Actually, this is not an easy question.
Think about a guy who has lots of experience with Windows security and who is
also developing tools to exploit Windows operating systems, but who is a newbie
at securing his own tools. So, I decided not
to inform him about it :)
But that is not the case we’re going
to talk about today. I found a SQL Injection vulnerability in one of the Blackshades tools,
namely “Blackshades HTTP Controller”, and we’re going to dive into Blackshades
HTTP Controller’s features and infrastructure.
Before starting our analysis, I should give
a brief description of what a R.A.T. (Remote
Access Tool) is and what Blackshades is providing to their customers.
Actually, the term R.A.T. is a legal-sounding
rebranding of the well-known malware category “Trojan”. I’m not going to
explain the details of Trojans, but briefly, Trojans are software built
on a client-server architecture: the server component (which must be running on the victim machine) is responsible for running
commands supplied by the client component (the administration tool that is running on the attacker’s side).
If you’re a Trojan coder and want your tool
to be public or want to sell it, you must publish it under the term “R.A.T.”
instead of “Trojan”, and you should have a nice-looking corporate website to
sell or share your tool.
Now, let’s take a look at the “Blackshades” website (“Blackshades” is the name of the brand, not the name of a single piece of
software) and what they provide to their customers (potential attackers).
One of the guys from Blackshades (I think the founder), Michael
Hogue (a.k.a. “xVisceral”), has been
arrested in an FBI operation. As Symantec Security Response (http://www.symantec.com/connect/blogs/w32shadesrat-blackshades-author-arrested)
already mentioned, this tool was used / is being used in targeted attacks against
Syrian activists. I think that’s why it attracted the attention of the FBI.
Here’s a screenshot of the Blackshades website;
Nowadays, Blackshades provides their services
from “hxxp://bshades.eu” after lots of domain changes. Their website looks
pretty good and has the design of a legitimate commercial software provider. They
are even hiring staff. :)
When
we check the “Products” page, there are over 10 products/services
available.
The most
interesting and popular ones are:
- Blackshades NET (The most advanced and stable RAT available in the world, with lots of interesting features like automatic actions, a built-in spreader and surveillance options)
- Blackshades RAT (The only known RAT developed in Java, advertised for speed and reliability)
- Blackshades HTTP (The only known botnet with the features of a R.A.T.)
- Blackshades VPN (A service that lets you connect to the internet safely. No logs, no records..)
- Blackshades Fusion (Next-generation R.A.T. with the common features. You don’t need to forward ports for the reverse connection: the server component connects to Blackshades’ servers and your client also connects to Blackshades’ servers to manage your victims.)
So, let’s
keep on with our target, Blackshades HTTP. I want to mention some
interesting features of Blackshades HTTP to show why it’s important.
Nowadays,
there are many botnets with different features being sold on the black markets.
Some of them are built for DDoS purposes and some of them for stealing information.
But
Blackshades HTTP is not dedicated to stealing information or to DDoS purposes. It
has features to steal passwords and serials, and it has lots of DDoS features, but
the feature which makes Blackshades HTTP unique is that it has some R.A.T.
features like recording the webcam and grabbing screenshots. I couldn’t find the “Server
Creator” component to check the file size of the “Server” component, but I’m sure
that it must be bigger than the other known botnet droppers because more
“features” means a bigger file size.
Now,
let’s take a look at the interface and the options.
This is
our login screen, and I see that the platform is PHP based; if you want to see
it live maybe you can try out some Google Dorks :)
After
logging in, the Main Page welcomes you;
In the
menu at the top of the page, you can see some options and controls, which I
explain below;
- Main (This is the home page where you can see some informational statistics like Total Bots, Online Bots, Country Statistics etc.)
- Bots (You can see your installed Bots with Computer Name, IP, Username, Country and Last Seen fields. You can also filter to see only “Online” bots or set a filter on dates.)
- Logs (This page is responsible for showing you the results of some commands such as “Keylogger”, “Form Grabber” and “E-Mail Grabber”; there’s also a search option to search for specific keys.)
- Passwords (You can find the passwords that were captured from the victims.)
- Commands (One of the important pages. You can set the commands for your Bots. You can set them for a specific Bot or you can limit them to a specific country.)
- DDoS (Another important page. You can start DDoS attacks against victims with different DDoS settings.)
- Settings (You can add/remove Administrators to manage the Blackshades HTTP Botnet)
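The post opens by saying a SQL Injection was found in this PHP panel, and the menu above shows where user-controlled input enters it: the search boxes and date filters on the Bots and Logs pages. As an added illustration (this is not code from Blackshades or from the original post, which never shows the panel’s source), here is a small Python/SQLite model of a bot-list search written the unsafe way (search term pasted into the SQL text) next to the hardened way (search term passed as a bound parameter). The table, column names, sample rows and the crafted input are all constructed for the example and are not the panel’s real schema or data.

```python
import sqlite3

# Constructed sample rows standing in for a panel's bot list (hypothetical schema,
# not Blackshades' real table).
SAMPLE_BOTS = [
    ("HWID-0001", "DESKTOP-A", "alice", "TR", "2012-06-01 10:00:00"),
    ("HWID-0002", "DESKTOP-B", "bob", "US", "2012-06-02 11:30:00"),
    ("HWID-0003", "LAPTOP-C", "carol", "DE", "2012-06-03 09:15:00"),
]


def make_db():
    """Create an in-memory SQLite database with the hypothetical bot-list table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE bots (id INTEGER PRIMARY KEY, hwid TEXT, pcname TEXT, "
        "username TEXT, country TEXT, lastseen TEXT)"
    )
    conn.executemany(
        "INSERT INTO bots (hwid, pcname, username, country, lastseen) "
        "VALUES (?, ?, ?, ?, ?)",
        SAMPLE_BOTS,
    )
    conn.commit()
    return conn


def search_bots_unsafe(conn, term):
    """Vulnerable pattern: the search term becomes part of the SQL statement itself,
    so quote characters in the term change the query's structure."""
    sql = "SELECT hwid FROM bots WHERE pcname LIKE '%" + term + "%'"
    return [row[0] for row in conn.execute(sql)]


def search_bots_safe(conn, term):
    """Hardened pattern: the SQL text is fixed and the term travels as a bound
    parameter, so it is only ever compared as data."""
    sql = "SELECT hwid FROM bots WHERE pcname LIKE ?"
    return [row[0] for row in conn.execute(sql, ("%" + term + "%",))]


def demo():
    """Run both variants on an ordinary term and on a constructed term that closes
    the quoted literal, adds an always-true condition and comments out the rest."""
    conn = make_db()
    ordinary = "DESKTOP"
    crafted = "x' OR 1=1 --"
    return {
        "unsafe_ordinary": search_bots_unsafe(conn, ordinary),
        "safe_ordinary": search_bots_safe(conn, ordinary),
        "unsafe_crafted": search_bots_unsafe(conn, crafted),  # every row leaks
        "safe_crafted": search_bots_safe(conn, crafted),      # no row matches
    }


if __name__ == "__main__":
    for name, hwids in demo().items():
        print(name, hwids)
```

On the ordinary term both variants return the two DESKTOP machines. On the crafted term the unsafe variant returns the whole table, because the `WHERE` clause has been rewritten, while the parameterized variant simply looks for a machine name containing that literal string and finds none. The fix is the same in PHP (prepared statements with bound parameters in PDO or mysqli); what matters is that the query text never contains user input.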
Now let’s
look deeper inside these features.
BOTS
This is
our “Bots” screen. As you see, by default “All” registered bots are shown on the
page; you can also filter them by date and search for a specific
bot.
The developer
built an ID-based infrastructure to communicate with bots. In the screen above,
you can see that ID, HWID, WAN, PC Name, User Name, Country and Last
Seen fields are available for each bot.
I hid the
“WAN (IP Addresses)”, “PC Name” and “User Name” fields for privacy. As a
summary of the bot list page, you can see whether a bot is online, where it is from, its computer and user
name, and its IP address.
LOGS
In the
“Logs” screen you have the chance to see the various kinds of logs that are collected from
bots.
These
logs are not triggered with the default settings; actually, they are the results of
some commands like “Key logger”, “Form Grabber” and “Email Grabber” that I will
mention in the Commands section.
In my
example here, there’s something wrong with the components, in my opinion, because
even though some “Commands” can be executed, there are no logs returned, but I’m
sure that these features are working with the correct configuration.
PASSWORDS
Here’s
one of the important pages, where you can see the passwords collected
from your bots. There’s no evidence in the interface about the types of passwords
that can be collected, but even CD-Keys can be collected, and you’ll be able to see
them in the DB snapshot screens later.
Commands
The heart of
our botnet: Commands. This is the page where we explain how our bots will
act.
In the
beginning I told you that Blackshades HTTP is a special botnet
controller. Here’s the proof!
It can
capture screens and webcams and spread itself via MSN, torrent, Facebook etc. It’s more
than a R.A.T. and more than a botnet. Even though I didn’t have a chance to see it in
action,
I’m sure
all of them are working with the right settings.
DDoS
The main
purpose of a botnet, which is not forgotten in Blackshades HTTP. 4 types of attack
are included, for ports that you can specify. “HTTPS/SSL Attack” looks interesting :) and you can observe how many
times our attack was executed, and you can also limit it.
Settings
Under the
Settings menu there’s only one option, and it’s about creating Administrator
accounts with different roles.
At this
point we’re finishing our discovery of the interface. In the next, final chapter, we
will take a look at the database schema and some data in the database.