Puppetnets: Misusing Web Browsers as a Distributed Attack Infrastructure

Paper by: V.T. Lam, S. Antonatos, P. Akritidis,
Conference: ACM Conference on Computer and Communications Security 2006
Presented by: Ramanarayanan Ramani
2. Embed malicious code in webpage
3. Clients access webpage and execute malicious code
Clients are the puppets: they can be controlled for as long as they have the webpage open in the browser.
Puppetnet vs Botnet
• Not heavily dependent on the exploitation of specific implementation flaws
• The attacker does not have complete control over the actions of the participating nodes
• Participation in puppetnets is more
• Attack Scenarios using
• Analysis of attack scenarios
• Defense against Puppetnets
• Paper Review
• Suggestions
DDoS (Distributed Denial of Service)
Sample Code:
    <script language='javascript'>
    // Pointing the hidden image at the victim makes every visiting browser issue a request to it
    function pingVictim() {
        var image1 = document.getElementById('img1');
        image1.src = "www.victim.com/badurl.jpg";
    }
    </script>
    <body> <img id='img1' /> </body>
Worm Propagation
• Embed worm code in the webpage
• Perform scanning and try to propagate the worm code
• If outbound traffic from the server is blocked, it can still propagate using the webpage
• A client behind NAT/firewall can propagate inside the secure network
Reconnaissance probes
Problem: browsers refuse access to the contents of an inline frame unless the source of the frame is in the same domain as the parent page
• "Sandwich" the probe request between two requests to the malicious web site
• Use onLoad, onError event handlers to sandwich the request
Protocols other than HTTP
Limitation of puppetnets: bound to use HTTP as part of the browser
Solution: protocol messages wrapped around the HTTP
    GET /index.html HTTP/1.1
    Host:
    HELO mydomain.com
    … (for SMTP)
Exploiting cookie authenticated
Constraints:
• The inline frame needs to be able to post cookies; this works on Firefox, but not IE
• Have knowledge about the structure and content of the form to be posted, as well as the target URL
• Able to instruct browsers to automatically post such forms (Supported by all
Distributed malicious computations
Can be done through JavaScript, ActiveX or Java
• ActiveX: produces an 'Accept' or 'Deny' box
• Applets: instantiate the JVM, but can be placed in hidden frames
• Script: slower but can be hidden
Example: MD5 computation
• JavaScript: 380 checksums/sec
• : 434K checksums/sec
A 1,000-node puppetnet can crack an MD5 hash as fast as a 128-node cluster
Analysis - DDoS
Two types of attacks:
• A simple attack aiming to maximize SYN packets (maxSYN)
• One aiming to maximize the ingress bandwidth consumed
* Estimate for a 1000-node puppetnet
Analysis – Worm Propagation
CodeRed Worm
CodeRed attacks IIS server (web server)
• A vulnerable population of 360,000 and a server scanning rate of 358 scans/min
• Browsers performing 36 scans/min
Analysis - Reconnaissance probes
Defense against Puppetnets
• Disabling JavaScript
• Careful implementation of existing
• Filtering using attack signatures
• Client-side behavioral controls
• Server-side controls and puppetnet tracing
• Server-directed client-side controls
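As an added illustration of the server-side controls and puppetnet tracing defense (example code added here, not code from the paper or these slides), the Python below runs over a constructed access-log sample and looks for the DDoS pattern shown in the sample code earlier: many distinct clients fetching the same resource while carrying the same third-party Referer, which points at the page hosting the puppet script. The log format, the hostnames and the client-count threshold are assumptions.

```python
import re
from urllib.parse import urlsplit
from collections import defaultdict

# Constructed access-log sample (Common Log Format plus Referer); not real traffic.
SAMPLE_LOG = """\
203.0.113.10 - - [10/Oct/2006:13:55:36 +0000] "GET /badurl.jpg HTTP/1.1" 404 312 "http://puppet-host.example/page.html"
203.0.113.11 - - [10/Oct/2006:13:55:36 +0000] "GET /badurl.jpg HTTP/1.1" 404 312 "http://puppet-host.example/page.html"
198.51.100.7 - - [10/Oct/2006:13:55:37 +0000] "GET /badurl.jpg HTTP/1.1" 404 312 "http://puppet-host.example/page.html"
198.51.100.8 - - [10/Oct/2006:13:55:37 +0000] "GET /badurl.jpg HTTP/1.1" 404 312 "http://puppet-host.example/page.html"
192.0.2.5 - - [10/Oct/2006:13:55:38 +0000] "GET /index.html HTTP/1.1" 200 5120 "-"
192.0.2.6 - - [10/Oct/2006:13:55:39 +0000] "GET /logo.png HTTP/1.1" 200 2048 "http://www.victim.example/index.html"
"""

# Captures client address, method, path, status code and the quoted Referer field.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)"')

def parse_line(line):
    """Parse one access-log line; returns None for lines that do not match."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ip, method, path, status, referer = m.groups()
    return {"ip": ip, "method": method, "path": path,
            "status": int(status), "referer": referer}

def find_puppet_referers(log_text, own_hosts, min_clients=3):
    """Group requests by third-party Referer and report each one carried by at
    least min_clients distinct client addresses, with the paths requested and
    the number of error responses (the 404s a bogus image URL produces).
    Caveat: Referer is browser-supplied and may be absent, so a hit is a lead
    for tracing the hosting page, not proof on its own."""
    clients, paths, errors = defaultdict(set), defaultdict(set), defaultdict(int)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["referer"] in ("", "-"):
            continue
        # Requests referred from our own pages are ordinary embedded resources.
        if urlsplit(rec["referer"]).hostname in own_hosts:
            continue
        clients[rec["referer"]].add(rec["ip"])
        paths[rec["referer"]].add(rec["path"])
        if rec["status"] >= 400:
            errors[rec["referer"]] += 1
    return {ref: {"clients": len(ips), "paths": sorted(paths[ref]), "errors": errors[ref]}
            for ref, ips in clients.items() if len(ips) >= min_clients}

if __name__ == "__main__":
    for ref, info in find_puppet_referers(SAMPLE_LOG, {"www.victim.example"}).items():
        print(f"suspect puppet page {ref}: {info['clients']} clients, "
              f"{info['errors']} error responses, paths {info['paths']}")
```

A server that confirms such a page can refuse or rate-limit requests carrying that Referer while the hosting site is notified, which is one form the slide's server-side control can take.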
Paper Review
• Simple and very effective to attack
• Light-weight compared to botnet
• Uses HTTP, which makes detection difficult
• No complete control over client
• Tough to compromise web servers (not explained how to do it in the paper)
• View Source command on HTML page will reveal puppetnet code
Suggestions
• Look into hiding code using encoding or embedding code into objects like Flash
• Use puppetnet to create botnet in the client machine
• Provide ideas to compromise the web