Now, this shell will enable us to browse to files containing important information about the particular Zeus C&C and also to interact with the backend SQL database.
Please note that while we have set up Zeus on a Windows XP machine in our own testing environment, usually Zeus C&C's in the wild run on Linux servers. Furthermore, our server shown here was set up with very liberal file permissions, which is rarely the case with Zeus C&C's in the wild. However, this is irrelevant in this case, since we are trying to gain access to the Control Panel. It would only matter if we tried to fully compromise the server by gaining a remote shell and escalating our privileges to root or NTAUTHORITY\SYSTEM (depending on the operating system).
In order to gain access to the Control Panel, we need to get hold of the password for it, which is stored in the MYSQL database. However, the database is password- protected, too. Fortunately for us, since the bot needs to interact with the database, the credentials are stored in one of the configuration files of the bot, namely in config.php under /system/ directory.
While it contains other interesting information (such as a bot encryption key), only the relevant part of the config file is shown here. Normally, mysql_user is changed to something different from root, and mysql_pass is usually something more complex, but we intentionally left it as "password." With these credentials, we can gain access to the backend database.
The database stores information about the bots in the botnet, reports the bots uploaded, and finally, one table is used for storing information about the Control Panel user, such as username, hashed password, and so on.
Zeus stores these passwords using a simple MD5 hash without any salting, thus they are relatively easy to crack. Another option would be - since we have full read/write access to the database - to create our own password, hash it with MD5, and insert that into the database instead of the current password. Now, we will try to crack the password, hoping that it is not a very strong one. If it is, we can still fall back on the second method of gaining access.
As you can see, it was indeed a very weak password ("123456") making it easy to crack. At this point, we have all the information we need to finally enter the Zeus C&C's Control Panel.
We can simply browse to ./cp.php and log in with our newly acquired credentials.
We now have full access to the Zeus C&C's Control Panel, just as the original botnet owner would.
Sign up for CIO Asia eNewsletters.