Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks
HOPE 2012 Presentation
Transcript of "Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks "

1. Advancements in Botnet Attacks and Malware Distribution
   HOPE Conference, New York, July 2012
   Aditya K Sood | Rohit Bansal | Richard J Enbody
   SecNiche Security | Department of Computer Science and Engineering, Michigan State University

2. About Us
   Aditya K Sood
   ● PhD Candidate at Michigan State University
     – Working for iSEC Partners.
     – Active Speaker at Security conferences
     – LinkedIn - http://www.linkedin.com/in/adityaks
     – Website: http://www.secniche.org | Blog: http://secniche.blogspot.com
     – Twitter: @AdityaKSood
   Rohit Bansal
     – Security Researcher, SecNiche Security Labs
     – Twitter: @0xrb
   Dr. Richard J Enbody
   ● Associate Professor, CSE, Michigan State University
     – Since 1987, teaching computer architecture / computer security
     – Co-Author CS1 Python book, The Practice of Computing using Python.
     – Patents Pending – Hardware Buffer Overflow Protection

3. Agenda
   Malware Paradigm
   Browser Malware Taxonomy
   Present-day Malware Propagation Tactics
   Information Stealing Tactics
   Conclusion

4. FUD (Fear, Uncertainty & Doubt)
   FUD – FUD ||
   ─ Three pillars of robust malware design

5. Malware Paradigm

6. The Reality of Internet!

7. Browser Malware Taxonomy – Class A – Browser Malware

8. Browser Malware Taxonomy – Class B – Browser Malware

9. Browser Malware Taxonomy – Class C – Browser Malware
10. Malware Lifecycle – Java Exploit
    Malware making a place into your system
    ─ Step 1: Vulnerability in high traffic website is exploited
      – To serve malware at large scale
    ─ Step 2: Detecting malicious iframe in the website
      ● Let's extract the iframe from the malicious website
      ● The iframe is pointing to some domain having applet.html.
        – Avoid running it in the browser. Fetch it directly using wget/curl

11. Malware Lifecycle – Java Exploit
    Malware making a place into your system
    ─ Step 3: Detecting the malicious code
      ● So, there is a Java applet with a “param” variable holding an executable
        – Quick analysis of the executable can be seen here:
          https://www.virustotal.com/file/5cb024356e6b391b367bc6a313da5b5f744d8a14cec860502446aaa3e1b4566e/analysis/1330713741/

12. Malware Lifecycle – Java Exploit
    Dissecting Malicious Java Applet
    – Let's see what we have
    VBScript embedded in Java applet code
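Steps 2 and 3 of the lifecycle above (pull the injected iframe out of the compromised page, then find the applet whose “param” carries an executable) can be done without ever rendering the page. The script below is an added example, not code from the talk or from SecNiche: it scans HTML saved with wget/curl for hidden iframes and for <applet> param values that reference executables, and lists the hosts a defender would block. The two sample pages and the domain names in them are constructed placeholders, not real indicators.

```python
"""Added example (not from the slides): defender-side triage of a saved landing
page and the applet.html it points to, matching Step 2 and Step 3 above.
Input is HTML fetched with wget/curl and read from disk; nothing is executed.
Sample pages below are constructed; the .invalid domains are placeholders."""
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Constructed sample: a compromised high-traffic page with an injected hidden iframe
LANDING_PAGE = """<html><body><h1>Welcome</h1>
<iframe src="http://example-bad.invalid/applet.html" width="1" height="1"
        style="visibility:hidden"></iframe>
<iframe src="https://example-partner.invalid/widget" width="300" height="250"></iframe>
</body></html>"""

# Constructed sample: the applet.html the hidden iframe points to
APPLET_PAGE = """<html><body>
<applet code="Loader.class" archive="loader.jar" width="1" height="1">
  <param name="param" value="http://example-bad.invalid/files/update.exe">
  <param name="cc" value="1">
</applet></body></html>"""

# File extensions that should never appear as an applet parameter value
EXECUTABLE_RE = re.compile(r"\.(exe|dll|scr|jar|vbs)(\?|$)", re.IGNORECASE)


def _is_hidden(attrs):
    """True if an iframe is sized to be invisible or hidden via inline style."""
    try:
        w = int(attrs.get("width", "100"))
        h = int(attrs.get("height", "100"))
    except ValueError:
        w = h = 100
    style = (attrs.get("style") or "").replace(" ", "").lower()
    return w <= 1 or h <= 1 or "visibility:hidden" in style or "display:none" in style


class MaliciousMarkupScanner(HTMLParser):
    """Collects hidden iframes and applet params that reference executables."""

    def __init__(self):
        super().__init__()
        self.findings = []      # list of (kind, value) tuples in document order
        self._in_applet = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag == "iframe" and "src" in a and _is_hidden(a):
            self.findings.append(("hidden_iframe", a["src"]))
        elif tag == "applet":
            self._in_applet = True
            self.findings.append(("applet", a.get("archive") or a.get("code", "")))
        elif tag == "param" and self._in_applet and EXECUTABLE_RE.search(a.get("value", "")):
            self.findings.append(("applet_param_executable", a["value"]))

    def handle_endtag(self, tag):
        if tag == "applet":
            self._in_applet = False


def scan_html(html):
    """Return the list of (kind, value) findings for one saved page."""
    scanner = MaliciousMarkupScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def iframe_targets(html):
    """Hidden-iframe destinations to fetch next with wget/curl (Step 2)."""
    return [v for k, v in scan_html(html) if k == "hidden_iframe"]


def hosts_to_block(*pages):
    """Distinct hosts referenced by hidden iframes or executable params, for blocklisting."""
    hosts = set()
    for page in pages:
        for kind, value in scan_html(page):
            if kind in ("hidden_iframe", "applet_param_executable"):
                host = urlparse(value).hostname
                if host:
                    hosts.add(host)
    return sorted(hosts)


if __name__ == "__main__":
    for kind, value in scan_html(LANDING_PAGE) + scan_html(APPLET_PAGE):
        print(f"{kind:26} {value}")
    print("hosts to block:", hosts_to_block(LANDING_PAGE, APPLET_PAGE))
```

Run it against a directory of pages saved by wget, feed each hidden-iframe target back in as the next fetch, and pass the resulting executable URLs to a sandbox or to VirusTotal as the slide does; the size and style checks are heuristics, so a 1x1 tracking pixel served by a partner will also surface and needs a human look.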
13. Implanting Malware (Bots) – Present-day Propagation Tactics

14. Exploiting Web Hosting Data Centers | Web Hosting - Exploitation
    ─ Several websites are hosted on a single server sharing IP address
      – DNS names are mapped virtually to the same IP
    ● Vulnerability in one website can seriously compromise the server
      – Insecure file uploading functionality
        » Uploading remote management shells such as c99 etc
        » Automated iframe injector embeds malicious iframe on all webpages
        » Making configuration changes such as redirecting users to malicious domains
      – Cookie replay attacks in hosting domain website
        » Authentication bypass: reading customer queries on the web based management panel
        » Extracting credentials directly by exploiting design flaws in hosting panels

15. Exploiting Web Hosting Data Centers – Exploitation
    ─ Automated Iframe injector – cPanel Exploitation
    Automated iframer in action

16. Exploiting Web Hosting
    Remote shell in action

17. Infection through Glype Proxies
    Glype proxies
    ● Simple PHP scripts for anonymous surfing
    ● Hosted on legitimate domains and forcing users to surf through the proxy
      – Logging is enabled to fetch the information about users
        » A tactical way of exploiting the integrity of anonymous surfing
    ● Exploiting misconfigured proxies to deliver malware
      – Embedding Browser Exploit Packs (BEPs) with Glype proxies
        » Very effective and successful technique

18. Demonstration

19. Obfuscated Iframes
20. Browser Exploit Packs (BEPs)
    Browser Exploit Pack
    ─ BlackHole is running on fire
    ● Techniques
      – User-agent based fingerprinting
      – Plugin detector capability for scrutinizing the plugins
      – Serving exploit once per IP Address
      – Java exploits are used heavily for spreading infections
      – Support for other exploits such as PDF, Flash etc
      – BlackHole configuration
    Java version fingerprinting parameters

21. Browser Exploit Packs (BEPs)
    Browser Exploit Pack
    ─ Encoded exploit with PHP Ioncube

22. Browser Exploit Packs (BEPs)
    Browser Exploit Pack
    ─ Interesting Tactics – A brief walkthrough
    ● JAVA SMB – One of the most effective exploits used in BH
      – Exploit downloads “new.avi” file for triggering exploitation
      – At present times, Java Array exploit is on fire.
    ● Interesting to see what this file does
      – Running the file in VLC player produces an error.
      – Can we change “new.avi” to “new.jar”? YES! We can.
        » Result is here.

23. Drive-by Frameworks

24. Drive-by Frameworks

25. Demonstration
26. Malware on the Cloud
    AWS Cloud Malware
    ─ Attackers are targeting AWS to host malware
    Unpacked

27. Malware on the Cloud
    AWS Cloud Malware
    ─ On reversing, package downloads the malware into “c:winsys” directory from another repository on the AWS
    ● Downloaded files are presented below
    Malicious files extracted from the package

28. Malware on the Cloud
    AWS Cloud Malware
    Sent an alert in the form of a tweet to Amazon.
    ─ Afterwards the malware was removed.
      – Some of the files were again packed with UPX packer
      – All the files were flagged as malicious
    Executables are flagged as malicious

29. Malvertisements
    Malvertisement
    ● Online malicious advertisements
    ● Content Delivery Networks (CDNs) are infected to trigger malvertising
      – Distributed attack
    Armorize's Blog - http://blog.armorize.com/2011/05/porn-sites-have-lots-of-trafficand.html
    Malvertisement Paper - http://www.slideshare.net/adityaks/malvertising-exploiting-web-advertising

30. Exploiting Social Networks
    Social Networks
    ● Attackers exploit the inherent design flaws in the social networks
    ● Used to spread malware at a large scale
    ─ LikeJacking (=~ ClickJacking)
    ● Used to add malicious links on a user's profile in Facebook
    ● LikeJacking collaboratively used with ClickJacking
    ● Efficient in spreading malware

31. Demonstration
32. Present-day Botnets – Information Stealing and Manipulation Tactics

33. Man-in-the-Browser (MitB)
    Subverting Browser Integrity
    ─ Exploits the victim system and the browser environment
    ● SSL / PKI does not stop the infections by MitB
    ● Two Factor / SSO authentication module does not stop it
    ● Concept of browser rootkits
    ● Implements Hooking
    ● Exploits online banking
    http://www.cronto.com/download/internet_banking_fraud_beyond_phishing.pdf

34. Web Injects – Infection on the Fly
    Web Injects
    ─ Injecting incoming request with malicious content
    ─ Primary aim is to inject credential stealing forms, JavaScripts and input tags
    ─ Concept of Third Generation Botnets (Give me your money)

35. Web Injects – Log Detection
    http://secniche.blogspot.com/2011/07/spyeye-zeus-web-injects-parameters-and.html

36. Web Injects – Action

37. Web Fakes
    Understanding Web Fakes
    ● Plugins used to spoof the content in browsers
    ● Supports both protocols HTTP/HTTPS
    ● Based on the concept of internal URL redirection
    ● All browsers are affected
    How?
    ─ Plugins use the defined metrics in the configuration file
    ● URL_MASK
    ● URL_REDIRECT
    ● FLAGS
    ● POST_BLACK_MASK
    ● POST_WHITE_MASK
    ● BLOCK_URL
    ● WEBFAKE_NAME
    ● UNBLOCK_URL

38. Web Fakes – Function Calls

39. Web Fakes – Real Example
40. Browsers - Form Grabbing
    Why?
    ─ Keylogging produces a plethora of data
    ─ Form grabbing – extracting data from the GET/POST requests
    ─ Based on the concept of hooking
    ─ Virtual Keyboards
    ● Implement the form grabbing functionality to send POST requests
    ● No real protection against malware

41. Browsers - Form Grabbing
    Facts and Reality
    ─ All the third generation botnets use this technique
    ─ Very hard to overcome the consequences
    ─ All browsers can be circumvented to execute non-legitimate hooks

42. Demonstration

43. Other Information Stealing Tactics
    Bot Plugin Architecture
    ─ Credit Card Grabber
    ─ Certificates Grabber
    ─ SOCKS 5 Backconnect
    ─ FTP Backconnect
    ─ RDP BackConnect
    ─ DDoS Plugins
    ─ Webcam Hijacker
    ─ Infecting Messengers (Spreaders)
    ─ And so on… depending on the design!

44. Questions!

45. Thanks
    HOPE Conference Crew
    ● http://www.hope.net
    SecNiche Security Labs
    ● http://www.secniche.org
    ● http://secniche.blogspot.com
    Contact Me
    ─ Email: adi_ks [at] secniche.org