by Ivan Burke from DPSS, CSIR

Overview

- Basic goals of a Botnet
- Basic requirements for a Botnet
- Event that sparked this research
- Building the puzzle
- What we did
- How we did it
- The fix

Basic goals of a Botnet

- Profit
- Disruption
- Growth
- Hide in the masses

Requirements for a Botnet

- Botnets need to be viral
- Access to valuable data or services
- They require C2 to communicate
- Stealth

All plausible goals

- Tools exist that are capable of achieving most of these goals to some extent.
- "The problem is not the tools. How are you going to make all that work for your specific needs? It's pretty complex" – Joe Stewart, speaking at Black Hat 2008

Event that sparked this research

- SEACOM failure, April 2010

Building the puzzle

- Google gadget FAQ section: gadget fetches do not follow standard web protocol (e.g. robots.txt)
- Google gadget FAQ section: no validation of page existence
- Multiple IPs and locations
- Google gadget FAQ section: jackpot

What we did with this info

- Created a PoC man-in-the-middle attack
- Harvested browser info
- Established crude C2 capabilities between server and gadgets
- Attempted a DDoS; settled for messing with AdSense stats and a website traffic generator
- Created a basic anonymous browsing gadget

How did we do this

Man in the middle PoC

- Gadgets are iframes with no address bar. Easy to fake the iframe source by obfuscating the request via the gadget makeRequest()
- Fetch the legitimate site, yet replace one or more links with makeRequest() to redirect to a malicious site
- Similar techniques date back to 2004: http://blogs.geekdojo.net/brian/archive/2004/10/14/googlephishing.aspx
  
Harvest browser info

- JavaScript port scanner
- Browser history (determine banks used, social network sites used)
- Other gadget cookie data

Basic C2

- Basic sending and receiving of data using Google servers as the carrier, hiding the IP of both origin and destination
- Data transfer is seamless thanks to asynchronous JavaScript calls
- Payloads carried: open ports (JavaScript port scanner), browser history (window.history), botnet/DDoS instructions
DDoS attempt

- Option 1: set refresh interval to zero
- Option 2: request fictitious sites in a for loop

Advertisements ruin everything

- Google's AdSense actually causes the gadget user's PC to freeze before the DDoS can occur
- Google's AdSense triggers on each page request
- Now the question arises: should I exploit this for money, or just block AdSense and cause a DDoS?

Anonymous browsing gadget

- Quite simple actually: just use the gadget to recursively replace hyperlinks with makeURLRequest();
- Hides your IP from servers; allows the user to post content on Web 2.0 sites without having their IP logged
Final gadget structure

Do Google gadgets meet the requirements for a Botnet?

- Botnets need to be viral – We did not explicitly tackle this issue, as Google gadgets are in themselves meant to be viral. Easy to share, social by design. http://code.google.com/apis/opensocial/articles/bestprac.html
- Access to valuable data or services – Browser history, data contained in other gadgets, port scanning, MITM info
- They require C2 to communicate – Basic communication achieved via GET and POST
- Stealth – All actions are taken by the Google gadget server, so the target server's logs only contain the gadget server's IP. Data is transmitted via HTTP, hence no firewall alerts

The Fix

Google's side
- Follow common web protocol: listen to robots.txt
- Prevent/notify users of gadget redirects

Consumer side
- Block the google-feedfetch (Google Feedfetcher) user agent
- Clean browser history regularly
- Better education about the risks
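Both halves of the fix can be written as checks. The following is an added example and not part of the presentation: a simplified robots.txt evaluator of the kind the gadget server would have to apply before fetching on a gadget's behalf (user-agent groups, Allow/Disallow prefix rules, longest match wins, Allow wins ties; no wildcard support), and a consumer-side request filter for the Feedfetcher user agent. The user-agent token `Feedfetcher-Google` is an assumption for what the slide calls the google-feedfetch agent and should be verified against your own access logs; the robots.txt and request headers are constructed.

```javascript
// Added example: "The fix" as two checks. Simplified robots.txt handling on the
// carrier side, and a user-agent filter on the site-owner (consumer) side.

// --- Google's side: honour robots.txt before fetching for a gadget -------------
function parseRobots(txt) {
  const groups = [];
  let cur = null;
  let lastWasAgent = false;
  for (const raw of txt.split(/\r?\n/)) {
    const line = raw.replace(/#.*/, "").trim(); // strip comments
    const idx = line.indexOf(":");
    if (idx < 0) continue;
    const field = line.slice(0, idx).trim().toLowerCase();
    const value = line.slice(idx + 1).trim();
    if (field === "user-agent") {
      // consecutive User-agent lines share one group
      if (!cur || !lastWasAgent) { cur = { agents: [], rules: [] }; groups.push(cur); }
      cur.agents.push(value.toLowerCase());
      lastWasAgent = true;
    } else if ((field === "allow" || field === "disallow") && cur) {
      if (value) cur.rules.push({ allow: field === "allow", path: value }); // empty Disallow = allow all
      lastWasAgent = false;
    }
  }
  return groups;
}

// Pick the most specific user-agent group (falling back to "*"), then apply the
// longest-matching path rule; on equal length an Allow beats a Disallow.
function robotsAllows(txt, userAgent, path) {
  const ua = userAgent.toLowerCase();
  let group = null, matched = -1;
  for (const g of parseRobots(txt)) {
    for (const token of g.agents) {
      if (token === "*") { if (matched < 0) { group = g; matched = 0; } }
      else if (ua.includes(token) && token.length > matched) { group = g; matched = token.length; }
    }
  }
  if (!group) return true;
  let verdict = true, best = -1;
  for (const r of group.rules) {
    if (!path.startsWith(r.path)) continue;
    if (r.path.length > best || (r.path.length === best && r.allow)) { verdict = r.allow; best = r.path.length; }
  }
  return verdict;
}

// --- Consumer side: refuse fetches made on behalf of gadgets ------------------
// Assumed UA token (the slide calls it "google-feedfetch"); confirm in your logs.
const FEEDFETCHER_UA = /feedfetcher-google/i;

function shouldBlockRequest(headers) {
  const ua = headers["user-agent"] || "";
  return FEEDFETCHER_UA.test(ua);
}

// Constructed inputs.
const SAMPLE_ROBOTS = `
# keep the gadget fetcher out entirely, everyone else out of /private/
User-agent: Feedfetcher-Google
Disallow: /

User-agent: *
Disallow: /private/
Allow: /private/public.html
`;
const FEEDFETCHER_HEADERS = { "user-agent": "Feedfetcher-Google; (+http://www.google.com/feedfetcher.html)" };
const BROWSER_HEADERS = { "user-agent": "Mozilla/5.0 (constructed)" };
```

Two caveats for the consumer side: the request arrives from Google's address space, so the user-agent string is the only handle the target site has, and it is under the carrier's control; and a blanket block on Feedfetcher also stops Google's legitimate feed fetching for the same site, so weigh that against what the gadget traffic is costing you.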
  
Questions	
  