2010 za con_ivan_burke

Page 1

by Ivan Burke from DPSS, CSIR

Page 2

Overview

- Basic goals of a Botnet
- Basic requirements for a Botnet
- Event that spawned this research
- Building the puzzle
- What we did?
- How we did it?
- The fix

Page 3

Basic goals of a Botnet

- PROFIT
- Disruption
- Growth
- Hide in the masses

Page 4

Requirements for Botnet

- Botnets need to be Viral
- Access to valuable Data or services
- They require C2 to communicate
- Stealth

Page 5

All plausible goals

- Tools exist that are capable of achieving most of these goals to some extent.

- “The problem is not the tools. How you are going to make all that work for your specific needs? It's pretty complex” – Joe Stewart, speaking at Blackhat 2008

Page 6

Event that sparked this research

SEACOM failure, April 2010

Page 7

Building the puzzle

Page 8

Google gadget FAQ section

- Does not follow standard web protocol

Page 9

Google gadget FAQ section

- No validation of page existence
- Multiple IPs and locations

Page 10

Google gadget FAQ section

Jackpot

Page 11

What we did with this info

- Created a PoC man in the middle attack
- Harvested browser info
- Established crude C2 capabilities between server and Gadgets
- Attempted a DDoS, settled for messing with AdSense stats and a website traffic generator
- Created a basic anonymous browsing gadget

Page 12

How did we do this

- Man in the middle PoC
- Gadgets are iFrames with no address bar; easy to fake the iFrame source by obfuscating the request via the gadget makeRequest() call
- Fetch the legit site, yet replace one or more links with makeRequest() to redirect to a malicious site
- Similar techniques dating back to 2004: http://blogs.geekdojo.net/brian/archive/2004/10/14/googlephishing.aspx

Page 13

Harvest Browser Info

- JPort Scanner
- Browser history (determine banks used, social network sites used)
- Other gadget cookie data

Page 14

Basic C2

- Basic sending and receiving of data using Google servers to act as carrier, hiding the IP of origin and destination
- Data transfer seamless thanks to asynchronous JavaScript calls
- Open ports (JavaScript port scanner), browser history (window.history), botnet/DDoS instructions

Page 15

DDoS attempt

- Option 1: Set refresh interval to zero
- Option 2: Request fictitious sites in a for loop

Page 16

Advertisements ruin everything

- Google’s AdSense actually causes the gadget user’s PC to freeze before the DDoS can occur
- Google’s AdSense triggers on each page request
- Now the question arises: should I exploit this for money, or just block AdSense and cause the DDoS?

Page 17

Anonymous browsing gadget

- Quite simple actually, just use the gadget to recursively replace hyperlinks with makeURLRequest();
- Hides your IP from servers; allows the user to post content on Web 2.0 sites without having their IP logged

Page 18

Final Gadget Structure

Page 19

Do Google gadgets meet the requirements for a Botnet?

- Botnets need to be Viral – We did not explicitly tackle this issue, as Google gadgets are in themselves meant to be viral. Easy to share, social by design. http://code.google.com/apis/opensocial/articles/bestprac.html
- Access to valuable Data or services – Browser history, data contained on other Gadgets, port scanning, MITM info
- They require C2 to communicate – Basic communication achieved via GET and POST
- Stealth – All actions taken are done by the Google gadget server; the target server’s logs only contain the Gadget server IP. Data transmitted via HTTP, hence no firewall alerts
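The stealth point above (the target only ever sees the gadget server's IP and plain HTTP) is exactly what a site owner has to work with on the detection side. The following is an added example, not code from the talk or from Google: a small Python log analyser over constructed Apache combined-format lines that singles out requests relayed by the gadget fetcher, spots per-minute bursts from a single proxy IP (what a zero refresh interval looks like from the receiving end), and implements the consumer-side rule of refusing the fetcher's user agent. The user-agent token Feedfetcher-Google, the IP addresses and the log lines are assumptions constructed for the example.

```python
"""Target-side detection of gadget-relayed traffic (added example, not the talk's code)."""
import re
from collections import defaultdict

# Assumption: the gadget server's fetcher identifies itself with a User-Agent
# containing this token. The slides only say "google-feedfetch agent".
GADGET_FETCHER_UA = "Feedfetcher-Google"

# Apache/nginx "combined" log format.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) (?P<proto>\S+)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Constructed sample: six fetches relayed through one proxy IP inside a single
# minute, plus two ordinary browser requests. Addresses are from the
# documentation ranges (203.0.113.0/24, 198.51.100.0/24).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Apr/2010:12:00:01 +0200] "GET /index.html HTTP/1.1" 200 5120 "-" "Feedfetcher-Google"
203.0.113.5 - - [10/Apr/2010:12:00:02 +0200] "GET /index.html HTTP/1.1" 200 5120 "-" "Feedfetcher-Google"
203.0.113.5 - - [10/Apr/2010:12:00:02 +0200] "GET /index.html HTTP/1.1" 200 5120 "-" "Feedfetcher-Google"
198.51.100.7 - - [10/Apr/2010:12:00:03 +0200] "GET /about.html HTTP/1.1" 200 2048 "http://example.com/" "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"
203.0.113.5 - - [10/Apr/2010:12:00:03 +0200] "GET /index.html HTTP/1.1" 200 5120 "-" "Feedfetcher-Google"
203.0.113.5 - - [10/Apr/2010:12:00:04 +0200] "GET /index.html HTTP/1.1" 200 5120 "-" "Feedfetcher-Google"
203.0.113.5 - - [10/Apr/2010:12:00:05 +0200] "GET /index.html HTTP/1.1" 200 5120 "-" "Feedfetcher-Google"
198.51.100.7 - - [10/Apr/2010:12:05:10 +0200] "GET /contact.html HTTP/1.1" 200 1024 "http://example.com/about.html" "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"
"""


def parse_line(line):
    """Return the fields of one combined-format line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def is_gadget_proxy(entry):
    """True when the request was relayed by the gadget fetcher rather than a browser."""
    return GADGET_FETCHER_UA in entry["ua"]


def minute_key(ts):
    """'10/Apr/2010:12:00:01 +0200' -> '10/Apr/2010:12:00' (drop seconds and zone)."""
    return ts.split(" ")[0].rsplit(":", 1)[0]


def analyse(lines, burst_threshold=5):
    """Summarise relayed traffic: how much of it there is, and which (ip, minute)
    pairs exceed burst_threshold relayed requests. Because every relayed request
    carries the proxy's IP, not the gadget user's, the proxy IP is the only
    source identity the target can key on."""
    entries = [e for e in map(parse_line, lines) if e]
    proxied = [e for e in entries if is_gadget_proxy(e)]
    per_minute = defaultdict(int)
    for e in proxied:
        per_minute[(e["ip"], minute_key(e["ts"]))] += 1
    bursts = sorted(
        (ip, minute, n) for (ip, minute), n in per_minute.items() if n >= burst_threshold
    )
    return {"total": len(entries), "proxied": len(proxied), "bursts": bursts}


def should_block(user_agent):
    """Consumer-side fix from the slides: refuse requests from the gadget fetcher outright."""
    return GADGET_FETCHER_UA.lower() in user_agent.lower()


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG.splitlines())
    print(f"{report['proxied']} of {report['total']} requests relayed by the gadget fetcher")
    for ip, minute, n in report["bursts"]:
        print(f"burst: {n} relayed requests from {ip} during {minute}")
```

Blocking on the user agent only works while the relay keeps announcing itself; the per-minute burst count is the check that survives a changed user-agent string, at the cost of also rate-limiting legitimate feed fetches from the same proxy address.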

Page 20

The Fix

- Google’s side: Follow common web protocol, listen to robots.txt; prevent/notify users of gadget redirects
- Consumer side: Block the google-feedfetch agent; clean browser history regularly; better education about the risks
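On the Google's-side items, the two checks a relaying fetcher needs are a robots.txt gate and a redirect policy. The following is an added example, not Google's code or the talk's: a Python gatekeeper built on the standard library's urllib.robotparser over constructed per-host robots.txt files, with a redirect decision that follows same-host redirects only when robots.txt allows the target and reports cross-host redirects back to the caller instead of silently following them. The fetcher name GadgetFetcher, the hosts and the robots.txt contents are assumptions made for the example; a real fetcher would retrieve each host's robots.txt rather than read it from a dictionary.

```python
"""robots.txt gate and redirect policy for a relaying fetcher (added example)."""
from urllib.parse import urljoin, urlparse
from urllib.robotparser import RobotFileParser

# Assumed user-agent name for the gadget server's fetcher; the slides name none.
FETCHER_UA = "GadgetFetcher"

# Constructed robots.txt files, one per host, standing in for files the fetcher
# would have retrieved from each site before requesting anything else.
ROBOTS = {
    "example.com": """\
User-agent: *
Disallow: /private/
""",
    "example.net": """\
User-agent: GadgetFetcher
Disallow: /
""",
}


def build_parsers(robots_by_host):
    """Parse each host's robots.txt text into a RobotFileParser."""
    parsers = {}
    for host, text in robots_by_host.items():
        rp = RobotFileParser()
        rp.parse(text.splitlines())
        parsers[host] = rp
    return parsers


PARSERS = build_parsers(ROBOTS)


def fetch_allowed(url, parsers=PARSERS):
    """Gate every outgoing fetch on the target host's robots.txt.
    Fails closed: a host whose robots.txt has not been seen is not fetched."""
    host = urlparse(url).hostname
    rp = parsers.get(host)
    if rp is None:
        return False
    return rp.can_fetch(FETCHER_UA, url)


def redirect_decision(origin_url, location, parsers=PARSERS):
    """Decide what to do with a Location header received while fetching origin_url.

    Returns (action, absolute_target) where action is one of:
      'notify'  - target is on another host; surface it to the user, do not follow
      'blocked' - same host, but robots.txt forbids the target
      'follow'  - same host and permitted
    """
    target = urljoin(origin_url, location)
    if urlparse(target).hostname != urlparse(origin_url).hostname:
        return "notify", target
    if not fetch_allowed(target, parsers):
        return "blocked", target
    return "follow", target


if __name__ == "__main__":
    for url in ("http://example.com/index.html", "http://example.com/private/x", "http://example.net/"):
        print(url, "->", "fetch" if fetch_allowed(url) else "refuse")
    for loc in ("/about", "/private/x", "http://other.example/login"):
        print("redirect from http://example.com/news to", loc, "->", redirect_decision("http://example.com/news", loc))
```

Surfacing a cross-host redirect rather than following it is what turns the "fake iFrame source" trick from earlier in the talk into something the user can see; the robots.txt gate is the "follow common web protocol" point, and failing closed on an unknown host keeps the fetcher from being used against sites it has never checked.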

Page 21

Questions