Vulnerability allows ZeuS botnets to be taken over
A vulnerability in the PHP web interface for the ZeuS botnet command and control (C&C) server allows systems to be taken over. This could be exploited by an attacker to gain control of the bots, to disable the C&C server and to read (or delete) previously saved stolen data. The ZeuS toolkit, costing upwards of $500, enables criminals to build individualised botnets.
The bug is reported to be present in versions of the ZeuS toolkit released prior to January of this year. Security specialist Billy Rios discovered the bug whilst analysing the toolkit. The bug is the result of inadequate checking for forbidden file extensions during uploading. Rios was able to upload his own PHP script using the function for uploading individual bot log files (BOTLOG) and subsequently execute them with the server's privileges by entering the correct path in a web browser.
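The failure mode described above, an upload handler that only denylists "forbidden" extensions and so lets a server-side script through, is shown below next to the allowlist-based check a defender would use instead. This is an added Python example written for this page; it is not the ZeuS panel's PHP code nor Rios's proof of concept, and the exact contents of the denylist, the `.log`/`.txt` allowlist and the function names are assumptions.

```python
import os
import re
import secrets
from typing import Optional

# Assumed denylist: a handler that only knows about ".php" is the kind of
# "inadequate checking for forbidden file extensions" the article refers to.
NAIVE_DENYLIST = {".php"}


def denylist_check(filename: str) -> bool:
    """Weak check: accept unless the last extension is literally in the denylist.

    Case variants (.PHP), alternate handler extensions (.phtml) and double
    extensions (x.php.log, which some server configs still hand to PHP) all
    pass, because the check reasons about what to forbid rather than what
    to allow.
    """
    _, ext = os.path.splitext(filename)
    return ext not in NAIVE_DENYLIST


# Hardened variant: a short allowlist of data extensions (assumed values) and a
# strict shape for the whole name: one stem, one dot, one extension, no path parts.
ALLOWED_EXTENSIONS = {".log", ".txt"}
SAFE_NAME = re.compile(r"^[A-Za-z0-9_-]{1,64}\.[A-Za-z0-9]{1,8}$")


def allowlist_check(filename: str) -> bool:
    """Accept only names matching SAFE_NAME whose (lower-cased) extension is allowed."""
    if not SAFE_NAME.fullmatch(filename):
        return False  # rejects "", "../x.log", "shell.php.log", ".log", etc.
    ext = os.path.splitext(filename)[1].lower()
    return ext in ALLOWED_EXTENSIONS


def stored_name(filename: str) -> Optional[str]:
    """Name the file on disk ourselves: random token plus the vetted extension.

    The client-supplied name never reaches the filesystem, so even a future
    gap in SAFE_NAME cannot turn into a path or interpreter trick. Returns
    None when the upload should be refused.
    """
    if not allowlist_check(filename):
        return None
    ext = os.path.splitext(filename)[1].lower()
    return secrets.token_hex(16) + ext


def compare(filenames):
    """Return {name: (denylist_result, allowlist_result)} for a batch of names."""
    return {n: (denylist_check(n), allowlist_check(n)) for n in filenames}


if __name__ == "__main__":
    # Constructed sample names, not real upload traffic.
    for name, (weak, strong) in compare(
        ["bot.log", "shell.php", "shell.PHP", "shell.phtml", "shell.php.log", "../bot.log"]
    ).items():
        print(f"{name:15} denylist={weak!s:5} allowlist={strong!s:5}")
```

The second layer that belongs with the allowlist is to store uploads outside the web root (or in a directory where the web server is configured not to execute scripts), so that a file that does slip through cannot be reached and run by "entering the correct path in a web browser".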
Before uploading the script, he needed to find the RC4 key for encrypting communications, which is assigned to each bot individually – this can, for example, be extracted at runtime from an infected PC's RAM. Rios has published a proof of concept, which spoofs a bot to a C&C server and installs a back door on the server. Since ZeuS code also forms the basis of other botnets, the bug may well be present in other C&C servers.
In a nod to responsible disclosure and with tongue firmly in cheek, Rios attempted to inform the vendor of the bug – as a result he claims the only thing that happened was he was bombarded with Viagra spam.