Advancements in Botnet Attacks and Malware Distribution

Size: px

Start display at page:

Download "Advancements in Botnet Attacks and Malware Distribution"

Cassandra Montgomery
8 years ago
Views:

1 Advancements in Botnet Attacks and Malware Distribution HOPE Conference, New York, July 2012 Aditya K Sood Rohit Bansal Richard J Enbody SecNiche Security Department of Computer Science and Engineering Michigan State University

2 Aditya K Sood About Us PhD Candidate at Michigan State University Rohit Bansal Working for isec Partners. Active Speaker at Security conferences LinkedIn - http :// Website: Blog: Security Researcher, SecNiche Security Labs Dr. Richard J Enbody Associate Professor, CSE, Michigan State University Since 1987, teaching computer architecture/ computer security Co-Author CS1 Python book, The Practice of Computing using Python. Patents Pending Hardware Buffer Overflow Protection 2

3 Agenda Malware Paradigm Browser Malware Taxonomy Present-day Malware Propagation Tactics Information Stealing Tactics Conclusion 3

4 FUD (Fear, Uncertainty & Doubt) FUD FUD Three pillars of robust malware design 4

5 Malware Paradigm 5

6 The Reality of Internet! 6

7 Browser Malware Taxonomy Class A Browser Malware 7

8 Browser Malware Taxonomy Class B Browser Malware 8

9 Browser Malware Taxonomy Class C Browser Malware 9

10 Malware Lifecycle Java Exploit Malware making a place into your system Step 1: Vulnerability in high traffic website is exploited To serve malware at large scale Step 2: Detecting malicious iframe in the website Lets extract the iframe from the malicious website The iframe is pointing to some domain having applet.html. Avoid running it in the browser. Fetch it directly using wget/curl 10

11 Malware Lifecycle Java Exploit Malware making a place into your system Step 3 : Detecting the malicious code So, there is Java applet with param variable holding an executable Quick analysis of the executable can be seen here c aaa3e1b4566e/analysis/ / 11

12 Malware Lifecycle Java Exploit Dissecting Malicious Java Applet Let s see what we have VBScript embedded in Java applet code 12

13 Implanting Malware (Bots) Present-day Propagation Tactics 13

14 Exploiting Web Hosting Data Centers Web Hosting - Exploitation Several websites are hosted on a single server sharing IP address DNS names are mapped virtually to the same IP Vulnerability in one website can seriously compromise the server Insecure file uploading functionality» Uploading remote management shells such c99 etc» Automated iframe injector embeds malicious iframe on all webpages» Making configuration changes such as redirecting users to malicious domains Cookie replay attacks in hosting domain website» Authentication bypass : reading customer queries on the web based management panel» Extracting credentials directly by exploiting design flaws in hosting panels 14

15 Data Centers Exploitation Exploiting Web Hosting Automated Iframe injector cpanel Exploitation Automated iframer in action 15

16 Exploiting Web Hosting Remote shell in action 16

A tactical way of exploiting the integrity of anonymous surfing Exploiting misconfigured proxies to deliver

17 Infection through Glype Proxies Glype proxies Simple PHP scripts for anonymous surfing Hosted on legitimate domains and forcing users to surf through the proxy Logging is enabled to fetch the information about users» A tactical way of exploiting the integrity of anonymous surfing Exploiting misconfigured proxies to deliver malware Embedding Browser Exploit Packs (BEPs) with Glype proxies» Very effective and successful technique 17

18 Demonstration 18

19 Obfuscated Iframes 19

20 Browser Exploit Packs (BEPs) Browser Exploit Pack BlackHole is running on fire Techniques User-agent based fingerprinting Plugin detector capability for scrutinizing the plugins Serving exploit once per IP Address Java exploits are used heavily for spreading infections Support for other exploits such as PDF, Flash etc BlackHole configuration parameters Java version fingerprinting 20

21 Browser Exploit Packs (BEPs) Browser Exploit Pack Encoded exploit with PHP Ioncube 21

Browser Exploit Packs (BEPs) Browser Exploit Pack Interesting Tactics A brief walkthrough JAVA SMB One of the most effective exploit used in BH Exploit downloads new.

22 Browser Exploit Packs (BEPs) Browser Exploit Pack Interesting Tactics A brief walkthrough JAVA SMB One of the most effective exploit used in BH Exploit downloads new.avi file for triggering exploitation At present times, Java Array exploit is on fire. Interesting to see what this file does Running file in VLC player produces an error. Can we change new.avi to new.jar? YES! We can.» Result is here. 22

23 Drive-by Frameworks 23

24 Drive-by Frameworks 24

25 Demonstration 25

26 AWS Cloud Malware Malware on the Cloud Attackers are targeting AWS to host malware Unpacked 26

27 AWS Cloud Malware Malware on the Cloud On reversing, package downloads the malware into c:\winsys directory from another repository on the AWS Downloaded files are presented below Malicious files extracted from the package 27

28 AWS Cloud Malware Afterwards Malware on the Cloud Some of the files were again packed with UPX packer All the files were flagged as malicious Sent an alert in the form of tweet to Amazon. Malware was removed. Executables are f lagged as malicious 28

29 Malvertisement Malvertisements Online malicious advertisements Content Delivery Networks (CDNs) are infected to trigger malvertising Distributed attack Armorize s Blog - Malvertisement Paper

30 Social Networks Exploiting Social Networks Attackers exploit the inherent design flaws in the social networks Use to spread malware at a large scale LikeJacking (=~ClickJacking) Use to add malicious links on user s profile in Facebook LikeJacking collaboratively used with ClickJacking Efficient in spreading malware 30

31 Demonstration 31

32 Present-day Botnets Information Stealing and Manipulation Tactics 32

authentication module does not stop it Concept of browser rootkits Implements Hooking

33 Man-in-the-Browser (MitB) Subverting Browser Integrity Exploits the victim system and the browser environment SSL / PKI does not stop the infections by MitB Two Factor/ SSO authentication module does not stop it Concept of browser rootkits Implements Hooking Exploits online banking 33

34 Web Injects Infection on the Fly Web Injects Injecting incoming request with malicious content Primary aim is to inject credential stealing forms, JavaScripts and input tags Concept of Third Generation Botnets ( Give me your money ) 34

35 Web Injects Log Detection 35

36 Web Injects Action 36

37 Understanding Web Fakes How? Web Fakes Plugins used to spoof the content in browsers Supports both protocols HTTP/HTTPS Based on the concept of internal URL redirection All browsers are affected Plugins use the defined metrics in the configuration file URL_MASK URL_REDIRECT FLAGS POST_BLACK_MASK POST_WHITE_MASK BLOCK_URL WEBFAKE_NAME UNBLOCK_URL 37

38 Web Fakes Function Calls 38

39 Web Fakes Real Example 39

40 Why? Browsers - Form Grabbing Keylogging produces plethora of data Form grabbing extracting data from the GET/POST requests Based on the concept of hooking Virtual Keyboards Implements the form grabbing functionality to send POST requests No real protection against malware 40

41 Facts and Reality Browsers - Form Grabbing All the third generation botnets use this technique Very hard to overcome the consequences All browsers can be circumvented to execute non legitimate hooks 41

42 Demonstration 42

43 Other Information Stealing Tactics.. Bot Plugin Architecture Credit Card Grabber Certificates Grabber SOCKS 5 Backconnect FTP Backconnect RDP BackConnect DDoS Plugins Webcam Hijacker Infecting Messengers (Spreaders) And so on depending on the design! 43

44 Questions! 44

45 HOPE Conference Crew Thanks SecNiche Security Labs Contact Me adi_ks [at] secniche.org 45

Botnets Die Hard Owned and Operated

Botnets Die Hard Owned and Operated,,, Las Vegas, 2012 Aditya K Sood Richard J Enbody SecNiche Security Department of Computer Science and Engineering Michigan State University Aditya K Sood About Us PhD