SlideShare a Scribd company logo

BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Panels !

Aditya K Sood
Aditya K Sood

Bot herders deploy Command and Control (C&C) panels for commanding and collecting exfiltrated data from the infected hosts on the Internet. To protect C&C panels, bot herders deploy several built-in (software-centric) protection mechanisms to restrict direct access to these C&C panels. However, there exist fundamental mistakes in the design and deployment of these C&C panels that can be exploited to take complete control. This talk discusses about the methodology of launching reverse attacks on the centralized C&C panels to derive intelligence that can be used to build automated solutions. This research reveals how to detect vulnerabilities and configuration flaws in the remote C&C panels and exploit them by following the path of penetration testing. This talk is derived from the real time research in which several C&C panels were targeted and intelligence was gathered to attack the next set of C&C panels. A number of case studies will be discussed to elaborate step-by-step process of attacking and compromising C&C panels. This talk also demonstrates the use of automated tools authored for making the testing easier for the researchers. DOWNLOAD from this link : http://secniche.org/blackhat-2014/

Technology
1 of 37
1 ExploitingFundamental Weaknesses inCommandandControl (C&C)Panels What Goes Around Comes Back Around ! Aditya K Sood Senior Security Researcher and Engineer
2 About the Speaker!  Dr. Aditya K Sood ─ Senior Threat Researcher and Engineer  Others ● Worked previously for IOActive, Armorize, Coseinc and KPMG ● Active Speaker at Security conferences ● Written Content – IEEE Magazine/Virus Bulletin/ ISSA/ISACA/CrossTalk/HITB Ezine /Elsevier NESE|CFS ● Personal Website: – LinkedIn : http://www.linkedin.com/in/adityaks – Website: http://www.secniche.org – Blog: http://secniche.blogspot.com – Company Website : http://www.niara.com ● Authored “ Targeted Cyber Attacks” Book ! ● Email : contact {at} secniche {dot} org
3 Disclaimer ! The opinions and views expressed in this research presentation is completely based on my independent research and do not relate to any of my previous or present employers. I am not responsible for the links (URLs) presented in Figures and Listings as part of testing analysis and do not assume any responsibility for the accuracy or functioning of these at the time of release of this paper.These links (URLs) were live and active during testing. The research presented in this presentation should only be used for educational purposes. Please also check the updated version of this presentation after the conference. The released version of the research paper isVersion 1.1 ! Fetch it from BlackHat Archives or http://www.secniche.org
4 What This Talk is All About ?!  Learning about the different insights gathered from real-time testing of C&C panels  Understanding the facts and C&C design of botnet families ─ Zeus / ICE 1X/ Citadel / BetaBot etc.  Busting several myths about C&C architecture and deployments  Learning what methods to follow when direct exploitation is not possible  Utilizing multiple vulnerabilities to attack C&C panels  Gathering information using weak C&C configurations  Building C&C intelligence for Incident Response and automated solutions
5 Rationale !! Why to Break when we can Bypass !
6 C&C Panels Overview!  Web-based software components for managing bots around the Internet  Centralized place for communicating with bots and sending updates  Majority of the C&C panels are authored in PHP and MySQL ─ Hosted on Apache / Nginx and LAMPP (XAMPP) servers  C&C panel is architected using modular components that are interdependent on each other ─ Failing one component can impact the working of other component
7 C&C Components Protection  Design Protections ─ Gates ─ Cryptographic Key ─ Login Web Page Key  Generic C&C Components ● Note: naming convention and components changes with design Component Overview gate.php preventing direct access to main control panel cp.php managing bots and exfiltrated data (control panel) index.php restricting directory listing through default code config.php configuring settings for bots and C&C panel itself install/ installation component (tables, databases, reports and others) fsarch.php archiving files
8 C&C Gates!  What are Gates ? ─ Intermediate web components that perform verification on the incoming requests sent by the bots ● Verification of bots identity ● Authorization and allocation of access rights ─ Different from login or administrative panels ─ Gates can be treated as proxies ● C&C prefers to communicate with bots through gates
9 Protecting C&C Resources!  ICE 1X shows following message in one of its directory:  ZEND Framework Authentication ─ Zend_Session  Built-in session management functionality using namespace objects ─ Zend_Acl  Lightweight access control privileges  ionCube ─ PHP encoder to encode the PHP source code and file paths ─ ionCube loader manages the runtime execution of PHP code
10 C&C Attack Models!  Reversing malware to extract cryptographic keys and file ─ Key provides read/write operation capabilities on the C&C panel (including components)  Obtaining backdoor access to hosting servers  Finding design and deployment flaws including vulnerabilities ─ Performing source code analysis on the downloaded C&C panel  Note: Read Whitepaper for complete details !
11 Google Dorks – Botnet C&Cs  Potential Dorks ─ Dorks are based on the default design of the botnet family ● Design such as naming convention can be changed by the bot herder ─ A number of C&C panels have been exposed using these dorks ● Worth giving a TRY ! Test more and build more dorks ! Botnet Family Potential Google Dorks Zeus inurl: “cp.php?m=login” | inurl: “cp.php?letter=login” ICE 1X inurl: “adm/index.php?m=login” Citadel inurl: “cp.php?m=login” BetaBot inurl: “login.php" intext: “myNews Content Manager” iStealer inurl: “index.php?action=logs” intitle:”login” SpyEye inurl: “frmcp/”
12 Google Dorks – Botnet C&Cs  Example : Citadel and Zeus
13 Google Dorks – Botnet C&Cs  Example : Finding C&C Gates
14 Network Traffic Analysis (1)  Detecting network traffic to gates ─ Analyzing communication channels used for data exfiltration Data exfiltration to Gates – Plasma Bot !
15 Network Traffic Analysis (2)  Remember : Gates and C&C administration interface are hosted on the same server majority of the time Gate component shows blank page and C&C panel administration interface is present on the same server
16 Multiple C&C Panels – Same Server!  Possibility of only one C&C panel present on the same host on the destination server  Not True !  Operations ─ Analyze URL structure and associated parameters ─ Detect directory patterns in the C&C URL ─ Guess or Fuzz the parameters in the C&C URL  Example ─ URL structure : http://[C&C_domain]/[directory]/index.php?m=login ● http://www.example.com/storage/1/control.php?m=login ─ Try: ● http://www.example.com/storage/2/control.php?m=login ● http://www.example.com/storage/3/control.php?m=login ● http://www.example.com/storage/4/control.php?m=login
17 Multiple C&C Panels – Server!  Detected multiple Zeus C&C panels on same host
18 Multiple C&C Panels – Server!  Detected multiple Winlocker C&C Panels
19 Demo – Detecting Multiple Panels !
20 Confirming Base C&C Components!  Relying on the renamed C&C component and does not ensure the present of the default one  Operations ● Bot herders rename the C&C component to other to avoid signatures – Example: renaming “cp.php”  “check.php” ● Ensure that the default components are present on the server ● Testing indicates that both renamed and original files are present on the C&C server Exposed Components !
21  Installation component is exposed on several botnets ─ Vulnerable C&C Panels – Zeus / ICE 1X / Citadel Installation Component Check Extracting report directory name and accessing it to access reports directory !
22 Demo – Access Via Default Components!
23 Port Mapping for Similar Resources!  Relying completely on the specific port detected in the network for C&C communication ─ Verification of only TCP port 80 or 443 on the C&C for web services ─ Assuming that TCP port 443 is used only for HTTPS  Issuing the HTTP requests to same resources on different ports ─ Fuzzing the same web resources on the target web server on different ports ─ This technique has resulted in fruitful scenarios
24 Port Mapping for Similar Resources! Checking same resources on different ports. A “cmd” file is downloaded by targeting different paths and ports !
25 Port Mapping for Similar Resources!
26 C&C Deployment on XAMPP!  Seriously ?  XAMPP is never meant to be used for production purposes ─ Using it for C&C is serious mistake. But, its happening ! ─ Easy configuration  Serious security issues in configuration ● The MySQL administrator (root) has no password ● The MySQL daemon is accessible via network ● ProFTPD uses the password "lampp" for user "daemon" ● PhpMyAdmin is accessible via network ● Examples are accessible via network ● Refer: https://www.apachefriends.org/faq_linux.html  There are number of loopholes that can be exploited to hack back into servers using XAMPP
27 C&C Deployment on XAMPP!  Seriously ?
28 C&C Deployment on XAMPP!
29 Demo – C&C Access via XAMPP !
30 Root Directory Verification!  Root directory of the hosting server should be analyzed  Majority of time directory index is obtained
31 Vulnerability Hunting !!  Detecting vulnerabilities in C&C panels ─ Like hunting flaws in web applications  Example:- An earlier SQL Injection in SpyEye C&C panel !
32 Weak and Default Passwords !  Several C&Cs are configured with weak or default passwords  iStealer panel accessed using weak password
33 Remote Management Shells !  Search for PHP files with arbitrary names ─ Possibility of finding remote management shells ─ If you know the authentication key, you can upload of your own too. Inactive Shell. But active ones have been found too !
34 Demo – Detecting Remote Shells !
35 Conclusion!  To fight with malware, it is important to harness the power of penetration testing and malware analysis including reverse engineering  There are no shortcuts to fight against cybercrime  Note: Do read the whitepaper released with this talk for extensive details. Materials are available on BlackHat Archives and http://www.secniche.org
36 Future Work!  To build more interesting attack models as this research is ongoing  To analyze complete evolution of botnet C&C panels  To detect new C&C panels for upcoming botnets  To perform data analysis to understand security guidelines used by the end-users and organizations
37 Questions and Queries !! http://www.niara.com

Recommended

Abusing Glype Proxies - Attacks, Exploits and Defences
Abusing Glype Proxies - Attacks, Exploits and DefencesAbusing Glype Proxies - Attacks, Exploits and Defences
Abusing Glype Proxies - Attacks, Exploits and Defences
Aditya K Sood
 
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin MagazineNIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine
Aditya K Sood
 
ToorCon 14 : Malandroid : The Crux of Android Infections
ToorCon 14 : Malandroid : The Crux of Android InfectionsToorCon 14 : Malandroid : The Crux of Android Infections
ToorCon 14 : Malandroid : The Crux of Android Infections
Aditya K Sood
 
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
Aditya K Sood
 
Drozer - An Android Application Security Tool
Drozer - An Android Application Security Tool Drozer - An Android Application Security Tool
Drozer - An Android Application Security Tool
nullowaspmumbai
 
Big problems with big data – Hadoop interfaces security
Big problems with big data – Hadoop interfaces securityBig problems with big data – Hadoop interfaces security
Big problems with big data – Hadoop interfaces security
SecuRing
 
Null 14 may_lesser_known_attacks_by_ninadsarang
Null 14 may_lesser_known_attacks_by_ninadsarangNull 14 may_lesser_known_attacks_by_ninadsarang
Null 14 may_lesser_known_attacks_by_ninadsarang
Ninad Sarang
 
Neoito — Secure coding practices
Neoito — Secure coding practicesNeoito — Secure coding practices
Neoito — Secure coding practices
Neoito
 

Recommended

Abusing Glype Proxies - Attacks, Exploits and Defences
Abusing Glype Proxies - Attacks, Exploits and DefencesAbusing Glype Proxies - Attacks, Exploits and Defences
Abusing Glype Proxies - Attacks, Exploits and Defences
Aditya K Sood
 
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin MagazineNIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine
Aditya K Sood
 
ToorCon 14 : Malandroid : The Crux of Android Infections
ToorCon 14 : Malandroid : The Crux of Android InfectionsToorCon 14 : Malandroid : The Crux of Android Infections
ToorCon 14 : Malandroid : The Crux of Android Infections
Aditya K Sood
 
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
Aditya K Sood
 
Drozer - An Android Application Security Tool
Drozer - An Android Application Security Tool Drozer - An Android Application Security Tool
Drozer - An Android Application Security Tool
nullowaspmumbai
 
Big problems with big data – Hadoop interfaces security
Big problems with big data – Hadoop interfaces securityBig problems with big data – Hadoop interfaces security
Big problems with big data – Hadoop interfaces security
SecuRing
 
Null 14 may_lesser_known_attacks_by_ninadsarang
Null 14 may_lesser_known_attacks_by_ninadsarangNull 14 may_lesser_known_attacks_by_ninadsarang
Null 14 may_lesser_known_attacks_by_ninadsarang
Ninad Sarang
 
Neoito — Secure coding practices
Neoito — Secure coding practicesNeoito — Secure coding practices
Neoito — Secure coding practices
Neoito
 
The Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secureThe Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secure
Kaspersky
 
[CB21] ProxyLogon is Just the Tip of the Iceberg, A New Attack Surface on Mic...
[CB21] ProxyLogon is Just the Tip of the Iceberg, A New Attack Surface on Mic...[CB21] ProxyLogon is Just the Tip of the Iceberg, A New Attack Surface on Mic...
[CB21] ProxyLogon is Just the Tip of the Iceberg, A New Attack Surface on Mic...
CODE BLUE
 
[Wroclaw #2] iOS Security - 101
[Wroclaw #2] iOS Security - 101[Wroclaw #2] iOS Security - 101
[Wroclaw #2] iOS Security - 101
OWASP
 
[CONFidence 2016] Leszek Miś - Honey(pot) flavored hunt for cyber enemy
[CONFidence 2016] Leszek Miś - Honey(pot) flavored hunt for cyber enemy[CONFidence 2016] Leszek Miś - Honey(pot) flavored hunt for cyber enemy
[CONFidence 2016] Leszek Miś - Honey(pot) flavored hunt for cyber enemy
PROIDEA
 
[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software
OWASP
 
Hack and Slash: Secure Coding
Hack and Slash: Secure CodingHack and Slash: Secure Coding
Hack and Slash: Secure Coding
Prathan Phongthiproek
 
Android Security Overview and Safe Practices for Web-Based Android Applications
Android Security Overview and Safe Practices for Web-Based Android ApplicationsAndroid Security Overview and Safe Practices for Web-Based Android Applications
Android Security Overview and Safe Practices for Web-Based Android Applications
h4oxer
 
[CONFidence 2016] Andrey Plastunov - Simple bugs to pwn the devs
[CONFidence 2016] Andrey Plastunov - Simple bugs to pwn the devs [CONFidence 2016] Andrey Plastunov - Simple bugs to pwn the devs
[CONFidence 2016] Andrey Plastunov - Simple bugs to pwn the devs
PROIDEA
 
Platform Security IRL: Busting Buzzwords & Building Better
Platform Security IRL: Busting Buzzwords & Building BetterPlatform Security IRL: Busting Buzzwords & Building Better
Platform Security IRL: Busting Buzzwords & Building Better
Equal Experts
 
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
CODE BLUE
 
Android application security testing
Android application security testingAndroid application security testing
Android application security testing
Mykhailo Antonishyn
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecurities
amiable_indian
 
Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015
Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015
Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015
CODE BLUE
 
Understanding Windows Access Token Manipulation
Understanding Windows Access Token ManipulationUnderstanding Windows Access Token Manipulation
Understanding Windows Access Token Manipulation
Justin Bui
 
Secure coding in C#
Secure coding in C#Secure coding in C#
Secure coding in C#
Siddharth Bezalwar
 
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat DasNull Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
nullowaspmumbai
 
Fuzzing | Null OWASP Mumbai | 2016 June
Fuzzing | Null OWASP Mumbai | 2016 JuneFuzzing | Null OWASP Mumbai | 2016 June
Fuzzing | Null OWASP Mumbai | 2016 June
nullowaspmumbai
 
Rapid Android Application Security Testing
Rapid Android Application Security TestingRapid Android Application Security Testing
Rapid Android Application Security Testing
Nutan Kumar Panda
 
CVE-2021-44228 Log4j (and Log4Shell) Executive Explainer by cje@bugcrowd
CVE-2021-44228 Log4j (and Log4Shell) Executive Explainer by cje@bugcrowdCVE-2021-44228 Log4j (and Log4Shell) Executive Explainer by cje@bugcrowd
CVE-2021-44228 Log4j (and Log4Shell) Executive Explainer by cje@bugcrowd
Casey Ellis
 
[Wroclaw #4] WebRTC & security: 101
[Wroclaw #4] WebRTC & security: 101[Wroclaw #4] WebRTC & security: 101
[Wroclaw #4] WebRTC & security: 101
OWASP
 
Thick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseThick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash Course
NetSPI
 
I got 99 trends and a # is all of them
I got 99 trends and a # is all of themI got 99 trends and a # is all of them
I got 99 trends and a # is all of them
Roberto Suggi Liverani
 

More Related Content

What's hot

The Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secureThe Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secure
Kaspersky
 
[CB21] ProxyLogon is Just the Tip of the Iceberg, A New Attack Surface on Mic...
[CB21] ProxyLogon is Just the Tip of the Iceberg, A New Attack Surface on Mic...[CB21] ProxyLogon is Just the Tip of the Iceberg, A New Attack Surface on Mic...
[CB21] ProxyLogon is Just the Tip of the Iceberg, A New Attack Surface on Mic...
CODE BLUE
 
[CONFidence 2016] Leszek Miś - Honey(pot) flavored hunt for cyber enemy
[CONFidence 2016] Leszek Miś - Honey(pot) flavored hunt for cyber enemy[CONFidence 2016] Leszek Miś - Honey(pot) flavored hunt for cyber enemy
[CONFidence 2016] Leszek Miś - Honey(pot) flavored hunt for cyber enemy
PROIDEA
 
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
CODE BLUE
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecurities
amiable_indian
 
Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015
Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015
Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015
CODE BLUE
 

What's hot (20)

The Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secureThe Log4Shell Vulnerability – explained: how to stay secure
The Log4Shell Vulnerability – explained: how to stay secure
 
[CB21] ProxyLogon is Just the Tip of the Iceberg, A New Attack Surface on Mic...
[CB21] ProxyLogon is Just the Tip of the Iceberg, A New Attack Surface on Mic...[CB21] ProxyLogon is Just the Tip of the Iceberg, A New Attack Surface on Mic...
[CB21] ProxyLogon is Just the Tip of the Iceberg, A New Attack Surface on Mic...
 
[Wroclaw #2] iOS Security - 101
[Wroclaw #2] iOS Security - 101[Wroclaw #2] iOS Security - 101
[Wroclaw #2] iOS Security - 101
 
[CONFidence 2016] Leszek Miś - Honey(pot) flavored hunt for cyber enemy
[CONFidence 2016] Leszek Miś - Honey(pot) flavored hunt for cyber enemy[CONFidence 2016] Leszek Miś - Honey(pot) flavored hunt for cyber enemy
[CONFidence 2016] Leszek Miś - Honey(pot) flavored hunt for cyber enemy
 
[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software[Wroclaw #9] The purge - dealing with secrets in Opera Software
[Wroclaw #9] The purge - dealing with secrets in Opera Software
 
Hack and Slash: Secure Coding
Hack and Slash: Secure CodingHack and Slash: Secure Coding
Hack and Slash: Secure Coding
 
Android Security Overview and Safe Practices for Web-Based Android Applications
Android Security Overview and Safe Practices for Web-Based Android ApplicationsAndroid Security Overview and Safe Practices for Web-Based Android Applications
Android Security Overview and Safe Practices for Web-Based Android Applications
 
[CONFidence 2016] Andrey Plastunov - Simple bugs to pwn the devs
[CONFidence 2016] Andrey Plastunov - Simple bugs to pwn the devs [CONFidence 2016] Andrey Plastunov - Simple bugs to pwn the devs
[CONFidence 2016] Andrey Plastunov - Simple bugs to pwn the devs
 
Platform Security IRL: Busting Buzzwords & Building Better
Platform Security IRL: Busting Buzzwords & Building BetterPlatform Security IRL: Busting Buzzwords & Building Better
Platform Security IRL: Busting Buzzwords & Building Better
 
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
[CB20] Operation I am Tom: How APT actors move laterally in corporate network...
 
Android application security testing
Android application security testingAndroid application security testing
Android application security testing
 
Hacking Client Side Insecurities
Hacking Client Side InsecuritiesHacking Client Side Insecurities
Hacking Client Side Insecurities
 
Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015
Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015
Defeating firefox by Muneaki Nishimunea - CODE BLUE 2015
 
Understanding Windows Access Token Manipulation
Understanding Windows Access Token ManipulationUnderstanding Windows Access Token Manipulation
Understanding Windows Access Token Manipulation
 
Secure coding in C#
Secure coding in C#Secure coding in C#
Secure coding in C#
 
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat DasNull Mumbai Meet_Android Reverse Engineering by Samrat Das
Null Mumbai Meet_Android Reverse Engineering by Samrat Das
 
Fuzzing | Null OWASP Mumbai | 2016 June
Fuzzing | Null OWASP Mumbai | 2016 JuneFuzzing | Null OWASP Mumbai | 2016 June
Fuzzing | Null OWASP Mumbai | 2016 June
 
Rapid Android Application Security Testing
Rapid Android Application Security TestingRapid Android Application Security Testing
Rapid Android Application Security Testing
 
CVE-2021-44228 Log4j (and Log4Shell) Executive Explainer by cje@bugcrowd
CVE-2021-44228 Log4j (and Log4Shell) Executive Explainer by cje@bugcrowdCVE-2021-44228 Log4j (and Log4Shell) Executive Explainer by cje@bugcrowd
CVE-2021-44228 Log4j (and Log4Shell) Executive Explainer by cje@bugcrowd
 
[Wroclaw #4] WebRTC & security: 101
[Wroclaw #4] WebRTC & security: 101[Wroclaw #4] WebRTC & security: 101
[Wroclaw #4] WebRTC & security: 101
 

Similar to BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Panels !

Thick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseThick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash Course
NetSPI
 
Kubernetes and container security
Kubernetes and container securityKubernetes and container security
Kubernetes and container security
Volodymyr Shynkar
 
Abusing bleeding edge web standards for appsec glory
Abusing bleeding edge web standards for appsec gloryAbusing bleeding edge web standards for appsec glory
Abusing bleeding edge web standards for appsec glory
Priyanka Aash
 
Securing Apache Web Servers
Securing Apache Web ServersSecuring Apache Web Servers
Securing Apache Web Servers
webhostingguy
 
Contain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidenceContain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidence
Black Duck by Synopsys
 
C# Production Debugging Made Easy
C# Production Debugging Made Easy C# Production Debugging Made Easy
C# Production Debugging Made Easy
Alon Fliess
 
Rest api design by george reese
Rest api design by george reeseRest api design by george reese
Rest api design by george reese
buildacloud
 

Similar to BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Panels ! (20)

Thick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash CourseThick Application Penetration Testing - A Crash Course
Thick Application Penetration Testing - A Crash Course
 
I got 99 trends and a # is all of them
I got 99 trends and a # is all of themI got 99 trends and a # is all of them
I got 99 trends and a # is all of them
 
Build Time Hacking
Build Time HackingBuild Time Hacking
Build Time Hacking
 
Thick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash CourseThick Application Penetration Testing: Crash Course
Thick Application Penetration Testing: Crash Course
 
Pursuing evasive custom command & control - GuideM
Pursuing evasive custom command & control - GuideMPursuing evasive custom command & control - GuideM
Pursuing evasive custom command & control - GuideM
 
Kubernetes and container security
Kubernetes and container securityKubernetes and container security
Kubernetes and container security
 
Abusing bleeding edge web standards for appsec glory
Abusing bleeding edge web standards for appsec gloryAbusing bleeding edge web standards for appsec glory
Abusing bleeding edge web standards for appsec glory
 
Aleksandr Kutsan "Managing Dependencies in C++"
Aleksandr Kutsan "Managing Dependencies in C++"Aleksandr Kutsan "Managing Dependencies in C++"
Aleksandr Kutsan "Managing Dependencies in C++"
 
.Net Debugging Techniques
.Net Debugging Techniques.Net Debugging Techniques
.Net Debugging Techniques
 
.NET Debugging Tips and Techniques
.NET Debugging Tips and Techniques.NET Debugging Tips and Techniques
.NET Debugging Tips and Techniques
 
Using Chef InSpec for Infrastructure Security
Using Chef InSpec for Infrastructure SecurityUsing Chef InSpec for Infrastructure Security
Using Chef InSpec for Infrastructure Security
 
Securing Apache Web Servers
Securing Apache Web ServersSecuring Apache Web Servers
Securing Apache Web Servers
 
Securing Apache Web Servers
Securing Apache Web ServersSecuring Apache Web Servers
Securing Apache Web Servers
 
Contain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidenceContain your risk: Deploy secure containers with trust and confidence
Contain your risk: Deploy secure containers with trust and confidence
 
Aci dp
Aci dpAci dp
Aci dp
 
AIR - Framework ( Cairngorm and Parsley )
AIR - Framework ( Cairngorm and Parsley )AIR - Framework ( Cairngorm and Parsley )
AIR - Framework ( Cairngorm and Parsley )
 
Codeigniter
CodeigniterCodeigniter
Codeigniter
 
K8s best practices from the field!
K8s best practices from the field!K8s best practices from the field!
K8s best practices from the field!
 
C# Production Debugging Made Easy
C# Production Debugging Made Easy C# Production Debugging Made Easy
C# Production Debugging Made Easy
 
Rest api design by george reese
Rest api design by george reeseRest api design by george reese
Rest api design by george reese
 

More from Aditya K Sood

DEF CON 20 - Botnets Die Hard - Owned and Operated
DEF CON 20 - Botnets Die Hard - Owned and OperatedDEF CON 20 - Botnets Die Hard - Owned and Operated
DEF CON 20 - Botnets Die Hard - Owned and Operated
Aditya K Sood
 
Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks
Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks
Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks
Aditya K Sood
 
Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...
Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...
Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...
Aditya K Sood
 
Commercial Cyber Crime - Social Networks Malware
Commercial Cyber Crime - Social Networks MalwareCommercial Cyber Crime - Social Networks Malware
Commercial Cyber Crime - Social Networks Malware
Aditya K Sood
 
Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...
Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...
Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...
Aditya K Sood
 
OWASP AppSec USA 2011 - Dismantling Web Malware
OWASP AppSec USA 2011 - Dismantling Web MalwareOWASP AppSec USA 2011 - Dismantling Web Malware
OWASP AppSec USA 2011 - Dismantling Web Malware
Aditya K Sood
 
Browser Malware Taxonomy
Browser Malware TaxonomyBrowser Malware Taxonomy
Browser Malware Taxonomy
Aditya K Sood
 
BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...
BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...
BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...
Aditya K Sood
 
Dissecting Java Server Faces for Penetration Testing
Dissecting Java Server Faces for Penetration Testing Dissecting Java Server Faces for Penetration Testing
Dissecting Java Server Faces for Penetration Testing
Aditya K Sood
 
VxWorks - Holistic Security (Art of Testing)
VxWorks - Holistic Security (Art of Testing)VxWorks - Holistic Security (Art of Testing)
VxWorks - Holistic Security (Art of Testing)
Aditya K Sood
 
Toorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit PacksToorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit Packs
Aditya K Sood
 
Art of InfoJacking, Source Conference Seattle, 2011
Art of InfoJacking, Source Conference Seattle, 2011Art of InfoJacking, Source Conference Seattle, 2011
Art of InfoJacking, Source Conference Seattle, 2011
Aditya K Sood
 

More from Aditya K Sood (20)

Emerging Trends in Online Social Networks Malware
Emerging Trends in Online Social Networks MalwareEmerging Trends in Online Social Networks Malware
Emerging Trends in Online Social Networks Malware
 
Enfilade: Tool to Detect Infections in MongoDB Instances
Enfilade: Tool to Detect Infections in MongoDB InstancesEnfilade: Tool to Detect Infections in MongoDB Instances
Enfilade: Tool to Detect Infections in MongoDB Instances
 
Detecting Ransomware/Bot Infections in Elasticsearch
Detecting Ransomware/Bot Infections in ElasticsearchDetecting Ransomware/Bot Infections in Elasticsearch
Detecting Ransomware/Bot Infections in Elasticsearch
 
Network Security : Book Review : Targeted Cyber Attacks : Aditya K Sood
Network Security : Book Review : Targeted Cyber Attacks : Aditya K SoodNetwork Security : Book Review : Targeted Cyber Attacks : Aditya K Sood
Network Security : Book Review : Targeted Cyber Attacks : Aditya K Sood
 
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...
 
BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...
BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...
BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...
 
DEF CON 20 - Botnets Die Hard - Owned and Operated
DEF CON 20 - Botnets Die Hard - Owned and OperatedDEF CON 20 - Botnets Die Hard - Owned and Operated
DEF CON 20 - Botnets Die Hard - Owned and Operated
 
Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks
Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks
Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks
 
NGR Bot Analysis Paper
NGR Bot Analysis PaperNGR Bot Analysis Paper
NGR Bot Analysis Paper
 
Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...
Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...
Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...
 
Commercial Cyber Crime - Social Networks Malware
Commercial Cyber Crime - Social Networks MalwareCommercial Cyber Crime - Social Networks Malware
Commercial Cyber Crime - Social Networks Malware
 
Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...
Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...
Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...
 
OWASP AppSec USA 2011 - Dismantling Web Malware
OWASP AppSec USA 2011 - Dismantling Web MalwareOWASP AppSec USA 2011 - Dismantling Web Malware
OWASP AppSec USA 2011 - Dismantling Web Malware
 
Browser Malware Taxonomy
Browser Malware TaxonomyBrowser Malware Taxonomy
Browser Malware Taxonomy
 
BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...
BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...
BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in...
 
PenTest Magazine Teaser - Mobile Hacking
PenTest Magazine Teaser - Mobile HackingPenTest Magazine Teaser - Mobile Hacking
PenTest Magazine Teaser - Mobile Hacking
 
Dissecting Java Server Faces for Penetration Testing
Dissecting Java Server Faces for Penetration Testing Dissecting Java Server Faces for Penetration Testing
Dissecting Java Server Faces for Penetration Testing
 
VxWorks - Holistic Security (Art of Testing)
VxWorks - Holistic Security (Art of Testing)VxWorks - Holistic Security (Art of Testing)
VxWorks - Holistic Security (Art of Testing)
 
Toorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit PacksToorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit Packs
 
Art of InfoJacking, Source Conference Seattle, 2011
Art of InfoJacking, Source Conference Seattle, 2011Art of InfoJacking, Source Conference Seattle, 2011
Art of InfoJacking, Source Conference Seattle, 2011
 

Recently uploaded

TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
Joaquim Jorge
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
Safe Software
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
sammart93
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
Principled Technologies
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Miguel Araújo
 

Recently uploaded (20)

Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Artificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and MythsArtificial Intelligence: Facts and Myths
Artificial Intelligence: Facts and Myths
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
Real Time Object Detection Using Open CV
Real Time Object Detection Using Open CVReal Time Object Detection Using Open CV
Real Time Object Detection Using Open CV
 
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time AutomationFrom Event to Action: Accelerate Your Decision Making with Real-Time Automation
From Event to Action: Accelerate Your Decision Making with Real-Time Automation
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Strategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a FresherStrategies for Landing an Oracle DBA Job as a Fresher
Strategies for Landing an Oracle DBA Job as a Fresher
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 

BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Panels !

  • 1. 1 ExploitingFundamental Weaknesses inCommandandControl (C&C)Panels What Goes Around Comes Back Around ! Aditya K Sood Senior Security Researcher and Engineer
  • 2. 2 About the Speaker!  Dr. Aditya K Sood ─ Senior Threat Researcher and Engineer  Others ● Worked previously for IOActive, Armorize, Coseinc and KPMG ● Active Speaker at Security conferences ● Written Content – IEEE Magazine/Virus Bulletin/ ISSA/ISACA/CrossTalk/HITB Ezine /Elsevier NESE|CFS ● Personal Website: – LinkedIn : http://www.linkedin.com/in/adityaks – Website: http://www.secniche.org – Blog: http://secniche.blogspot.com – Company Website : http://www.niara.com ● Authored “ Targeted Cyber Attacks” Book ! ● Email : contact {at} secniche {dot} org
  • 3. 3 Disclaimer ! The opinions and views expressed in this research presentation is completely based on my independent research and do not relate to any of my previous or present employers. I am not responsible for the links (URLs) presented in Figures and Listings as part of testing analysis and do not assume any responsibility for the accuracy or functioning of these at the time of release of this paper.These links (URLs) were live and active during testing. The research presented in this presentation should only be used for educational purposes. Please also check the updated version of this presentation after the conference. The released version of the research paper isVersion 1.1 ! Fetch it from BlackHat Archives or http://www.secniche.org
  • 4. 4 What This Talk is All About ?!  Learning about the different insights gathered from real-time testing of C&C panels  Understanding the facts and C&C design of botnet families ─ Zeus / ICE 1X/ Citadel / BetaBot etc.  Busting several myths about C&C architecture and deployments  Learning what methods to follow when direct exploitation is not possible  Utilizing multiple vulnerabilities to attack C&C panels  Gathering information using weak C&C configurations  Building C&C intelligence for Incident Response and automated solutions
  • 5. 5 Rationale !! Why to Break when we can Bypass !
  • 6. 6 C&C Panels Overview!  Web-based software components for managing bots around the Internet  Centralized place for communicating with bots and sending updates  Majority of the C&C panels are authored in PHP and MySQL ─ Hosted on Apache / Nginx and LAMPP (XAMPP) servers  C&C panel is architected using modular components that are interdependent on each other ─ Failing one component can impact the working of other component
  • 7. 7 C&C Components Protection  Design Protections ─ Gates ─ Cryptographic Key ─ Login Web Page Key  Generic C&C Components ● Note: naming convention and components changes with design Component Overview gate.php preventing direct access to main control panel cp.php managing bots and exfiltrated data (control panel) index.php restricting directory listing through default code config.php configuring settings for bots and C&C panel itself install/ installation component (tables, databases, reports and others) fsarch.php archiving files
  • 8. 8 C&C Gates!  What are Gates ? ─ Intermediate web components that perform verification on the incoming requests sent by the bots ● Verification of bots identity ● Authorization and allocation of access rights ─ Different from login or administrative panels ─ Gates can be treated as proxies ● C&C prefers to communicate with bots through gates
  • 9. 9 Protecting C&C Resources!  ICE 1X shows following message in one of its directory:  ZEND Framework Authentication ─ Zend_Session  Built-in session management functionality using namespace objects ─ Zend_Acl  Lightweight access control privileges  ionCube ─ PHP encoder to encode the PHP source code and file paths ─ ionCube loader manages the runtime execution of PHP code
  • 10. 10 C&C Attack Models!  Reversing malware to extract cryptographic keys and file ─ Key provides read/write operation capabilities on the C&C panel (including components)  Obtaining backdoor access to hosting servers  Finding design and deployment flaws including vulnerabilities ─ Performing source code analysis on the downloaded C&C panel  Note: Read Whitepaper for complete details !
  • 11. 11 Google Dorks – Botnet C&Cs  Potential Dorks ─ Dorks are based on the default design of the botnet family ● Design such as naming convention can be changed by the bot herder ─ A number of C&C panels have been exposed using these dorks ● Worth giving a TRY ! Test more and build more dorks ! Botnet Family Potential Google Dorks Zeus inurl: “cp.php?m=login” | inurl: “cp.php?letter=login” ICE 1X inurl: “adm/index.php?m=login” Citadel inurl: “cp.php?m=login” BetaBot inurl: “login.php" intext: “myNews Content Manager” iStealer inurl: “index.php?action=logs” intitle:”login” SpyEye inurl: “frmcp/”
  • 12. 12 Google Dorks – Botnet C&Cs  Example : Citadel and Zeus
  • 13. 13 Google Dorks – Botnet C&Cs  Example : Finding C&C Gates
  • 14. 14 Network Traffic Analysis (1)  Detecting network traffic to gates ─ Analyzing communication channels used for data exfiltration Data exfiltration to Gates – Plasma Bot !
  • 15. 15 Network Traffic Analysis (2)  Remember : Gates and C&C administration interface are hosted on the same server majority of the time Gate component shows blank page and C&C panel administration interface is present on the same server
  • 16. 16 Multiple C&C Panels – Same Server!  Possibility of only one C&C panel present on the same host on the destination server  Not True !  Operations ─ Analyze URL structure and associated parameters ─ Detect directory patterns in the C&C URL ─ Guess or Fuzz the parameters in the C&C URL  Example ─ URL structure : http://[C&C_domain]/[directory]/index.php?m=login ● http://www.example.com/storage/1/control.php?m=login ─ Try: ● http://www.example.com/storage/2/control.php?m=login ● http://www.example.com/storage/3/control.php?m=login ● http://www.example.com/storage/4/control.php?m=login
  • 17. 17 Multiple C&C Panels – Server!  Detected multiple Zeus C&C panels on same host
  • 18. 18 Multiple C&C Panels – Server!  Detected multiple Winlocker C&C Panels
  • 19. 19 Demo – Detecting Multiple Panels !
  • 20. 20 Confirming Base C&C Components!  Relying on the renamed C&C component and does not ensure the present of the default one  Operations ● Bot herders rename the C&C component to other to avoid signatures – Example: renaming “cp.php”  “check.php” ● Ensure that the default components are present on the server ● Testing indicates that both renamed and original files are present on the C&C server Exposed Components !
  • 21. 21  Installation component is exposed on several botnets ─ Vulnerable C&C Panels – Zeus / ICE 1X / Citadel Installation Component Check Extracting report directory name and accessing it to access reports directory !
  • 22. 22 Demo – Access Via Default Components!
  • 23. 23 Port Mapping for Similar Resources!  Relying completely on the specific port detected in the network for C&C communication ─ Verification of only TCP port 80 or 443 on the C&C for web services ─ Assuming that TCP port 443 is used only for HTTPS  Issuing the HTTP requests to same resources on different ports ─ Fuzzing the same web resources on the target web server on different ports ─ This technique has resulted in fruitful scenarios
  • 24. 24 Port Mapping for Similar Resources! Checking same resources on different ports. A “cmd” file is downloaded by targeting different paths and ports !
  • 25. 25 Port Mapping for Similar Resources!
  • 26. 26 C&C Deployment on XAMPP!  Seriously ?  XAMPP is never meant to be used for production purposes ─ Using it for C&C is serious mistake. But, its happening ! ─ Easy configuration  Serious security issues in configuration ● The MySQL administrator (root) has no password ● The MySQL daemon is accessible via network ● ProFTPD uses the password "lampp" for user "daemon" ● PhpMyAdmin is accessible via network ● Examples are accessible via network ● Refer: https://www.apachefriends.org/faq_linux.html  There are number of loopholes that can be exploited to hack back into servers using XAMPP
  • 27. 27 C&C Deployment on XAMPP!  Seriously ?
  • 29. 29 Demo – C&C Access via XAMPP !
  • 30. 30 Root Directory Verification!  Root directory of the hosting server should be analyzed  Majority of time directory index is obtained
  • 31. 31 Vulnerability Hunting !!  Detecting vulnerabilities in C&C panels ─ Like hunting flaws in web applications  Example:- An earlier SQL Injection in SpyEye C&C panel !
  • 32. 32 Weak and Default Passwords !  Several C&Cs are configured with weak or default passwords  iStealer panel accessed using weak password
  • 33. 33 Remote Management Shells !  Search for PHP files with arbitrary names ─ Possibility of finding remote management shells ─ If you know the authentication key, you can upload of your own too. Inactive Shell. But active ones have been found too !
  • 34. 34 Demo – Detecting Remote Shells !
  • 35. 35 Conclusion!  To fight with malware, it is important to harness the power of penetration testing and malware analysis including reverse engineering  There are no shortcuts to fight against cybercrime  Note: Do read the whitepaper released with this talk for extensive details. Materials are available on BlackHat Archives and http://www.secniche.org
  • 36. 36 Future Work!  To build more interesting attack models as this research is ongoing  To analyze complete evolution of botnet C&C panels  To detect new C&C panels for upcoming botnets  To perform data analysis to understand security guidelines used by the end-users and organizations
  • 37. 37 Questions and Queries !! http://www.niara.com