SlideShare uma empresa Scribd logo

BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in the Ghost Shell)

Aditya K Sood
Aditya K Sood
Tecnologia
1 de 43
Botnets and Browsers Brothers in the Ghost Shell BruCon Security/Hacking Conference Brussels . 19-20 September, 2011 Aditya K Sood (Security Practitioner) SecNiche Security | Department of Computer Science and Engineering Michigan State University
Whoami !  Aditya K Sood ─ Founder , SecNiche Security Labs ● Independent Security Consultant, Researcher and Practitioner ● Worked previously for Armorize, Coseinc and KPMG ● Active Speaker at Security conferences ● Written Content – Virus Bulletin/ ISSA/ISACA/CrossTalk/HITB/Hakin9/Elsevier NESE|CFS ● LinkedIn : http://www.linkedin.com/in/adityaks ● Website: http://www.secniche.org | Blog: http://secniche.blogspot.com ─ PhD Candidate at Michigan State University ● http://www.cse.msu.edu/~soodadit 2
Overview and Disclaimer  Benchmark ─ This talk discusses about the infection model of browsers and bots ─ Botnets have many capabilities. Our target is only browsers and bots. ● Mainly exploitation of browsers. ─ This talk is not about simple botnet commands. Sorry ! ─ Scope is third generation botnets and browser manipulation ─ This research relates to my own efforts and does not provide the view of any of my employers. 3
Agenda  Walking through the Agenda ─ Browser Malware Taxonomy ─ Bots & Browsers – Collaborative Design ─ Bots & Browsers – Exploitation Paradigm ─ Browser/ Bot – Web Injects & Web Fakes ─ Conclusion 4
World Wide Web - Problem 5
# Browser Malware Taxonomy # 6
Browser Malware Taxonomy  Class A – Browser Malware http://www.virusbtn.com/virusbulletin/archive/2011/06/vb201106-browser-malware-taxonomy 7
Browser Malware Taxonomy  Class B – Browser Malware http://www.virusbtn.com/virusbulletin/archive/2011/06/vb201106-browser-malware-taxonomy 8
Browser Malware Taxonomy  Class C – Browser Malware http://www.virusbtn.com/virusbulletin/archive/2011/06/vb201106-browser-malware-taxonomy 9
Infection Model – Malware Serving Exploiting Web vulnerabilities ( XSS/SQL) Obfuscated Code Injected JavaScript eval() – The Evil Machine Browser DOM Calls Rendered Interactive Frames Pointed to Malicious Domain 10
Drive by Downloads – Insidious Infection Browser – Loads Malicious URL Vulnerability in Browser is Exploited Exploits trigger Shellcode Malware Binary Dropped Parasitic Infection Occurs in System Malware Installed and Connect Back 11
# Browser/ Bot – Collaborative Design # 12
Browsers  Botnets :SDK  Custom Designed SDK ─ Botnets use self build SDK for infection purposes ─ Browser communication ● Bots use the SDK functions with plugins to communicate back to C&C using browser interface ─ Concept of Bot Development Kit (BDT) – as similar to SDK ─ Example: ● SpyEye BDT 13
Bots and Custom Connector Plugin  Design of Plugins ● Bot requires separate plugin to communicate back with the C&C server ● Bot sends critical information through GET requests  Why Plugin is Used? ● Provides modular control over the bots ● Update the main bot executable present on the victim machine ● Update the bot configuration directly through admin panel ● Start/Stop for a bot plugin – Depends on the availability  What Type of Information? ● gate.php?guid=!USER- 5C377A2CCF!046502F4&ver=10207&stat=ONLINE&ie=6.0.2900.2180&os= 5.1.2600&ut=Admin&ccrc=13A7F1B3&md5=b9c3cb2cdc66b1f4465fe56cc3 4040b2&plg=customconnector 14
Bots and Custom Connector Plugin  Design of Plugins ● API in Action – TakeBotGuid / TakeBotVersion / TakeConfigCrc32Callback TakeBotExeMd5Callback / TakePluginsListCallback Gate.php Get Page Custom Connector Plugin Input – Main Panel Output – Main Panel SpyEye Bot 15
Custom Connector Plugin  What Lies Beneath ? ● A mediator between bot and the main admin panel ● Good enough to make decisions whether to send request to C&C or not ● Generates encryption based channel between C&C and itself ● Very productive for creating decentralized botnet based on plugins  Operations ! ● Update bot configuration - UPDATE_CONFIG ● Update bot executable - UPDATE ● Manage plugins – PLUGIN ● Load third-party exe - LOAD 16
Bot – Custom Connector in Action 17
# Browser/ Bot – Exploitation Paradigm # 18
Reality of the Bots  Inside Bot - Characteristics ● Similar working to ring 3 rootkit – Hooking and hijacking in userland space – Perform injections in the web processes ● Hooks HTTP communication interface – Exploit browsers - on the fly content injections ● Infection = {Bots + Plugins} 19
Man In the Browser (MITB)  The Reality of MITB ● Malware (bot/trojan) having an ability to infect victim browsers ● Capable enough to modify web pages, perform non legitimate transactions ● Invisible to users and browsers ● Steal the credit card number efficiently ● Spying on browser sessions http://www.cronto.com/download/internet_banking_fraud_beyond_phishing.pdf 20
Browser – User Agent Fingerprinting  User Agent Fingerprinting ─ Detecting the state of running browser in the system ─ Provides plethora of information about browser versions ● Typically requires to serve specific exploits for downloading bots User visits a malware domain Browser sends a User Agent string Malware exploits the browser Malware scans the User Agent string Malware detects the browser version 21
Browser – User Agents 22
Real Time Example : Browser Sniffing Sniffer.js is passed in cookie 23
Real Time Example : Browser Sniffing 24
Browser Exploit Packs and Bots  Is This True Artifact? ─ Yes it is. – BEP’s are used in conjunction with botnets – On successful exploitation, bot is dropped onto the victim machine – Harnessing the power of two different frameworks to deliver malware – Some traces have been seen of ZEUS (Botnet) + BlackHole (BEP) 25
Browser – Screen Scrapers  Why? ● Capturing screenshots from the victim machines during bank transactions ● It is possible to capture whole system screenshots not only the browser activities ● Provides additional support for bots for data exfiltration ● Exploit the system level functions and generic modules  How? ─ Mouse cursor is the reference point which is the center of the screenshot ─ Explicit rules are defined for capturing screenshots ─ Rules consist of following parameters ● URL_MASK ● WIDTH ● HEIGHT ● MINIMUM_CLICKS ● MINIMUM_SECONDS 26
Browser – Screen Scrapers 27
Browsers - Form Grabbing  Why? ─ Keylogging produces plethora of data ─ Form grabbing – extracting data from the GET/POST requests ─ Based on the concept of hooking and DLL injection ─ Virtual Keyboards ● Implements the form grabbing functionality to send POST requests ● No real protection against malware 28
Browsers - Form Grabbing  Facts and Reality ─ All the botnets (Banking, IRC etc) use this technique ─ Very hard to overcome the consequences ─ All browsers can be circumvented to execute non legitimate hooks 29
Credit Card Grabber - Verification  Why the Credit Card number stealing is a success? ● Bots are always successful in extracting credentials from the POST request ● Question – Aren’t bot make mistakes in extracting Credit Card (CC) numbers? ● Well, bots are very smart in nature. They use inbuilt CC plugins. ● CC Verification – The credit card number is verified against LUHN’s algorithm prior to send it to botnet database. Viola ! 30
# Browser/ Bot – Web Injects & Web Fakes # 31
Web Injects – Infection on the Fly  Web Injects ─ Injecting incoming request with malicious content ─ Web page is tampered which looks legitimate ● Primary aim is to inject credential stealing forms and input tags ● Similar concept is used to inject pointers to remote malware site ● Concept of Third Generation Botnets ( Give me your money  ) 32
Web Injects – How ?  Web Injects ─ Hooking ● Long live exploitation technique ─ Browser Libraries ● Hooking nspr4.dll and wininet.dll – IAT hooking, Inline hooking or through DLL injections. ● Webinjects.txt – Rule file used for defining injection metrics (discussed in next part) – Used for debugging purposes to test and verify the injections before the actual bot performs infection – The exploitation is done on the HTTP responses returning back form the sever 33
Web Injects – Log Detection http://secniche.blogspot.com/2011/07/spyeye-zeus-web-injects-parameters-and.html 34
Web Injects – Action 35
Web Injects – Metrics  What is meant by GPH flags? ─ Exploitation and infection metrics ● G - injection will be made only for the resources that are requested by the GET ● P - injection will be made only for the resources that are requested by the POST ● L - is a flag for grabbing content between the tags data_before and data_after inclusive ● H – similar as L except the ripped content is not included and the contents of tags data_before and data_after 36
Web Injects – Zeus and SpyEye  Web Injects ─ Sequence of metrics (as discussed earlier) ● SpyEye – sequence should follow data_before, data_inject, data_after ● Zeus –sequence does not matter ─ Injection content ● SpyEye requires specific rules to be designed using set_url ● Zeus primarily injects malicious Cascading Style Sheets (CSS) and JavaScripts (JS). ─ Source – bots ● Zeus and SpyEye bots perform the requisite infection ● Bot reads the configuration parameters using plugin interface ● Browser’s HTTP communication channel is infected 37
Web Fakes  Understanding Web Fakes ● Plugins used to spoof the content in browsers ● Supports both protocols HTTP/HTTPS ● Based on the concept of internal URL redirection ● All browsers are affected  How ? ─ Plugins use the defined metrics in the configuration file ● URL_MASK ● URL_REDIRECT ● FLAGS ● POST_BLACK_MASK ● POST_WHITE_MASK ● BLOCK_URL ● WEBFAKE_NAME ● UNBLOCK_URL 38
Web Fakes – Function Calls 39
Web Fakes – Real Example 40
The Ghost (Exploitation) Shell Persists 41
Conclusion  So What ! ─ Third generation botnets success greatly depends on browsers ─ Browser has become the most predominant part of exploitation ─ Dropping bots using Drive by Downloads is an easy process ─ Hooking browser is not a big stake factor ─ Bot Development Kits (BDKs) are in action ─ Browser is the main window to the internet, so as to the risk ─ Hard to prevent malware that resides inside browsers ─ Plugins-Addons are also responsible for circumventing the browser security ─ Protection requires much more efforts than the present times 42
Questions / Thanks  BruCon Crew ─ For all the support and help  SecNiche Security Labs ─ All my team members for their cooperation  Contact ─ LinkedIn – http://www.linkedin.com/in/adityaks ─ Twitter - @AdityaKSood 43

Recomendados

Dissecting Java Server Faces for Penetration Testing
Dissecting Java Server Faces for Penetration Testing Dissecting Java Server Faces for Penetration Testing
Dissecting Java Server Faces for Penetration Testing Aditya K Sood
 
PenTest Magazine Teaser - Mobile Hacking
PenTest Magazine Teaser - Mobile HackingPenTest Magazine Teaser - Mobile Hacking
PenTest Magazine Teaser - Mobile HackingAditya K Sood
 
Malvertising - Exploiting Web Advertising | Elsevier Computer Fraud and Secur...
Malvertising - Exploiting Web Advertising | Elsevier Computer Fraud and Secur...Malvertising - Exploiting Web Advertising | Elsevier Computer Fraud and Secur...
Malvertising - Exploiting Web Advertising | Elsevier Computer Fraud and Secur...Aditya K Sood
 
Make profit with UI-Redressing attacks.
Make profit with UI-Redressing attacks.Make profit with UI-Redressing attacks.
Make profit with UI-Redressing attacks.n|u - The Open Security Community
 
HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?
HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?
HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?Aditya K Sood
 
Evolving Threat Landscapes Web-Based Botnet Through Exploit Kits and Scripts ...
Evolving Threat Landscapes Web-Based Botnet Through Exploit Kits and Scripts ...Evolving Threat Landscapes Web-Based Botnet Through Exploit Kits and Scripts ...
Evolving Threat Landscapes Web-Based Botnet Through Exploit Kits and Scripts ...Julia Yu-Chin Cheng
 
paper review about botnet
paper review about botnetpaper review about botnet
paper review about botnetJhang Raymond
 
Headless browser: puppeteer and git client : GitKraken
Headless browser: puppeteer and git client : GitKrakenHeadless browser: puppeteer and git client : GitKraken
Headless browser: puppeteer and git client : GitKrakenSheikhMoonwaraAnjumM
 

Recomendados

Dissecting Java Server Faces for Penetration Testing
Dissecting Java Server Faces for Penetration Testing Dissecting Java Server Faces for Penetration Testing
Dissecting Java Server Faces for Penetration Testing Aditya K Sood
 
PenTest Magazine Teaser - Mobile Hacking
PenTest Magazine Teaser - Mobile HackingPenTest Magazine Teaser - Mobile Hacking
PenTest Magazine Teaser - Mobile HackingAditya K Sood
 
Malvertising - Exploiting Web Advertising | Elsevier Computer Fraud and Secur...
Malvertising - Exploiting Web Advertising | Elsevier Computer Fraud and Secur...Malvertising - Exploiting Web Advertising | Elsevier Computer Fraud and Secur...
Malvertising - Exploiting Web Advertising | Elsevier Computer Fraud and Secur...Aditya K Sood
 
Make profit with UI-Redressing attacks.
Make profit with UI-Redressing attacks.Make profit with UI-Redressing attacks.
Make profit with UI-Redressing attacks.n|u - The Open Security Community
 
HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?
HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?
HackInTheBox - AMS 2011 , Spying on SpyEye - What Lies Beneath ?Aditya K Sood
 
Evolving Threat Landscapes Web-Based Botnet Through Exploit Kits and Scripts ...
Evolving Threat Landscapes Web-Based Botnet Through Exploit Kits and Scripts ...Evolving Threat Landscapes Web-Based Botnet Through Exploit Kits and Scripts ...
Evolving Threat Landscapes Web-Based Botnet Through Exploit Kits and Scripts ...Julia Yu-Chin Cheng
 
paper review about botnet
paper review about botnetpaper review about botnet
paper review about botnetJhang Raymond
 
Headless browser: puppeteer and git client : GitKraken
Headless browser: puppeteer and git client : GitKrakenHeadless browser: puppeteer and git client : GitKraken
Headless browser: puppeteer and git client : GitKrakenSheikhMoonwaraAnjumM
 
DEF CON 20 - Botnets Die Hard - Owned and Operated
DEF CON 20 - Botnets Die Hard - Owned and OperatedDEF CON 20 - Botnets Die Hard - Owned and Operated
DEF CON 20 - Botnets Die Hard - Owned and OperatedAditya K Sood
 
Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks
Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks
Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks Aditya K Sood
 
Toorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit PacksToorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit PacksAditya K Sood
 
A Botnet Detecting Infrastructure Using a Beneficial Botnet
A Botnet Detecting Infrastructure Using a Beneficial BotnetA Botnet Detecting Infrastructure Using a Beneficial Botnet
A Botnet Detecting Infrastructure Using a Beneficial BotnetTakashi Yamanoue
 
Master of Web Puppets: Abusing Web Browsers for Persistent and Stealthy Compu...
Master of Web Puppets: Abusing Web Browsers for Persistent and Stealthy Compu...Master of Web Puppets: Abusing Web Browsers for Persistent and Stealthy Compu...
Master of Web Puppets: Abusing Web Browsers for Persistent and Stealthy Compu...Panagiotis Papadopoulos
 
Secure client
Secure clientSecure client
Secure clientHai Nguyen
 
Micro-Frontends JSVidCon
Micro-Frontends JSVidConMicro-Frontends JSVidCon
Micro-Frontends JSVidConAmir Zuker
 
ToorCon 14 : Malandroid : The Crux of Android Infections
ToorCon 14 : Malandroid : The Crux of Android InfectionsToorCon 14 : Malandroid : The Crux of Android Infections
ToorCon 14 : Malandroid : The Crux of Android InfectionsAditya K Sood
 
Bot detection deck 042514 final
Bot detection deck 042514 finalBot detection deck 042514 final
Bot detection deck 042514 finalVindicoGroup
 
New or obscure web browsers 4x3 (rcsi draft 6)
New or obscure web browsers 4x3 (rcsi draft 6)New or obscure web browsers 4x3 (rcsi draft 6)
New or obscure web browsers 4x3 (rcsi draft 6)msz
 
Open Hack Taiwan 2012 - Mojito intro
Open Hack Taiwan 2012 - Mojito introOpen Hack Taiwan 2012 - Mojito intro
Open Hack Taiwan 2012 - Mojito introsriramiyer2007
 
Easy as pie creating widgets for ibm connections
Easy as pie creating widgets for ibm connectionsEasy as pie creating widgets for ibm connections
Easy as pie creating widgets for ibm connectionsLetsConnect
 
Drupalcamp New York 2009
Drupalcamp New York 2009Drupalcamp New York 2009
Drupalcamp New York 2009Tom Deryckere
 
Taming botnets
Taming botnetsTaming botnets
Taming botnetsf00d
 
Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis
Life Cycle And Detection Of Bot Infections Through Network Traffic AnalysisLife Cycle And Detection Of Bot Infections Through Network Traffic Analysis
Life Cycle And Detection Of Bot Infections Through Network Traffic AnalysisPositive Hack Days
 
The Internal Architecture of Chrome Developer Tools
The Internal Architecture of Chrome Developer ToolsThe Internal Architecture of Chrome Developer Tools
The Internal Architecture of Chrome Developer ToolsMiroslav Bajtoš
 
oVirt UI Plugin Infrastructure and the oVirt-Foreman plugin
oVirt UI Plugin Infrastructure and the oVirt-Foreman pluginoVirt UI Plugin Infrastructure and the oVirt-Foreman plugin
oVirt UI Plugin Infrastructure and the oVirt-Foreman pluginOved Ourfali
 
Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...
Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...
Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...Aditya K Sood
 
Ugly truths about html5 moosecon - robert virkus - 2013-03-07
Ugly truths about html5 moosecon - robert virkus - 2013-03-07Ugly truths about html5 moosecon - robert virkus - 2013-03-07
Ugly truths about html5 moosecon - robert virkus - 2013-03-07Enough Software
 
Fireshark - Brucon 2010
Fireshark - Brucon 2010Fireshark - Brucon 2010
Fireshark - Brucon 2010Stephan Chenette
 
Emerging Trends in Online Social Networks Malware
Emerging Trends in Online Social Networks MalwareEmerging Trends in Online Social Networks Malware
Emerging Trends in Online Social Networks MalwareAditya K Sood
 
Enfilade: Tool to Detect Infections in MongoDB Instances
Enfilade: Tool to Detect Infections in MongoDB InstancesEnfilade: Tool to Detect Infections in MongoDB Instances
Enfilade: Tool to Detect Infections in MongoDB InstancesAditya K Sood
 

Mais conteúdo relacionado

Semelhante a BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in the Ghost Shell)

DEF CON 20 - Botnets Die Hard - Owned and Operated
DEF CON 20 - Botnets Die Hard - Owned and OperatedDEF CON 20 - Botnets Die Hard - Owned and Operated
DEF CON 20 - Botnets Die Hard - Owned and OperatedAditya K Sood
 
Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks
Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks
Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks Aditya K Sood
 
Toorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit PacksToorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit PacksAditya K Sood
 
A Botnet Detecting Infrastructure Using a Beneficial Botnet
A Botnet Detecting Infrastructure Using a Beneficial BotnetA Botnet Detecting Infrastructure Using a Beneficial Botnet
A Botnet Detecting Infrastructure Using a Beneficial BotnetTakashi Yamanoue
 
Master of Web Puppets: Abusing Web Browsers for Persistent and Stealthy Compu...
Master of Web Puppets: Abusing Web Browsers for Persistent and Stealthy Compu...Master of Web Puppets: Abusing Web Browsers for Persistent and Stealthy Compu...
Master of Web Puppets: Abusing Web Browsers for Persistent and Stealthy Compu...Panagiotis Papadopoulos
 
Micro-Frontends JSVidCon
Micro-Frontends JSVidConMicro-Frontends JSVidCon
Micro-Frontends JSVidConAmir Zuker
 
ToorCon 14 : Malandroid : The Crux of Android Infections
ToorCon 14 : Malandroid : The Crux of Android InfectionsToorCon 14 : Malandroid : The Crux of Android Infections
ToorCon 14 : Malandroid : The Crux of Android InfectionsAditya K Sood
 
Bot detection deck 042514 final
Bot detection deck 042514 finalBot detection deck 042514 final
Bot detection deck 042514 finalVindicoGroup
 
New or obscure web browsers 4x3 (rcsi draft 6)
New or obscure web browsers 4x3 (rcsi draft 6)New or obscure web browsers 4x3 (rcsi draft 6)
New or obscure web browsers 4x3 (rcsi draft 6)msz
 
Open Hack Taiwan 2012 - Mojito intro
Open Hack Taiwan 2012 - Mojito introOpen Hack Taiwan 2012 - Mojito intro
Open Hack Taiwan 2012 - Mojito introsriramiyer2007
 
Easy as pie creating widgets for ibm connections
Easy as pie creating widgets for ibm connectionsEasy as pie creating widgets for ibm connections
Easy as pie creating widgets for ibm connectionsLetsConnect
 
Drupalcamp New York 2009
Drupalcamp New York 2009Drupalcamp New York 2009
Drupalcamp New York 2009Tom Deryckere
 
Taming botnets
Taming botnetsTaming botnets
Taming botnetsf00d
 
Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis
Life Cycle And Detection Of Bot Infections Through Network Traffic AnalysisLife Cycle And Detection Of Bot Infections Through Network Traffic Analysis
Life Cycle And Detection Of Bot Infections Through Network Traffic AnalysisPositive Hack Days
 
The Internal Architecture of Chrome Developer Tools
The Internal Architecture of Chrome Developer ToolsThe Internal Architecture of Chrome Developer Tools
The Internal Architecture of Chrome Developer ToolsMiroslav Bajtoš
 
oVirt UI Plugin Infrastructure and the oVirt-Foreman plugin
oVirt UI Plugin Infrastructure and the oVirt-Foreman pluginoVirt UI Plugin Infrastructure and the oVirt-Foreman plugin
oVirt UI Plugin Infrastructure and the oVirt-Foreman pluginOved Ourfali
 
Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...
Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...
Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...Aditya K Sood
 
Ugly truths about html5 moosecon - robert virkus - 2013-03-07
Ugly truths about html5 moosecon - robert virkus - 2013-03-07Ugly truths about html5 moosecon - robert virkus - 2013-03-07
Ugly truths about html5 moosecon - robert virkus - 2013-03-07Enough Software
 

Semelhante a BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in the Ghost Shell) (20)

DEF CON 20 - Botnets Die Hard - Owned and Operated
DEF CON 20 - Botnets Die Hard - Owned and OperatedDEF CON 20 - Botnets Die Hard - Owned and Operated
DEF CON 20 - Botnets Die Hard - Owned and Operated
 
Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks
Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks
Hackers on Planet Earth (HOPE - 2012) Advancements in Botnet Attacks
 
Toorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit PacksToorcon Seattle 2011 - Browser Exploit Packs
Toorcon Seattle 2011 - Browser Exploit Packs
 
A Botnet Detecting Infrastructure Using a Beneficial Botnet
A Botnet Detecting Infrastructure Using a Beneficial BotnetA Botnet Detecting Infrastructure Using a Beneficial Botnet
A Botnet Detecting Infrastructure Using a Beneficial Botnet
 
Master of Web Puppets: Abusing Web Browsers for Persistent and Stealthy Compu...
Master of Web Puppets: Abusing Web Browsers for Persistent and Stealthy Compu...Master of Web Puppets: Abusing Web Browsers for Persistent and Stealthy Compu...
Master of Web Puppets: Abusing Web Browsers for Persistent and Stealthy Compu...
 
Secure client
Secure clientSecure client
Secure client
 
Micro-Frontends JSVidCon
Micro-Frontends JSVidConMicro-Frontends JSVidCon
Micro-Frontends JSVidCon
 
ToorCon 14 : Malandroid : The Crux of Android Infections
ToorCon 14 : Malandroid : The Crux of Android InfectionsToorCon 14 : Malandroid : The Crux of Android Infections
ToorCon 14 : Malandroid : The Crux of Android Infections
 
Bot detection deck 042514 final
Bot detection deck 042514 finalBot detection deck 042514 final
Bot detection deck 042514 final
 
New or obscure web browsers 4x3 (rcsi draft 6)
New or obscure web browsers 4x3 (rcsi draft 6)New or obscure web browsers 4x3 (rcsi draft 6)
New or obscure web browsers 4x3 (rcsi draft 6)
 
Open Hack Taiwan 2012 - Mojito intro
Open Hack Taiwan 2012 - Mojito introOpen Hack Taiwan 2012 - Mojito intro
Open Hack Taiwan 2012 - Mojito intro
 
Easy as pie creating widgets for ibm connections
Easy as pie creating widgets for ibm connectionsEasy as pie creating widgets for ibm connections
Easy as pie creating widgets for ibm connections
 
Drupalcamp New York 2009
Drupalcamp New York 2009Drupalcamp New York 2009
Drupalcamp New York 2009
 
Taming botnets
Taming botnetsTaming botnets
Taming botnets
 
Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis
Life Cycle And Detection Of Bot Infections Through Network Traffic AnalysisLife Cycle And Detection Of Bot Infections Through Network Traffic Analysis
Life Cycle And Detection Of Bot Infections Through Network Traffic Analysis
 
The Internal Architecture of Chrome Developer Tools
The Internal Architecture of Chrome Developer ToolsThe Internal Architecture of Chrome Developer Tools
The Internal Architecture of Chrome Developer Tools
 
oVirt UI Plugin Infrastructure and the oVirt-Foreman plugin
oVirt UI Plugin Infrastructure and the oVirt-Foreman pluginoVirt UI Plugin Infrastructure and the oVirt-Foreman plugin
oVirt UI Plugin Infrastructure and the oVirt-Foreman plugin
 
Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...
Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...
Virus Bulletin 2011 Conference - Browser Exploit Packs - Death by Bundled Exp...
 
Ugly truths about html5 moosecon - robert virkus - 2013-03-07
Ugly truths about html5 moosecon - robert virkus - 2013-03-07Ugly truths about html5 moosecon - robert virkus - 2013-03-07
Ugly truths about html5 moosecon - robert virkus - 2013-03-07
 
Fireshark - Brucon 2010
Fireshark - Brucon 2010Fireshark - Brucon 2010
Fireshark - Brucon 2010
 

Mais de Aditya K Sood

Emerging Trends in Online Social Networks Malware
Emerging Trends in Online Social Networks MalwareEmerging Trends in Online Social Networks Malware
Emerging Trends in Online Social Networks MalwareAditya K Sood
 
Enfilade: Tool to Detect Infections in MongoDB Instances
Enfilade: Tool to Detect Infections in MongoDB InstancesEnfilade: Tool to Detect Infections in MongoDB Instances
Enfilade: Tool to Detect Infections in MongoDB InstancesAditya K Sood
 
Detecting Ransomware/Bot Infections in Elasticsearch
Detecting Ransomware/Bot Infections in ElasticsearchDetecting Ransomware/Bot Infections in Elasticsearch
Detecting Ransomware/Bot Infections in ElasticsearchAditya K Sood
 
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...Aditya K Sood
 
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...Aditya K Sood
 
Network Security : Book Review : Targeted Cyber Attacks : Aditya K Sood
Network Security : Book Review : Targeted Cyber Attacks : Aditya K SoodNetwork Security : Book Review : Targeted Cyber Attacks : Aditya K Sood
Network Security : Book Review : Targeted Cyber Attacks : Aditya K SoodAditya K Sood
 
Abusing Glype Proxies - Attacks, Exploits and Defences
Abusing Glype Proxies - Attacks, Exploits and DefencesAbusing Glype Proxies - Attacks, Exploits and Defences
Abusing Glype Proxies - Attacks, Exploits and DefencesAditya K Sood
 
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin MagazineNIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin MagazineAditya K Sood
 
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...Aditya K Sood
 
BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...
BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...
BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...Aditya K Sood
 
NGR Bot Analysis Paper
NGR Bot Analysis PaperNGR Bot Analysis Paper
NGR Bot Analysis PaperAditya K Sood
 
Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...
Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...
Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...Aditya K Sood
 
Commercial Cyber Crime - Social Networks Malware
Commercial Cyber Crime - Social Networks MalwareCommercial Cyber Crime - Social Networks Malware
Commercial Cyber Crime - Social Networks MalwareAditya K Sood
 
OWASP AppSec USA 2011 - Dismantling Web Malware
OWASP AppSec USA 2011 - Dismantling Web MalwareOWASP AppSec USA 2011 - Dismantling Web Malware
OWASP AppSec USA 2011 - Dismantling Web MalwareAditya K Sood
 
Browser Malware Taxonomy
Browser Malware TaxonomyBrowser Malware Taxonomy
Browser Malware TaxonomyAditya K Sood
 
VxWorks - Holistic Security (Art of Testing)
VxWorks - Holistic Security (Art of Testing)VxWorks - Holistic Security (Art of Testing)
VxWorks - Holistic Security (Art of Testing)Aditya K Sood
 
Art of InfoJacking, Source Conference Seattle, 2011
Art of InfoJacking, Source Conference Seattle, 2011Art of InfoJacking, Source Conference Seattle, 2011
Art of InfoJacking, Source Conference Seattle, 2011Aditya K Sood
 
Elsevier NESE - Spying on the Browser
Elsevier NESE - Spying on the BrowserElsevier NESE - Spying on the Browser
Elsevier NESE - Spying on the BrowserAditya K Sood
 
ISSA Journal Paper - JavaScript Infection Model
ISSA Journal Paper - JavaScript Infection ModelISSA Journal Paper - JavaScript Infection Model
ISSA Journal Paper - JavaScript Infection ModelAditya K Sood
 
13th Symposium of Association of Anti Virus Asia Researchers (AAVAR 2010) con...
13th Symposium of Association of Anti Virus Asia Researchers (AAVAR 2010) con...13th Symposium of Association of Anti Virus Asia Researchers (AAVAR 2010) con...
13th Symposium of Association of Anti Virus Asia Researchers (AAVAR 2010) con...Aditya K Sood
 

Mais de Aditya K Sood (20)

Emerging Trends in Online Social Networks Malware
Emerging Trends in Online Social Networks MalwareEmerging Trends in Online Social Networks Malware
Emerging Trends in Online Social Networks Malware
 
Enfilade: Tool to Detect Infections in MongoDB Instances
Enfilade: Tool to Detect Infections in MongoDB InstancesEnfilade: Tool to Detect Infections in MongoDB Instances
Enfilade: Tool to Detect Infections in MongoDB Instances
 
Detecting Ransomware/Bot Infections in Elasticsearch
Detecting Ransomware/Bot Infections in ElasticsearchDetecting Ransomware/Bot Infections in Elasticsearch
Detecting Ransomware/Bot Infections in Elasticsearch
 
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
BlackHat 2014 Briefings - Exploiting Fundamental Weaknesses in Botnet C&C Pan...
 
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
BlackHat Arsenal 2014 - C-SCAD : Assessing Security Flaws in C-SCAD WebX Clie...
 
Network Security : Book Review : Targeted Cyber Attacks : Aditya K Sood
Network Security : Book Review : Targeted Cyber Attacks : Aditya K SoodNetwork Security : Book Review : Targeted Cyber Attacks : Aditya K Sood
Network Security : Book Review : Targeted Cyber Attacks : Aditya K Sood
 
Abusing Glype Proxies - Attacks, Exploits and Defences
Abusing Glype Proxies - Attacks, Exploits and DefencesAbusing Glype Proxies - Attacks, Exploits and Defences
Abusing Glype Proxies - Attacks, Exploits and Defences
 
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin MagazineNIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine
NIframer - CPanel IFrame Injector (Bash based) - Virus Bulletin Magazine
 
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...
CrossTalk - The Art of Cyber Bank Robbery - Stealing your Money Through Insid...
 
BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...
BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...
BlackHat USA 2013 Arsenal - Sparty : A FrontPage and SharePoint Security Audi...
 
NGR Bot Analysis Paper
NGR Bot Analysis PaperNGR Bot Analysis Paper
NGR Bot Analysis Paper
 
Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...
Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...
Virus bulletin 2011 Conference Paper - Browser Exploit Packs - Exploitation T...
 
Commercial Cyber Crime - Social Networks Malware
Commercial Cyber Crime - Social Networks MalwareCommercial Cyber Crime - Social Networks Malware
Commercial Cyber Crime - Social Networks Malware
 
OWASP AppSec USA 2011 - Dismantling Web Malware
OWASP AppSec USA 2011 - Dismantling Web MalwareOWASP AppSec USA 2011 - Dismantling Web Malware
OWASP AppSec USA 2011 - Dismantling Web Malware
 
Browser Malware Taxonomy
Browser Malware TaxonomyBrowser Malware Taxonomy
Browser Malware Taxonomy
 
VxWorks - Holistic Security (Art of Testing)
VxWorks - Holistic Security (Art of Testing)VxWorks - Holistic Security (Art of Testing)
VxWorks - Holistic Security (Art of Testing)
 
Art of InfoJacking, Source Conference Seattle, 2011
Art of InfoJacking, Source Conference Seattle, 2011Art of InfoJacking, Source Conference Seattle, 2011
Art of InfoJacking, Source Conference Seattle, 2011
 
Elsevier NESE - Spying on the Browser
Elsevier NESE - Spying on the BrowserElsevier NESE - Spying on the Browser
Elsevier NESE - Spying on the Browser
 
ISSA Journal Paper - JavaScript Infection Model
ISSA Journal Paper - JavaScript Infection ModelISSA Journal Paper - JavaScript Infection Model
ISSA Journal Paper - JavaScript Infection Model
 
13th Symposium of Association of Anti Virus Asia Researchers (AAVAR 2010) con...
13th Symposium of Association of Anti Virus Asia Researchers (AAVAR 2010) con...13th Symposium of Association of Anti Virus Asia Researchers (AAVAR 2010) con...
13th Symposium of Association of Anti Virus Asia Researchers (AAVAR 2010) con...
 

Último

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Neo4j
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024The Digital Insurer
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxMalak Abu Hammad
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesSinan KOZAK
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slidevu2urc
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationMichael W. Hawkins
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slidespraypatel2
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024The Digital Insurer
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdfhans926745
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityPrincipled Technologies
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024The Digital Insurer
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking MenDelhi Call girls
 

Último (20)

Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
Workshop - Best of Both Worlds_ Combine KG and Vector search for enhanced R...
 
Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024Tata AIG General Insurance Company - Insurer Innovation Award 2024
Tata AIG General Insurance Company - Insurer Innovation Award 2024
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
The Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptxThe Codex of Business Writing Software for Real-World Solutions 2.pptx
The Codex of Business Writing Software for Real-World Solutions 2.pptx
 
Unblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen FramesUnblocking The Main Thread Solving ANRs and Frozen Frames
Unblocking The Main Thread Solving ANRs and Frozen Frames
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
Histor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slideHistor y of HAM Radio presentation slide
Histor y of HAM Radio presentation slide
 
GenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day PresentationGenCyber Cyber Security Day Presentation
GenCyber Cyber Security Day Presentation
 
Slack Application Development 101 Slides
Slack Application Development 101 SlidesSlack Application Development 101 Slides
Slack Application Development 101 Slides
 
Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024Finology Group – Insurtech Innovation Award 2024
Finology Group – Insurtech Innovation Award 2024
 
[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf[2024]Digital Global Overview Report 2024 Meltwater.pdf
[2024]Digital Global Overview Report 2024 Meltwater.pdf
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
Boost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivityBoost PC performance: How more available memory can improve productivity
Boost PC performance: How more available memory can improve productivity
 
Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024Axa Assurance Maroc - Insurer Innovation Award 2024
Axa Assurance Maroc - Insurer Innovation Award 2024
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men08448380779 Call Girls In Greater Kailash - I Women Seeking Men
08448380779 Call Girls In Greater Kailash - I Women Seeking Men
 

BruCon (Brussels 2011) Hacking Conference - Botnets and Browsers (Brothers in the Ghost Shell)

  • 1. Botnets and Browsers Brothers in the Ghost Shell BruCon Security/Hacking Conference Brussels . 19-20 September, 2011 Aditya K Sood (Security Practitioner) SecNiche Security | Department of Computer Science and Engineering Michigan State University
  • 2. Whoami !  Aditya K Sood ─ Founder , SecNiche Security Labs ● Independent Security Consultant, Researcher and Practitioner ● Worked previously for Armorize, Coseinc and KPMG ● Active Speaker at Security conferences ● Written Content – Virus Bulletin/ ISSA/ISACA/CrossTalk/HITB/Hakin9/Elsevier NESE|CFS ● LinkedIn : http://www.linkedin.com/in/adityaks ● Website: http://www.secniche.org | Blog: http://secniche.blogspot.com ─ PhD Candidate at Michigan State University ● http://www.cse.msu.edu/~soodadit 2
  • 3. Overview and Disclaimer  Benchmark ─ This talk discusses about the infection model of browsers and bots ─ Botnets have many capabilities. Our target is only browsers and bots. ● Mainly exploitation of browsers. ─ This talk is not about simple botnet commands. Sorry ! ─ Scope is third generation botnets and browser manipulation ─ This research relates to my own efforts and does not provide the view of any of my employers. 3
  • 4. Agenda  Walking through the Agenda ─ Browser Malware Taxonomy ─ Bots & Browsers – Collaborative Design ─ Bots & Browsers – Exploitation Paradigm ─ Browser/ Bot – Web Injects & Web Fakes ─ Conclusion 4
  • 5. World Wide Web - Problem 5
  • 6. # Browser Malware Taxonomy # 6
  • 7. Browser Malware Taxonomy  Class A – Browser Malware http://www.virusbtn.com/virusbulletin/archive/2011/06/vb201106-browser-malware-taxonomy 7
  • 8. Browser Malware Taxonomy  Class B – Browser Malware http://www.virusbtn.com/virusbulletin/archive/2011/06/vb201106-browser-malware-taxonomy 8
  • 9. Browser Malware Taxonomy  Class C – Browser Malware http://www.virusbtn.com/virusbulletin/archive/2011/06/vb201106-browser-malware-taxonomy 9
  • 10. Infection Model – Malware Serving Exploiting Web vulnerabilities ( XSS/SQL) Obfuscated Code Injected JavaScript eval() – The Evil Machine Browser DOM Calls Rendered Interactive Frames Pointed to Malicious Domain 10
  • 11. Drive by Downloads – Insidious Infection Browser – Loads Malicious URL Vulnerability in Browser is Exploited Exploits trigger Shellcode Malware Binary Dropped Parasitic Infection Occurs in System Malware Installed and Connect Back 11
  • 12. # Browser/ Bot – Collaborative Design # 12
  • 13. Browsers  Botnets :SDK  Custom Designed SDK ─ Botnets use self build SDK for infection purposes ─ Browser communication ● Bots use the SDK functions with plugins to communicate back to C&C using browser interface ─ Concept of Bot Development Kit (BDT) – as similar to SDK ─ Example: ● SpyEye BDT 13
  • 14. Bots and Custom Connector Plugin  Design of Plugins ● Bot requires separate plugin to communicate back with the C&C server ● Bot sends critical information through GET requests  Why Plugin is Used? ● Provides modular control over the bots ● Update the main bot executable present on the victim machine ● Update the bot configuration directly through admin panel ● Start/Stop for a bot plugin – Depends on the availability  What Type of Information? ● gate.php?guid=!USER- 5C377A2CCF!046502F4&ver=10207&stat=ONLINE&ie=6.0.2900.2180&os= 5.1.2600&ut=Admin&ccrc=13A7F1B3&md5=b9c3cb2cdc66b1f4465fe56cc3 4040b2&plg=customconnector 14
  • 15. Bots and Custom Connector Plugin  Design of Plugins ● API in Action – TakeBotGuid / TakeBotVersion / TakeConfigCrc32Callback TakeBotExeMd5Callback / TakePluginsListCallback Gate.php Get Page Custom Connector Plugin Input – Main Panel Output – Main Panel SpyEye Bot 15
  • 16. Custom Connector Plugin  What Lies Beneath ? ● A mediator between bot and the main admin panel ● Good enough to make decisions whether to send request to C&C or not ● Generates encryption based channel between C&C and itself ● Very productive for creating decentralized botnet based on plugins  Operations ! ● Update bot configuration - UPDATE_CONFIG ● Update bot executable - UPDATE ● Manage plugins – PLUGIN ● Load third-party exe - LOAD 16
  • 17. Bot – Custom Connector in Action 17
  • 18. # Browser/ Bot – Exploitation Paradigm # 18
  • 19. Reality of the Bots  Inside Bot - Characteristics ● Similar working to ring 3 rootkit – Hooking and hijacking in userland space – Perform injections in the web processes ● Hooks HTTP communication interface – Exploit browsers - on the fly content injections ● Infection = {Bots + Plugins} 19
  • 20. Man In the Browser (MITB)  The Reality of MITB ● Malware (bot/trojan) having an ability to infect victim browsers ● Capable enough to modify web pages, perform non legitimate transactions ● Invisible to users and browsers ● Steal the credit card number efficiently ● Spying on browser sessions http://www.cronto.com/download/internet_banking_fraud_beyond_phishing.pdf 20
  • 21. Browser – User Agent Fingerprinting  User Agent Fingerprinting ─ Detecting the state of running browser in the system ─ Provides plethora of information about browser versions ● Typically requires to serve specific exploits for downloading bots User visits a malware domain Browser sends a User Agent string Malware exploits the browser Malware scans the User Agent string Malware detects the browser version 21
  • 22. Browser – User Agents 22
  • 23. Real Time Example : Browser Sniffing Sniffer.js is passed in cookie 23
  • 24. Real Time Example : Browser Sniffing 24
  • 25. Browser Exploit Packs and Bots  Is This True Artifact? ─ Yes it is. – BEP’s are used in conjunction with botnets – On successful exploitation, bot is dropped onto the victim machine – Harnessing the power of two different frameworks to deliver malware – Some traces have been seen of ZEUS (Botnet) + BlackHole (BEP) 25
  • 26. Browser – Screen Scrapers  Why? ● Capturing screenshots from the victim machines during bank transactions ● It is possible to capture whole system screenshots not only the browser activities ● Provides additional support for bots for data exfiltration ● Exploit the system level functions and generic modules  How? ─ Mouse cursor is the reference point which is the center of the screenshot ─ Explicit rules are defined for capturing screenshots ─ Rules consist of following parameters ● URL_MASK ● WIDTH ● HEIGHT ● MINIMUM_CLICKS ● MINIMUM_SECONDS 26
  • 27. Browser – Screen Scrapers 27
  • 28. Browsers - Form Grabbing  Why? ─ Keylogging produces plethora of data ─ Form grabbing – extracting data from the GET/POST requests ─ Based on the concept of hooking and DLL injection ─ Virtual Keyboards ● Implements the form grabbing functionality to send POST requests ● No real protection against malware 28
  • 29. Browsers - Form Grabbing  Facts and Reality ─ All the botnets (Banking, IRC etc) use this technique ─ Very hard to overcome the consequences ─ All browsers can be circumvented to execute non legitimate hooks 29
  • 30. Credit Card Grabber - Verification  Why the Credit Card number stealing is a success? ● Bots are always successful in extracting credentials from the POST request ● Question – Aren’t bot make mistakes in extracting Credit Card (CC) numbers? ● Well, bots are very smart in nature. They use inbuilt CC plugins. ● CC Verification – The credit card number is verified against LUHN’s algorithm prior to send it to botnet database. Viola ! 30
  • 31. # Browser/ Bot – Web Injects & Web Fakes # 31
  • 32. Web Injects – Infection on the Fly  Web Injects ─ Injecting incoming request with malicious content ─ Web page is tampered which looks legitimate ● Primary aim is to inject credential stealing forms and input tags ● Similar concept is used to inject pointers to remote malware site ● Concept of Third Generation Botnets ( Give me your money  ) 32
  • 33. Web Injects – How ?  Web Injects ─ Hooking ● Long live exploitation technique ─ Browser Libraries ● Hooking nspr4.dll and wininet.dll – IAT hooking, Inline hooking or through DLL injections. ● Webinjects.txt – Rule file used for defining injection metrics (discussed in next part) – Used for debugging purposes to test and verify the injections before the actual bot performs infection – The exploitation is done on the HTTP responses returning back form the sever 33
  • 34. Web Injects – Log Detection http://secniche.blogspot.com/2011/07/spyeye-zeus-web-injects-parameters-and.html 34
  • 35. Web Injects – Action 35
  • 36. Web Injects – Metrics  What is meant by GPH flags? ─ Exploitation and infection metrics ● G - injection will be made only for the resources that are requested by the GET ● P - injection will be made only for the resources that are requested by the POST ● L - is a flag for grabbing content between the tags data_before and data_after inclusive ● H – similar as L except the ripped content is not included and the contents of tags data_before and data_after 36
  • 37. Web Injects – Zeus and SpyEye  Web Injects ─ Sequence of metrics (as discussed earlier) ● SpyEye – sequence should follow data_before, data_inject, data_after ● Zeus –sequence does not matter ─ Injection content ● SpyEye requires specific rules to be designed using set_url ● Zeus primarily injects malicious Cascading Style Sheets (CSS) and JavaScripts (JS). ─ Source – bots ● Zeus and SpyEye bots perform the requisite infection ● Bot reads the configuration parameters using plugin interface ● Browser’s HTTP communication channel is infected 37
  • 38. Web Fakes  Understanding Web Fakes ● Plugins used to spoof the content in browsers ● Supports both protocols HTTP/HTTPS ● Based on the concept of internal URL redirection ● All browsers are affected  How ? ─ Plugins use the defined metrics in the configuration file ● URL_MASK ● URL_REDIRECT ● FLAGS ● POST_BLACK_MASK ● POST_WHITE_MASK ● BLOCK_URL ● WEBFAKE_NAME ● UNBLOCK_URL 38
  • 39. Web Fakes – Function Calls 39
  • 40. Web Fakes – Real Example 40
  • 41. The Ghost (Exploitation) Shell Persists 41
  • 42. Conclusion  So What ! ─ Third generation botnets success greatly depends on browsers ─ Browser has become the most predominant part of exploitation ─ Dropping bots using Drive by Downloads is an easy process ─ Hooking browser is not a big stake factor ─ Bot Development Kits (BDKs) are in action ─ Browser is the main window to the internet, so as to the risk ─ Hard to prevent malware that resides inside browsers ─ Plugins-Addons are also responsible for circumventing the browser security ─ Protection requires much more efforts than the present times 42
  • 43. Questions / Thanks  BruCon Crew ─ For all the support and help  SecNiche Security Labs ─ All my team members for their cooperation  Contact ─ LinkedIn – http://www.linkedin.com/in/adityaks ─ Twitter - @AdityaKSood 43