Fighting banking botnets by exploiting inherent command and control vulnerabilities

Lanier A Watkins, Christina Kawka, C. Corbett, W. H. Robinson
DOI: 10.1109/MALWARE.2014.6999411
Published in: 2014 9th International Conference on Malicious and Unwanted Software: The Americas (MALWARE)
Publication date: 2014-10-01
Source: Semantic Scholar (https://doi.org/10.1109/MALWARE.2014.6999411)
Citation count: 11

Abstract

Fighting banking botnets by exploiting inherent command and control vulnerabilities
Malware poses a significant threat to commerce and banking systems. Specifically, the Zeus banking botnet is reported to have caused more than 100 million dollars in damages. This type of malware has been around for over ten years, and in 2013 alone was responsible for compromising over one million computers. The impact of banking botnets (i.e., typically Zeus or its derivatives) can be lessened by exploiting the inherent vulnerabilities of their command and control (C&C). Our approach involves: (1) fuzz testing the C&C to identify vulnerabilities and (2) designing exploits that can be used to make bot-herders less effective in their criminal endeavors. The novelty of our approach is its focus on interrogating the C&C and not the compromised clients; however, we do not discourage traditional malware removal and clean-up processes. As a complement to traditional processes, we offer our approach to organizations with the proper authority for an active defense (i.e., offensive measures). We demonstrate the feasibility of this approach by using the leaked Zeus 2.0.8.9 toolkit that included the C&C web application. The following security flaws exist in the Zeus 2.0.8.9 C&C web application: (1) no authentication between the zbot (i.e., client-side malware) and the C&C, (2) a lack of proper access control in the web application folders, and (3) simple clear-text authentication between the C&C and the remote bot-herder. Our results suggest that because of these security flaws, a range of offensive measures are viable against the Zeus C&C, including buffer-overflow, denial-of-service, and dictionary or brute-force attacks.