Successfully reported this slideshow.
We use your LinkedIn profile and activity data to personalize ads and to show you more relevant ads. You can change your ad preferences anytime.
ACloser look onC&C
Panels
Seminar on Practical Security
Tandhy Simanjuntak
Exploiting Fundamental
Weaknesses in Botnet
Com...
Agenda Introduction
Detection Methods
Securing C&C Panels
Compromise Methods
Introduction
Introduction A collection of internet-connected
compromised machines
To perform objectives in the hand of
Bot master  M...
Introduction Machine to manage bot
Send instructions and receive data
C&C
Servers
Introduction
How ItWorks Infect the system
Gather credentials-PII
Upload data to C&C
Server
Detection Methods
http://thumbs.dreamstime.com/z/vector-detective-illustration-flat-style-surveillance-control-concept-big...
Detection
Methods Google Dorks
NetworkTraffic Analysis
Public C&CTrackers
Detection
Methods
Google Advance search techniques
i.e. inurl, intitle, filetype , etc.Google Dorks
NetworkTraffic
Analysi...
Detection
Methods
Citadel or Zeus - inurl:“cp.php?m=login”
ICE IX - inurl:“adm/index.php?m=login”
SpyEye - inurl:“/frmcp/”...
Detection
Methods
Monitor traffics
Google Dorks
NetworkTraffic
Analysis
Public C&C
Trackers
Plasma HTTP Bot example traffi...
Detection
Methods Independent researchers
Google Dorks
NetworkTraffic
Analysis
Public C&C
Trackers
• Cyber Crime Tracker -...
Detection
Methods
SecuringC&C Panels
https://pixabay.com/get/52972f3a772794c94c16/1439055210/padlock-40192_1280.png?direct
Securing
Mechanisms Gate Component
Cryptographic Key
Login Page Key
Securing
Mechanisms
Act as a gateway
Verify host identity
Transmit to C&C Panel
Gate.php
Gate
Component
Cryptographic
Key
...
Securing
Mechanisms if(empty($list[SBCID_BOT_VERSION]) ||
empty($list[SBCID_BOT_ID]))die();
if(!connectToDb())die();
$botI...
Securing
Mechanisms
Gate
Component
Cryptographic
Key
Login Page Key
Encryption and authentication
RC4 algorithm
Hard-coded...
Securing
Mechanisms
Gate
Component
Cryptographic
Key
Login Page Key
Added authentication feature
Without login page key:
•...
Compromise methods
http://thumb9.shutterstock.com/display_pic_with_logo/1947692/231475606/stock-vector-hacker-internet-sec...
Compromised
Methods
Malware RE
Backdoor access to Hosting Server
C&C PanelsWeaknesses
Malware RE
Backdoor access to
Hosting Server
C&C Panels
Weaknesses
Compromised
Methods Obtain the malware
Obtain RC4 key v...
Malware RE
Backdoor access to
Hosting Server
C&C Panels
Weaknesses
Compromised
Methods
Find others’ vulnerabilities
Upload remote management shells
Notorious Datacenter support systems – Pwning through
outer s...
Malware RE
Backdoor access to
Hosting Server
C&C PanelsWeaknesses
Compromised
Methods
Insecure Deployment
Exposed Director...
Compromised
Methods
Insecure Deployment
Exposed Directory Structure
UnprotectedComponents
SQL Injection, XSS
Open Ports
We...
Compromised
Methods
Insecure Deployment
Exposed Directory Structure
UnprotectedComponents
SQL Injection, XSS
Open Ports
We...
Compromised
Methods
Insecure Deployment
Exposed Directory Structure
UnprotectedComponents
SQL Injection, XSS
Open Ports
We...
Compromised
Methods
Insecure Deployment
Exposed Directory Structure
UnprotectedComponents
SQL Injection, XSS
Open Ports
We...
Compromised
Methods
Insecure Deployment
Exposed Directory Structure
UnprotectedComponents
SQL Injection, XSS
Ports Mapping...
Compromised
Methods
Insecure Deployment
Exposed Directory Structure
UnprotectedComponents
SQL Injection, XSS
Ports Mapping...
Compromised
Methods
Insecure Deployment
Exposed Directory Structure
UnprotectedComponents
SQL Injection, XSS
Ports Mapping...
Compromised
Methods
Insecure Deployment
Exposed Directory Structure
UnprotectedComponents
SQL Injection, XSS
Ports Mapping...
Compromised
Methods
Insecure Deployment
Exposed Directory Structure
UnprotectedComponents
SQL Injection, XSS
Ports Mapping...
Compromised
Methods
Insecure Deployment
Exposed Directory Structure
UnprotectedComponents
SQL Injection, XSS
Ports Mapping...
Compromised
Methods
Insecure Deployment
Exposed Directory Structure
UnprotectedComponents
SQL Injection
Ports Mapping
Weak...
Compromised
Methods
Insecure Deployment
Exposed Directory Structure
UnprotectedComponents
SQL Injection
Ports Mapping
Weak...
The End
References
1. Sood, A. K. (2014). Exploiting Fundamental Weaknesses in Botnet Command and Control (C&C)
Panels: What Goes ...
Upcoming SlideShare
Loading in …5
×

A Closer Look on C&C Panels

a presentation at 5th BU RISCS Seminar of Practical Security. The presentation based on a talk at BlackHat 2014 by Aditya K. Sood

  • Be the first to comment

A Closer Look on C&C Panels

  1. 1. ACloser look onC&C Panels Seminar on Practical Security Tandhy Simanjuntak Exploiting Fundamental Weaknesses in Botnet Command and Control (C&C) Panels What Goes Around Comes Back Around ! Aditya K Sood BlackHat 2014 08/10/2015
  2. 2. Agenda Introduction Detection Methods Securing C&C Panels Compromise Methods
  3. 3. Introduction
  4. 4. Introduction A collection of internet-connected compromised machines To perform objectives in the hand of Bot master  Malicious Ex. Zeus, Ice 1X, Citadel, SpyEye, and Athena What is Botnet
  5. 5. Introduction Machine to manage bot Send instructions and receive data C&C Servers
  6. 6. Introduction How ItWorks Infect the system Gather credentials-PII Upload data to C&C Server
  7. 7. Detection Methods http://thumbs.dreamstime.com/z/vector-detective-illustration-flat-style-surveillance-control-concept-big- brother-watching-you-37752327.jpg
  8. 8. Detection Methods Google Dorks NetworkTraffic Analysis Public C&CTrackers
  9. 9. Detection Methods Google Advance search techniques i.e. inurl, intitle, filetype , etc.Google Dorks NetworkTraffic Analysis Public C&C Trackers
  10. 10. Detection Methods Citadel or Zeus - inurl:“cp.php?m=login” ICE IX - inurl:“adm/index.php?m=login” SpyEye - inurl:“/frmcp/” iStealer - inurl: “/index.php?action=logs” intitle:“login” Beta Bot - inurl:“login.php” intext:“myNews Content Manager” Google Dorks NetworkTraffic Analysis Public C&C Trackers
  11. 11. Detection Methods Monitor traffics Google Dorks NetworkTraffic Analysis Public C&C Trackers Plasma HTTP Bot example traffic :
  12. 12. Detection Methods Independent researchers Google Dorks NetworkTraffic Analysis Public C&C Trackers • Cyber Crime Tracker - http://cybercrime- tracker.net/index.php • Zeus Tracker - https://zeustracker.abuse.ch/ • SpyEye Tracker - https://spyeyetracker.abuse.ch/ • Palevo Tracker - https://palevotracker.abuse.ch/ • Feodo Tracker - https://feodotracker.abuse.ch/ • Daily Botnet Statistics - http://botnet- tracker.blogspot.com/
  13. 13. Detection Methods
  14. 14. SecuringC&C Panels https://pixabay.com/get/52972f3a772794c94c16/1439055210/padlock-40192_1280.png?direct
  15. 15. Securing Mechanisms Gate Component Cryptographic Key Login Page Key
  16. 16. Securing Mechanisms Act as a gateway Verify host identity Transmit to C&C Panel Gate.php Gate Component Cryptographic Key Login Page Key
  17. 17. Securing Mechanisms if(empty($list[SBCID_BOT_VERSION]) || empty($list[SBCID_BOT_ID]))die(); if(!connectToDb())die(); $botId = str_replace("x01", "x02", trim($list[SBCID_BOT_ID])); $botIdQ = addslashes($botId); $botnet = (empty($list[SBCID_BOTNET])) ? DEFAULT_BOTNET : str_replace("x01", "x02", trim($list[SBCID_BOTNET])); $botnetQ = addslashes($botnet); $botVersion = toUint($list[SBCID_BOT_VERSION]); $realIpv4 = trim((!empty($_GET[’ip’]) ? $_GET[’ip’] : $_SERVER[’REMOTE_ADDR’])); $country = getCountryIpv4(); $countryQ = addslashes($country); $curTime = time(); Extracted Code from gate component: Gate Component Cryptographic Key Login Page Key
  18. 18. Securing Mechanisms Gate Component Cryptographic Key Login Page Key Encryption and authentication RC4 algorithm Hard-coded in configuration file Zeus and Citadel $config[’mysql_host’] = ’localhost’; $config[’mysql_user’] = ’specific_wp1’; $config[’mysql_pass’] = ’X8psH64kYa’; $config[’mysql_db’] = ’specific_WP’; $config[’botnet_timeout’] = 1500; $config[’botnet_cryptkey’] = ’pelli$10pelli’; Extracted from configuration file:
  19. 19. Securing Mechanisms Gate Component Cryptographic Key Login Page Key Added authentication feature Without login page key: • www.cc-server.com/panel/index.php With login page key: • www.cc-server.com/panel/index.php?key=[value]
  20. 20. Compromise methods http://thumb9.shutterstock.com/display_pic_with_logo/1947692/231475606/stock-vector-hacker-internet-security-concept-flat-design-vector-illustration-231475606.jpg
  21. 21. Compromised Methods Malware RE Backdoor access to Hosting Server C&C PanelsWeaknesses
  22. 22. Malware RE Backdoor access to Hosting Server C&C Panels Weaknesses Compromised Methods Obtain the malware Obtain RC4 key via memory dump Upload remote management shells to server via upload vulnerability • Block .php, .php3, .php4, .php5, .php, .asp, .aspx, .exe, .pl, .cgi, .cmd, .bat, .phtml, .htaccess • Apache treats .php. as a valid .php  file.php.
  23. 23. Malware RE Backdoor access to Hosting Server C&C Panels Weaknesses Compromised Methods
  24. 24. Find others’ vulnerabilities Upload remote management shells Notorious Datacenter support systems – Pwning through outer sphere: Exploitation Analysis of Help Desk Systems Malware RE Backdoor access to Hosting Server C&C Panels Weaknesses Compromised Methods
  25. 25. Malware RE Backdoor access to Hosting Server C&C PanelsWeaknesses Compromised Methods Insecure Deployment Exposed Directory Structure Unprotected Components SQL Injection, XSS Open Ports Weak Password and Login Page Key
  26. 26. Compromised Methods Insecure Deployment Exposed Directory Structure UnprotectedComponents SQL Injection, XSS Open Ports Weak Password and Login Page Key Third party software. •i.e. XAMPP. ”XAMPP is not meant for production use but only for development environments. The way XAMPP is configured is to be open as possible to allow the developer anything he/she wants. For development environments this is great but in a production environment it could be fatal” Here a list of missing security in XAMPP: 1. The MySQL administrator (root) has no password. 2. The MySQL daemon is accessible via network. 3. ProFTPD uses the password "lampp" for user "daemon". 4. PhpMyAdmin is accessible via network. 5. Examples are accessible via network. https://www.apachefriends.org/faq_linux.html
  27. 27. Compromised Methods Insecure Deployment Exposed Directory Structure UnprotectedComponents SQL Injection, XSS Open Ports Weak Password and Login Page Key Exposed Directory Structure • /adm • /config • /redirect • /_reports • /install • /theme
  28. 28. Compromised Methods Insecure Deployment Exposed Directory Structure UnprotectedComponents SQL Injection, XSS Open Ports Weak Password and Login Page Key
  29. 29. Compromised Methods Insecure Deployment Exposed Directory Structure UnprotectedComponents SQL Injection, XSS Open Ports Weak Password and Login Page Key
  30. 30. Compromised Methods Insecure Deployment Exposed Directory Structure UnprotectedComponents SQL Injection, XSS Ports Mapping Weak Password and Login Page Key
  31. 31. Compromised Methods Insecure Deployment Exposed Directory Structure UnprotectedComponents SQL Injection, XSS Ports Mapping Weak Password and Login Page Key
  32. 32. Compromised Methods Insecure Deployment Exposed Directory Structure UnprotectedComponents SQL Injection, XSS Ports Mapping Weak Password and Login Page Key
  33. 33. Compromised Methods Insecure Deployment Exposed Directory Structure UnprotectedComponents SQL Injection, XSS Ports Mapping Weak Password and Login Page Key Citadel C&C Panel:
  34. 34. Compromised Methods Insecure Deployment Exposed Directory Structure UnprotectedComponents SQL Injection, XSS Ports Mapping Weak Password and Login Page Key Citadel C&C Panel:
  35. 35. Compromised Methods Insecure Deployment Exposed Directory Structure UnprotectedComponents SQL Injection, XSS Ports Mapping Weak Password and Login Page Key
  36. 36. Compromised Methods Insecure Deployment Exposed Directory Structure UnprotectedComponents SQL Injection Ports Mapping Weak Password and Login Page Key Find other open ports to get resources
  37. 37. Compromised Methods Insecure Deployment Exposed Directory Structure UnprotectedComponents SQL Injection Ports Mapping Weak Password and Login Page Key
  38. 38. The End
  39. 39. References 1. Sood, A. K. (2014). Exploiting Fundamental Weaknesses in Botnet Command and Control (C&C) Panels: What Goes Around Comes Back Around !. BlackHat 2014, LasVegas, USA, 2014. 2. WebSense (2014).Putting Cyber Criminals on Notice: WatchYour Flank. Web. Aug 8, 2015. http://community.websense.com/blogs/securitylabs/archive/2014/06/12/zeus-c-amp-c- vulnerability.aspx 3. Internet Security (2011). Meet Ice IX, Son Of ZeuS. Web. Agt 8 2015. http://www.internetsecuritydb.com/2011/08/meet-ice-ix-son-of-zeus.html 4. Sherstobitoff, R. (2013). Inside the World of the Citadel Trojan. Executive Summary, McAfee Labs. 5. Donohue, B. (2013).The Big Four Banking Trojans. Kaspersky Lab. Web. Aug 8, 2015. https://blog.kaspersky.com/the-big-four-banking-trojans/ 6. Jones, J. (2013). Athena, a DDoS Malware Odyssey. Arbor NetworksThreat Intelligence. Web. Aug 8 2015. https://asert.arbornetworks.com/athena-a-ddos-malware-odyssey/ 7. Gallagher, S. (2014). Feds warn first responders of dangerous hacking tool: Google Search. Ars Technica. Web. Aug 8 2015. http://arstechnica.com/security/2014/08/feds-warn-first-responders- of-dangerous-hacking-tool-google- search/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+arstechnica%2 Findex+%28Ars+Technica+-+All+content%29 8. Apache Friend (n.d.) Linux Frequently Asked Questions. Web. Aug 8 2015. https://www.apachefriends.org/faq_linux.html

×