Saturday, January 11, 2014

Patching ZeuS cp.php to track botnet administrators

This "patch" is straightforward. Not the most pretty method but it works for this job.

cp.php is the main control panel page used to administrate a ZeuS botnet. Every time you want to check files for stolen credentials or send commands to the botnet. you would be using cp.php

This being the only php file used for access and administration, will be the best file to patch for tracking.

Looked around on Google because I'm lazy and dont need to reinvent the wheel. I find this: (modified a bit) 

$file = 'sysfile.dat';$ipadress = $_SERVER['REMOTE_ADDR'];$date = date('d/F/Y h:i:s');$webpage = $_SERVER['SCRIPT_NAME'];$url = $_SERVER['REQUEST_URI'];$browser = $_SERVER['HTTP_USER_AGENT'];$fp = fopen($file, 'a');fwrite($fp, $ipadress.' - ['.$date.'] '.$url.' '.$webpage.' '.$browser."\r\n");fclose($fp);

Encode in Base64 to be "stealthy"


eval(base64_decode('JGZpbGUgPSAnc3lzZmlsZS5kYXQnOwokaXBhZHJlc3MgPSAkX1NFUlZFUlsnUkVNT1RFX0FERFInXTsKJGRhdGUgPSBkYXRlKCdkL0YvWSBoOmk6cycpOwokd2VicGFnZSA9ICRfU0VSVkVSWydTQ1JJUFRfTkFNRSddOwokdXJsID0gJF9TRVJWRVJbJ1JFUVVFU1RfVVJJJ107CiRicm93c2VyID0gJF9TRVJWRVJbJ0hUVFBfVVNFUl9BR0VOVCddOwokZnAgPSBmb3BlbigkZmlsZSwgJ2EnKTsKZndyaXRlKCRmcCwgJGlwYWRyZXNzLicgLSBbJy4kZGF0ZS4nXSAnLiR1cmwuJyAnLiR3ZWJwYWdlLicgJy4kYnJvd3Nlci4iXHJcbiIpOwpmY2xvc2UoJGZwKTs='));


Insert this code in cp.php, save, and its now patched and ready to log activity!

Here is an example log for a ZeuS botnet that I was tracking.


No comments:

Post a Comment