Owning Bad Guys and Mafia with JavaScript Botnets 4: Bypassing Anonymity

In this entry Chema Alonso continues exposing the weird, perverted, malicious, and simply naive people whose personal data was retrieved in the course of the research.

Weird keywords looked up

Of course, we discovered psychotics. This is what the control panel looks like (see image), and as you can see, this guy was searching xnxx.com for “Mother”, “Rape sister”, “Violent rape”, “Violence”. We were about to send this IP address to the police, because this guy is not normal.

Also, a lot of people are trying to be anonymous, and the first thing they were doing was just testing whether they were anonymous. The problem is that if you are using a proxy server, you are anonymous to the end page, but not to the proxy server, so the proxy server can track you anytime, it’s quite simple. So, okay, you are ‘anonymous’: we know what country you are from, and we know your real IP address – so, it’s quite simple. There are lots of cases where people are doing the same, trying to be anonymous.

Not the best business model imaginable

This is the worst case we discovered (see image). It’s a guy trying to make money by reading blog posts. It’s supposed to be a business: you read a blog post of anyone around the world and you will be paid for it. And after one month he was able to earn 24 bucks, so I’m not sure it’s such a good business right now.

Of course, we discovered a lot of people hacking, doing defacing, and so on. And this is one of our favorites: in the control panel we could see the local files and the website that had been hacked. We connected to the website that had been defaced, and we could now see the email address of the hacker, so it was anonymous, but we got the email address. But the problem is that this hacker was using a web shell, and the web shell was hacked with JavaScript. You probably know there are lots of web shells on the Internet with small pieces of JavaScript that are copying your web shell, and you are Trojanized by this web shell. This web shell was Trojanized by a JavaScript file, so when the JavaScript file went through our proxy server, we infected that JavaScript and then we owned the web shell of the hacker. In the end, the hacker who was hacking was hacked.

Intranets are vulnerable too

Also, one of our favorite things is that once you are using a proxy server, if you disconnect from the proxy server but you don’t erase your cache, you will be infected for the rest of the time, because the JavaScript is in your cache. So, the idea is that we discovered that some intranet applications were using JavaScript from the intranet, so we were able to infect that JavaScript, and then we infected the intranet application (see image).

In this case, this is a guy from Mexico, he wanted to browse for some porn on the Internet, and then he disconnected from the proxy server, but he was infected. And, as you can see, this is an internal server; we weren’t able to connect to it, but there is an ARP application with data and, of course, a lot of information on the user, such as the password and so on. But we couldn’t connect to that intranet because it’s not published on the Internet.

The medieval monk 'art'

And, of course, porn, a lot of porn; people searching for porn. Porn is the business, believe me. Not hacking – porn, porn, porn. We discovered this (see left-hand image), this is a very nice story, where in a Catholic church they discovered this painting from monks, about 7 centuries old – they were painting penises. It’s true.

So, we were collecting URLs and we discovered a lot of URLs of porn. Also, a lot of usernames and passwords (see image below); we’ve been selling them on the Internet, of course…

Retrieved credentials for accessing content on adult websites

In the end, once we got the bots infected with JavaScript, we can create a special payload. And, of course, if you are connecting through a proxy server, probably you won’t connect to your banking system, or you are not going to connect to your social profile, or you are not going to connect to your intranet or your personal website, or whatever. But if you don’t clean your cache, you are infected. If someone forced you to load a JavaScript file which is on the web page you are going to visit after you’ve been using a proxy server, then you will be hacked.

As part of the study, we analyzed LinkedIn and saw there were some scripts loaded on the LinkedIn website. So, if you are using our proxy server, then we can create a special payload forcing you to download these JavaScript files. Then this JavaScript file will be infected. Once you disconnect and connect to LinkedIn, our payload will be executed – it’s so simple. So, we can create special targeted attacks on several websites, collecting passwords of people who were using our proxy server before on the Internet, it’s quite simple.

So, you only need to select the target – whatever: a bank, a social network, intranet – analyze the files that are going to be loaded by this website, and force this file to load when the guy, the victim, is connected to the proxy server. It’s pretty simple.
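The persistence described above depends on two things a defender can check for: the script body served through the proxy differing from the one served directly, and cache headers that keep the proxied copy alive long after the proxy session ends. The following Python is an added example (not code from the talk or from the research project) that audits a script resource on both counts; the two HTTP responses are constructed inline for illustration.

```python
import hashlib
import re
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

# Constructed sample responses for the same script URL: one fetched directly,
# one fetched through an untrusted proxy that appended code to the body and
# rewrote the cache headers so the tampered copy outlives the proxy session.
DIRECT = (b"HTTP/1.1 200 OK\r\nContent-Type: application/javascript\r\n"
          b"Cache-Control: max-age=600\r\n\r\n"
          b"function login(u,p){return post('/login',{u:u,p:p});}\n")
PROXIED = (b"HTTP/1.1 200 OK\r\nContent-Type: application/javascript\r\n"
           b"Cache-Control: max-age=31536000\r\n"
           b"Expires: Thu, 31 Dec 2037 23:59:59 GMT\r\n\r\n"
           b"function login(u,p){return post('/login',{u:u,p:p});}\n"
           b";/* constructed marker: extra code appended by the proxy */\n")

def parse_response(raw):
    """Split a raw HTTP/1.1 response into a lower-cased header dict and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    headers = {}
    for line in head.decode("latin-1").split("\r\n")[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return headers, body

def cache_lifetime_seconds(headers, now=None):
    """How long a browser may keep this response: max-age wins over Expires."""
    cc = headers.get("cache-control", "")
    if "no-store" in cc:
        return 0
    m = re.search(r"max-age=(\d+)", cc)
    if m:
        return int(m.group(1))
    if "expires" in headers:
        now = now or datetime.now(timezone.utc)
        return int((parsedate_to_datetime(headers["expires"]) - now).total_seconds())
    return 0

def audit_script(direct_raw, proxied_raw, max_reasonable_age=86400):
    """Return findings: body tampering and/or an abnormally long cache lifetime."""
    _, direct_body = parse_response(direct_raw)
    proxied_headers, proxied_body = parse_response(proxied_raw)
    findings = []
    if hashlib.sha256(direct_body).digest() != hashlib.sha256(proxied_body).digest():
        findings.append("body differs from direct fetch (possible injection)")
    lifetime = cache_lifetime_seconds(proxied_headers)
    if lifetime > max_reasonable_age:
        findings.append(f"proxied copy cacheable for {lifetime}s (survives proxy session)")
    return findings
```

Running `audit_script(DIRECT, PROXIED)` reports both findings, while comparing a resource against itself reports none; clearing the browser cache after using an untrusted proxy removes the second condition regardless.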

Read previous: Owning Bad Guys and Mafia with JavaScript Botnets 3: Scammers Exposed

Read next: Owning Bad Guys and Mafia with JavaScript Botnets 5: Tips to Maintain Online Privacy

One comment

  1. patriot says:

    great article.
