Master of Web Puppets: Abusing Web Browsers for Persistent and Stealthy Computation
Panagiotis Ilia, Michalis Polychronakis, Evangelos Markatos, Sotiris Ioannidis, Giorgos Vasiliadis
Panagiotis Papadopoulos
Our paper in 1 slide
● We show that malicious JS execution is no longer constrained to the
lifetime of the browser window or tab
● We show that features of HTML5 API can be used for malicious purposes
● We present and implement MarioNet: a multi-attack framework
○ persistent and stealthy bot operation through web browsers
(e.g., DDoS, crypto-jacking, malicious file hosting and sharing).
○ malicious activity is not attached to any browsing session and thus withstands tab
crash/closing.
Now you are free to go
back to your emails!
Panagiotis Papadopoulos ~ panpap@csd.uoc.gr
Nowadays...
● increasing reliance on the web
● sophisticated web browsing software
● an integrated operating system for web applications
● abundance of JS APIs and sensors (e.g., gyroscope, location, battery status)
● publishers transfer parts of their critical computations to the user side
(minimizes latency, better user experience and usability, scalability of the service)
Nowadays...
● malicious code running in the browser (e.g., cryptojacking)
● users remain oblivious to the performed operations
● publishers are by default trusted to run any JS code on the user side
without restrictions (even code from third parties)
● publishers transfer parts of their critical computations to the user side
(minimizes latency, better user experience and usability, scalability of the service)
Threat Model
Publishers can infect users:
● Intentionally:
○ malicious or “shady” website serves directly the malicious payload to visitors
● Unintentionally:
○ hijacked/compromised website
○ website that includes a third party library which becomes compromised
○ malicious third-party content that is dynamically loaded in iframes*
(e.g., through real-time ad auctions)
* Browser as Botnet, or the Coming War on Your Web Browser
https://medium.com/@brannondorsey/browser-as-botnet-or-the-coming-war-on-your-web-browser-be920c4f718
On the bright side...
malicious JS execution is constrained chronologically to the
lifetime of the browser window or tab
This is not the case nowadays...
To demonstrate this, we present MarioNet.
MarioNet
● a system that enables a remote attacker to control
users’ browsers and hijack device resources
● infected browser joins a centrally orchestrated botnet which can
launch a wide variety of distributed attacks
● persistent and stealthy: attackers retain control of the victim’s browser
even after the user browses away from the website
● leverages only off-the-shelf technologies provided by HTML5
MarioNet: Basic ingredients
● Service Worker:
○ non-blocking (i.e., fully asynchronous) module
○ resides between the webpage and the publisher’s web server
○ once registered and activated, runs in a separate thread in the background (no DOM access)
○ can intercept and handle network requests
(e.g., is used for programmatically managing the caching of responses)
● WebSocket:
○ persistent full-duplex communication channel over a single TCP connection.
● Depending on the attack scenario:
○ WebRTC, high-resolution performance timers, Cross-Origin Resource Sharing (CORS)
MarioNet: Key roles
1. Distributor:
○ a website under the attacker’s control that delivers the Servant component to users,
along with the regular content of the webpage
2. Servant:
○ the in-browser component embedded in a Service Worker
○ runs in a separate process: continues to operate even after its parent tab closes
○ establishes a connection with Puppeteer for heartbeats and receiving malicious tasks
3. Puppeteer:
○ the remote C&C component that sends tasks to the Servant to be executed
○ sets the attack’s target, orchestrates the botnet
MarioNet: Overview
[overview figure; the only label recoverable from the extracted slide is "Servant"]
Basic Characteristics
1. Isolation:
○ MarioNet's operations are independent from the browsing session's thread/process
○ heavyweight malicious computations cannot affect tab's functionality
2. Persistence:
○ MarioNet’s operations are detached from any ephemeral browser tabs
○ browser remains under attacker’s control for longer than a website visit (<1 min*)
3. Stealthiness:
○ the Servant-Puppeteer communication channel is not detectable by browser extensions**
○ operations are throttled based on the system's resource utilization (not detectable by the user)
*How long do users stay on web pages? https://www.nngroup.com/articles/how-long-do-users-stay-on-web-pages/
** Bashir et al., How Tracking Companies Circumvented Ad Blockers Using WebSockets
Attack Scenarios
After infection, Puppeteer can instruct
infected browsers to perform attacks such as:
a) DDoS
b) cryptocurrency mining
c) distributed password cracking
d) illicit file hosting or anonymized
communications
[figure: (a) Puppeteer tells the Botnet "do: visit Target", and the infected browsers visit the Target;
(b) Puppeteer tells the Botnet "do: compute", and the Botnet returns the result]
Performance Evaluation
● Abuse of network resources: DDoS
Rate of asynchronous outgoing HTTP requests for different browsers and network
connections in the DDoS attack scenario. An orchestrated DDoS attack in MarioNet
can achieve rates of up to 1632 reqs/sec per infected device.
● Abuse of computation power: distributed 10-digit password cracking
Cracking speed of different browsers in the distributed password-cracking scenario.
A single infected browser can brute-force around 500K MD5 hashes/sec
or 300K SHA-256 hashes/sec.
Countermeasures
● Restricting or Disabling Service Workers:
○ breaks important functionality of apps like Google Docs, Gmail, LinkedIn and the WhatsApp web client
(e.g., periodic background synchronization, push notifications, caching, message relaying
across pages, offline fallback, user-side load balancing)
● Whitelists/Blacklists:
○ Service Workers are blocked unless the domain of origin is whitelisted
● Click to Activate:
○ require the user’s permission before registering a service worker (as with Push Notifications)
● Host-based approaches:
○ Signature-based Detection
○ Behavioral Analysis and Anomaly Detection
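The whitelist countermeasure above can be expressed as a policy check over service-worker registrations. The code below is an added example, not code from the MarioNet paper or its authors: it keeps a registration only when its worker script URL is on an explicit allowlist and schedules everything else for unregistration. The `{ scope, scriptURL }` summary shape, the `example.test` hosts and the allowlist values are assumptions made for the example. `auditRegistrations()` is pure and runs under Node; `enforceAllowlist()` is the browser-side hook and is guarded so the file also loads where `navigator` does not exist.

```javascript
// Added example (not from the MarioNet paper): allowlist audit of service-worker
// registrations. A registration summary is { scope, scriptURL }, mirroring
// ServiceWorkerRegistration.scope and the scriptURL of its worker.

function auditRegistrations(registrations, allowedScriptURLs) {
  // Normalise through URL so "https://a.test:443/sw.js" equals "https://a.test/sw.js".
  const allowed = new Set(allowedScriptURLs.map(u => new URL(u).href));
  const keep = [];
  const revoke = [];
  for (const reg of registrations) {
    let reason = null;
    if (!reg.scriptURL) {
      // No worker script is visible: treat an unknown registration as untrusted.
      reason = 'no worker script visible for this registration';
    } else if (!allowed.has(new URL(reg.scriptURL).href)) {
      reason = `worker script ${reg.scriptURL} is not on the allowlist`;
    }
    (reason ? revoke : keep).push({ scope: reg.scope, scriptURL: reg.scriptURL, reason });
  }
  return { keep, revoke };
}

// Browser-only hook. navigator.serviceWorker.getRegistrations() returns only the
// calling page's own origin, so this is a site operator's cleanup step (e.g. after
// a compromise planted an unexpected worker); a browser-wide allowlist would call
// auditRegistrations() from browser or extension code instead (assumption).
async function enforceAllowlist(allowedScriptURLs) {
  if (typeof navigator === 'undefined' || !navigator.serviceWorker) return null;
  const live = await navigator.serviceWorker.getRegistrations();
  const summaries = live.map(r => ({
    scope: r.scope,
    scriptURL: (r.active || r.waiting || r.installing || {}).scriptURL,
  }));
  const { revoke } = auditRegistrations(summaries, allowedScriptURLs);
  const revokedScopes = new Set(revoke.map(v => v.scope));
  for (const r of live) {
    if (revokedScopes.has(r.scope)) await r.unregister();
  }
  return revoke;
}

// Constructed sample: one expected worker, one unexpected worker under a sub-scope.
const SAMPLE_REGISTRATIONS = [
  { scope: 'https://example.test/', scriptURL: 'https://example.test/sw.js' },
  { scope: 'https://example.test/app/', scriptURL: 'https://example.test/app/worker.js' },
];
const SAMPLE_ALLOWLIST = ['https://example.test:443/sw.js'];

function runSample() {
  return auditRegistrations(SAMPLE_REGISTRATIONS, SAMPLE_ALLOWLIST);
}
```

Unregistering a worker removes its ability to run in the background, but a page that still embeds the registering script will simply re-register it on the next visit; the audit is therefore a detection and cleanup aid, and the page-side cause has to be removed as well.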
Conclusion
● Malicious code execution is not constrained to the lifetime of the browser session
● We present MarioNet:
○ Ingredients: Service Workers, WebRTC, WebSockets, CORS
○ a multi-attack framework
○ allows persistent and stealthy bot operation through web browsers
○ Malicious payload is not attached to any browsing session
and thus withstands tab crash/closing.
● We launch and evaluate various possible attack scenarios on top of MarioNet:
(e.g., DDoS, Distributed password cracking, cryptomining)
Backup Slides
Detectability of MarioNet
1. Not detectable by browser extensions:
○ the only request that reveals the existence of a Service Worker is the initial GET request upon
first visit, before the SW gets registered
○ at that point no malicious tasks have been sent yet by Puppeteer
○ upon registration the Servant establishes a WebSocket channel with Puppeteer that extensions
cannot monitor**
○ verified using (i) Chrome’s default DevTools, (ii) the Tamper Chrome HTTP capturing extension,
(iii) WebSniffer and (iv) HTTP Spy
2. Not detectable by the user:
○ MarioNet monitors the device’s state in real time and adjusts its resource utilization accordingly
(e.g., CPU utilization, battery status), throttling or pausing execution
** Bashir et al., How Tracking Companies Circumvented Ad Blockers Using WebSockets
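The slide lists what is observable: the one-off fetch of the worker script, the WebSocket channel opened afterwards, and (from the evaluation slide) a high outbound request rate. Those traces are invisible to in-browser extensions but not to a network vantage point such as a proxy log. The following detector is an added example, not from the MarioNet paper or its authors; the log format (`<epoch_ms> <client_ip> <method> <url> [header=value ...]`), the hosts and the sample lines are constructed for the example. Browsers do send the request header `Service-Worker: script` when fetching a service-worker script, which is what the first check keys on.

```javascript
// Added example (not from the MarioNet paper): proxy-log detector for the three
// traces a browser-based bot leaves on the wire. All input below is constructed.

function buildSampleLog() {
  const t0 = 1700000000000;   // constructed epoch-ms base
  const lines = [
    // benign client: a mail app's own worker from an allowlisted host, light traffic
    `${t0} 10.0.0.9 GET https://mail.example.test/sw.js service-worker=script`,
    `${t0 + 300} 10.0.0.9 GET https://mail.example.test/inbox`,
    `${t0 + 900} 10.0.0.9 GET https://mail.example.test/api/sync`,
    // suspect client: worker script from an unexpected host, then a WebSocket to it
    `${t0 + 50} 10.0.0.5 GET https://sw-origin.test/sw.js service-worker=script`,
    `${t0 + 400} 10.0.0.5 GET https://sw-origin.test/ws upgrade=websocket connection=Upgrade`,
  ];
  // ...followed by 150 requests to one third-party host inside 750 ms
  for (let i = 0; i < 150; i++) {
    lines.push(`${t0 + 2000 + i * 5} 10.0.0.5 GET https://target.test/?r=${i}`);
  }
  return lines.join('\n');
}

function parseLine(line) {
  const [ts, client, method, url, ...rest] = line.trim().split(/\s+/);
  const headers = {};
  for (const kv of rest) {
    const i = kv.indexOf('=');
    headers[kv.slice(0, i).toLowerCase()] = kv.slice(i + 1);
  }
  return { ts: Number(ts), client, method, url, host: new URL(url).host, headers };
}

// Returns a list of findings: sw-script-fetch, websocket-after-sw, request-burst.
function detect(logText, { allowedSwHosts = [], rateThreshold = 100, windowMs = 1000 } = {}) {
  const events = logText.split('\n').filter(Boolean).map(parseLine)
    .sort((a, b) => a.ts - b.ts);
  const findings = [];
  const suspectSwHosts = new Map();   // client -> hosts that served an unexpected worker script
  const perClient = new Map();        // client -> timestamps in ascending order
  for (const e of events) {
    // Trace 1: a service-worker script fetch from a host not on the allowlist.
    if (e.headers['service-worker'] === 'script' && !allowedSwHosts.includes(e.host)) {
      findings.push({ type: 'sw-script-fetch', client: e.client, host: e.host, ts: e.ts });
      if (!suspectSwHosts.has(e.client)) suspectSwHosts.set(e.client, new Set());
      suspectSwHosts.get(e.client).add(e.host);
    }
    // Trace 2: a WebSocket upgrade to a host that earlier served that client a suspect worker.
    if ((e.headers.upgrade || '').toLowerCase() === 'websocket' &&
        suspectSwHosts.get(e.client)?.has(e.host)) {
      findings.push({ type: 'websocket-after-sw', client: e.client, host: e.host, ts: e.ts });
    }
    if (!perClient.has(e.client)) perClient.set(e.client, []);
    perClient.get(e.client).push(e.ts);
  }
  // Trace 3: peak number of requests from one client inside any windowMs-wide window.
  for (const [client, stamps] of perClient) {
    let peak = 0;
    let j = 0;
    for (let i = 0; i < stamps.length; i++) {
      while (stamps[i] - stamps[j] > windowMs) j++;
      peak = Math.max(peak, i - j + 1);
    }
    if (peak > rateThreshold) findings.push({ type: 'request-burst', client, peak, windowMs });
  }
  return findings;
}

function runSample() {
  return detect(buildSampleLog(), { allowedSwHosts: ['mail.example.test'], rateThreshold: 100 });
}
```

The allowlist of worker-script hosts is the same policy idea as the whitelist countermeasure, applied at the network rather than in the browser; the rate threshold is a placeholder that a real deployment would tune to its own baseline, since legitimate single-page apps also issue bursts of background requests.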
Characteristics of various APIs of interest
Four axes related to the efficiency of a distributed botnet:
1. the execution model (i.e., whether it can run in parallel to the main webpage or in the background)
2. if direct network access is possible
3. the ability to use persistent storage, and
4. the ability to access the DOM of the webpage.
Need more persistence?
● Persistence across Browser Reboots
○ MarioNet runs in the background as long as the browser is open
○ After browser shutdown: the victim has to re-visit the malicious domain to re-activate the
service worker and allow the Servant to continue its operation
○ BUT by abusing HTML5's Push API:
Puppeteer can periodically probe Servants and re-activate them after a browser reboot
○ the Push Notifications feature requires user permission
○ social engineering is easy using custom permission-requesting popups
MarioNet Vs Traditional Botnets
MarioNet:
● does not exploit any implementation flaw on the victim’s system and does not
require the installation of any software.
● leverages only standard JS capabilities of existing HTML5, compatible
with the vast majority of both desktop and mobile browsers.
● remains operational even after the user browses away from the malicious
webpage
Threat Model (detailed)
● websites that deliver malicious content intentionally,
○ to gain profit by infecting as many user browsers as possible to carry out distributed
(malicious) computations or mount large-scale attacks.
● websites that host such malicious content unintentionally:
○ the website registers a benign service worker that includes untrusted dynamic third-party
scripts, which in turn possibly load malicious code;
○ the website includes third-party libraries, one of which can turn rogue or be compromised, and
then divert the user to a new tab (e.g., using popunders or clickjacking) where it can register
its own service worker bound to a third-party domain;
○ the website is compromised and attackers plant their malicious JavaScript code directly into
the page, thus registering their malicious service worker;
○ the website includes iframes with dynamic content, which are typically auctioned in real time
and loaded with content from third parties.