Owning Bad Guys and Mafia with JavaScript Botnets 5: Tips to Maintain Online Privacy

The final part of Chema Alonso’s Defcon talk comprises a demo on infecting users through the rogue proxy server, and some general security tips to follow.

The control panel

I wanted to do a real demo, but first I’d like to show you the control panel and what it looks like. Of course, we turned off the proxy server on the Internet, but for BlackHat and Defcon I created a new control panel (see image). I didn’t publish this proxy server on the Internet, but after delivering the talk at BlackHat – I don’t know why – someone published it online. So, we configured this proxy only for 10 parallel connections, and right now, this morning I’m going to show you the bots, the zombies; and as you can see, if we search for today’s date, we started to receive a lot of bots from different countries, a lot of them from the States, Brazil, elsewhere. And we got a lot of information collected from them. We didn’t want to do it, we didn’t publish the IP address, believe me.

Target website for the attack

The demo I would like to show you is more or less this. Let me show you the website, this is the California Credit Union League (see screenshot). As you can see, this website is perfect for a targeted attack, because it’s an HTTP website; there is a login form that is going to send the credentials to an HTTPS web server, but we can inject a JavaScript file very easily in the HTTP website, hook the form, and collect the usernames and passwords from this website. So, the only thing we need to do in our control panel is analyze the target and select one file. In this example I selected members.ccul.org, scripts, gatag.js.

Embedded script for contamination

And then in our control panel we created some special payload. So, we go to the control panel, and you can see we got preset attacks in which you can configure what is of interest to you, and in the case of the California Credit Union League the only thing we needed to do is force the download of this file (see image).

Payload implementation

So, the guy who is using our proxy server, who is watching porn and is infected, will be downloading this file to the cache. He will be watching porn, hacking websites, whatever, but at the same time he will be downloading this JavaScript file for the targeted attacks. Then, when he disconnects, in this case by selecting not to be connected anymore, the JavaScript file which is in the cache will be infected with our payload, because we downloaded it before, and this file is not out of date, so his browser will be using it. In the end, after the guy connects to the website sending the information, that form will be hooked and we are going to be able to retrieve all this data in our control panel. It’s so simple, so easy to do, and very profitable.

Now, some thoughts about JavaScript botnets. In this example we didn’t worry at all about doing something special with the HTTPS connection; we didn’t worry about pre-cached objects using the E-tag or using special tricks to force the expiration of the objects that were previously in the cache; and we didn’t want to do anything with the HTTPS connection because we didn’t want to raise any alerts. And, of course, we didn’t have any Flame digital certificate, and Moxie was very busy tweeting, so we couldn’t contact him to create a special digital certificate.
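The two paragraphs above rest on one property a site owner can audit for themselves: a script served over plain HTTP with a long freshness lifetime will be served from the browser cache, unchanged, long after the user has stopped using the proxy that first delivered it. The following Python is an added example, not code from the talk or its author, that classifies a script URL by that exposure from its scheme and cache headers (RFC 7234 precedence: `max-age` over `Expires`; no explicit freshness means the browser may apply heuristic caching) and compares a cached copy against a reference copy by SHA-256. All URLs and responses are constructed sample data; the `example.test` host names are placeholders.

```python
"""Audit how long a plain-HTTP script would sit in a browser cache.

Added example; all sample URLs and headers below are constructed and
no network access is performed.
"""
import email.utils
import hashlib
import hmac
from datetime import datetime, timezone

ONE_DAY = 24 * 3600


def parse_cache_control(value):
    """Split a Cache-Control header into {directive: value-or-None}."""
    directives = {}
    for part in value.split(","):
        part = part.strip().lower()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip()] = val.strip().strip('"') or None
    return directives


def cache_lifetime_seconds(headers, now=None):
    """Seconds a response stays fresh without revalidation (0 = none).

    max-age beats Expires; no-store and no-cache both mean the cached
    copy cannot be reused silently. Responses with no explicit freshness
    are reported as 0 here; assess_script flags them separately because
    browsers may still cache them heuristically.
    """
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc or "no-cache" in cc:
        return 0
    if cc.get("max-age") is not None:
        try:
            return max(0, int(cc["max-age"]))
        except ValueError:
            return 0
    if "expires" in h:
        expires = email.utils.parsedate_to_datetime(h["expires"])
        if "date" in h:  # freshness is measured from the origin's Date
            base = email.utils.parsedate_to_datetime(h["date"])
        else:
            base = now or datetime.now(timezone.utc)
        return max(0, int((expires - base).total_seconds()))
    return 0


def assess_script(url, headers):
    """Classify a script URL by how exposed it is to a tampering proxy."""
    scheme = url.split("://", 1)[0].lower()
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    explicit = "expires" in h or any(
        d in cc for d in ("max-age", "no-store", "no-cache"))
    fresh = cache_lifetime_seconds(headers)
    if scheme == "https":
        risk = "tls-protected"        # proxy cannot rewrite without a trusted cert
    elif not explicit:
        risk = "heuristic-cacheable"  # browser picks its own lifetime
    elif fresh >= ONE_DAY:
        risk = "persistent-injectable"  # survives long after the proxy is gone
    else:
        risk = "transient"            # exposed only while the proxy is in use
    return {"url": url, "scheme": scheme, "fresh_seconds": fresh,
            "explicit_freshness": explicit, "risk": risk}


def script_fingerprint(body):
    """SHA-256 hex digest of a script body."""
    return hashlib.sha256(body).hexdigest()


def cached_copy_matches(cached, reference):
    """True if a cached script equals the copy fetched over a trusted path."""
    return hmac.compare_digest(script_fingerprint(cached),
                               script_fingerprint(reference))


# Constructed sample responses (placeholders, not real sites).
SAMPLE_RESPONSES = {
    "http://members.example.test/scripts/tracker.js":
        {"Cache-Control": "public, max-age=31536000"},
    "http://members.example.test/scripts/legacy.js":
        {"Date": "Thu, 01 Dec 2022 16:00:00 GMT",
         "Expires": "Sat, 03 Dec 2022 16:00:00 GMT"},
    "http://members.example.test/scripts/noheaders.js": {},
    "http://members.example.test/scripts/live.js":
        {"Cache-Control": "no-store"},
    "https://members.example.test/scripts/secure.js":
        {"Cache-Control": "public, max-age=31536000"},
}


def audit(responses=SAMPLE_RESPONSES):
    """Assess every sampled script and return the findings as a list."""
    return [assess_script(url, hdrs) for url, hdrs in responses.items()]


if __name__ == "__main__":
    for finding in audit():
        print(f"{finding['risk']:22} {finding['fresh_seconds']:>9}s  {finding['url']}")
```

The mitigations follow directly from the classification: serve the page and its scripts over HTTPS so a proxy cannot rewrite them, and give scripts that must stay on HTTP an explicit short lifetime rather than leaving the browser to choose one. Comparing a cached copy's fingerprint against one fetched from a clean network path is the simplest way to confirm whether a machine that has used an untrusted proxy is carrying a modified script.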

And the whole point of it is that we did it in only one day. So, in one day we were able to configure the proxy server, configure the Apache, publish its IP address, create the JavaScript, and collect all this information.

We were able to do this in only one day; the problem is: how many of you think that government, intelligence services, the bad guys aren’t doing the same on the Internet? The question is how many of you think that only one of those proxy servers on the Internet is secure? No one? I mean the server that is not going to infect you or collect your data. It’s the one you run; it’s not an anonymous proxy server, it’s yours.

In the end, using a proxy server on the Internet is a very bad idea, but we got thousands and thousands of web pages on the Internet, same people: “If you want to be anonymous, use a proxy server on the Internet.” We are going to have this problem for a long time. So, don’t use it.

Some protection, of course. This is a man-in-the-middle schema, in which you decide to be hacked, because you configure your web browser to use that man-in-the-middle, that proxy server, so you have to think twice whether it’s worth it – to be using that proxy server.

And certainly, the problem is with Tor networks, but right now we’re getting more news about rogue Tor nodes on the Internet than about fake proxy servers on the Internet, and I don’t know why. And of course, after using this kind of service, if you have to do this for whatever reason you have, take care and clean all the information that you downloaded from the Internet. Take special care with that machine. If it’s possible, use a new virtual machine and burn it after use, throw it in the trash, wherever you want. And, of course, VPNs are not a silver bullet, because in this case we were able to discover a lot of people connecting to our personal VPN to be outside of the network in which they were connecting, and then from the VPN connecting to our proxy server, and in the end it’s possible to infect the client in any case. So, take care of it.

Thank you very much!
