Part Two in a three-part series. Read Part I
In my last post, I argued that mature, seemingly tamed malware families such as ZeuS can still do some serious damage. In this post, I’ll prove it.
Numerous technical presentations and articles aimed at security professionals have described various botnet families and detailed their inner workings. What I haven’t seen is a simple, straightforward explanation of how easy building a botnet is and key features available to anyone with a criminal bent and 15 minutes to spare. So in the interest of showing you what you are up against, here is a step-by-step outline of how easily someone can create a ZeuS-based botnet targeting your organization.
Before I begin, let me be clear: my aim is not to instigate more botnets or give cybercriminals new ideas for attacks. The bad guys already know how simple this is — I’m trying to help the good guys appreciate precisely how vulnerable they might be. To this end, after much thought, I have decided to remove a couple of steps to make the process slightly (but only slightly) more opaque. Honestly, if you're determined to do this, then you don't need my blog post to figure it out. Just spend some time with your favorite search engine looking through the murkier parts of the web...
Step 1: Find a builder kit (3 minutes)
Using a combination of search terms, you can usually find a link to a version of a popular builder kit in 3 minutes or less. Our chosen kit was originally an underground - yet commercial - product based on the ZeuS code, and originally cost $600 for a hardcoded command-and-control (CnC) server and $1,800 for an unlimited builder license. But considering that you’re building a botnet to steal massive amounts of sensitive data, we’ll assume that you have no qualms about using a pirated copy.
Our bot has the following core components:
- A settings.txt file for configuring the CnC callback channel
- The Full_builder.exe file for compiling the bot payload
- CnC host files. This is a PHP-based website used for reporting and CnC functions
- bot-bc.exe. This process allows your malware to back-connect through the Socket Secure (SOCKS) protocol for remotely controlling compromised machines
[caption id="attachment_2538" align="alignnone" width="441"] Figure 1: The builder kit's settings.txt file[/caption]
Figure 1 shows the settings.txt file, highlighting a number of options. The “URL Masks” section lets you specify certain actions if the user of the compromised machine visits a website whose URL matches a given text string. These URLs can be anything you want. In Figure 1, the URL masks include ebay.com and owa (Outlook Web access, for gaining control of the target’s corporate email account).
The “URL Masks” options enable any of the following when the user visits any of the sites defined in the URL Masks section:
- N — do not write data in reports
- S — make screenshot with mouse clicks on the page area
- C —preserve all cookies associated with that site and block access to it
- B — block access to the site
The injects.txt file highlighted in Figure 1 is arguably the killer feature of the Zeus family of bots. Essentially, the “injects” capability lets you interact with any site that the compromised machine accesses. Because it works on the infected user’s machine directly, the feature renders meaningless security features on those sites, such as two-factor authentication and SSL/TLS encryption. Forget man-in-the-middle attacks — this is a “man-at-the-keyboard” attack!
[caption id="attachment_2536" align="alignnone" width="540"] Figure 2: Example use-cases of the "Injects" functionality[/caption]
In Example 1, the contents of the accountOverview section are uploaded to the CnC server whenever the compromised host goes to a URL containing “https://www.payment-site.com/*/webscr?cmd=_login-done*.” With this handy report of users’ account balances, you can focus on targeting those with the most money in their accounts.
In Example 2, a "Big Bank Corp" site viewed by a compromised system would show an additional field on the password page asking for user’s “ATM PIN.” Because your grafted-in field is designed in the same style as the standard page, it looks like it belongs there. Sensing nothing amiss, many computer users would not hesitate to enter this information — which is immediately sent to you, the attacker.
Those are only two examples. As a botnet owner, you could create all sorts of targeted injects files to steal new and useful information. If that’s too much work, you can download ready-to-use injects definitions that serve as recipe books of sorts for specific attacks. Need to target end-users in France? Simply download the French Banks injects pack containing recipes for the purely illustrative and imaginary “La Banque Centrale” or “Crédit Français”, among others.
Step 2: Build your payload (5 minutes)
Once your injects file is ready, open the easy-to-use GUI interface to build the executable malware file (see Figure 3).
You’ll need two pieces of information to build the malware:
- The URL to your setting.txt file (you’ll store the file on your CnC server so you can change it at will)
- A symmetric-key encryption key to embed in the payload, so that it can communicate securely with your CnC server. This key can be any string of characters
[caption id="attachment_2537" align="alignnone" width="424"] Figure 3: The builder GUI for compiling the malware payload[/caption]
After you have compiled the malware, you’ll run your executable through a file compressor or obfuscator, also known as a packer or a crypter. Originally designed to reduce the file size of an executable file, these packers have the added benefit of disguising files when scanned by anti-virus software. For this example, I have used popular compressors which is this example I have called packers "A" to "C".
To see whether the compressed files are sufficiently camouflaged, you’ll submit your files to VirusTotal, a free site that scans uploaded files using a number of anti-virus engines. "(Note: if you were a real cybercriminal, you’d probably choose a different virus-scanning site such as Scan4You, Chk4Me, or ElementScanner. VirusTotal shares its scanning results with anyone — including IT security companies — which could put your malware on the radar.) As I mentioned in my last entry, it’s important to note that using using these AV checking sites can only be illustrative and should not be thought of as a way to determine the absolute efficacy of AV. However, it can give us an indication."
For better cover, you can shop a virtual bazaar of obscure file packers and "crypters" that promise to hide the malware from a larger percentage of anti-virus engines. As little as $20 (USD) will buy a couple of months access to an crypter guaranteed to evade every anti-virus engine on the market.
Some builder kits offer higher-priced “Enhanced”, “Private”, or “Enterprise” editions that compile malware already packed and obfuscated to beat anti-virus engines. They even come with regular updates.
If you have a little more time, you can use other techniques to obscure your file. For example, the shikata ga nai encoder can give your malware polymorphic properties, producing a brand new, undetectable file with each new encoding.
Step 3: Set up your CnC infrastructure (5 minutes)
Now that the malware payload is ready, you’ll need a CnC server to control infected computers. The bot builder kit includes all of the files you need.
You can sign on with a Web host or cloud server provider to create a low-cost, low-power Unix server in minutes. Figure 5 shows the web user interface for a popular host.
After uploading the CnC files provided by our kit, a Web interface for the installer appears (see Figure 6).
Fill out the relevant fields, and you’re all set. Now that you have a working malware payload and CnC server, your botnet is ready for its first target.
As I mentioned earlier, these steps are not some groundbreaking new way to build a botnet — this is all child’s play for today’s sophisticated attackers. If you can build a botnet with a few spare minutes, imagine what a team of well-trained, well-funded threat actors can do working around the clock.
Up Next: Why this all matters — and the surprising effect of a dummy botnet I created while researching this blog entry.