In their rush to exploit users, hackers have littered their own creations with easily exploitable vulnerabilities. They're learning that it's not so easy to write secure code. In fact, most of us in the business of securing our applications and systems know that bulletproofing software is an extremely expensive and exhausting undertaking. Most attackers lack the resources and community peer review needed to harden their malware, and that gives the security community an opportunity to advance a conversation about what we should do about it.
Some food for thought:
- Hackers hide in the shadows and thrive in anonymity; probing their attack networks would shine a light on their own techniques and tactics
- Law enforcement and the security community could use the information to track down suspects and shut down attack infrastructure
- Malware creators who have to look to their own defenses would have to slow down the production of new attacks
Is it legal? Is it ethical? Let's look at a vulnerability in the C&C of a Zeus Trojan in circulation and envision the possibilities together.
As we have explained in previous blogs, Zeus is a banking Trojan designed to steal login credentials and other Personally Identifiable Information (PII). In this analysis, we will demonstrate that malware authors make the same kinds of mistakes as regular software engineers, and show how a particular publicly known vulnerability in the Zeus C&C server can lead to full access to the botnet's Command Panel or possibly full system compromise of the server. We have set up our own Zeus C&C and bot in our internal research network, where we can simulate this attack and show its implications.
In order to understand why the vulnerability exists in the first place, we must understand the basic workings of Zeus. Zeus bots operate in the following pattern: 1) infect a system, 2) gather credentials and PII, and 3) upload the stolen data in the form of reports to the C&C server. The crucial point here is that the bot uploads a file to the remote server. What if we could leverage this mechanism to impersonate a bot and upload our own file to the server? Let's say an executable, with which we could execute commands on the server.
Unfortunately, we can't simply upload a file. Zeus uses the RC4 algorithm to encrypt all communications between the bot and the server, so the server will only accept files that are encrypted with the same key it uses. Luckily for us, RC4 is a symmetric cipher, which means that both parties (in this case the bot and the C&C) use the same pre-shared key. This further implies that the key is embedded somewhere in the bot. So we need to capture a Zeus binary and find the key in order to be able to communicate with the C&C. We can achieve this by using the Volatility memory analysis tool to dump the RC4 keystream from an infected machine's memory.
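The design weakness described above is worth seeing in code. The following is an added example, not code from the original post or from the Zeus malware: a textbook RC4 implementation (key-scheduling and keystream generation as published for the cipher) plus a tiny stand-in for a server that "accepts" any report decrypting to a well-formed record. The key, the report format and the `server_accepts` check are constructed for illustration. Because RC4 is symmetric, the same key both encrypts and decrypts, so a key held by every client binary can only provide confidentiality against third parties; it cannot tell the server which client, or whether a genuine client, produced a message. That is the lesson for defenders designing protocols: encryption with a shared secret is not authentication.

```python
def rc4_keystream(key: bytes):
    """Generate the RC4 keystream for `key` (standard KSA then PRGA)."""
    # Key-scheduling algorithm: permute the 256-entry state with the key.
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    # Pseudo-random generation algorithm: emit one keystream byte per step.
    i = j = 0
    while True:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        yield S[(S[i] + S[j]) & 0xFF]


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is plaintext XOR keystream, so one function both encrypts and decrypts."""
    ks = rc4_keystream(key)
    return bytes(b ^ next(ks) for b in data)


# Constructed shared secret standing in for a key embedded in every client binary.
SHARED_KEY = b"example-preshared-key"


def server_accepts(key: bytes, blob: bytes) -> bool:
    """Constructed stand-in for a server that trusts anything decrypting cleanly.

    The only check is a format check on the decrypted bytes; nothing in the
    protocol binds the message to a particular client.
    """
    report = rc4(key, blob)
    return report.startswith(b"REPORT:") and report.isascii()


def demo() -> dict:
    """Show symmetry and the resulting absence of client authentication."""
    genuine = rc4(SHARED_KEY, b"REPORT:host=victim-1;user=alice")
    # Anyone holding the same key produces a message the server cannot distinguish.
    other_party = rc4(SHARED_KEY, b"REPORT:host=not-a-bot")
    return {
        "round_trip_ok": rc4(SHARED_KEY, genuine) == b"REPORT:host=victim-1;user=alice",
        "genuine_accepted": server_accepts(SHARED_KEY, genuine),
        "other_party_accepted": server_accepts(SHARED_KEY, other_party),
        "wrong_key_rejected": not server_accepts(b"different-key", genuine),
    }


if __name__ == "__main__":
    # Published RC4 test vector: key "Key", plaintext "Plaintext".
    print(rc4(b"Key", b"Plaintext").hex())  # bbf316e8d940af0ad3
    print(demo())
```

The `rc4` function is checked against the published test vector (key `Key`, plaintext `Plaintext`), and `demo()` shows that the server-side check passes for every holder of the shared key and fails only for a wrong key. A protocol that needs to know who is talking to it has to add something the shared key cannot supply: a per-client credential, a signature, or a MAC under a key the server does not hand to every client.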