker - https://zeustracker.abuse.ch/ • SpyEye Tracker - https://spyeyetracker.abuse.ch/ • Palevo Tracker - https://palevotracker.abuse.ch/ • Feodo Tracker - https://feodotracker.abuse.ch/ • Daily Botnet Statistics - http://botnet- tracker.blogspot.com/

13. Detection Methods

14. SecuringC&C Panels https://pixabay.com/get/52972f3a772794c94c16/1439055210/padlock-40192_1280.png?direct

15. Securing Mechanisms Gate Component Cryptographic Key Login Page Key

16. Securing Mechanisms Act as a gateway Verify host identity Transmit to C&C Panel Gate.php Gate Component Cryptographic Key Login Page Key

17. Securing Mechanisms if(empty($list[SBCID_BOT_VERSION]) || empty($list[SBCID_BOT_ID]))die(); if(!connectToDb())die(); $botId = str_replace("x01", "x02", trim($list[SBCID_BOT_ID])); $botIdQ = addslashes($botId); $botnet = (empty($list[SBCID_BOTNET])) ? DEFAULT_BOTNET : str_replace("x01", "x02", trim($list[SBCID_BOTNET])); $botnetQ = addslashes($botnet); $botVersion = toUint($list[SBCID_BOT_VERSION]); $realIpv4 = trim((!empty($_GET[’ip’]) ? $_GET[’ip’] : $_SERVER[’REMOTE_ADDR’])); $country = getCountryIpv4(); $countryQ = addslashes($country); $curTime = time(); Extracted Code from gate component: Gate Component Cryptographic Key Login Page Key

18. Securing Mechanisms Gate Component Cryptographic Key Login Page Key Encryption and authentication RC4 algorithm Hard-coded in configuration file Zeus and Citadel $config[’mysql_host’] = ’localhost’; $config[’mysql_user’] = ’specific_wp1’; $config[’mysql_pass’] = ’X8psH64kYa’; $config[’mysql_db’] = ’specific_WP’; $config[’botnet_timeout’] = 1500; $config[’botnet_cryptkey’] = ’pelli$10pelli’; Extracted from configuration file:

19. Securing Mechanisms Gate Component Cryptographic Key Login Page Key Added authentication feature Without login page key: • www.cc-server.com/panel/index.php With login page key: • www.cc-server.com/panel/index.php?key=[value]

20. Compromise methods http://thumb9.shutterstock.com/display_pic_with_logo/1947692/231475606/stock-vector-hacker-internet-security-concept-flat-design-vector-illustration-231475606.jpg

21. Compromised Methods Malware RE Backdoor access to Hosting Server C&C PanelsWeaknesses

22. Malware RE Backdoor access to Hosting Server C&C Panels Weaknesses Compromised Methods Obtain the malware Obtain RC4 key via memory dump Upload remote management shells to server via upload vulnerability • Block .php, .php3, .php4, .php5, .php, .asp, .aspx, .exe, .pl, .cgi, .cmd, .bat, .phtml, .htaccess • Apache treats .php. as a valid .php  file.php.

23. Malware RE Backdoor access to Hosting Server C&C Panels Weaknesses Compromised Methods

24. Find others’ vulnerabilities Upload remote management shells Notorious Datacenter support systems – Pwning through outer sphere: Exploitation Analysis of Help Desk Systems Malware RE Backdoor access to Hosting Server C&C Panels Weaknesses Compromised Methods

25. Malware RE Backdoor access to Hosting Server C&C PanelsWeaknesses Compromised Methods Insecure Deployment Exposed Directory Structure Unprotected Components SQL Injection, XSS Open Ports Weak Password and Login Page Key

26. Compromised Methods Insecure Deployment Exposed Directory Structure UnprotectedComponents SQL Injection, XSS Open Ports Weak Password and Login Page Key Third party software. •i.e. XAMPP. ”XAMPP is not meant for production use but only for development environments. The way XAMPP is configured is to be open as possible to allow the developer anything he/she wants. For development environments this is great but in a production environment it could be fatal” Here a list of missing security in XAMPP: 1. The MySQL administrator (root) has no password. 2. The MySQL daemon is accessible via network. 3. ProFTPD uses the password "lampp" for user "daemon". 4. PhpMyAdmin is accessible via network. 5. Examples are accessible via network. https://www.apachefriends.org/faq_linux.html

27. Compromised Methods Insecure Deployment Exposed Directory Structure UnprotectedComponents SQL Injection, XSS Open Ports Weak Password and Login Page Key Exposed Directory Structure • /adm • /config • /redirect • /_reports • /install • /theme

28. Compromised Methods Insecure Deployment Exposed Directory Structure UnprotectedComponents SQL Injection, XSS Open Ports Weak Password and Login Page Key

29. Compromised Methods Insecure Deployment Exposed Directory Structure UnprotectedComponents SQL Injection, XSS Open Ports Weak Password and Login Page Key

30. Compromised Methods Insecure Deployment Exposed Directory Structure UnprotectedComponents SQL Injection, XSS Ports Mapping Weak Password and Login Page Key

33. Compromised Methods Insecure Deployment Exposed Directory Structure UnprotectedComponents SQL Injection, XSS Ports Mapping Weak Password and Login Page Key Citadel C&C Panel:

34. Compromised Methods Insecure Deployment Exposed Directory Structure UnprotectedComponents SQL Injection, XSS Ports Mapping Weak Password and Login Page Key Citadel C&C Panel:

36. Compromised Methods Insecure Deployment Exposed Directory Structure UnprotectedComponents SQL Injection Ports Mapping Weak Password and Login Page Key Find other open ports to get resources

37. Compromised Methods Insecure Deployment Exposed Directory Structure UnprotectedComponents SQL Injection Ports Mapping Weak Password and Login Page Key

38. The End

39. References 1. Sood, A. K. (2014). Exploiting Fundamental Weaknesses in Botnet Command and Control (C&C) Panels: What Goes Around Comes Back Around !. BlackHat 2014, LasVegas, USA, 2014. 2. WebSense (2014).Putting Cyber Criminals on Notice: WatchYour Flank. Web. Aug 8, 2015. http://community.websense.com/blogs/securitylabs/archive/2014/06/12/zeus-c-amp-c- vulnerability.aspx 3. Internet Security (2011). Meet Ice IX, Son Of ZeuS. Web. Agt 8 2015. http://www.internetsecuritydb.com/2011/08/meet-ice-ix-son-of-zeus.html 4. Sherstobitoff, R. (2013). Inside the World of the Citadel Trojan. Executive Summary, McAfee Labs. 5. Donohue, B. (2013).The Big Four Banking Trojans. Kaspersky Lab. Web. Aug 8, 2015. https://blog.kaspersky.com/the-big-four-banking-trojans/ 6. Jones, J. (2013). Athena, a DDoS Malware Odyssey. Arbor NetworksThreat Intelligence. Web. Aug 8 2015. https://asert.arbornetworks.com/athena-a-ddos-malware-odyssey/ 7. Gallagher, S. (2014). Feds warn first responders of dangerous hacking tool: Google Search. Ars Technica. Web. Aug 8 2015. http://arstechnica.com/security/2014/08/feds-warn-first-responders- of-dangerous-hacking-tool-google- search/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+arstechnica%2 Findex+%28Ars+Technica+-+All+content%29 8. Apache Friend (n.d.) Linux Frequently Asked Questions. Web. Aug 8 2015. https://www.apachefriends.org/faq_linux.html

A Closer Look on C&C Panels

You are reading a preview.

Check these out next

A Closer Look on C&C Panels

More Related Content

Slideshows for you (20)

Viewers also liked (13)

Similar to A Closer Look on C&C Panels (20)

Recently uploaded (20)

A Closer Look on C&C Panels

Editor's Notes