Saturday, January 11, 2014

ZeuS C&C via Google Dorks and tracking ZeuS Admins

Over the weekend I found some ZeuS C&Cs using Google.

Most command and control servers found using dorks are offline now, but not all. This one was still active and getting larger.

I had an idea to "patch" cp.php so that I could track the guys who admin this.

ZeuS C&C
Uname: Linux 2.6.18-448.16.1.el5.lve0.8.70PAE

OriginAS:       AS36444, AS2828
NetName:        ACENETMI

3x ZeuS botnets hosted:

Panel screenshots (357 bots): Summary, OS Statistics, Search for Files.

Summary page from last week, showing 331 bots.

Options & Encryption Key:

named botnets: vti, will, txt

hxxp:// (RU language set on Panel)
32 bots, Active since Aug 2013 (txt)
$config['mysql_host'] = 'localhost';
$config['mysql_user'] = 'bitereli_biterel';
$config['mysql_pass'] = 'h7Uu6wpW9A%s';
$config['mysql_db'] = 'bitereli_bitereli';

10 bots (will)
$config['mysql_host'] = 'localhost';
$config['mysql_user'] = 'bitereli_bits';
$config['mysql_pass'] = 'Go;vEI-;le94';
$config['mysql_db'] = 'bitereli_biterel';

350+ bots (vti)
$config['mysql_host'] = 'localhost';
$config['mysql_user'] = 'bitereli_admin';
$config['mysql_pass'] = '@ph;yiTpFg}?';
$config['mysql_db'] = 'bitereli_admin';

A shell was here:

Used the shell to patch cp.php as discussed in this post. 

Here is the access log for this ZeuS botnet.

Admin IP and ISP:
- Blackberry UK RIM
- Blackberry UK RIM
- Blackberry UK RIM
- AirTel Nigeria
- AirTel Nigeria
- AirTel Nigeria
- Globacom Nigeria
- Globacom Nigeria
- Globacom Nigeria

We can clearly see who was working on this botnet. We have access from two wireless provider networks in Nigeria, where the user agent showed Win7 using Firefox, and from a Blackberry in the UK.
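Turning an access log like the one above into the per-admin picture is ordinary log analysis. The script below is an added example, not the author's cp.php patch or the log from the post: it parses constructed Apache combined-format lines (RFC 5737 documentation addresses, made-up paths and parameters), keeps only requests to cp.php, and groups them by source IP with first/last seen and a coarse platform hint taken from the user agent. Mapping each IP to its ISP or ASN is left to a separate whois lookup.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed Apache "combined" log lines standing in for the panel's real access
# log. IPs are RFC 5737 documentation addresses; paths and parameters are made up.
SAMPLE_LOG = """\
198.51.100.7 - - [05/Jan/2014:09:12:31 +0000] "POST /cp.php?m=login HTTP/1.1" 200 512 "-" "Mozilla/5.0 (Windows NT 6.1; rv:26.0) Gecko/20100101 Firefox/26.0"
198.51.100.7 - - [05/Jan/2014:09:13:02 +0000] "GET /cp.php?m=stats HTTP/1.1" 200 8120 "-" "Mozilla/5.0 (Windows NT 6.1; rv:26.0) Gecko/20100101 Firefox/26.0"
203.0.113.21 - - [06/Jan/2014:21:40:10 +0000] "GET /cp.php?m=bots HTTP/1.1" 200 44310 "-" "Mozilla/5.0 (BlackBerry; U; BlackBerry 9900; en-GB) AppleWebKit/534.11+"
192.0.2.44 - - [06/Jan/2014:21:41:55 +0000] "POST /index.php HTTP/1.1" 200 64 "-" "Mozilla/4.0"
203.0.113.21 - - [07/Jan/2014:08:02:17 +0000] "GET /cp.php?m=scripts HTTP/1.1" 200 3021 "-" "Mozilla/5.0 (BlackBerry; U; BlackBerry 9900; en-GB) AppleWebKit/534.11+"
"""

# One combined-format line: ip ident user [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

def admin_sessions(log_text, panel_script="cp.php"):
    """Group requests to the panel script by client IP: hits, first/last seen, user agents."""
    sessions = defaultdict(lambda: {"hits": 0, "first": None, "last": None, "agents": set()})
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line (truncated, or a different log format)
        if not m.group("path").split("?", 1)[0].endswith("/" + panel_script):
            continue  # bot check-ins and other paths are not admin activity
        ts = datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z")
        s = sessions[m.group("ip")]
        s["hits"] += 1
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
        s["agents"].add(m.group("ua"))
    return dict(sessions)

def platform_hint(ua):
    """Coarse OS/browser label: enough to tell a Win7 desktop from a BlackBerry handset."""
    os_part = ("Windows 7" if "Windows NT 6.1" in ua
               else "BlackBerry" if "BlackBerry" in ua else "other")
    browser = "Firefox" if "Firefox/" in ua else "other"
    return f"{os_part}/{browser}"

if __name__ == "__main__":
    for ip, s in sorted(admin_sessions(SAMPLE_LOG).items()):
        hints = ", ".join(sorted(platform_hint(u) for u in s["agents"]))
        print(f"{ip:15} hits={s['hits']} first={s['first']:%Y-%m-%d %H:%M} "
              f"last={s['last']:%Y-%m-%d %H:%M} via {hints}")
```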

Law enforcement should be able to use these access logs as evidence against the admins, or at least as a clue to who is behind this.
