際際滷

際際滷Share a Scribd company logo

2010 za con_ivan_burke

J
Johan Klerk

This document summarizes research into exploiting Google gadgets for malicious purposes. It describes how the researcher was able to build a basic botnet by taking advantage of vulnerabilities in how Google gadgets communicate and access browser data. They were able to perform man-in-the-middle attacks, harvest browser information, set up basic command and control, and create an anonymous browsing gadget. While not a full-fledged botnet, it demonstrated how Google gadgets meet some key requirements for being exploited in this way, like access to data and stealthy communication channels. The document recommends fixes like Google following standard web protocols and consumers blocking certain agents and cleaning browser histories.

1 of 21
Download to read offline
by 油Ivan 油Burke 油from 油DPSS, 油CSIR 油
Overview 油 р Basic 油goals 油of 油a 油Botnet 油 р Basic 油requirements 油for 油a 油Botnet 油 р Event 油that 油spawned 油this 油research 油 р Building 油the 油puzzle 油 р What 油we 油did? 油 р How 油we 油did 油it? 油 р The 油鍖x 油
Basic 油goals 油of 油a 油Botnet 油 р PROFIT 油 р Disruption 油 р Growth 油 р Hide 油in 油the 油masses 油
Requirements 油for 油Botnet 油 р Botnets 油need 油to 油be 油Viral 油 р Access 油to 油valuable 油Data 油or 油services 油 р They 油require 油C2 油to 油communicate 油 р Stealth 油
All 油plausible 油goals 油 р Tools 油exist 油that 油are 油capable 油of 油achieving 油most 油 of 油these 油goals 油to 油some 油extent. 油 р The 油problem 油is 油not 油the 油tools. 油How 油you 油are 油 going 油to 油make 油all 油that 油work 油for 油your 油speci鍖c 油 needs? 油It's 油pretty 油complex 油 油Joe 油Stewart 油 Speaking 油at 油Blackhat 油2008 油
Event 油that 油sparked 油this 油 research 油 SEACOM 油failure 油April 油2010 油
Building 油the 油puzzle 油
Google 油gadget 油FAQ 油section 油 Does 油not 油follow 油standard 油web 油protocol 油 油
Google 油gadget 油FAQ 油section 油 No 油validation 油of 油page 油existence 油 Multiple 油IPs 油and 油locations 油
Google 油gadget 油FAQ 油section 油 Jackpot 油
What 油we 油did 油with 油this 油info 油 р Created 油a 油PoC 油man 油in 油the 油middle 油attack 油 р Harvested 油browser 油info. 油 р Establish 油crude 油C2 油capabilities 油between 油 server 油and 油Gadgets 油 р Attempted 油a 油DDoS, 油settled 油messing 油with 油 AdSense 油stats 油and 油website 油tra鍖c 油generator 油 р Created 油basic 油anonymous 油brows 油gadget 油
How 油did 油we 油do 油this 油 р Man 油in 油the 油middle 油PoC 油 р Gadgets 油are 油iFrames 油no 油address 油bar. 油Easy 油to 油fake 油iFrame 油source 油 by 油obfuscating 油request 油via 油gadget 油makeRequest() 油 р Fetch 油legit 油site 油yet 油replace 油one 油or 油more 油links 油with 油makeRequest() 油to 油 redirect 油to 油malicious 油site 油 р Similar 油 油techniques 油dating 油back 油to 油2004: 油 http://blogs.geekdojo.net/brian/archive/2004/10/14/ googlephishing.aspx 油
Harvest 油Browser 油Info 油 JPort Scanner Browser History (Determin banks used, social network sites used) Other gadget Cookie data
Basic 油C2 油 р Basic 油sending 油and 油receiving 油of 油data 油using 油google 油 servers 油to 油act 油as 油carrier 油to 油hide 油IP 油of 油origin 油and 油 destination 油 р Data 油transfer 油seamless 油thanks 油to 油asynchronous 油 JavaScript 油calls 油 р Open 油ports 油(Javascript 油port 油scanner), 油Browser 油 history(window.history), 油Botnet/DDoS 油instructions 油
DDoS 油attempt 油 р Option 油1: 油 р Set 油refresh 油interval 油to 油Zero 油 р Option 油2: 油 р Request 油鍖ctitious 油sites 油in 油for 油loop 油
Advertisements 油ruin 油everything 油 р Googles 油AdSense 油actually 油causes 油Gadget 油 user 油PC 油to 油freeze 油before 油DDoS 油can 油occur 油 油 р Googles 油AdSense 油triggers 油on 油each 油page 油 request 油 р Now 油the 油question 油arrises 油 油 р Should 油I 油exploit 油this 油for 油money 油 油 油 油or 油 油 р Just 油block 油AdSense 油and 油cause 油DDoS 油
Anonymous 油browsing 油gadget 油 р Quite 油simple 油actually, 油just 油use 油gadget 油to 油 recursively 油replace 油hyperlinks 油with 油 makeURLRequest(); 油 р Hides 油your 油IP 油from 油servers 油allows 油user 油to 油post 油 content 油on 油Web 油2.0 油sites 油without 油having 油their 油 IP 油logged 油
Final 油Gadget 油Structure 油
Does 油Google 油gadgets 油meet 油 requirements 油for 油a 油Botnet 油 р Botnets 油need 油to 油be 油Viral 油 油We 油did 油not 油explicitly 油tackle 油this 油issue 油 as 油Google 油gadgets 油in 油itself 油is 油meant 油to 油be 油viral. 油Easy 油to 油share, 油 Social 油by 油design. 油 財 http://code.google.com/apis/opensocial/articles/ bestprac.html 油 油 р Access 油to 油valuable 油Data 油or 油services 油 油Browser 油History, 油Data 油 contained 油on 油other 油Gadgets, 油Port 油scanning, 油MITM 油info 油 р They 油require 油C2 油to 油communicate 油 油Basic 油communication 油 achieved 油via 油GET 油and 油POST 油 р Stealth 油 油All 油actions 油taken 油are 油done 油by 油Google 油gadget 油server, 油 target 油servers 油logs 油only 油contain 油Gadget 油server 油IP. 油Data 油 transmitted 油via 油HTTP 油hence 油no 油鍖rewall 油alerts 油
The 油Fix 油 р Googles 油side 油 財 Follow 油common 油web 油protocol, 油listen 油to 油Robots.txt 油 財 Prevent/Notify 油users 油of 油gadget 油redirects 油 р Consumer 油side 油 財 Block 油google-足feedfetch 油agent 油 財 Clean 油browser 油history 油regularly 油 財 Better 油education 油about 油the 油risks 油
Questions 油

More Related Content

2010 za con_ivan_burke

  • 1. by 油Ivan 油Burke 油from 油DPSS, 油CSIR 油
  • 2. Overview 油 р Basic 油goals 油of 油a 油Botnet 油 р Basic 油requirements 油for 油a 油Botnet 油 р Event 油that 油spawned 油this 油research 油 р Building 油the 油puzzle 油 р What 油we 油did? 油 р How 油we 油did 油it? 油 р The 油鍖x 油
  • 3. Basic 油goals 油of 油a 油Botnet 油 р PROFIT 油 р Disruption 油 р Growth 油 р Hide 油in 油the 油masses 油
  • 4. Requirements 油for 油Botnet 油 р Botnets 油need 油to 油be 油Viral 油 р Access 油to 油valuable 油Data 油or 油services 油 р They 油require 油C2 油to 油communicate 油 р Stealth 油
  • 5. All 油plausible 油goals 油 р Tools 油exist 油that 油are 油capable 油of 油achieving 油most 油 of 油these 油goals 油to 油some 油extent. 油 р The 油problem 油is 油not 油the 油tools. 油How 油you 油are 油 going 油to 油make 油all 油that 油work 油for 油your 油speci鍖c 油 needs? 油It's 油pretty 油complex 油 油Joe 油Stewart 油 Speaking 油at 油Blackhat 油2008 油
  • 6. Event 油that 油sparked 油this 油 research 油 SEACOM 油failure 油April 油2010 油
  • 8. Google 油gadget 油FAQ 油section 油 Does 油not 油follow 油standard 油web 油protocol 油 油
  • 9. Google 油gadget 油FAQ 油section 油 No 油validation 油of 油page 油existence 油 Multiple 油IPs 油and 油locations 油
  • 10. Google 油gadget 油FAQ 油section 油 Jackpot 油
  • 11. What 油we 油did 油with 油this 油info 油 р Created 油a 油PoC 油man 油in 油the 油middle 油attack 油 р Harvested 油browser 油info. 油 р Establish 油crude 油C2 油capabilities 油between 油 server 油and 油Gadgets 油 р Attempted 油a 油DDoS, 油settled 油messing 油with 油 AdSense 油stats 油and 油website 油tra鍖c 油generator 油 р Created 油basic 油anonymous 油brows 油gadget 油
  • 12. How 油did 油we 油do 油this 油 р Man 油in 油the 油middle 油PoC 油 р Gadgets 油are 油iFrames 油no 油address 油bar. 油Easy 油to 油fake 油iFrame 油source 油 by 油obfuscating 油request 油via 油gadget 油makeRequest() 油 р Fetch 油legit 油site 油yet 油replace 油one 油or 油more 油links 油with 油makeRequest() 油to 油 redirect 油to 油malicious 油site 油 р Similar 油 油techniques 油dating 油back 油to 油2004: 油 http://blogs.geekdojo.net/brian/archive/2004/10/14/ googlephishing.aspx 油
  • 13. Harvest 油Browser 油Info 油 JPort Scanner Browser History (Determin banks used, social network sites used) Other gadget Cookie data
  • 14. Basic 油C2 油 р Basic 油sending 油and 油receiving 油of 油data 油using 油google 油 servers 油to 油act 油as 油carrier 油to 油hide 油IP 油of 油origin 油and 油 destination 油 р Data 油transfer 油seamless 油thanks 油to 油asynchronous 油 JavaScript 油calls 油 р Open 油ports 油(Javascript 油port 油scanner), 油Browser 油 history(window.history), 油Botnet/DDoS 油instructions 油
  • 15. DDoS 油attempt 油 р Option 油1: 油 р Set 油refresh 油interval 油to 油Zero 油 р Option 油2: 油 р Request 油鍖ctitious 油sites 油in 油for 油loop 油
  • 16. Advertisements 油ruin 油everything 油 р Googles 油AdSense 油actually 油causes 油Gadget 油 user 油PC 油to 油freeze 油before 油DDoS 油can 油occur 油 油 р Googles 油AdSense 油triggers 油on 油each 油page 油 request 油 р Now 油the 油question 油arrises 油 油 р Should 油I 油exploit 油this 油for 油money 油 油 油 油or 油 油 р Just 油block 油AdSense 油and 油cause 油DDoS 油
  • 17. Anonymous 油browsing 油gadget 油 р Quite 油simple 油actually, 油just 油use 油gadget 油to 油 recursively 油replace 油hyperlinks 油with 油 makeURLRequest(); 油 р Hides 油your 油IP 油from 油servers 油allows 油user 油to 油post 油 content 油on 油Web 油2.0 油sites 油without 油having 油their 油 IP 油logged 油
  • 19. Does 油Google 油gadgets 油meet 油 requirements 油for 油a 油Botnet 油 р Botnets 油need 油to 油be 油Viral 油 油We 油did 油not 油explicitly 油tackle 油this 油issue 油 as 油Google 油gadgets 油in 油itself 油is 油meant 油to 油be 油viral. 油Easy 油to 油share, 油 Social 油by 油design. 油 財 http://code.google.com/apis/opensocial/articles/ bestprac.html 油 油 р Access 油to 油valuable 油Data 油or 油services 油 油Browser 油History, 油Data 油 contained 油on 油other 油Gadgets, 油Port 油scanning, 油MITM 油info 油 р They 油require 油C2 油to 油communicate 油 油Basic 油communication 油 achieved 油via 油GET 油and 油POST 油 р Stealth 油 油All 油actions 油taken 油are 油done 油by 油Google 油gadget 油server, 油 target 油servers 油logs 油only 油contain 油Gadget 油server 油IP. 油Data 油 transmitted 油via 油HTTP 油hence 油no 油鍖rewall 油alerts 油
  • 20. The 油Fix 油 р Googles 油side 油 財 Follow 油common 油web 油protocol, 油listen 油to 油Robots.txt 油 財 Prevent/Notify 油users 油of 油gadget 油redirects 油 р Consumer 油side 油 財 Block 油google-足feedfetch 油agent 油 財 Clean 油browser 油history 油regularly 油 財 Better 油education 油about 油the 油risks 油