A Closer Look on C&C Panels
Seminar on Practical Security
Original talk: Exploiting Fundamental Weaknesses in Botnet Command and Control (C&C) Panels: What Goes Around Comes Back Around! (Aditya K Sood, BlackHat 2014)
Tandhy Simanjuntak
08/10/2015
Agenda
• Introduction
• Detection Methods
• Securing C&C Panels
• Compromise Methods
Introduction
What is a Botnet?
• A collection of internet-connected compromised machines
• Used to perform objectives in the hands of the bot master
• Malicious
• Examples: Zeus, Ice IX, Citadel, SpyEye, and Athena
C&C Servers
• Machine used to manage bots
• Sends instructions and receives data
How It Works
1. Infect the system
2. Gather credentials / PII
3. Upload data to the C&C server
Detection Methods
Detection Methods
• Google Dorks
• Network Traffic Analysis
• Public C&C Trackers
Google Dorks
Google advanced search techniques, i.e. inurl, intitle, filetype, etc.
Dorks matching known panel login pages:
• Citadel or Zeus - inurl:"cp.php?m=login"
• ICE IX - inurl:"adm/index.php?m=login"
• SpyEye - inurl:"/frmcp/"
• iStealer - inurl:"/index.php?action=logs" intitle:"login"
• Beta Bot - inurl:"login.php" intext:"myNews Content Manager"
Network Traffic Analysis
Monitor traffic.
Plasma HTTP Bot example traffic: (screenshot)
Public C&C Trackers
Run by independent researchers:
• Cyber Crime Tracker - http://cybercrime-tracker.net/index.php
• Zeus Tracker - https://zeustracker.abuse.ch/
• SpyEye Tracker - https://spyeyetracker.abuse.ch/
• Palevo Tracker - https://palevotracker.abuse.ch/
• Feodo Tracker - https://feodotracker.abuse.ch/
• Daily Botnet Statistics - http://botnet-tracker.blogspot.com/
Securing C&C Panels
Securing Mechanisms
• Gate Component
• Cryptographic Key
• Login Page Key
Gate Component (gate.php)
• Acts as a gateway
• Verifies host identity
• Transmits to the C&C panel
Extracted code from the gate component (an excerpt: the SBCID_* constants, connectToDb(), toUint() and getCountryIpv4() are defined elsewhere in the panel source):
```php
// Reject requests that lack the bot version or bot id fields.
if(empty($list[SBCID_BOT_VERSION]) || empty($list[SBCID_BOT_ID]))die();
if(!connectToDb())die();
// Normalise the bot id and botnet name, then escape them for the SQL query
// with addslashes(); the *Q variables are the escaped copies.
$botId = str_replace("\x01", "\x02", trim($list[SBCID_BOT_ID]));
$botIdQ = addslashes($botId);
$botnet = (empty($list[SBCID_BOTNET])) ? DEFAULT_BOTNET :
    str_replace("\x01", "\x02", trim($list[SBCID_BOTNET]));
$botnetQ = addslashes($botnet);
$botVersion = toUint($list[SBCID_BOT_VERSION]);
// The reporting IP is taken from the "ip" query parameter when present, so it
// is client-supplied; the socket peer address is only the fallback.
$realIpv4 = trim((!empty($_GET['ip']) ? $_GET['ip'] : $_SERVER['REMOTE_ADDR']));
$country = getCountryIpv4();
$countryQ = addslashes($country);
$curTime = time();
```
Cryptographic Key
• Used for encryption and authentication
• RC4 algorithm
• Hard-coded in the configuration file (Zeus and Citadel)
Extracted from the configuration file:
```php
$config['mysql_host'] = 'localhost';
$config['mysql_user'] = 'specific_wp1';
$config['mysql_pass'] = 'X8psH64kYa';
$config['mysql_db'] = 'specific_WP';
$config['botnet_timeout'] = 1500;
$config['botnet_cryptkey'] = 'pelli$10pelli';
```
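The RC4 key above is shared by every bot and stored in clear text, so the protection it gives is only as strong as the secrecy of one file on the panel host. The following is an added example, not code from the slides or from any panel: a textbook RC4 with the key from the excerpt, plus the keystream-reuse property that a static key with no per-message nonce brings. The gate message is constructed for the demonstration.

```python
# Added example, not code from the slides or from any botnet panel: a textbook
# RC4 (KSA + PRGA) used to show what a static, hard-coded botnet_cryptkey means
# for traffic protection. The key value is the one in the config excerpt; the
# gate message is constructed, not real traffic.
from typing import Iterator

BOTNET_CRYPTKEY = b"pelli$10pelli"             # from the slides' config excerpt
SAMPLE_GATE_MSG = b"bot_id=WIN7-PC_123&ver=1"  # constructed sample message


def rc4_keystream(key: bytes) -> Iterator[int]:
    """Key-scheduling algorithm (KSA) followed by the PRGA keystream."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        yield s[(s[i] + s[j]) & 0xFF]


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Stream cipher: XOR with the keystream, so one call encrypts and decrypts."""
    return bytes(b ^ k for b, k in zip(data, rc4_keystream(key)))


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def keystream_reuse_leak(ciphertext1: bytes, ciphertext2: bytes) -> bytes:
    """With one static key and no per-message nonce every message is XORed
    with the identical keystream, so c1 XOR c2 equals p1 XOR p2: an observer
    learns the relation between two plaintexts without knowing the key."""
    return xor_bytes(ciphertext1, ciphertext2)


if __name__ == "__main__":
    wire = rc4_crypt(BOTNET_CRYPTKEY, SAMPLE_GATE_MSG)
    # Anyone holding the key from the config file (or from a memory dump, as
    # the compromise section describes) reads the capture with the same call.
    print(rc4_crypt(BOTNET_CRYPTKEY, wire))
```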
Login Page Key
• Added authentication feature
• Without login page key: www.cc-server.com/panel/index.php
• With login page key: www.cc-server.com/panel/index.php?key=[value]
Compromise methods
Compromise Methods
• Malware RE
• Backdoor access to Hosting Server
• C&C Panels Weaknesses
Malware RE
• Obtain the malware
• Obtain the RC4 key via memory dump
• Upload remote management shells to the server via an upload vulnerability
  • The upload filter blocks .php, .php3, .php4, .php5, .php, .asp, .aspx, .exe, .pl, .cgi, .cmd, .bat, .phtml, .htaccess
  • Apache treats .php. as a valid .php file
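The upload filter described above is a denylist on the final extension, and the trailing-dot case is a direct consequence of that design. Added example, not code from the slides or from any panel: the denylist check beside the allowlist check an uploads feature that only expects images would use; the file names, the image extension set and the base-name pattern are constructed for the demonstration.

```python
# Added example, not from the slides or from any panel's source: the extension
# denylist the slides list next to an allowlist check, to show why filtering on
# "known bad" extensions lets names such as shell.php. (trailing dot) through.
import re

# Extension denylist as listed on the slides (leading dots dropped).
DENIED_EXTENSIONS = {
    "php", "php3", "php4", "php5", "asp", "aspx", "exe", "pl", "cgi",
    "cmd", "bat", "phtml", "htaccess",
}
# Constructed allowlist for an upload feature that only expects images.
ALLOWED_EXTENSIONS = {"jpg", "jpeg", "png", "gif"}
# Constructed base-name pattern: no separators, no dots, bounded length.
SAFE_BASE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def denylist_allows(filename: str) -> bool:
    """Weak check: inspect only the text after the last dot and reject
    known-bad extensions. 'shell.php.' has an empty final extension and
    passes; 'shell.php.jpg' ends in an allowed-looking extension and passes."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    return ext not in DENIED_EXTENSIONS


def allowlist_allows(filename: str) -> bool:
    """Hardened check: exactly one dot, a restricted base name, and an
    extension from the allowlist. Trailing dots, double extensions, path
    separators and dotfiles such as .htaccess all fail this test."""
    parts = filename.split(".")
    if len(parts) != 2:
        return False
    base, ext = parts
    return bool(SAFE_BASE_NAME.match(base)) and ext.lower() in ALLOWED_EXTENSIONS


if __name__ == "__main__":
    for name in ("report.png", "shell.php", "shell.php.", "shell.php.jpg", ".htaccess"):
        print(f"{name:16} denylist={denylist_allows(name)!s:5} allowlist={allowlist_allows(name)}")
```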
Backdoor access to Hosting Server
• Find vulnerabilities in other systems on the host
• Upload remote management shells
• See: Notorious Datacenter support systems – Pwning through outer sphere: Exploitation Analysis of Help Desk Systems
C&C Panels Weaknesses
• Insecure Deployment
• Exposed Directory Structure
• Unprotected Components
• SQL Injection, XSS
• Open Ports
• Weak Password and Login Page Key
Insecure Deployment
Third-party software, i.e. XAMPP:
"XAMPP is not meant for production use but only for development environments. The way XAMPP is configured is to be open as possible to allow the developer anything he/she wants. For development environments this is great but in a production environment it could be fatal"
Here a list of missing security in XAMPP:
1. The MySQL administrator (root) has no password.
2. The MySQL daemon is accessible via network.
3. ProFTPD uses the password "lampp" for user "daemon".
4. PhpMyAdmin is accessible via network.
5. Examples are accessible via network.
https://www.apachefriends.org/faq_linux.html
Exposed Directory Structure
• /adm
• /config
• /redirect
• /_reports
• /install
• /theme
Citadel C&C Panel: (screenshots)
Ports Mapping
• Find other open ports to get resources
The End
References
1. Sood, A. K. (2014). Exploiting Fundamental Weaknesses in Botnet Command and Control (C&C) Panels: What Goes Around Comes Back Around!. BlackHat 2014, Las Vegas, USA.
2. WebSense (2014). Putting Cyber Criminals on Notice: Watch Your Flank. Web. Aug 8, 2015. http://community.websense.com/blogs/securitylabs/archive/2014/06/12/zeus-c-amp-c-vulnerability.aspx
3. Internet Security (2011). Meet Ice IX, Son Of ZeuS. Web. Aug 8, 2015. http://www.internetsecuritydb.com/2011/08/meet-ice-ix-son-of-zeus.html
4. Sherstobitoff, R. (2013). Inside the World of the Citadel Trojan. Executive Summary, McAfee Labs.
5. Donohue, B. (2013). The Big Four Banking Trojans. Kaspersky Lab. Web. Aug 8, 2015. https://blog.kaspersky.com/the-big-four-banking-trojans/
6. Jones, J. (2013). Athena, a DDoS Malware Odyssey. Arbor Networks Threat Intelligence. Web. Aug 8, 2015. https://asert.arbornetworks.com/athena-a-ddos-malware-odyssey/
7. Gallagher, S. (2014). Feds warn first responders of dangerous hacking tool: Google Search. Ars Technica. Web. Aug 8, 2015. http://arstechnica.com/security/2014/08/feds-warn-first-responders-of-dangerous-hacking-tool-google-search/?utm_source=feedburner&utm_medium=feed&utm_campaign=Feed%3A+arstechnica%2Findex+%28Ars+Technica+-+All+content%29
8. Apache Friends (n.d.). Linux Frequently Asked Questions. Web. Aug 8, 2015. https://www.apachefriends.org/faq_linux.html