Using data from the Akamai Intelligent PlatformTM, Akamai has developed a new analysis technique for web application layer botnets. By locating WAF triggers related to both Remote File Inclusion attacks and OS Command Injection attacks, researchers used aggregated results to map multiple botnets operating in the studied time period.  Viewing the data in this manner yielded additional insight into the botnets and their respective capabilities. This presentation offers a summary of this technique as excerpted from the State of the Internet Q4 2014 Security Report. Watch this slideshow and then get more details at  http://bit.ly/1GEbAZ9

1. akamai.com
[Q4 2014]

2. • New analysis technique using data from the Akamai
Intelligent PlatformTM
• Automate discovery of web application vulnerabilities for
Remote File Inclusion (RFI) and OS Command Injection
attacks
• Botnets profiled by identifying malicious code resource
URLs and seemingly identical payloads
• Analysis does not require inclusion in the botnet or taking
over the botnet’s command and control (C&C, C2) server
[Download the Q4 2014 Global DDoS Attack Report for supporting data and
analysis]
= botnet profiling technique
2 / [The State of the Internet] / Security (Q4 2014)

3. = Remote File Inclusion (RFI) attacks
3 / [The State of the Internet] / Security (Q4 2014)
• Used to exploit dynamic file include mechanisms
in web applications
• Web application can be tricked into including
remote files with malicious code
• RFI vulnerabilities are easily found and exploited
by attackers
$dir = $_GET['module_name'];
include($dir . "/function.php");
Figure 1: Code vulnerable to a Remote File Inclusion attack

4. = OS Command Injection
4 / [The State of the Internet] / Security (Q4 2014)
• Used to execute unauthorized operating system
commands
• The result of mixing trusted code with untrusted data
• Commands executed by the attacker will run with the
same privileges of the commanding component
• Attackers can leverage this ability to gain access
and damage parts that are not reachable

5. = common payloads in botnets
5 / [The State of the Internet] / Security (Q4 2014)
• RFI and OS Command Injection are among the most
prevalent of vulnerabilities reported
• Attacker can take full control over the victim server
• The most favorable attack vector
• In recent months, Akamai has observed massively
orchestrated attempts to find such vulnerabilities
• Botnet machines, even geographically disparate machines belonging to
different organizations, try to inject the same remote piece of malicious
code
• Code correlations enabled Akamai to map multiple Internet botnets
operating at the time of the comparison

6. • RFI and OS Command Injection botnets targeted more
than 850 web applications across several top-level
domains over a seven-day period
• All of the botnet traffic appeared to originate from
compromised servers, most from popular Software-as-
a-Service (SaaS) and cloud hosting providers
• The botnet Akamai analyzed included a dedicated
Python script that performed web crawling disguised as
a Microsoft Bing bot
• In one instance, an observed botnet propagated
through two WordPress TimThumb vulnerabilities
= botnet findings
6 / [The State of the Internet] / Security (Q4 2014)

7. = analysis of botnet capabilities
Figure 2: Code for remote file upload
7 / [The State of the Internet] / Security (Q4 2014)
Both RFI and OS Command Injection attacks used the same
malicious code involving:
• Remote shell command execution
• Remote file upload (see figure)
• SMS sending, controlled by IRC commands
• Local FTP server credentials brute force attack
• IRC-controlled UDP/TCP denial of service flood

8. • Novel approach to understanding web application-layer
botnets
• Used attack payload as the common denominator to
aggregate data and map botnet information
• Does not require the researcher to be a part of the botnet or
to take over the botnet’s C2 server
• Can be used for mapping other types of malicious activities
that use a distinct payload
= conclusion
8 / [The State of the Internet] / Security (Q4 2014)

9. • Download the Q4 2014 State of the Internet Security Report
• The Q4 2014 report covers:
/ Analysis of DDoS attack trends
/ Breakdown of average Gbps/Mbps statistics
/ Year-over-year and quarter-by-quarter analysis
/ Types and frequency of application-layer attacks
/ Types and frequency of infrastructure attacks
/ Trends in attack frequency, size and sources
/ Where and when DDoSers launch attacks
/ Case study and analysis
= Q4 2014 global attack report
9 / [The State of the Internet] / Security (Q4 2014)

10. • StateoftheInternet.com, brought to you by Akamai,
serves as the home for content and information intended to
provide an informed view into online connectivity and
cybersecurity trends as well as related metrics, including
Internet connection speeds, broadband adoption, mobile
usage, outages, and cyber-attacks and threats.
• Visitors to www.stateoftheinternet.com can find current and
archived versions of Akamai’s State of the Internet
(Connectivity and Security) reports, the company’s data
visualizations, and other resources designed to put context
around the ever-changing Internet landscape.
= about Prolexic
10 / [The State of the Internet] / Security (Q4 2014)