Hacking Soraya Panel – Free Bot? Free Bots!

Some security agencies have been raving about a revolutionary new bot that combines point-of-sales card grabbing (ram scraping) with form grabbing. The bot is actually not very interesting and pretty simple, but the panel is a great deal of fun (thanks to xylitol for getting me interested).

By default the panel shows the last 25 connected bots on the index page, not very interesting or helpful feature, but it opens up a whole world of possibilities. To understand what is possible, we need to take a look at the code responsible for adding new bots the the database.

From this code we can gather enough information to “impersonate” a bot. The HTTP method is POST, ‘mode’ must be ‘1’, ‘uid’ must be a unique number, ‘compname’ must be a hex encoded string and so must ‘osname’. The only difficult part is the fact the panel requires the bot to use a specific user-agent; however, we can find this by reversing a sample of the bot.

Here I’ve put together some code to add fake bots to the pane, thus add entries to the “last 25 connections”.

Now, what if we decided to be a bit naughty? Let’s try and submit HTML code as the bot’s computer name. I’m sure this won’t work because nobody is that bad at security, right? RIGHT??

Let’s see the result…

Oh dear…

We’ll, cool. We can submit HTML / JavaScript but what use can that be? Well we could mess with the botmaster by using javascript to redirect him to fbi.gov, replacing the entire page with rick roll, or modify the statistics. But could we hijack all his bot? Turns out the answer is yes!

A quick look at the command page allows us to throw together some code using “XMLHttpRequest()”, when executed it will result in an update command being issued to the bot. All we need to do is provide our exe path in urlencoded format.

We could pay for hosting to host our script, only a small price to pay for a lot of free bots. Or, we could just use pastebin… All we need to do now is submit javascript to the panel which will run the code from pastebin.

Once we run it, when the botmaster logs in he will see this on the statistics page (minus the red block over the ip of course)…

The result of him viewing the page will be this….

So looks like revolutionary new malware “Soraya” is a little less than revolutionary when it comes to web security. Anyone with a sample of the bot binary can mess with the botmaster or potentially hijack the entire botnet.

Web Security – As easy as 1, 2, 3.
Why Open Source Ransomware is Such a Problem

A while back 2sec4u posted a poll asking if people considered open source ransomware helpful to detection and prevention, with 46% voting yes. Although the poll wasn’t limited to people working in the antimalware industry, 46% is scarily high. Trying to prove a point, help me out Twitter. Is open source ransomware helping …

Mapping Mirai: A Botnet Case Study

Mirai is a piece of malware designed to hijack busybox systems (commonly used on IoT devices) in order to perform DDoS attacks, it’s also the bot used in the 620 Gbps DDoS attack on Brian Kreb’s blog and the 1.1 Tbps attack on OVH a few days later. Although Mirai isn’t even close to …

Dridex Returns to the UK With Updated TTPs

With the exception of a few unconfirmed reports of Dridex targeting Baltic countries (which doesn’t make much sense economically), infection campaigns have ceased since mid August when Dridex briefly resumed spreading to propagate multiple new botnets aimed at Switzerland. This morning a friend of mine, Liam, reported receiving a malicious email which unusually didn’t …