Puppetnets: Misusing Web Browsers as a Distributed Attack Infrastructure Paper By : V.T.Lam, S.Antonatos, P.Akritidis, K.G.Anagnostakis Conference : ACM Conference on Computer and Communications Security 2006 Presented By : Ramanarayanan Ramani

Scenario Attacker 1.Compromise 2.Embed Malicious Code in Webpage 3.Clients Access Webpage and execute malicious code Clients are the Puppets – they can be controlled till they have the webpage open in the browser.

Puppetnet vs Botnet  Not heavily dependent on the exploitation of specific implementation flaws  The attacker does not have complete control over the actions of the participating nodes  Participation in puppetnets is more dynamic

Overview  Attack Scenarios using Puppetnet  Analysis of attack scenarios  Defense against Puppetnets  Paper Review  Suggestions

DDoS (Distributed Denial of Service)

DDoS  Sample Code : setTimeout(pingVictim,1000); Function pingVictim() { var image1 = getElementById(‘img1’); image1.src = “ setTimeout(pingVictim,1000); }

Worm Propagation

 Embed Worm Code in the Webpage  Perform scanning and try to propagate the worm code  If outbound from server blocked – it can propagate using webpage  Client behind NAT/Firewall can propagate in the secure network

Reconnaissance probes

 Problem : Browsers refuse access to the contents of an inline frame, unless the source of the frame is in the same domain with the parent page  “Sandwich” the probe request between two requests to the malicious Web site Use onLoad,onError event handlers to sandwich request

Protocols other than HTTP  Limitation of Puppetnets : Bound to use HTTP as part of browser Solution :  Tunnel SMTP/IRC/FTP..  Protocol messages wrapped around the HTTP message GET /index.html HTTP/1.1 Host: HELO mydomain.com … (For SMTP)

Exploiting cookie authenticated services Constraints :  The inline frame needs to be able to post cookies; this works on Firefox, but not IE  Have knowledge about the structure and content of the form to be posted, as well as the target URL  Able to instruct browsers to automatically post such forms (Supported by all browsers)

Distributed malicious computations  Can be done through Javascript, Active-X or Java applets  ActiveX : Produces ‘Accept’ or ‘Deny’ box  Applets : Instantiate JVM – but can be placed in hidden frames  Script : Slower but can be hidden  Example : MD5 computation  Javascript : 380 checksums/sec  Applet : 434K checksums/sec  1,000-node puppetnet can crack an MD5 hash as fast as a 128-node cluster

Analysis - DDoS

Two types of attacks: A simple attack aiming to maximize SYN packets (maxSYN) One aiming to maximize the ingress bandwidth consumed (maxURL)

Analysis - DDoS * Estimate for a 1000-node puppetnet

Analysis – Worm Propagation CodeRed Worm CodeRed attacks IIS server (Web Server) A vulnerable population of 360,000 and a server scanning rate of 358 scans/min Browsers performing 36 scans/min

Analysis – Worm Propagation CodeRed Worm

Analysis - Reconnaissance probes

Defense  Disabling Javascript  Careful implementation of existing defenses  Filtering using attack signatures  Client-side behavioral controls  Server-side controls and puppetnet tracing  Server-directed client-side controls

Advantages  Simple and very effective to attack  Light-weight compared to botnet  Uses HTTP which makes detection difficult

Disadvantages  No complete control over client  Tough to compromise web servers (not explained how to do it in the paper)  View Source Command on HTML page will reveal puppetnet code

Suggestions  Look into hiding code using encoding or embed code into objects like Flash  Use puppetnet to create botnet in the client machine  Provide ideas to compromise the web server

?Questions?