From this code we can gather enough information to “impersonate” a bot. The HTTP method is POST, ‘mode’ must be ‘1’, ‘uid’ must be a unique number, ‘compname’ must be a hex-encoded string and so must ‘osname’. The only difficult part is the fact that the panel requires the bot to use a specific user-agent; however, we can find this by reversing a sample of the bot.
Here I’ve put together some code to add fake bots to the panel, thus adding entries to the “last 25 connections”.
Now, what if we decided to be a bit naughty? Let’s try and submit HTML code as the bot’s computer name. I’m sure this won’t work because nobody is that bad at security, right? RIGHT??
Let’s see the result…
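As an added example (not code from the original post, nor from the Soraya panel itself), this is how a panel should have handled the check-in fields described above: validate mode, uid and the hex-encoded compname/osname on input, and HTML-escape them on output, so a computer name containing markup is displayed as text instead of being rendered. The field names follow the post; the sample bodies, length limits and row layout are constructed for illustration.

```python
import html
import re
from urllib.parse import parse_qs

REQUIRED = ("mode", "uid", "compname", "osname")

def decode_hex_field(value: str, max_len: int = 64) -> str:
    """Hex-decode one bot-supplied field; reject anything that is not clean, printable ASCII."""
    if not re.fullmatch(r"(?:[0-9a-fA-F]{2})+", value):
        raise ValueError("field is not hex encoded")
    raw = bytes.fromhex(value)
    if len(raw) > max_len:                      # constructed limit, not the panel's
        raise ValueError("field too long")
    text = raw.decode("ascii")                  # UnicodeDecodeError is a ValueError
    if not text.isprintable():
        raise ValueError("field contains control characters")
    return text

def parse_checkin(body: str) -> dict:
    """Validate a POST body (mode, uid, compname, osname) and return the decoded values."""
    params = parse_qs(body, strict_parsing=True)
    for key in REQUIRED:
        if len(params.get(key, [])) != 1:
            raise ValueError(f"missing or repeated parameter: {key}")
    if params["mode"][0] != "1":
        raise ValueError("unexpected mode")
    if not re.fullmatch(r"[0-9]{1,20}", params["uid"][0]):
        raise ValueError("uid must be a number")   # uniqueness is checked at storage time
    return {
        "uid": int(params["uid"][0]),
        "compname": decode_hex_field(params["compname"][0]),
        "osname": decode_hex_field(params["osname"][0]),
    }

def is_valid_checkin(body: str) -> bool:
    try:
        parse_checkin(body)
        return True
    except ValueError:
        return False

def render_row(entry: dict) -> str:
    """One 'last connections' table row; every bot-supplied value is escaped on output."""
    cells = (html.escape(str(entry[k]), quote=True) for k in ("uid", "compname", "osname"))
    return "<tr>" + "".join(f"<td>{c}</td>" for c in cells) + "</tr>"

# Constructed sample bodies (not captured traffic): one benign, one with markup in compname.
SAMPLE_OK = "mode=1&uid=123456&compname=%s&osname=%s" % (
    "WORKSTATION-7".encode().hex(), "Windows 7".encode().hex())
SAMPLE_MARKUP = "mode=1&uid=123457&compname=%s&osname=%s" % (
    "<b>bold</b>".encode().hex(), "Windows 7".encode().hex())

if __name__ == "__main__":
    print(render_row(parse_checkin(SAMPLE_OK)))
    print(render_row(parse_checkin(SAMPLE_MARKUP)))   # markup arrives as literal text
```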
A quick look at the command page allows us to throw together some code using “XMLHttpRequest()”; when executed, it will result in an update command being issued to the bot. All we need to do is provide our exe path in urlencoded format.
Once we run it, when the botmaster logs in he will see this on the statistics page (minus the red block over the ip of course)…
The result of him viewing the page will be this….
So it looks like the revolutionary new malware “Soraya” is a little less than revolutionary when it comes to web security. Anyone with a sample of the bot binary can mess with the botmaster or potentially hijack the entire botnet.
Web Security – As easy as 1, 2, 3.