ZaCon 2010, Ivan Burke
TRANSCRIPT
by Ivan Burke from DPSS, CSIR
Overview
Basic goals of a Botnet
Basic requirements for a Botnet
Event that spawned this research
Building the puzzle
What we did
How we did it
The fix
Basic goals of a Botnet
PROFIT
Disruption
Growth
Hide in the masses
Requirements for Botnet
Botnets need to be Viral
Access to valuable Data or services
They require C2 to communicate
Stealth
All plausible goals
Tools exist that are capable of achieving most of these goals to some extent.
“The problem is not the tools. How are you going to make all that work for your specific needs? It's pretty complex” – Joe Stewart, speaking at Black Hat 2008
Event that sparked this research
SEACOM failure April 2010
Building the puzzle
Google gadget FAQ section
Does not follow standard web protocol
Google gadget FAQ section
No validation of page existence
Multiple IPs and locations
Google gadget FAQ section
Jackpot
What we did with this info
Created a PoC man-in-the-middle attack
Harvested browser info
Established crude C2 capabilities between server and Gadgets
Attempted a DDoS, settled messing with AdSense stats and website traffic generator
Created a basic anonymous browsing gadget
How did we do this
Man-in-the-middle PoC
Gadgets are iFrames with no address bar. Easy to fake the iFrame source by obfuscating the request via the gadget makeRequest() call.
Fetch a legitimate site yet replace one or more links with makeRequest() to redirect to a malicious site.
Similar techniques dating back to 2004:
http://blogs.geekdojo.net/brian/archive/2004/10/14/googlephishing.aspx
Harvest Browser Info
JPort Scanner
Browser History (Determine banks used, social network sites used)
Other gadget Cookie data
Basic C2
Basic sending and receiving of data using Google servers as the carrier, hiding the IP of origin and destination
Data transfer seamless thanks to asynchronous JavaScript calls
Open ports (JavaScript port scanner), Browser history (window.history), Botnet/DDoS instructions
DDoS attempt
Option 1: Set refresh interval to Zero
Option 2: Request fictitious sites in a for loop
Advertisements ruin everything
Google’s AdSense actually causes the Gadget user's PC to freeze before the DDoS can occur
Google’s AdSense triggers on each page request
Now the question arises: should I exploit this for money, or
just block AdSense and cause a DDoS?
Anonymous browsing gadget
Quite simple actually: just use the gadget to recursively replace hyperlinks with makeURLRequest();
Hides your IP from servers; allows the user to post content on Web 2.0 sites without having their IP logged
Final Gadget Structure
Do Google gadgets meet the requirements for a Botnet?
Botnets need to be Viral – We did not explicitly tackle this issue, as Google gadgets are in themselves meant to be viral. Easy to share, Social by design. http://code.google.com/apis/opensocial/articles/bestprac.html
Access to valuable Data or services – Browser History, Data contained on other Gadgets, Port scanning, MITM info
They require C2 to communicate – Basic communication achieved via GET and POST
Stealth – All actions taken are done by the Google gadget server, so the target server’s logs only contain the Gadget server IP. Data is transmitted via HTTP, hence no firewall alerts
The Fix
Google’s side
Follow common web protocol, listen to robots.txt
Prevent/Notify users of gadget redirects
Consumer side
Block the google-feedfetch agent
Clean browser history regularly
Better education about the risks
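An added example, not from the talk, taken from the server operator's side of the fix above: a small Python log check that picks out requests relayed by the gadget server (assumed, per the slide, to identify itself with a user-agent containing "feedfetch") and alerts when that proxy keeps asking for pages that do not exist, which is what the fictitious-site loop looks like in an ordinary web server log. The log lines are constructed sample data using documentation IP ranges.

```python
import re
from collections import Counter

# Apache/nginx "combined" access-log line: client IP, ident, user, [timestamp],
# "request line", status, bytes, "referer", "user-agent".
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)

# Assumption: requests relayed by the gadget server carry a user-agent that
# contains "feedfetch" (the slides say to block the google-feedfetch agent).
PROXY_UA_MARKER = "feedfetch"

def parse_line(line):
    """Return the fields of one access-log line, or None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None

def is_gadget_proxy(entry):
    """True when the request came through the gadget server rather than a browser."""
    return PROXY_UA_MARKER in entry["ua"].lower()

def analyse(lines, not_found_threshold=3):
    """Count proxied requests per path and raise an alert when the proxy keeps
    asking for pages that do not exist (the fictitious-site loop from the slides)."""
    hits_per_path = Counter()
    not_found = 0
    for line in lines:
        entry = parse_line(line)
        if entry is None or not is_gadget_proxy(entry):
            continue  # direct browser traffic or an unparseable line
        hits_per_path[entry["path"]] += 1
        if entry["status"] == "404":
            not_found += 1
    return hits_per_path, not_found, not_found >= not_found_threshold

# Constructed sample log (documentation IP ranges, not real hosts).
SAMPLE_LOG = """
203.0.113.5 - - [14/Apr/2010:10:00:01 +0200] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1)"
198.51.100.7 - - [14/Apr/2010:10:00:02 +0200] "GET /index.html HTTP/1.1" 200 5120 "-" "Feedfetcher-Google; (+http://www.google.com/feedfetcher.html)"
198.51.100.7 - - [14/Apr/2010:10:00:02 +0200] "GET /no-such-page-1 HTTP/1.1" 404 312 "-" "Feedfetcher-Google; (+http://www.google.com/feedfetcher.html)"
198.51.100.7 - - [14/Apr/2010:10:00:03 +0200] "GET /no-such-page-2 HTTP/1.1" 404 312 "-" "Feedfetcher-Google; (+http://www.google.com/feedfetcher.html)"
203.0.113.5 - - [14/Apr/2010:10:00:03 +0200] "GET /missing.css HTTP/1.1" 404 312 "-" "Mozilla/5.0 (Windows NT 6.1)"
198.51.100.7 - - [14/Apr/2010:10:00:04 +0200] "GET /no-such-page-3 HTTP/1.1" 404 312 "-" "Feedfetcher-Google; (+http://www.google.com/feedfetcher.html)"
""".strip().splitlines()
if __name__ == "__main__":
    hits, missing, alert = analyse(SAMPLE_LOG)
    print(dict(hits), missing, "ALERT" if alert else "ok")
```

Because every relayed request arrives from the gadget server's address, the user-agent is the only field that separates proxied traffic from a real visitor, so the check keys on it rather than on the client IP.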
Questions