Advancements in Botnet Attacks

Advancements in Botnet Attacks and Malware Distribution HOPE Conference, New York , July 2012 Aditya K Sood | Rohit Bansal | Richard J Enbody SecNiche Security | Department of Computer Science and Engineering Michigan State University

About Us Aditya K Sood ● PhD Candidate at Michigan State University – Working for iSEC Partners. – Active Speaker at Security conferences – LinkedIn - http ://www.linkedin.com/in/adityaks – Website: http://www.secniche.org | Blog: http://secniche.blogspot.com – Twitter: @AdityaKSood Rohit Bansal – Security Researcher, SecNiche Security Labs – Twitter: @0xrb Dr. Richard J Enbody ● Associate Professor, CSE, Michigan State University – Since 1987, teaching computer architecture/ computer security – Co-Author CS1 Python book, The Practice of Computing using Python. – Patents Pending – Hardware Buffer Overflow Protection 2

Agenda Malware Paradigm Browser Malware Taxonomy Present-day Malware Propagation Tactics Information Stealing Tactics Conclusion 3

FUD (Fear, Uncertainty & Doubt) FUD – FUD || ─ Three pillars of robust malware design 4

Malware Paradigm 5

The Reality of Internet ! 6

Browser Malware Taxonomy Class A – Browser Malware 7

Browser Malware Taxonomy Class B – Browser Malware 8

Browser Malware Taxonomy Class C – Browser Malware 9

Malware Lifecycle – Java Exploit Malware making a place into your system ─ Step 1: Vulnerability in high traffic website is exploited – To serve malware at large scale ─ Step 2: Detecting malicious iframe in the website ● Lets extract the iframe from the malicious website ● The iframe is pointing to some domain having applet.html. – Avoid running it in the browser. Fetch it directly using wget/curl 10

Malware Lifecycle – Java Exploit Malware making a place into your system ─ Step 3 : Detecting the malicious code ● So, there is Java applet with “param” variable holding an executable – Quick analysis of the executable can be seen here https://www.virustotal.com/file/5cb024356e6b391b367bc6a313da5b5f744d8a14ce c860502446aaa3e1b4566e/analysis/1330713741/ 11

Malware Lifecycle – Java Exploit Dissecting Malicious Java Applet – Let’s see what we have VBScript embedded in Java applet code 12

Implanting Malware (Bots)Present-day Propagation Tactics 13

Exploiting Web Hosting Data Centers | Web Hosting - Exploitation ─ Several websites are hosted on a single server sharing IP address – DNS names are mapped virtually to the same IP ● Vulnerability in one website can seriously compromise the server – Insecure file uploading functionality » Uploading remote management shells such c99 etc » Automated iframe injector embeds malicious iframe on all webpages » Making configuration changes such as redirecting users to malicious domains – Cookie replay attacks in hosting domain website » Authentication bypass : reading customer queries on the web based management panel » Extracting credentials directly by exploiting design flaws in hosting panels 14

Exploiting Web Hosting Data Centers Exploitation ─ Automated Iframe injector – cPanel Exploitation Automated iframer in action 15

Exploiting Web Hosting Remote shell in action 16

Infection through Glype Proxies Glype proxies ● Simple PHP scripts for anonymous surfing ● Hosted on legitimate domains and forcing users to surf through the proxy – Logging is enabled to fetch the information about users » A tactical way of exploiting the integrity of anonymous surfing ● Exploiting misconfigured proxies to deliver malware – Embedding Browser Exploit Packs (BEPs) with Glype proxies » Very effective and successful technique 17

Demonstration 18

Obfuscated Iframes 19

Browser Exploit Packs (BEPs) Browser Exploit Pack ─ BlackHole is running on fire ● Techniques – User-agent based fingerprinting – Plugin detector capability for scrutinizing the plugins – Serving exploit once per IP Address – Java exploits are used heavily for spreading infections – Support for other exploits such as PDF, Flash etc – BlackHole configuration Java version fingerprinting parameters 20

Browser Exploit Packs (BEPs) Browser Exploit Pack ─ Encoded exploit with PHP Ioncube 21

Browser Exploit Packs (BEPs) Browser Exploit Pack ─ Interesting Tactics – A brief walkthrough ● JAVA SMB – One of the most effective exploit used in BH – Exploit downloads “new.avi” file for triggering exploitation – At present times, Java Array exploit is on fire. ● Interesting to see what this file does – Running file in VLC player produces an error. – Can we change “new.avi” to “new.jar”? YES ! We can. » Result is here. 22

Drive-by Frameworks 23

Drive-by Frameworks 24

Demonstration 25

Malware on the Cloud AWS Cloud Malware ─ Attackers are targeting AWS to host malware Unpacked 26

Malware on the Cloud AWS Cloud Malware ─ On reversing, package downloads the malware into “c:winsys” directory from another repository on the AWS ● Downloaded files are presented below Malicious files extracted from the package 27

Malware on the Cloud AWS Cloud Malware Sent an alert in the form of tweet to Amazon. ─ Afterwards Malware was removed. – Some of the files were again packed with UPX packer – All the files were flagged as malicious Executables are f lagged as malicious 28

Malvertisements Malvertisement ● Online malicious advertisements ● Content Delivery Networks (CDNs) are infected to trigger malvertising – Distributed attack Armorize’s Blog - http://blog.armorize.com/2011/05/porn-sites-have-lots-of-trafficand.html Malvertisement Paper - http://www.slideshare.net/adityaks/malvertising-exploiting-web-advertising 29

Exploiting Social Networks Social Networks ● Attackers exploit the inherent design flaws in the social networks ● Use to spread malware at a large scale ─ LikeJacking (=~ClickJacking) ● Use to add malicious links on user’s profile in Facebook ● LikeJacking collaboratively used with ClickJacking ● Efficient in spreading malware 30

Demonstration 31

Present-day BotnetsInformation Stealing and Manipulation Tactics 32

Man-in-the-Browser (MitB) Subverting Browser Integrity ─ Exploits the victim system and the browser environment ● SSL / PKI does not stop the infections by MitB ● Two Factor/ SSO authentication module does not stop it ● Concept of browser rootkits ● Implements Hooking ● Exploits online bankinghttp://www.cronto.com/download/internet_banking_fraud_beyond_phishing.pdf 33

Web Injects – Infection on the Fly Web Injects ─ Injecting incoming request with malicious content ─ Primary aim is to inject credential stealing forms, JavaScripts and input tags ─ Concept of Third Generation Botnets ( Give me your money  ) 34

Web Injects – Log Detectionhttp://secniche.blogspot.com/2011/07/spyeye-zeus-web-injects-parameters-and.html 35

Web Injects – Action 36

Web Fakes Understanding Web Fakes ● Plugins used to spoof the content in browsers ● Supports both protocols HTTP/HTTPS ● Based on the concept of internal URL redirection ● All browsers are affected How ? ─ Plugins use the defined metrics in the configuration file ● URL_MASK ● URL_REDIRECT ● FLAGS ● POST_BLACK_MASK ● POST_WHITE_MASK ● BLOCK_URL ● WEBFAKE_NAME ● UNBLOCK_URL 37

Web Fakes – Function Calls 38

Web Fakes – Real Example 39

Browsers - Form Grabbing Why? ─ Keylogging produces plethora of data ─ Form grabbing – extracting data from the GET/POST requests ─ Based on the concept of hooking ─ Virtual Keyboards ● Implements the form grabbing functionality to send POST requests ● No real protection against malware 40

Browsers - Form Grabbing Facts and Reality ─ All the third generation botnets use this technique ─ Very hard to overcome the consequences ─ All browsers can be circumvented to execute non legitimate hooks 41

Demonstration 42

Other Information Stealing Tactics .. Bot Plugin Architecture ─ Credit Card Grabber ─ Certificates Grabber ─ SOCKS 5 Backconnect ─ FTP Backconnect ─ RDP BackConnect ─ DDoS Plugins ─ Webcam Hijacker ─ Infecting Messengers (Spreaders) ─ And so on…… depending on the design ! 43

Questions ! 44

Thanks HOPE Conference Crew ● http://www.hope.net SecNiche Security Labs ● http://www.secniche.org ● http://secniche.blogspot.com Contact Me ─ Email : adi_ks [at] secniche.org 45

http://secniche.blogspot.com	504
http://secniche.blogspot.in	58
http://secniche.blogspot.jp	27
http://secniche.blogspot.dk	26
http://secniche.blogspot.de	23
http://secniche.blogspot.co.il	22
http://secniche.blogspot.co.uk	19
http://secniche.blogspot.fr	18
http://secniche.blogspot.ro	16
http://secniche.blogspot.mx	16
http://secniche.blogspot.ca	15
http://secniche.blogspot.com.br	14
http://secniche.blogspot.com.es	13
http://secniche.blogspot.kr	12
http://secniche.blogspot.it	9
https://si0.twimg.com	7
http://secniche.blogspot.nl	7
http://secniche.blogspot.hk	5
http://tweetedtimes.com	5
http://secniche.blogspot.sg	4
http://secniche.blogspot.com.au	3
http://secniche.blogspot.be	3
http://secniche.blogspot.com.ar	3
http://secniche.blogspot.gr	3
http://www.secniche.blogspot.in	3
http://secniche.blogspot.no	3
http://secniche.blogspot.se	2
https://twimg0-a.akamaihd.net	2
http://www.techgig.com	2
http://feeds.feedburner.com	1
http://secniche.org	1
http://secniche.blogspot.ru	1
http://secniche.blogspot.tw	1
http://secniche.blogspot.fi	1
http://secniche.blogspot.ie	1
http://secniche.blogspot.co.at	1
http://webcache.googleusercontent.com	1
http://www.secniche.blogspot.com	1
http://www.hanrss.com	1
http://secniche.blogspot.ch	1
http://us-w1.rockmelt.com	1
http://www.netvibes.com	1
http://115.112.206.131	1

Advancements in Botnet Attacks

by Aditya K Sood on Jul 15, 2012

Accessibility

Categories

Upload Details

Usage Rights

43 Embeds 858

Statistics

Advancements in Botnet Attacks Presentation Transcript