Symantec Blogs: Security Response

Davide Veneziano | October 29th, 2008

My previous post was intended to demonstrate that malicious software can also be affected by security vulnerabilities. The example considered a remote code execution vulnerability in a PHP page used in a phishing attack. However, the debate is still open concerning the possibility that the security issue had been intentionally introduced as a back door.

I want to now focus my attention on another piece of malicious code used to control and coordinate the systems belonging to a particular botnet. A botnet is a group of infected zombie machines under a common control infrastructure; usually, a Web application is employed to remotely instruct the systems in order to pursue a variety of illicit purposes.

An authentication bypass vulnerability was found in the command and control Web interface used by this particular botnet, allowing users to bypass the authentication mechanism and take control of the botnet and its zombies....

Davide Veneziano | October 17th, 2008

Volume XIII of the Symantec Internet Security Threat Report highlighted the fact that the number of vulnerabilities affecting web applications is growing. However, these security issues are not only affecting common legitimate applications, but also malicious code. In fact, a source code analysis of several samples revealed serious vulnerabilities that could, ironically, open security holes in programs designed to compromise other users' security.

The investigation originated while analyzing a phishing kit (that is, a package containing a clone website of a financial institution) including a PHP page that was neither called nor apparently used by the fraudster to accomplish his task. The phishing kit contained the following code:

 

...