A flaw in the Zeus Trojan's admin panel leaves the C&C (command and control) server vulnerable to remote compromise. The flaw, which is located in an array function used by the malware's core code, fails to prevent malicious files from being uploaded.
Ironic isn't it?
It isn't shocking to see criminals making the same mistakes as commercial developers. That such a thing happens only confirms the fact that humans will always be the weakest link in the security chain.
Websense has published a brief report on vulnerable admin panel. The problem, which is an upload function that uses a limited blacklist in an array, has been known publicly since 2011, shortly after the Zeus source code was stolen and leaked to the Web.
The code looks like this (line wrapping due to CMS functionality):
//Расширения, которые представляют возможность удаленного запуска.
$bad_exts = array('.php3', '.php4', '.php5', '.php', '.asp', '.aspx', '.exe', '.pl', '.cgi', '.cmd', '.bat', '.phtml', '.htaccess');
$fd_hash = 0;
$fd_size = strlen($list[SBCID_BOTLOG]);
Over the years, this array has been altered some, but the essential nature has remained; it's a blacklist. The file extensions listed in the bad extensions array ($bad_exts) will be denied by the upload script (or saved elsewhere with a .DAT extension). However, any other files would likely be treated as valid, and therein lies the flaw.
When developing an upload system in PHP, which is what this is, best practice has always recommended whitelisting as a way to control what's added to the server. However, countless tutorials and code snippets online dealing with PHP uploads often suggest the exact opposite – leading to vulnerable code.
In their blog post, Websense outlines how to exploit this vulnerability, including a section on how they were able to obtain the key needed to encrypt their files with Zeus' RC4 algorithm.
"Unfortunately, we can’t just simply upload a file. Zeus uses an RC4 algorithm to encrypt all communications between the bot and the server, so it will only accept files if they are encrypted with the same key that the server uses. Luckily for us, RC4 is a symmetric cipher, which means that both parties (in this case the bot and the C&C) use the same pre-shared key," the post explains.
Since the shared key is on the bot, and Websense has an infected system, they were able to dump the RC4 keystream from memory using the Volatility memory analysis tool. This allowed them to encrypt any file of their choosing and upload it to the server.
By spoofing a bot, Websense is able to upload a shell script (written in PHP) to the C&C server and execute it. Zeus stores harvested data in an organized set of directories sorted by BOTNET_ID and BOTID. Since Websense controls both variables, they can predict where their shell will be uploaded to the server.
At this stage, all they needed to do was bypass the protections in the upload script, which as seen from the code above, relies on a blacklist of common file extensions. The bypass required only a single character added to the filename, a period.
"The problem lies in the fact that this sort of very simple check can be easily bypassed," Websense said, referencing the broken array.
By adding a trailing dot to the end of the filename, the upload script that would have originally rejected "something.php" is completely accepting of "something.php." – but the server will still process it as a valid PHP script.
"The PHP interpreter is quite liberal, and it will interpret it as a valid PHP file. With PHP we could execute a number of commands on the server, but in our case, we would like to get access to the control panel, so we will use a PHP web-shell, which will allow us to browse the file system, interact with the backend database, and (possibly, depending on the server configuration) execute system commands. Now, this shell will enable us to browse to files containing important information about the particular Zeus C&C and also to interact with the back-end SQL database."
At this point the C&C is completely compromised.
The downside to this type of attack is that the C&C must have some openings when it comes to file and directory permissions. For example, if the server is locked down, then exploring outside of the directory where the shell is uploaded isn't possible.
Websense was using their own internal servers for their posted attack, and those were Windows-based. Most Zeus C&C servers are Linux-based, and that could mean a separate set of permissions, depending on how the server is configured and hosted.
However, most Zeus operators don't take time to monitor their directories. Instead, when write problems occur (such as permissions issues that prevent the server from receiving harvested victim data) the operator resorts to configuring files and directories with 0755 or 0777 access flags (rather open permission settings), allowing read and write access.
The bottom line though, as Websense noted, is that "while Zeus is regarded as an 'advanced' banking Trojan, it is far from perfect, and its creators made some very amateurish mistakes, which can allow anyone with the technical skill set to take over a botnet’s C&C server."