Puppetnets: Misusing Web Browsers as a Distributed Attack Infrastructure
Paper by: V.T.Lam, S.Antonatos, P.Akritidis, K.G.Anagnostakis
Conference: ACM Conference on Computer and Communications Security 2006
Presented by: Ramanarayanan Ramani
Scenario
Attacker
1. Compromise
2. Embed malicious code in webpage
3. Clients access webpage and execute malicious code
Clients are the puppets: they can be controlled as long as they have the webpage open in the browser.
Puppetnet vs Botnet
Not heavily dependent on the exploitation of specific implementation flaws
The attacker does not have complete control over the actions of the participating nodes
Participation in puppetnets is more dynamic
Overview
Attack scenarios using Puppetnet
Analysis of attack scenarios
Defense against Puppetnets
Paper Review
Suggestions
DDoS (Distributed Denial of Service)
Sample code:
<script language='javascript'>
// Re-request an image from the victim site once per second while the page stays open.
setTimeout(pingVictim, 1000);
function pingVictim()
{
  var image1 = document.getElementById('img1');
  image1.src = "http://www.victim.com/badurl.jpg";
  setTimeout(pingVictim, 1000);
}
</script>
<body> <img id='img1' /> </body>
Worm Propagation
Embed worm code in the webpage
Perform scanning and try to propagate the worm code
If outbound traffic from the server is blocked, the worm can still propagate using the webpage
A client behind NAT or a firewall can propagate the worm inside the secure network
Reconnaissance probes
Problem: Browsers refuse access to the contents of an inline frame unless the source of the frame is in the same domain as the parent page
“Sandwich” the probe request between two requests to the malicious Web site
Use onLoad and onError event handlers to sandwich the request
Protocols other than HTTP
Limitation of puppetnets: bound to use HTTP, as part of the browser
Solution:
Tunnel SMTP/IRC/FTP...
Protocol messages are wrapped inside the HTTP message
GET /index.html HTTP/1.1
Host: www.example.com:25
HELO mydomain.com
… (for SMTP)
Exploiting cookie-authenticated services
Constraints:
The inline frame needs to be able to post cookies; this works on Firefox, but not IE
Have knowledge about the structure and content of the form to be posted, as well as the target URL
Able to instruct browsers to automatically post such forms (supported by all browsers)
Distributed malicious computations
Can be done through JavaScript, ActiveX or Java applets
ActiveX: produces an ‘Accept’ or ‘Deny’ box
Applets: instantiate a JVM, but can be placed in hidden frames
Script: slower but can be hidden
Example: MD5 computation
JavaScript: 380 checksums/sec
Applet: 434K checksums/sec
A 1,000-node puppetnet can crack an MD5 hash as fast as a 128-node cluster
Analysis - DDoS
Two types of attacks:
• A simple attack aiming to maximize SYN packets (maxSYN)
• One aiming to maximize the ingress bandwidth consumed (maxURL)
* Estimate for a 1000-node puppetnet
Analysis – Worm Propagation
CodeRed Worm
CodeRed attacks the IIS server (web server)
• A vulnerable population of 360,000 and a server scanning rate of 358 scans/min
• Browsers performing 36 scans/min
Analysis - Reconnaissance probes
Defense
Disabling Javascript
Careful implementation of existing defenses
Filtering using attack signatures
Client-side behavioral controls
Server-side controls and puppetnet tracing
Server-directed client-side controls
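An added example (not from the paper or the slides) of the server-side tracing idea: puppet browsers request the victim URL from inside the compromised page, so grouping the victim's access log by Referer host points back at the page driving the traffic. The log lines, host names and thresholds are constructed assumptions.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample in Apache "combined" format (illustrative, not from the paper).
SAMPLE_LOG = """\
198.51.100.7 - - [10/Oct/2006:13:55:01 +0000] "GET /badurl.jpg HTTP/1.1" 404 209 "http://forum.example.net/thread/42" "Mozilla/5.0"
198.51.100.7 - - [10/Oct/2006:13:55:02 +0000] "GET /badurl.jpg HTTP/1.1" 404 209 "http://forum.example.net/thread/42" "Mozilla/5.0"
203.0.113.20 - - [10/Oct/2006:13:55:02 +0000] "GET /badurl.jpg HTTP/1.1" 404 209 "http://forum.example.net/thread/42" "Mozilla/4.0"
203.0.113.99 - - [10/Oct/2006:13:55:03 +0000] "GET /badurl.jpg HTTP/1.1" 404 209 "http://forum.example.net/" "Mozilla/5.0"
192.0.2.55 - - [10/Oct/2006:13:55:03 +0000] "GET /badurl.jpg HTTP/1.1" 404 209 "http://forum.example.net/thread/7" "Opera/9.0"
192.0.2.80 - - [10/Oct/2006:13:55:04 +0000] "GET /products.html HTTP/1.1" 200 5120 "http://blog.example.org/review" "Mozilla/5.0"
192.0.2.80 - - [10/Oct/2006:13:55:05 +0000] "GET /logo.png HTTP/1.1" 200 880 "http://www.victim.example/products.html" "Mozilla/5.0"
192.0.2.81 - - [10/Oct/2006:13:55:06 +0000] "GET / HTTP/1.1" 200 3100 "-" "Mozilla/5.0"
"""

LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "[^"]*"$')

def trace_puppetnet_referers(log_text, own_host, min_clients=3, min_error_ratio=0.8):
    """Return third-party Referer hosts that send many distinct clients to error responses.

    min_clients and min_error_ratio are assumed thresholds; tune them per site.
    """
    stats = defaultdict(lambda: {"clients": set(), "hits": 0, "errors": 0})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        host = urlsplit(m["referer"]).hostname
        if not host or host == own_host:
            continue  # no Referer ("-") or a same-site navigation
        entry = stats[host]
        entry["clients"].add(m["ip"])
        entry["hits"] += 1
        entry["errors"] += m["status"].startswith("4")
    suspects = {}
    for host, entry in stats.items():
        ratio = entry["errors"] / entry["hits"]
        if len(entry["clients"]) >= min_clients and ratio >= min_error_ratio:
            suspects[host] = {"clients": len(entry["clients"]),
                              "hits": entry["hits"], "error_ratio": ratio}
    return suspects

if __name__ == "__main__":
    print(trace_puppetnet_referers(SAMPLE_LOG, "www.victim.example"))
```

The Referer header is supplied by the client and can be missing, so an empty result does not rule out a puppetnet.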
Advantages
Simple and very effective to attack
Light-weight compared to botnet
Uses HTTP which makes detection difficult
Disadvantages
No complete control over the client
Tough to compromise web servers (the paper does not explain how to do it)
The View Source command on the HTML page will reveal the puppetnet code
Suggestions
Look into hiding code using encoding or embed code into objects like Flash
Use puppetnet to create botnet in the client machine
Provide ideas to compromise the web server
Questions?