June 12, 2014

Putting Cyber Criminals on Notice: Watch Your Flank

Abel Toro Security Researcher

In their rush to exploit users, hackers have littered their own creations with easily exploitable vulnerabilities. They're learning that it's not so easy to write secure code. In fact, most of us in the business of securing our applications and systems know that bulletproofing software is an extremely expensive and exhaustive undertaking. Most attackers lack the necessary resources and community peer review to harden their malware, and that provides an opportunity for the security community to advance a conversation about what we should do about it.

Some food for thought:

  • Hackers hide in the shadows and thrive in anonymity; probing their attack networks would shine a light on their own techniques and tactics
  • Law enforcement and the security community could use the information to track down suspects and shut down attack infrastructure
  • Malware creators who have to look to their own defenses would have to slow down the production of new attacks

Is it legal? Is it ethical? Let's look at a vulnerability in the C&C of a Zeus Trojan in circulation and envision the possibilities together.

The Vulnerability

As we have explained in previous blogs, Zeus is a banking Trojan, which is designed to steal login credentials and other Personally Identifiable Information (PII). In this analysis, we will demonstrate that malware authors make numerous mistakes as regular software engineers and show how a particular publicly known vulnerability present in the Zeus C&C server can lead to full access to the botnet’s Command Panel or possibly full system compromise of the server. We have set up our own Zeus C&C and bot in our internal research network where we can simulate this attack and show its implications.

In order to understand why the vulnerability exists in the first place, we must understand the basic workings of Zeus. Zeus bots operate in the following pattern: 1) Infect a system 2) Gather credentials and PII, and 3) Upload the stolen data in the form of reports to the C&C Server. The crucial point here is that the bot uploads some file to the remote server. What if we could leverage this mechanism to impersonate a bot and upload our own file to the server? Let’s say an executable, with which we could execute commands on the server.  

Unfortunately, we can’t just simply upload a file. Zeus uses RC4 algorithm to encrypt all communications between the bot and the server, so it will only accept files if they are encrypted with the same key that the server uses. Luckily for us, RC4 is a symmetric cipher, which means that both parties (in this case the bot and the C&C) use the same pre-shared key. This further implies that the key is embedded somewhere in the bot. So we need to capture a Zeus binary and find the keys in order to be able to communicate with the C&C. We can achieve this by using the Volatility memory analysis tool to dump the RC4 keystream from an infected machine’s memory.


Now that we have the key, we can use this key to encrypt the file we want to upload, thus impersonating a bot trying to upload a report. However, the C&C tries to make sure that only valid report files are ever uploaded, and what we want to upload is not going to be a valid report file. We would like to execute something on the server, so we need to upload an executable file, which the server knows how to execute. We know that the C&C is using .php files, therefore, we will try to upload a php file too, which will be executed on the server side by the PHP interpreter. But, the server won't let us upload .php files, however, there is a vulnerability in the C&C’s code and a well-known technique to bypass the checks they are performing on uploaded files. Below is the code for checking which file extensions are allowed.


As you can see, it doesn’t allow us to upload any PHP file or .htaccess file in addition to a lot of other possibly executable files. The problem lies in the fact that this sort of very simple check can be easily bypassed. One of the most widely used bypass methods is to use a trailing dot with the file extension, that is, instead of just filename.php we can use filename.php. (note the additional dot after the php). The PHP interpreter is quite liberal, and it will interpret it as a valid php file. With PHP we could execute a number of commands on the server, but in our case, we would like to get access to the control panel, so we will use a PHP web-shell (we have talked about web-shells in a previous blog) , which will allow us to browse the filesystem, interact with the backend database, and (possibly, depending on the server configuration) execute system commands.

Now, we have everything we need to compromise the C&C server: the RC4 key, the file we want to upload (web-shell), and a way to bypass the checks. By default, Zeus C&C’s use gate.php to receive the reports, and they will store these reports in C&C’s IP/_reports/files/BOTNET_ID/BOTID/ directory.

Since we are impersonating a bot, we control both the BOTNET_ID and BOTID values, so we can predict where our uploaded file will end up. All we have to do after uploading our file is to browse to this location and our code will be executed.

After we browse to the uploaded file, we are presented with a web-shell.

Now, this shell will enable us to browse to files containing important information about the particular Zeus C&C and also to interact with the backend SQL database.

Please note that while we have set up Zeus on a Windows XP machine in our own testing environment, usually Zeus C&C’s in the wild run on Linux servers. Furthermore, our server shown here was set up with very liberal file permissions, which is rarely the case with Zeus C&C’s in the wild. However, this is irrelevant in this case, since we are trying to gain access to the Control Panel. It would only matter if we tried to fully compromise the server by gaining a remote shell  and escalating our privileges to root or NTAUTHORITY\SYSTEM (depending on the operating system).

In order to gain access to the Control Panel, we need to get hold of the password for it, which is stored in the MYSQL database. However, the database is password- protected, too. Fortunately for us, since the bot needs to interact with the database, the credentials are stored in one of the configuration files of the bot, namely in config.php under /system/ directory.


While it contains other interesting information (such as a bot encryption key), only the relevant part of the config file is shown here. Normally, mysql_user is changed to something different from root, and mysql_pass is usually something more complex, but we intentionally left it as "password." With these credentials, we can gain access to the backend database.

The database stores information about the bots in the botnet, reports the bots uploaded, and finally, one table is used for storing information about the Control Panel user, such as username, hashed password, and so on.


Zeus stores these passwords using a simple MD5 hash without any salting, thus they are relatively easy to crack. Another option would be – since we have full read/write access to the database – to create our own password, hash it with MD5, and insert that into the database instead of the current password. Now, we will try to crack the password, hoping that it is not a very strong one. If it is, we can still fall back on the second method of gaining access.


As you can see, it was indeed a very weak password ("123456") making it easy to crack. At this point, we have all the information we need to finally enter the Zeus C&C’s Control Panel.

We can simply browse to ./cp.php and log in with our newly acquired credentials.


We now have full access to the Zeus C&C’s Control Panel, just as the original botnet owner would.



As we have demonstrated, while Zeus is regarded as an ‘advanced’ banking Trojan it is also susceptible to bugs that may allow, in an ironic twist, an attacker with the technical skillset to take over a botnet’s C&C server. While our previous blog posts went into details regarding the internal details of the Zeus bot, in this blog post, we tried to provide a different perspective and an insider look into how the C&C server operates.

Now, what should we do about it?


Abel Toro

Security Researcher

Abel Toro is a Security Research with Forcepoint Security Labs’ Special Investigations team, focusing on reverse engineering, malware analysis, and threat intelligence. He tracks existing threat groups and identifies new ones – focusing in particular on APTs – through analysing infrastructure,...

Read more articles by Abel Toro

About Forcepoint

Forcepoint is the leading user and data protection cybersecurity company, entrusted to safeguard organizations while driving digital transformation and growth. Our solutions adapt in real-time to how people interact with data, providing secure access while enabling employees to create value.