A Closer Look On C&C Panels Exploiting Fundamental Weaknesses In Botnet

Transcription

A Closer Look on C&C Panels: Exploiting Fundamental Weaknesses in Botnet Command and Control (C&C) Panels
Seminar on Practical Security
"What Goes Around Comes Back Around!"
Tandhy Simanjuntak, 08/10/2015
Original talk: Aditya K Sood, BlackHat 2014

Agenda
- Introduction
- Detection Methods
- Securing C&C Panels
- Compromise Methods

Introduction

Introduction: What is a Botnet?
- A collection of internet-connected compromised machines
- Used to perform objectives in the hands of the bot master
- Malicious
- Examples: Zeus, Ice IX, Citadel, SpyEye, and Athena

Introduction: C&C Servers
- Machines used to manage the bots
- Send instructions and receive data

Introduction: How It Works
1. Infect the system
2. Gather credentials / PII
3. Upload the data to the C&C server

Detection

Detection Methods
- Google Dorks
- Network Traffic Analysis
- Public C&C Trackers

Detection Methods: Google Dorks
- Google advanced search techniques, i.e. inurl, intitle, filetype, etc.

Detection Methods: Google Dorks (examples)
- Citadel or Zeus: inurl:"cp.php?m=login"
- Ice IX: inurl:"adm/index.php?m=login"
- SpyEye: inurl:"/frmcp/"
- iStealer: inurl:"/index.php?action=logs" intitle:"login"
- Beta Bot: inurl:"login.php" intext:"myNews Content Manager"

Detection Methods: Network Traffic Analysis
- Monitor traffic
- Plasma HTTP Bot example traffic (capture shown on the slide)

Detection Methods: Public C&C Trackers (run by independent researchers)
- Cyber Crime Tracker - http://cybercrimetracker.net/index.php
- Zeus Tracker - https://zeustracker.abuse.ch/
- SpyEye Tracker - https://spyeyetracker.abuse.ch/
- Palevo Tracker - https://palevotracker.abuse.ch/
- Feodo Tracker - https://feodotracker.abuse.ch/
- Daily Botnet Statistics - http://botnettracker.blogspot.com/
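The URL fragments in the dorks above, together with the gate.php check-in path, can be turned into a detection rule run over a web-proxy log, which is the "monitor traffic" idea in code. This is an added example, not from the slides or the original talk: the signatures are taken from the dorks, while the log lines and the log format (epoch time, client IP, method, URL, status) are constructed.

```python
"""Flag requests to known C&C panel paths in a web-proxy log.
Added example, not from the slides: the URL signatures are taken from the dorks
above plus the gate.php check-in path; the log lines and the log format
(timestamp, client, method, URL, status) are constructed."""
import re
from urllib.parse import parse_qs, urlsplit

# (label, path pattern, query parameters that must be present).
# Beta Bot is left out: its dork keys on page text ("myNews Content Manager"),
# which a URL-only check cannot see, and /login.php alone would flag everything.
PANEL_SIGNATURES = [
    ("Zeus/Citadel panel login", re.compile(r"/cp\.php$", re.I), {"m": "login"}),
    ("Ice IX panel login", re.compile(r"/adm/index\.php$", re.I), {"m": "login"}),
    ("SpyEye panel", re.compile(r"/frmcp/", re.I), {}),
    ("iStealer panel logs", re.compile(r"/index\.php$", re.I), {"action": "logs"}),
    ("Zeus-style gate (bot check-in)", re.compile(r"/gate\.php$", re.I), {}),
]

# Constructed proxy log: epoch time, client IP, method, URL, HTTP status.
SAMPLE_LOG = """\
1439055210 10.0.0.12 GET http://example.com/news/index.php?id=3 200
1439055211 10.0.0.12 POST http://198.51.100.7/panel/gate.php 200
1439055212 10.0.0.45 GET http://198.51.100.7/panel/cp.php?m=login 200
1439055213 10.0.0.30 GET http://203.0.113.9/adm/index.php?m=login 200
1439055214 10.0.0.18 GET http://203.0.113.22/index.php?action=logs 200
1439055215 10.0.0.18 GET http://203.0.113.40/frmcp/ 200
1439055216 10.0.0.18 GET http://example.org/login.php 200
"""

LOG_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")


def classify(url: str):
    """Return the label of the first signature the URL matches, else None."""
    parts = urlsplit(url)
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    for label, path_re, needed in PANEL_SIGNATURES:
        if path_re.search(parts.path) and all(query.get(k) == v for k, v in needed.items()):
            return label
    return None


def scan_log(text: str) -> list:
    """Return (client, url, label) for every line whose URL hits a signature."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        _ts, client, _method, url, _status = m.groups()
        label = classify(url)
        if label:
            hits.append((client, url, label))
    return hits


if __name__ == "__main__":
    for client, url, label in scan_log(SAMPLE_LOG):
        print(f"{client} -> {url}  [{label}]")
```

Read the hits differently by direction: an internal client POSTing to a gate.php is behaving like an infected bot reporting in, while a GET to cp.php?m=login means someone on the network is reaching a panel login page (an operator, or an analyst). Generic paths such as /index.php?action=logs are only a lead and need the query parameter to be worth anything, which is why the signature carries the required parameters rather than the path alone.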


Securing C&C Panels

Securing Mechanisms
- Gate Component
- Cryptographic Key
- Login Page Key

Securing Mechanisms: Gate Component (gate.php)
- Acts as a gateway
- Verifies the host identity
- Transmits to the C&C panel

Extracted code from the gate component:

    if(empty($list[SBCID_BOT_VERSION]) || empty($list[SBCID_BOT_ID]))die();
    if(!connectToDb())die();

    $botId      = str_replace("\x01", "\x02", trim($list[SBCID_BOT_ID]));
    $botIdQ     = addslashes($botId);
    $botnet     = (empty($list[SBCID_BOTNET])) ? DEFAULT_BOTNET : str_replace("\x01", "\x02", trim($list[SBCID_BOTNET]));
    $botnetQ    = addslashes($botnet);
    $botVersion = toUint($list[SBCID_BOT_VERSION]);
    $realIpv4   = trim((!empty($_GET['ip']) ? $_GET['ip'] : $_SERVER['REMOTE_ADDR']));
    $country    = getCountryIpv4();
    $countryQ   = addslashes($country);
    $curTime    = time();

Two details of this excerpt matter later: the bot's reported address is taken from a client-supplied ip query parameter before falling back to REMOTE_ADDR, and the bot-controlled fields are only escaped with addslashes() before they reach the database.

Securing Mechanisms: Cryptographic Key
- Used for encryption and authentication
- RC4 algorithm
- Hard-coded in the configuration file
- Zeus and Citadel
Extracted from the configuration file:

    $config['mysql_host']      = 'localhost';
    $config['mysql_user']      = 'specific wp1';
    $config['mysql_pass']      = 'X8psH64kYa';
    $config['mysql_db']        = 'specific WP';
    $config['botnet_timeout']  = 1500;
    $config['botnet_cryptkey'] = 'pelli 10pelli';

Securing Mechanisms: Login Page Key
- An added authentication feature
- Without login page key: www.cc-server.com/panel/index.php
- With login page key: www.cc-server.com/panel/index.php?key=[value]

Compromise Methods

Compromise Methods
- Malware RE
- Backdoor access to the hosting server
- C&C panel weaknesses

Compromise Methods: Malware RE
- Obtain the malware
- Obtain the RC4 key via a memory dump

Compromise Methods: Backdoor Access to the Hosting Server
- Upload remote management shells to the server via an upload vulnerability
- The upload filter blocks .php, .php3, .php4, .php5, .asp, .aspx, .exe, .pl, .cgi, .cmd, .bat, .phtml and .htaccess
- Apache treats a file whose name ends in .php. (trailing dot) as a valid .php file, so the blacklist is bypassed
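The cryptographic-key slide under Securing Mechanisms and the "RC4 key via memory dump" step above are two halves of one technique: the key is hard-coded and shared by every bot, so whoever recovers it from one process image can decrypt (or forge) the check-ins of the whole botnet. The following added example, which is not code from the slides or from Zeus/Citadel, walks through that: a textbook RC4, a constructed memory dump containing the configuration key shown earlier, and a trial-decryption loop that tries every printable string in the dump against a captured check-in. The check-in layout (ASCII key=value lines) and the dump contents are assumptions made for illustration.

```python
"""Recover a hard-coded RC4 key from a memory dump, then decrypt a captured bot
check-in with it. Added example: not code from the slides or from Zeus/Citadel.
The check-in layout and the dump contents are constructed for illustration."""
import re


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (KSA then PRGA). The same call encrypts and decrypts."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


# The botnet_cryptkey from the configuration file above; every bot shares it.
CRYPT_KEY = b"pelli 10pelli"

# Constructed check-in body (assumption: ASCII key=value lines; the real wire
# format of Zeus/Citadel is not reproduced here).
CHECKIN = b"bot_id=WORKSTATION7_1A2B3C\nbotnet=default\nversion=2.1.0.1\n"
CAPTURED = rc4(CRYPT_KEY, CHECKIN)  # what a network sensor records

# Constructed process memory: bytes outside the printable range, with the key
# sitting among other strings as it does once the bot has loaded its config.
FILLER = bytes(range(0x00, 0x20)) + bytes(range(0x7F, 0x100))
DUMP = (FILLER + b"kernel32.dll\x00" + FILLER + b"Mozilla/4.0\x00" + FILLER
        + CRYPT_KEY + b"\x00" + FILLER + b"localhost\x00" + FILLER)

STRING_RE = re.compile(rb"[ -~]{6,64}")  # printable runs, like `strings -n 6`


def candidate_keys(dump: bytes) -> list:
    """Every printable string in the dump is a candidate key."""
    return [m.group(0) for m in STRING_RE.finditer(dump)]


def looks_like_checkin(plain: bytes) -> bool:
    """Plausibility test for a trial decryption: printable key=value lines."""
    return plain.startswith(b"bot_id=") and all(
        b == 0x0A or 0x20 <= b < 0x7F for b in plain)


def recover_key(dump: bytes, captured: bytes):
    """Trial-decrypt the capture with each candidate; return the key that works."""
    for key in candidate_keys(dump):
        if looks_like_checkin(rc4(key, captured)):
            return key
    return None


if __name__ == "__main__":
    key = recover_key(DUMP, CAPTURED)
    print("recovered key:", key)
    print(rc4(key, CAPTURED).decode())
```

The plausibility check is the part to adapt per family: on real traffic the test would be whatever structure the bot's report has, and a stream cipher with a static key gives no integrity, so nothing stops the analyst from re-encrypting a modified report with the recovered key and sending it to gate.php. The same key also sits in the panel's configuration file, which is why an exposed config directory (later in this deck) is as good as a memory dump.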


Compromise Methods: Backdoor Access to the Hosting Server (continued)
- Find the vulnerabilities of others
- Upload remote management shells
- See also: Notorious Datacenter Support Systems – Pwning through the Outer Sphere: Exploitation Analysis of Help Desk Systems

Compromise Methods: C&C Panel Weaknesses
- Insecure Deployment
- Exposed Directory Structure
- Unprotected Components
- SQL Injection, XSS
- Open Ports
- Weak Password and Login Page Key

C&C Panel Weaknesses: Insecure Deployment
- Third-party software, i.e. XAMPP.
"XAMPP is not meant for production use but only for development environments. The way XAMPP is configured is to be open as possible to allow the developer anything he/she wants. For development environments this is great but in a production environment it could be fatal."
Here is a list of missing security in XAMPP:
1. The MySQL administrator (root) has no password.
2. The MySQL daemon is accessible via network.
3. ProFTPD uses the password "lampp" for user "daemon".
4. PhpMyAdmin is accessible via network.
5. Examples are accessible via network.
Source: https://www.apachefriends.org/faq_linux.html

C&C Panel Weaknesses: Exposed Directory Structure
- /adm
- /config
- /redirect
- /reports
- /install
- /theme


C&C Panel Weaknesses: Citadel C&C Panel (screenshots shown on the slides)


C&C Panel Weaknesses: Open Ports (Port Mapping)
- Find other open ports to get at resources


The End

References
1. Sood, A. K. (2014). Exploiting Fundamental Weaknesses in Botnet Command and Control (C&C) Panels: What Goes Around Comes Back Around! BlackHat 2014, Las Vegas, USA.
2. WebSense (2014). Putting Cyber Criminals on Notice: Watch Your Flank. Web. Aug 8, …spx
3. Internet Security (2011). Meet Ice IX, Son Of ZeuS. Web. Aug 8, …t-ice-ix-son-of-zeus.html
4. Sherstobitoff, R. (2013). Inside the World of the Citadel Trojan. Executive Summary, McAfee Labs.
5. Donohue, B. (2013). The Big Four Banking Trojans. Kaspersky Lab. Web. Aug 8, …ng-trojans/
6. Jones, J. (2013). Athena, a DDoS Malware Odyssey. Arbor Networks Threat Intelligence. Web. Aug 8 2015. …are-odyssey/
7. Gallagher, S. (2014). Feds warn first responders of dangerous hacking tool: Google Search. Ars Technica. Web. Aug 8 2015. …arch/
8. Apache Friends (n.d.). Linux Frequently Asked Questions. Web. Aug 8 2015. https://www.apachefriends.org/faq_linux.html
