Read Reverse Deception: Organized Cyber Threat Counter-Exploitation Online
Authors: Sean Bodmer
SpyEye main CP server desktop
You need to run this VM image locally using an open source or commercial version of a VM manager system, such as Virtual Box or VMware.
We also used BurpSuite, developed by Port Swigger (http://portswigger.net), which is a Java-based application for testing the security of web applications. It is a highly recommended tool when analyzing the security of cyber criminal support infrastructures. Download the free version of BurpSuite and, with the SpyEye CP running locally, start BurpSuite and configure the following settings on the Proxy tab under Proxy Listeners.
Proxy listeners setting to add new listener
Further down on the same tab, set the “match and replace” for the proxy of the session to overwrite the header request with one that would dupe the remote system into communicating openly between the SpyEye collector and the local CP, as shown here:
Request header overwrite between the local and remote server
Once these two settings have been made, all requests that are generated locally are sent to the remote server, and due to the nature of Ajax session management, you will be able to manipulate the remote server into responding to a local request. In practice, the vulnerability works because the Ajax back end sees the request arriving at the server but cannot distinguish between a remote and a local request. Upon receiving a locally generated request, the remote server responds and sends all of its information to the local server, treating it as part of the remote infrastructure.
By using this technique, you are provided with all of the information stored on the remote CnC server, which is transferred seamlessly to the local CP for full inspection by the analysis team. You also have the data related to the victims that is stored in a SpyEye collector and all of the applicable statistics. The remote server then copies the following files to the local root directory of the web server running the SpyEye CP, which provide even more information related to the criminals’ infrastructure and their current campaign.
Debug.log (general traffic)
Error.log (possible leaked IP addresses and other information)
Tasks.log (what it’s doing)
Backup.sh (SQL dump and passwords)
Config.ini (settings)
Although you may think what we have done is illegal, it actually is not. The analysis team worked with cyber law legal counsel for several weeks to refine the legal explanation and walk through the processes and procedures of this technique. By following the steps and recommendations covered in Chapter 5, we were able to convey the appropriate information for our legal counsel to understand the technique. Per the counsel, we were simply locally requesting remote files on obfuscated directories.
As the local CP in our control was obtained publicly, and the exploitable vulnerability did not affect or alter the state of the remote server, we were provided a legal analysis approving our technique for counter-exploiting criminal servers to learn more about the operators behind the campaigns. You may be surprised that the technique we developed was approved for use by not only our immediate legal counsel, but also by US law enforcement. This being said, we will now dive into the analysis of the data of more than 30 different criminal CnC infrastructures, and examine the habits and practices of the criminal operators to determine the motive, intent, and capability of the criminals behind the campaigns.
About SpyEye
SpyEye is a low-cost and effective do-it-yourself (DIY) Trojan kit with many features. With SpyEye, sorting can be based on infected processes, bot globally unique identifiers (GUIDs), and FTP logins. The configuration requires a standard Linux, Apache, MySQL, and PHP (LAMP) environment. The installation is simple, and the majority of the front-end web code uses Ajax (XML/HTTP) to post the data queries to the viewer.
SpyEye divides itself into two setups: the CnC controller (this houses the statistics and communication with the machines interactively) and the form grabber, which is used to collect the login data and store it in a database for querying. The form grabber and the CnC controller identify themselves to an outside observer via the HTML
Figure 9-1 CnC identifier within the
Figure 9-2 Form grabber identifier within the
To access either CN 1 or SYN 1, a password prompt is displayed to authenticate access, as shown in Figure 9-3.