Back to Home

Hi, Trojan-Spy.Win32.Zbot !!! part two ... about shells, rootkits, eskloites and chat in txt file

information security · trojan · zeus · zbot · malware

Hi, Trojan-Spy.Win32.Zbot !!! part two ... about shells, rootkits, eskloites and chat in txt file

    Hello, Habr!
    Finally, I finished writing the continuation of my story .

    Let me remind you again:
    All information in this article is provided purely for review and is intended primarily to indicate errors in security systems.


    So ... I finished the story at the place where google drew my attention to the fact that there is a way to fill the web-walk .



    So I followed the link and read a mini article on how to access the admin panel of Zeus.

    Breaking - not building



    The main points in the process of admin admin hack were that you had to have:
    • Bot configuration file
    • Path to the Bot Gate
    • Config Descriptor
    • Exploit for admin panel


    The last two things were kindly provided by the author of the article, and with the first two points, the already mentioned Wireshark sniffer helped me. It was caught as I mentioned the GET request to the config file and the POST to the gate.

    The article pointed out that usually the admin panel file is called in.php and lies next to the gate, but I was not lucky and there was no admin panel at the address next to the gate :( This did not upset me because the exploit for the admin panel uploaded and executed php code, I apparently I embellished it a bit :) when I described that the exploit (and the article about filling it in) allowed to fill in the web-walk, in fact, initially exploiting using the vulnerability in the gate, it uploaded and executed php code that received connection data to the mysql database and got login and password from there user (s). Well, since there was nowhere to enter all this stuff, I had nowhere to modify the exploit code so that it would flood the web shell and send me the email address where it lies and the actual usernames and passwords.

    OWNED!



    The web shell is flooded, a letter from the user \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\: s: mail from users and of course the link to go. We go ... rubbed the traces of my exploit (php script that sent user data).

    OWNED part 2!



    And then I liked that the owner of the botnet was not particularly worried and everything was with root privileges.
    In total, I had access to a bulletproof server (in China) and to all its resources and contents (including the base, because in the admin paneli config I found again the root user to mysql).

    Sister, scalpel!



    Climbing on a server (if memory does not change P4 (1.8) \ 1024 \ 200gb \ 100mbit), after cleaning the logs and other joys of life, I got to study further what lives on the web server. Unfortunately, there was only Zeus and there was :( there was nothing else to parse there was 1 virtual host to which 6 domains were tied with aliases.

    Okay, we climb into the admin panel ...

    The admin panel turned out to be ~ 2000 bots from the CIS countries, ~ 2000 Great Britain and ~ 1000 USA.
    The admin said that in the last 24 hours about ~ 40% of bots
    have been tapping on it . On-line there were ~ 900 bots, most of all in the UK. I

    looked at the logs, the bot apparently did its job perfectly. There were a lot of stolen data.

    Well, there’s a lot more to tell Nothing about the admin panel, bot, its work and functionality I will describe in the department flax article.

    O_o who are you and what have you forgotten here !?



    Further I was visited by the thought that it is necessary to somehow spoil the raspberries so to speak.

    Having created a new user for myself in a system with root rights, I sat down to think to do it.

    The first idea was to notify the security users that they were infected (lying ... at first I wanted to enslave the world with this army and then save the poor security users).

    A simple .bat file was written (like hello world) in which there was something “You are infected with a virus, please download and install an antivirus, preferably ESET NOD32” (then I was bursting with pride that maybe I brought ESET a hundred new clients) 2 files were loaded, in Russian for the CIS and in English for others, respectively.

    After sitting, I thought, I realized that I won’t leave without a mega cool message interface and I created owned.txt in the root of the site

    the content of which was:
    owned.
    form .ru with love


    ...

    The next day I returned to look at the status of tasks for downloading my inform .bat file, I was not particularly surprised that the tasks were deleted, but I was glad that the number of active bots per day fell from ~ 40% to ~ 28% (or 25%, I don’t remember) .

    Then, for the sake of interest, I looked at the owned.txt storage site and saw there:
    owned.
    form .ru with love

    mat, mat, mat from here


    Then I checked access to root users of the system and mysql they were changed.

    I couldn’t conceive anything particularly insidious and didn’t want to.
    I registered rm -rf / in the console
    and left the server.

    That's all :)

    I will be glad to answer your questions and suggestions about what else to write from the Malvari theme.
    The other day, an article on Zeus in detail will follow.

    Read Next