Sep 27, 2010 14:02 GMT  ·  By

A reputable security researcher has identified a gaping security hole in the ZeuS command and control Web application, which allows Zbot-based botnets to be easily hijacked.

The flaw was discovered by Google security engineer Billy Rios (BK) in a version of ZeuS released earlier this year, but given the nature of the bug, it very likely affects all versions.

ZeuS is the most popular crimeware toolkit and is used to generate customized versions of an information stealing trojan, as well as associated command and control (C&C) Web applications to manage infected computers.

Unlike other malware authors, the creators of ZeuS take their job very seriously. They push bug fixes, implement new features and maintain a changelog for their code.

There are hundreds of Zbot (ZeuS Bot) botnets active at any given time. The ZeuS Tracker project currently monitors 312 known C&C servers.

The C&C application exposes only two public pages, the login form and one through which infected computers upload stolen data and receive instructions.

The name of this "gateway" page can vary and the information passed to and from it is encrypted using an RC4 cipher.

Rios explains that both the location of the page and the encryption key can be obtained fairly easily from the memory of an infected computer or by other means.

As it turns out, one of the things that Zbot clients can do via this page is to upload logfiles to the server, a feature that can theoretically be abused to upload rogue code.

The ZeuS authors have thought of this attack scenario and have implemented a blacklist of executable extensions like PHP.

However, what they didn't know is that, by default, most PHP deployments also execute files whose name ends in ".php." (with a trailing dot), so the extension check never matches.

This is the inherent problem with all blacklists – sooner or later someone will figure out how to evade them.

A whitelist approach, where everything is denied except for a couple of non-executable extensions associated with logs, would have been a better solution.

In addition, the folder where the rogue .php. file gets uploaded can easily be guessed or forced to "webroot" with some directory traversal tricks.
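As an added illustration (not code from the C&C application or from Rios's write-up), the following Python snippet contrasts the two filename checks the article describes: an extension blacklist, which lets a trailing-dot name through, and a whitelist that additionally discards any client-supplied directory component. The upload directory is an assumed placeholder path.

```python
import posixpath
import re
from typing import Optional

# Weak check in the spirit of the one the article criticises: only names whose
# literal extension is on the list are refused. A trailing dot changes the
# extension seen by splitext() to ".", so "shell.php." slips through.
BLACKLISTED_EXTENSIONS = {".php", ".php3", ".phtml"}

def blacklist_allows(filename: str) -> bool:
    """Return True when the blacklist check would accept the upload."""
    _, ext = posixpath.splitext(filename)
    return ext.lower() not in BLACKLISTED_EXTENSIONS

# Strict check: deny everything except plain log-style extensions.
ALLOWED_EXTENSIONS = {".log", ".txt"}
UPLOAD_ROOT = "/var/uploads/logs"          # assumed placeholder, not a real C&C path
SAFE_STEM = re.compile(r"[A-Za-z0-9_-]{1,64}")  # no dots at all in the stem

def whitelist_target(filename: str) -> Optional[str]:
    """Return the resolved destination path, or None if the name is rejected."""
    # Ignore any directory component the client sends (../, ..\, absolute paths).
    base = posixpath.basename(filename.replace("\\", "/"))
    stem, ext = posixpath.splitext(base)
    # Stem must be simple and the extension exactly one allowed value, so
    # "report.php." (stem "report.php") and "log.txt.php" (ext ".php") fail.
    if not SAFE_STEM.fullmatch(stem) or ext.lower() not in ALLOWED_EXTENSIONS:
        return None
    dest = posixpath.normpath(posixpath.join(UPLOAD_ROOT, stem + ext.lower()))
    # Defence in depth: the destination must remain inside the upload directory.
    if posixpath.commonpath([UPLOAD_ROOT, dest]) != UPLOAD_ROOT:
        return None
    return dest

if __name__ == "__main__":
    # Constructed sample names an upload handler might receive.
    for name in ["bot123.log", "shell.php", "shell.php.", "../../webroot/shell.php"]:
        print(f"{name!r:30} blacklist={blacklist_allows(name)!s:5} "
              f"whitelist={whitelist_target(name)}")
```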

"Boom… we’ve just taken over a Zeus C&C. Once we have our own PHP code running on the C&C, we can include the /system/config.php file.

"Config.php contains the location of the MySQL database as well as the DB username and password (via connection string), giving us complete control over the management console and all the bots associated with this C&C," Rios explains.

This vulnerability gives security researchers the ability to hijack botnets and notify victims, but such actions have ethical and possibly legal implications.

Unfortunately, it also allows criminals to hijack each other's botnets, meaning that stolen sensitive information might get even more exposure than before.