Botnet Resistant Coding Protecting your users from script kiddies By Fabian Rothschild and Peter Greko.

Botnet Resistant Coding
Protecting your users from script kiddies
By Fabian Rothschild and Peter Greko
DISCLAIMER
This is not intended to teach people how to use malicious tools. This serves to raise awareness of their existence, functions and ways around them.
No criminals or webservers were harmed during the making of this presentation.
About
• Brief explanation of Botnets, in particular the Zeus Trojan.
• Psychology behind a typical Botmaster.
• HTTP Basics
• Methods of mitigation
Botnet Infection Rates
400% of all computers are infected with malware
Mostly from PR0N…...
Zeus: How does it work?
Zeus will collect logins, passwords, cookies, VIEWSTATE parameters, and virtually everything else passed in a POST request.
Infected machines communicate with a command and control (C&C) web application via HTTP POST using RC4 encryption.
Malicious DLLs hook the web browser; reports are entered into a SQL database and .txt files that contain logs of activity on infected machines.
Command and control (C&C) is a user-friendly PHP web app that runs on any LAMP server.
Zeus: How does it work?
Propagation
• Spam, phishing
• P2P warez
• Exploit packs on malicious and unsuspecting websites
• Social engineering (fake codecs)
• Other methods not mentioned here
Zeus: How does it work?
Payload & Infection
• Injects into services.exe, invisible to task manager
• Configuration resides in hidden folders via rootkit techniques
• Very low detection rate by AV (due to crypters, packers, and new variants)
Zeus: How does it work?
Lifecycle
• Setup: web exploits, pirated software, malicious PDFs
• Exploit / Trojan deployment
• Infection of executable
• Encrypted POST logging
• POST logs in database
• Parsing database for financial data
• Usage of data
• Transmission back to CnC server
Zeus Control Panel
Primary tool used by botmasters to harvest credentials.
Sample Report File
[Figure: screenshot of a Zeus report file with columns Bot ID, Name, Operating System]
This one is from Canada.
OOOH Paypal.com!! Time for some exchange/cashout services.
Sample Report File (continued)
Well I need this email and password.
First and Last name is always good.
GET THAT CVV!!!!!!!
The rest of that addy, and we are good to go.
Psychology of a Botmaster
• Low technical skill
• Impatient with harvesting credentials
• Sometimes relies on others to setup the botnet and exploit kits
Psychology of a Botmaster
The botmaster's customers purchase the following data (most likely from botnet logs):
• Carder: credit card numbers
• Extorter: corporate admin and employee logins
• Guarantor: services, money
• Pornographer: Facebook logins
• Spammer: email logins
Harvested Accounts [screenshot]
More Harvested Accounts [screenshot]
HTTP Basics
What is a GET request?
Client computer sends an HTTP GET request to the web server; the web server sends the web page back; the client displays the page to the user.
HTTP Basics
What is a POST request?
The form page is loaded on the client computer; the client sends an HTTP POST request carrying the POST parameters to the web server; the web server sends a web page back; the client displays the page to the user.
Methods of Mitigation
Basic
• Quick methods that can be changed in the FORM sections
Medium
• JavaScript methods of POST data obfuscation
Hard
• Added elements of JavaScript and server side sessioning
Nightmare
• Symmetric encryption
Server Load
[Figure: server load gauge shown on each mitigation slide, rated light, medium or heavy]
Methods of Mitigation: BASIC
• Obfuscation of variable names
• Extraneous hidden post parameters
Methods of Mitigation: BASIC
Obfuscation of Form variable names
• Typical Botmasters search their logs for phrases that are easily recognizable.
"Thanks for showing me exactly where it is, I will get this sold in no time."
Methods of Mitigation: BASIC
Hidden form fields:
• Are transparent to the user
• Can send false information
• Fill up logs with useless data
Place useless data here:
<input type="hidden" name="access level" value="administrator">
HTML     Explanation           Example
name=    Name of the field.    name="access level"
value=   Value of the field.   value="administrator"
Methods of Mitigation: BASIC
Example of hidden input code:
<form method="post" action="super.php">
  <!-- extra data: decoy hidden fields that are sent but never used by the server -->
  <input name="extra data" type="hidden"
         value="23948572394857293457023948572905482-398542-9854750293847502938475"/>
  <br/>
  <br/>
  Account number: <input name="real account data" type="text" />
  <br/>
  <br/>
  <input name="extra data" type="hidden"
         value="23948572394857293457023948572905482-398542-98549750293847502938475"/>
  <input type="submit" value="submit" />
</form>
Methods of Mitigation: BASIC
Example of HTML page [screenshot]
POST request output [screenshot], showing the extraneous POST parameters.
Methods of Mitigation: Medium
• All basic methods are valid.
• Prefixing or postfixing data for posts via client side JavaScript.
• Post parameter obfuscation with regex replacement methods.
Methods of Mitigation: Medium
The form page is loaded on the client computer. On submit, JavaScript runs the data mangling function, creates the hidden parameter, and blanks the original form input value; the HTTP POST request then goes to the web server, where server-side code runs the de-mangling function.
Methods of Mitigation: Medium
Prefixing and Postfixing parameters in JavaScript (data mangling functions):
// Append a fixed string after the real value
function postfix(param)
{
  var extra = "0000";
  return param + extra;
}
// Put a fixed string in front of the real value
function prefix(param)
{
  var extra = "0000";
  return extra + param;
}
Methods of Mitigation: Medium
Regex replacement parameters in JavaScript:
function mangle(data)
{
  // Regular expression replacement of 5 and 2
  var RegExp1 = /5/gi;
  var RegExp2 = /2/gi;
  // 5 will be replaced with #
  var replacement1 = "#";
  // 2 will be replaced with %
  var replacement2 = "%";
  data = data.replace(RegExp1, replacement1);
  return data.replace(RegExp2, replacement2);
}
Methods of Mitigation: Medium
JavaScript function that sends the value as a hidden parameter:
function change_post()
{
  var Form = document.getElementById('Form');
  // Create a hidden input that carries the output of the data mangling function
  var text1 = document.createElement("input");
  text1.type = "hidden";
  text1.name = "changed1";
  text1.value = mangle(document.getElementById('cc_number').value);
  Form.appendChild(text1);
  // Set the original input value to useless data
  document.getElementById('cc_number').value = "+++++";
}
Form submit button invokes the JavaScript function from onclick, so the function runs at the click of the submit button:
<input name="Submit1" type="submit" value="submit" onclick="change_post();" />
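The slides show the client-side mangling but only name the server-side de-mangling function. This added example (not the presenters' code) carries the "Medium" round trip through both ends, with the server half written in JavaScript for illustration since the presentation's server is PHP: the 5 to # and 2 to % substitution is only reversible because the account number is digits-only, so the client refuses input that already contains the replacement characters and the server validates the alphabet and padding before trusting the value.

```javascript
// Added example (not from the slides): round trip of the "Medium" mitigations.
// Client side: the fixed prefix/postfix padding plus the 5->#, 2->% regex mangle.
// Server side: the inverse, written in JavaScript for illustration (the
// presentation's server code is PHP).
var PAD = "0000";   // the slides' prefix/postfix value

function mangleForPost(accountNumber) {
  // The substitution is only reversible if the original can never contain the
  // replacement characters, so refuse anything that is not digits only.
  if (!/^[0-9]+$/.test(accountNumber)) {
    throw new Error("account number must be digits only");
  }
  var padded = PAD + accountNumber + PAD;          // prefix() then postfix()
  return padded.replace(/5/g, "#").replace(/2/g, "%");
}

function demangleOnServer(posted) {
  // Anything outside the mangled alphabet (digits, # and %) is not our own
  // submission, so it is dropped rather than parsed.
  if (!/^[0-9#%]+$/.test(posted)) return null;
  var restored = posted.replace(/#/g, "5").replace(/%/g, "2");
  if (restored.length <= 2 * PAD.length ||
      restored.slice(0, PAD.length) !== PAD ||
      restored.slice(-PAD.length) !== PAD) return null;   // padding missing
  return restored.slice(PAD.length, -PAD.length);
}

// Constructed sample: a test number, not a real card number.
var sampleWire = mangleForPost("4111111111115222");   // "0000411111111111#%%%0000"
var sampleBack = demangleOnServer(sampleWire);        // "4111111111115222"
```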
Methods of Mitigation: Hard
• All basic and medium methods
• Base64 Encoding
• Concatenation and tokenization
• AJAX POST responses of fake data to fill logs
Base64 Encoding/Decoding
Base64 encoding is a method of sending arbitrary data over a medium that is designed for text data only.
On the client computer, the POST data goes through a JavaScript Base64 function before the HTTPS POST request; the web server runs a server side Base64 decode function.
EXAMPLE
Plain text: Hackmiami.org
Encoded: SGFja21pYW1pLm9yZw==
Web Server Sessions
The client computer sends an HTTPS POST login request to the web server, where the login credentials are checked. NO: login failure. YES: a session ID is created, variables are associated with the session ID, and the server replies with Set-Cookie so that the cookie value contains the session ID.
Methods of Mitigation: Hard
HTML page with input parameters without <form> tags, and a regular HTML button with an OnClick JavaScript function.
• OnClick JavaScript function creates a hidden form and concatenates all input tags to one long string with a delimiter.
• Hidden form field is used for the concatenated value and then Base64 encoded.
• The hidden form is then submitted as a POST.
Methods of Mitigation: Hard
Concatenation of Form Variables JavaScript Example:
function submit ()
{
  // Input parameters, read from the obfuscated input ids
  var c1 = document.getElementById("kksk").value;
  // [ALL OTHER PARAMETERS]
  var c4 = document.getElementById("zzsz").value;
  var concat = c1 + "|" + c2 + "|" + c3 + "|" + c4;
  // Create form element
  var newform = document.createElement("form");
  newform.setAttribute("name","newform");
  newform.setAttribute("method","post");
  newform.setAttribute("id","newform");
  newform.setAttribute("action","http://www.fake.com/super.php");
  // Create hidden form element and attach it to the new form
  var text1 = document.createElement("input");
  text1.type = "hidden";
  text1.name = "concat";
  text1.value = concat;
  newform.appendChild(text1);
  document.getElementById('main').appendChild(newform);
  // Submit new form element
  document.newform.submit();
}
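The slides show the client building the delimited string but not how the server splits it again. This added example (not the presenters' code) gives the client-side builder and a server-side decoder, written in JavaScript for illustration since the presentation's server is PHP; the field order, the "|" delimiter and the input ids other than kksk and zzsz are assumptions. It also handles the two cases the slides' version does not: a value that itself contains the delimiter, and non-Latin-1 input that btoa() refuses.

```javascript
// Added example (not from the slides): the "Hard" concatenate-and-Base64 step
// with its server-side inverse. FIELD_ORDER and the "|" delimiter are
// assumptions; both ends must agree on them. btoa/atob fallbacks use Buffer
// so the block also runs on older Node without the browser globals.
var FIELD_ORDER = ["kksk", "ccdd", "eexx", "zzsz"];   // obfuscated input ids
var b64encode = typeof btoa === "function" ? btoa :
  function (s) { return Buffer.from(s, "latin1").toString("base64"); };
var b64decode = typeof atob === "function" ? atob :
  function (s) { return Buffer.from(s, "base64").toString("latin1"); };

// Client: percent-encode each value first so a "|" inside a value and any
// non-Latin-1 character survive both the join and the Base64 step.
function buildConcat(values) {
  var parts = FIELD_ORDER.map(function (id) {
    if (!(id in values)) throw new Error("missing field " + id);
    return encodeURIComponent(values[id]);   // "|" becomes %7C
  });
  return b64encode(parts.join("|"));         // value of the hidden "concat" input
}

// Server (shown in JavaScript): decode, split, map back to field ids.
// Returns null for anything that is not our own submission, so a malformed
// or replayed POST is dropped rather than parsed.
function parseConcat(posted) {
  var joined;
  try { joined = b64decode(posted); } catch (e) { return null; }
  var parts = joined.split("|");
  if (parts.length !== FIELD_ORDER.length) return null;
  var out = {};
  for (var i = 0; i < parts.length; i++) {
    try { out[FIELD_ORDER[i]] = decodeURIComponent(parts[i]); }
    catch (e) { return null; }                // malformed percent-encoding
  }
  return out;
}

// Constructed sample input: a name containing the delimiter, a test card
// number (not a real one), and a non-Latin-1 value.
var sampleFields = { kksk: "Jos\u00e9|Mar\u00eda", ccdd: "4111111111111111",
                     eexx: "12/30", zzsz: "\u4e2d\u6587" };
var hiddenValue = buildConcat(sampleFields);
var recovered = parseConcat(hiddenValue);    // same fields as sampleFields
```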
Methods of Mitigation: Hard
AJAX intermittent POST Request
On the client computer, the HTML form page runs a client side AJAX function that sends AJAX POST requests with useless data, tagged with a random number assigned by the client that is ignored by the server. On submit click, the real POST request with data carries the identifier number assigned by the server, which the server keeps in a session variable (Parameter Number).
Methods of Mitigation: Hard
AJAX False data POST JavaScript Example:
// Function takes in URL and parameters and sends them as an AJAX POST
function post(url, params)
{
  // AJAX request setup
  var http = new XMLHttpRequest();
  http.open("POST", url, true);
  http.setRequestHeader("Content-type", "application/x-www-form-urlencoded");
  // Content-Length and Connection are set by the browser; script cannot override them
  // Send AJAX request as a POST
  http.send(params);
}
Methods of Mitigation: Hard
AJAX False data POST JavaScript Example:
// Helper assumed by the slide (not shown there): returns a random 16 digit number as a string
function randCC() { var d = ""; for (var i = 0; i < 16; i++) d += Math.floor(Math.random() * 10); return d; }
// Helper assumed by the slide (not shown there): random delay in ms before the next fake post
function timerRandInt() { return 1000 + Math.floor(Math.random() * 9000); }
function fakeposter()
{
  var params = "";
  params += "name=" + randCC() + "&";
  params += "phone=" + randCC() + "&";
  // Base64 encode the fake data and send it with the post() function from the previous slide
  post("index.php", encodeURIComponent(btoa(params)));
  // Schedule the next fake post after a random interval
  setTimeout(fakeposter, timerRandInt());
}
Methods of Mitigation: Nightmare
• All other methods
• RC4 encryption with rotating keys
RC4 Encryption
The HTML form page on the client computer carries JavaScript with the symmetrical RC4 key (THIS IS NOT IN THE POST LOGGED DATA). On submit click, the client sends an RC4 encrypted POST request to the web server.
Really useful without a key, suck it, loser!!
Methods of Mitigation: Nightmare
RC4 Encryption JavaScript Function
function rc4Encrypt(key, pt)
{
  // Key scheduling: initialise the state array and swap it around using the key
  var s = new Array();
  for (var i = 0; i < 256; i++)
  {
    s[i] = i;
  }
  var j = 0;
  var x;
  for (i = 0; i < 256; i++)
  {
    j = (j + s[i] + key.charCodeAt(i % key.length)) % 256;
    x = s[i];
    s[i] = s[j];
    s[j] = x;
  }
  // Keystream generation: XOR each plaintext character with the next keystream byte
  i = 0;
  j = 0;
  var ct = '';
  for (var y = 0; y < pt.length; y++)
  {
    i = (i + 1) % 256;
    j = (j + s[i]) % 256;
    x = s[i];
    s[i] = s[j];
    s[j] = x;
    ct += String.fromCharCode(pt.charCodeAt(y) ^ s[(s[i] + s[j]) % 256]);
  }
  return ct;
}
Yeah if you can read that, your eyes are good.
Conclusion
Botnet resistant coding
• These examples do not prevent identity theft; they just make it harder for identity theft to happen to your customers.
Botmaster on vacation
Hey, crazy girl, come over here.
DEMO
Questions?