Saturday, January 11, 2014

ZeuS C&C via Google Dorks and tracking ZeuS Admins - biterelish.co.za

Over the weekend I found some ZeuS C&Cs using Google.

Most command and control servers found using dorks are offline now, but not all. This one was still active and getting larger.

I had an idea to "patch" cp.php so that I could track the guys who admin this.


ZeuS C&C

biterelish.co.za
207.45.186.26
Uname: Linux serve16.serve-hosting.net 2.6.18-448.16.1.el5.lve0.8.70PAE

CIDR:           207.45.176.0/20
OriginAS:       AS36444, AS2828
NetName:        ACENETMI

3x ZeuS botnets hosted:

[Screenshot of the ZeuS panel: Summary (357 bots), OS Statistics, Search for Files]

Summary page from last week, showing 331 bots.

Options & Encryption Key:
Monkey@Bannana123!!!

named botnets: vti, will, txt


hxxp://biterelish.co.za/txt/cp.php?m=home (RU language set on Panel)
32 bots, Active since Aug 2013 (txt)
$config['mysql_host'] = 'localhost';
$config['mysql_user'] = 'bitereli_biterel';
$config['mysql_pass'] = 'h7Uu6wpW9A%s';
$config['mysql_db'] = 'bitereli_bitereli';

hxxp://biterelish.co.za/will/cp.php?m=home
10 bots (will)
$config['mysql_host'] = 'localhost';
$config['mysql_user'] = 'bitereli_bits';
$config['mysql_pass'] = 'Go;vEI-;le94';
$config['mysql_db'] = 'bitereli_biterel';


hxxp://biterelish.co.za/vti/cp.php?m=login
350+ bots (vti)
$config['mysql_host'] = 'localhost';
$config['mysql_user'] = 'bitereli_admin';
$config['mysql_pass'] = '@ph;yiTpFg}?';
$config['mysql_db'] = 'bitereli_admin';


A shell was here:
hxxp://biterelish.co.za/images/temp.php#

Used the shell to patch cp.php as discussed in this post.

Here is the access log for this ZeuS botnet.

Admin IP and ISP:
93.186.23.83 - Blackberry UK RIM
93.186.23.115 - Blackberry UK RIM
93.186.31.113 - Blackberry UK RIM
196.46.245.50 - AirTel Nigeria
196.46.245.49 - AirTel Nigeria
196.46.245.48 - AirTel Nigeria
41.203.69.2 - Globacom Nigeria
41.203.69.5 - Globacom Nigeria
41.203.69.6 - Globacom Nigeria

We can clearly see who was working on this botnet: access came from two wireless provider networks in Nigeria, where the user agent showed Win7 using Firefox, and from a Blackberry in the UK.

Law enforcement should be able to use these access logs as evidence against the admins, or at least get a clue as to who is behind this.
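To show what pulling operator activity out of such a log looks like, here is an added example of my own (not the author's patched cp.php and not code from this post): a parser over constructed combined-format access log lines that keeps only requests to the panel script cp.php, groups them by source IP with hit counts, login POSTs and a coarse platform label from the User-Agent, and drops bot traffic to other paths. The sample IPs, timestamps and agents are constructed, and the /gate.php noise path is an assumption standing in for bot check-in traffic.

```python
import re

# Constructed sample lines in Apache/nginx "combined" log format; the IPs are
# RFC 5737 documentation addresses and every request here is made up.
SAMPLE_LOG = """\
203.0.113.10 - - [11/Jan/2014:10:02:11 +0000] "GET /vti/cp.php?m=login HTTP/1.1" 200 2311 "-" "Mozilla/5.0 (Windows NT 6.1; rv:26.0) Gecko/20100101 Firefox/26.0"
203.0.113.10 - - [11/Jan/2014:10:02:40 +0000] "POST /vti/cp.php?m=login HTTP/1.1" 302 0 "-" "Mozilla/5.0 (Windows NT 6.1; rv:26.0) Gecko/20100101 Firefox/26.0"
203.0.113.10 - - [11/Jan/2014:10:03:05 +0000] "GET /vti/cp.php?m=home HTTP/1.1" 200 9841 "-" "Mozilla/5.0 (Windows NT 6.1; rv:26.0) Gecko/20100101 Firefox/26.0"
198.51.100.7 - - [11/Jan/2014:11:15:02 +0000] "GET /vti/cp.php?m=home HTTP/1.1" 200 9841 "-" "BlackBerry9900/7.1.0 Profile/MIDP-2.1 Configuration/CLDC-1.1"
192.0.2.55 - - [11/Jan/2014:11:20:44 +0000] "POST /vti/gate.php HTTP/1.1" 200 0 "-" "Mozilla/4.0"
192.0.2.56 - - [11/Jan/2014:11:20:45 +0000] "POST /vti/gate.php HTTP/1.1" 200 0 "-" "Mozilla/4.0"
"""

# One combined-format line: ip ident user [ts] "method path proto" status bytes "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

def parse_line(line):
    """Return the fields of one log line as a dict, or None if it is not combined format."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def describe_ua(ua):
    """Coarse platform label from a User-Agent string, enough to tell a desktop from a handset."""
    if "Windows NT 6.1" in ua:
        return "Windows 7"
    if "BlackBerry" in ua:
        return "BlackBerry"
    return "other"

def panel_operators(log_text, panel_script="cp.php"):
    """Group requests to the panel script by source IP; bot check-ins never touch cp.php."""
    ops = {}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        path = rec["path"].split("?", 1)[0]  # strip the ?m=... query before matching
        if not path.endswith("/" + panel_script):
            continue
        entry = ops.setdefault(rec["ip"], {"hits": 0, "logins": 0, "platforms": set(), "last_seen": None})
        entry["hits"] += 1
        entry["last_seen"] = rec["ts"]
        entry["platforms"].add(describe_ua(rec["ua"]))
        if rec["method"] == "POST" and "m=login" in rec["path"]:  # a login attempt on the panel
            entry["logins"] += 1
    return ops
```

Run `panel_operators(SAMPLE_LOG)` over a real log export and the remaining IPs are the ones worth a WHOIS lookup, as done for the list above.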
