Puppetnets: Misusing Web Browsers as a Distributed Attack Infrastructure Paper By : V.T.Lam, S.Antonatos, P.Akritidis, K.G.Anagnostakis Conference : ACM Conference on Computer and Communications Security 2006 Presented By : Ramanarayanan Ramani
Scenario • 1. Attacker compromises a web server • 2. Embeds malicious code in the webpage • 3. Clients access the webpage and execute the malicious code • Clients are the puppets – they can be controlled as long as they have the webpage open in the browser.
Puppetnet vs Botnet • Not heavily dependent on the exploitation of specific implementation flaws • The attacker does not have complete control over the actions of the participating nodes • Participation in puppetnets is more dynamic
Overview • Attack Scenarios using Puppetnet • Analysis of attack scenarios • Defense against Puppetnets • Paper Review • Suggestions
DDoS • Sample code (a hidden image whose source is re-pointed at the victim once per second, so every open browser keeps issuing requests):

```html
<script language="javascript">
  setTimeout(pingVictim, 1000);
  function pingVictim() {
    var image1 = document.getElementById("img1");
    image1.src = "http://www.victim.com/badurl.jpg";
    setTimeout(pingVictim, 1000);
  }
</script>
<body>
  <img id="img1" />
</body>
```
Worm Propagation • Embed worm code in the webpage • Perform scanning and try to propagate the worm code • If outbound connections from the server are blocked, the worm can still propagate through the webpage • A client behind a NAT/firewall can propagate it inside the protected network
Reconnaissance probes • Problem : browsers refuse access to the contents of an inline frame unless the source of the frame is in the same domain as the parent page • “Sandwich” the probe request between two requests to the malicious web site, using onLoad/onError event handlers to sandwich the request
Protocols other than HTTP • Limitation of puppetnets : bound to HTTP, since the browser issues the requests • Solution : tunnel SMTP/IRC/FTP, etc. – protocol messages wrapped inside the HTTP message, e.g. for SMTP: GET /index.html HTTP/1.1 / Host: www.example.com:25 / HELO mydomain.com …
Exploiting cookie-authenticated services Constraints : • The inline frame needs to be able to post cookies; this works on Firefox, but not IE • Have knowledge of the structure and content of the form to be posted, as well as the target URL • Be able to instruct browsers to automatically post such forms (supported by all browsers)
Distributed malicious computations • Can be done through JavaScript, ActiveX or Java applets • ActiveX : produces an ‘Accept’ or ‘Deny’ box • Applets : instantiate the JVM – but can be placed in hidden frames • Script : slower, but can be hidden • Example : MD5 computation • JavaScript : 380 checksums/sec • Applet : 434K checksums/sec • A 1,000-node puppetnet can crack an MD5 hash as fast as a 128-node cluster
Analysis - DDoS • Two types of attacks: • A simple attack aiming to maximize SYN packets (maxSYN) • One aiming to maximize the ingress bandwidth consumed (maxURL)
Analysis - DDoS • Estimates for a 1000-node puppetnet (table figures not included in this transcript)
Analysis – Worm Propagation: CodeRed Worm • CodeRed attacks the IIS server (web server) • A vulnerable population of 360,000 and a server scanning rate of 358 scans/min • Browsers performing 36 scans/min
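To see what the two scanning rates on this slide mean for propagation speed, here is an added example (not the paper's own analysis code) of the standard random-scanning worm model: each infected host sends a fixed number of probes per minute to uniformly random IPv4 addresses, and a probe reaches a vulnerable, still-uninfected host with probability (N − I)/2^32. It uses the slide's numbers (N = 360,000; 358 scans/min for the IIS server, 36 scans/min for a browser) and assumes, as a simplification, that every infected host contributes scanning at the given rate; in the paper's scenario the browsers scan on behalf of infected servers, so the effective rate per server scales with its visitor count.

```javascript
// Added example (not from the paper or the presentation): deterministic
// random-scanning worm model comparing the CodeRed figures on the slide.
const ADDRESS_SPACE = 2 ** 32;

// Minutes until `fraction` of the vulnerable population is infected, stepping
// the logistic growth one minute at a time from `initialInfected` hosts.
function minutesToFraction(scansPerMin, vulnerable, fraction, initialInfected = 1, maxMinutes = 1e6) {
  let infected = initialInfected;
  let minute = 0;
  while (infected < fraction * vulnerable) {
    // Expected new infections this minute: probes * hit probability.
    const newInfections = scansPerMin * infected * (vulnerable - infected) / ADDRESS_SPACE;
    infected += newInfections;
    minute += 1;
    if (minute > maxMinutes) return Infinity; // growth too slow to matter
  }
  return minute;
}

// Slide figures: 360,000 vulnerable hosts, 358 scans/min (server) vs 36 (browser).
function compareScanRates(vulnerable = 360000, fraction = 0.5) {
  const serverMinutes = minutesToFraction(358, vulnerable, fraction);
  const browserMinutes = minutesToFraction(36, vulnerable, fraction);
  return { serverMinutes, browserMinutes, slowdown: browserMinutes / serverMinutes };
}

console.log(compareScanRates());
```

The per-minute growth rate in the early phase is scansPerMin × N / 2^32, about 0.03 for the server rate and 0.003 for the browser rate, so a browser-scanned worm takes roughly ten times longer to reach the same fraction of the population; the model shows why the paper measures the puppetnet's aggregate scanning rather than a single browser's.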
Defense • Disabling JavaScript • Careful implementation of existing defenses • Filtering using attack signatures • Client-side behavioral controls • Server-side controls and puppetnet tracing • Server-directed client-side controls
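The "server-side controls and puppetnet tracing" item is the one a site operator can act on from their own logs: the DDoS sample earlier makes every puppet fetch the same resource on the victim, and the browsers send a Referer header naming the page that embeds the attack code. The following added example (not from the paper or the presentation) parses constructed access-log lines in a common log format and reports foreign referring pages that drive many distinct client addresses at one path, which is both a detection signal and the trace back to the puppet-master page. The log lines, the host names and the threshold are this example's assumptions.

```javascript
// Added example (not from the paper or the presentation): server-side
// puppetnet tracing over access-log lines. Constructed sample: four clients
// repeatedly fetch a missing image on behalf of one third-party page, plus
// ordinary traffic that must not be flagged.
const SAMPLE_LOG = [
  '10.0.0.1 - - [12/Oct/2006:10:00:01 +0000] "GET /badurl.jpg HTTP/1.1" 404 "http://puppet-master.example/index.html"',
  '10.0.0.2 - - [12/Oct/2006:10:00:01 +0000] "GET /badurl.jpg HTTP/1.1" 404 "http://puppet-master.example/index.html"',
  '10.0.0.3 - - [12/Oct/2006:10:00:02 +0000] "GET /badurl.jpg HTTP/1.1" 404 "http://puppet-master.example/index.html"',
  '10.0.0.4 - - [12/Oct/2006:10:00:02 +0000] "GET /badurl.jpg HTTP/1.1" 404 "http://puppet-master.example/index.html"',
  '10.0.0.1 - - [12/Oct/2006:10:00:02 +0000] "GET /badurl.jpg HTTP/1.1" 404 "http://puppet-master.example/index.html"',
  '10.0.0.2 - - [12/Oct/2006:10:00:03 +0000] "GET /badurl.jpg HTTP/1.1" 404 "http://puppet-master.example/index.html"',
  '10.0.0.9 - - [12/Oct/2006:10:00:03 +0000] "GET /index.html HTTP/1.1" 200 "-"',
  '10.0.0.9 - - [12/Oct/2006:10:00:04 +0000] "GET /logo.png HTTP/1.1" 200 "http://www.victim.com/index.html"',
  '10.0.0.10 - - [12/Oct/2006:10:00:04 +0000] "GET /logo.png HTTP/1.1" 200 "http://partner.example/links.html"',
];

// ip ident user [timestamp] "METHOD PATH PROTO" status "referer"
const LOG_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3}) "([^"]*)"$/;

function parseLine(line) {
  const m = LOG_RE.exec(line);
  if (!m) return null; // malformed lines are skipped, not guessed at
  return { ip: m[1], time: m[2], method: m[3], path: m[4], status: Number(m[5]), referer: m[6] };
}

function hostOf(urlString) {
  try { return new URL(urlString).host; } catch (e) { return null; } // "-" and junk -> null
}

// Group requests by (referring host, requested path) and count distinct clients.
function groupByReferer(lines, ownHost) {
  const groups = new Map();
  for (const line of lines) {
    const rec = parseLine(line);
    if (!rec) continue;
    const host = hostOf(rec.referer);
    if (!host || host === ownHost) continue; // own pages and absent referers are normal
    const key = host + '|' + rec.path;
    let g = groups.get(key);
    if (!g) {
      g = { refererHost: host, path: rec.path, clients: new Set(), requests: 0, notFound: 0 };
      groups.set(key, g);
    }
    g.clients.add(rec.ip);
    g.requests += 1;
    if (rec.status === 404) g.notFound += 1;
  }
  return groups;
}

// Foreign pages that steer at least `minClients` distinct addresses at one path,
// most clients first. A high 404 share is the DDoS sample's signature exactly.
function suspiciousReferers(lines, ownHost, minClients) {
  return [...groupByReferer(lines, ownHost).values()]
    .filter((g) => g.clients.size >= minClients)
    .map((g) => ({ refererHost: g.refererHost, path: g.path, distinctClients: g.clients.size, requests: g.requests, notFound: g.notFound }))
    .sort((a, b) => b.distinctClients - a.distinctClients);
}

console.log(suspiciousReferers(SAMPLE_LOG, 'www.victim.com', 3));
```

In production the same grouping runs over a sliding time window, and the threshold is set from the site's normal distinct-client count per referring page; the referring host in a hit is the page to take down or block, which is what "puppetnet tracing" on the slide refers to.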
Advantages • Simple and very effective attack • Lightweight compared to a botnet • Uses HTTP, which makes detection difficult
Disadvantages • No complete control over client • Tough to compromise web servers (not explained how to do it in the paper) • View Source Command on HTML page will reveal puppetnet code
Suggestions • Look into hiding the code using encoding, or embedding the code in objects like Flash • Use the puppetnet to create a botnet on the client machine • Provide ideas on compromising the web server