Owning Bad Guys and Mafia with JavaScript Botnets 2: Creating a JavaScript Botnet from Scratch

Having rejected several overly complicated tactics, Chema Alonso and his colleagues came up with a fairly simple yet effective method for building the botnet used in their study, which is described in detail in this part of the presentation.

Taking advantage of TOR nodes

Another idea that we thought might work in our case is just to do cache poisoning. The problem is that we needed to configure this on the Internet, and it’s quite complicated as you want to infect a lot of bots on the network. So, we were thinking about how to make it easy, and we came up with the following: the idea is how to create a JavaScript botnet from scratch, and it’s quite simple.

We were detected

First of all, we thought about the TOR nodes. The idea with TOR nodes is quite simple: if you are the last one on the line, you will be able to access all the content, you will be able to intercept all the communication. The problem when we tried to create the rogue TOR node was that they are using some security tests to discover who is modifying the DNS responses, who is serving some special files, and so on. And we got detected (see image to the left). So we thought: “Well, it’s too complicated, we need to detect when they are sending their test and create an interception for the test – too difficult, we are Spaniards.”

It doesn’t take a rocket scientist to create a proxy

The next thing that we did was just create a proxy. Creating a proxy is quite simple, because a proxy is not a big infrastructure like the TOR network, in which everyone is connected. A proxy server is a standalone server that people decide to connect to.

So, the idea is that if you read all the manuals online about how to be anonymous, the first thing is: “Connect to any proxy server on the Internet.” We thought: “Hey, it’s very interesting, because it’s a man-in-the-middle scheme.” So, if we are a proxy server on the Internet and people decide to connect to the Internet through our proxy server, we will be able to collect all data and infect all browsers. So, we did it.

Rent the 'right' server

The first thing we needed to do was just rent a server on the Internet; of course you have to be careful about what kind of server you are going to use. Don’t use any Pirate Bay server, not one in Amazon – remember what happened to WikiLeaks – and not in Megaupload. It’s better to select any country in which there are no laws. So, we were renting servers in Iraq, Afghanistan, Kazakhstan, Spain.

Then, once you rent your server, you only need to configure something that is very simple – Apache web server and SQUID proxy. And the idea is that with this server we were going to infect all JavaScript files with one small piece of code – two lines only.

Configuring SQUID proxy for the test

So, when the user connects to our proxy server we go to the website, we go to the response page, and the response page has a JavaScript file (see scheme). Then we retrieve the original JavaScript. Then we add only two lines to load the new payload. We didn’t want to use a payload that is very well known on the Internet, like BeEF, so we just coded two lines and installed those two lines in all JavaScript files that were across our proxy server.

So, in the end all you need to do is this: first of all, we created a rewrite program to add those lines of code and configured this as the rewrite option in SQUID proxy; and then we added the ‘no expiration’ policy in Apache, because once we infected a JavaScript file in a web browser, we wanted to be there forever.

Sending infected JavaScript to a client

Then, the code that we needed to create is just this (see image): it’s PerlScript, as you can see, and the only thing that we are doing is retrieving the file using Wget; we copied it to our file system, and then we added the pasarela.js file to the JavaScript. And then, of course, we sent the new JavaScript to the client using Print. It’s a very small piece of code, it’s full of common injection vulnerabilities, but it works.

Running payload to infect JavaScript files

The JavaScript is just this: it’s a small piece of code, and we’re just connecting to the control panel, and the only check that we do is whether we are running only one instance of the payload in every tab – so simple.

And of course, we didn’t want to do anything bad to the good people, so we created a special warning notice on the webpage of our server saying the following: “This proxy server is being used for security research. All JavaScript files will be infected and all your data will be collected. If you want to be safe, don’t use this proxy server. If you do that, don’t send sensitive information. If after all you continue, do it at your own risk.” So, if you don’t want to lose your passwords, if you don’t want to be infected – don’t use our proxy. That’s quite simple; it’s a good security policy. Actually, in the army you get the same security policy: “Warning! The following unsecured FTP site is for temporary uploading and downloading of files for official government use only. Any other use is unauthorized. Use of this unsecured FTP site is at your own risk.” This is a web page from Army.mil; it’s basically the same security policy, so it’s legal.

Adding proxy to the database

So, the next thing we needed to do was just make our proxy server public, so we copied our IP address and published the IP address on a proxy server list – as you can see, XPROXY – and then just let the Internet do its magic, and in a few days we had 1110 different results for our IP address, because all proxy server lists copy each other. So, if you publish your IP address in one proxy server list, they copy the same IP address to all proxy server lists, which is funny, because in one day you can have a lot of bots.

Cookie stealing

The next thing we did was just create a small piece of payload. The first one is cookie stealing – we were running our JavaScript inside the page, we didn’t want to deal with HTTPS connections, we didn’t want to deal with secure cookies, we didn’t want to deal with HttpOnly cookies, so we just copied the normal cookies, the unsecured cookies, and sent the cookies to our control panel just using a GET request.

Stealing all form fields

Then we created a small payload to grab all form fields (see image). The idea is that we hook the Submit function, copy all information in the fields, and send the fields’ values to our control panel – and that’s all, just enjoy. Doing this in just one single day, we were able to get 5000 bots, which is not bad – no pay-per-install, no special polymorphic malware – just publishing one IP address on the Internet. We are from Spain, you know.
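The checks below are an added defender-side example, not the speakers' code, covering the three weaknesses the talk relies on: a script body that no longer matches what the origin served (pinned with a Subresource Integrity hash), a script response the browser is told to keep for a very long time (the ‘no expiration’ trick), and session cookies issued without the Secure and HttpOnly attributes that the cookie-stealing payload avoided. The sample script, the appended marker line, the header values and the one-year limit are constructed for illustration.

```python
import base64
import hashlib
import re
from email.utils import parsedate_to_datetime

# Constructed sample: a pristine script and the same script as delivered
# through a tampering proxy, with one harmless marker line appended.
ORIGINAL_JS = b"function greet(n) { return 'hi ' + n; }\n"
TAMPERED_JS = ORIGINAL_JS + b"// line appended in transit (constructed marker)\n"

# Assumed policy: scripts cached longer than this are flagged for review.
ONE_YEAR = 365 * 24 * 3600


def sri_hash(body: bytes, algo: str = "sha384") -> str:
    """Return a Subresource Integrity string such as 'sha384-<base64 digest>'."""
    digest = hashlib.new(algo, body).digest()
    return f"{algo}-{base64.b64encode(digest).decode('ascii')}"


def script_matches(expected_sri: str, body: bytes) -> bool:
    """True only when the delivered script still hashes to the pinned SRI value."""
    algo = expected_sri.split("-", 1)[0]
    return sri_hash(body, algo) == expected_sri


def cache_lifetime(headers: dict) -> int:
    """Seconds a response may be reused from cache; 0 when not cacheable."""
    cc = headers.get("Cache-Control", "").lower()
    if "no-store" in cc:
        return 0
    m = re.search(r"max-age=(\d+)", cc)
    if m:
        return int(m.group(1))
    if "Expires" in headers and "Date" in headers:  # fall back to Expires - Date
        delta = parsedate_to_datetime(headers["Expires"]) - parsedate_to_datetime(headers["Date"])
        return max(0, int(delta.total_seconds()))
    return 0


def excessive_script_cache(headers: dict, limit: int = ONE_YEAR) -> bool:
    """Flag script responses a client would keep (and keep re-running) for too long."""
    return cache_lifetime(headers) > limit


def missing_cookie_flags(set_cookie: str) -> set:
    """Return which of Secure / HttpOnly a Set-Cookie header lacks."""
    attrs = {part.strip().split("=", 1)[0].lower() for part in set_cookie.split(";")[1:]}
    return {flag for flag in ("Secure", "HttpOnly") if flag.lower() not in attrs}
```

Run the functions against the scripts, response headers and Set-Cookie lines your own origin emits; the SRI check is the one that directly exposes an in-transit rewrite, the other two tell you how long and how broadly such a rewrite would hurt.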

Read previous: Owning Bad Guys and Mafia with JavaScript Botnets

Read next: Owning Bad Guys and Mafia with JavaScript Botnets 3: Scammers Exposed
