
Owning Bad Guys and Mafia with JavaScript Botnets

Spanish computer security expert Chema Alonso gives a great talk at Defcon 20 about the ways to expose online scammers through the use of JavaScript botnets.

Chema Alonso: The title of this session is “Owning bad guys and mafia with JavaScript botnets”. I hope you will enjoy the topic.

But before I start, I would like to introduce myself and my country. I am Chema Alonso (@chemaalonso). I work in a small company called I64 (Informatica 64) in Spain, I’m also a Microsoft MVP in Enterprise Security, and I live in Spain.

Do you know Spain? Have you ever been to Spain? If not, you have to go and visit our country. This is Madrid (see left-hand image below), the city in which I live. As you can see, this is a city that is never asleep, but it is smaller than New York. And there are a lot of big places in Spain that you have to visit. This is the Sacred Family in Barcelona (image in the middle), one of the most beautiful churches in the world, as you can see.

Madrid

Sacred Family Cathedral

Ibiza

Of course, there are other places that you might like to visit. This is Ibiza (right-hand image above), a small island to which I’m going tomorrow, so if you want to rest and discover a different Spain – it’s very close to you, it’s in Europe, just across the ocean.

Tomatina

Pamplona

And of course, if you’re a brave man you can visit all the cities with all the parties. This is Pamplona (see left-hand pic). How many of you have run from bulls any time of your life? There is only one rule: if you drink, don’t run. That’s the only rule. The rest is easy, you only need to run faster than the bull, it’s very easy to do.

And of course, if you’d like another party, we’ve got something special. This is the Tomatina (on right-hand image above); it’s a battlefield with tomatoes, one day long. I am not sure about the history of this party, but you only need to throw tomatoes – that’s all, it’s quite interesting. Well, we are Spaniards, you know.

Well, let’s start with today’s topic. Today’s topic is quite simple: let’s create a botnet – that’s all. But we’ve got a lot of problems with this from the start. I guess many of you have been thinking about creating a botnet any time in your life. How many of you have been thinking about creating a botnet? How many of you did it? I did it.

‘Hi-end’ swimming pool power supply

Well, the idea of creating a botnet is quite interesting, but of course, I assure you, I’m lazy. I’m from Spain, so it’s normal. So, we are lazy, and this is a nice picture (see image). I would like to show you this picture because when Spanish people need a power supply, they use flip-flops to run it across the swimming pool. It’s incredible! This is more or less the kind of thing we’re used to doing in Spain.

So, that’s the idea of creating a botnet. We wanted to create a botnet, but we were lazy; we have no money – you know it; we have no 0-days; we aren’t the FBI or the NSA, so we cannot intercept communication for free, and of course we are not Google, Apple or Microsoft that are running all their devices around the world. And, you know, we are Spaniards, so we need to do something different from the beginning.

As simple as ABC

The idea of creating a botnet was quite simple. We thought: okay, let them be infected; let’s do something that allows bots to infect themselves. So, the only thing we wanted was for them to want to be infected, quite simple.

In the end, if you think about this topic, it’s very useful and the malware industry had been using it for around the last 5 or 10 years; we’ve rolled antivirus and social engineering tricks. So, why not make our own botnet doing the same trick?

Man-in-the-browser attack in a nutshell

So, the idea of creating a botnet is just to create a man-in-the-middle attack. There are so many man-in-the-middle attacks that can be used in different scenarios. Of course, if we are in a network we can use something like ARP spoofing, or we can use rogue DHCP in IPv4 or IPv6 networks, man-in-the-middle attacks in IPv6 networks. We are going to publish a new tool, a new FOCA, which is the evil FOCA, to perform man-in-the-middle attacks in IPv6 networks: just point it and click, quite simple.

And of course, if you are able to manage the DNS, you can do the man-in-the-middle attack. But it is quite complicated in terms of the Internet because you have to deal with a lot of Internet service providers and networks, so it’s difficult to use on the Internet.

Man-in-the-browser attack in a nutshell

One of the most used practices on the Internet several years ago was the man-in-the-browser, in which things like Browser Helper Objects are installed in Internet Explorer, and lots of malware samples have been using this trick. We got a lot of malware this way, especially from Russians. You’ve seen this trick, this is very effective and it works so well that they need special files to configure the Trojan to attack different banks. This is how a banking Trojan uses an XML file to configure the man-in-the-browser to control all the different web pages from different banks. Quite simple, and yet it works very well.

But we would have needed to code something and deal with antivirus systems, managing the detection problem, so we decided that it was very complicated for us and we needed something easier.

What is JavaScript-in-the-middle?

So, we thought about man-in-the-“tab”, or JavaScript-in-the-middle. The idea is quite simple: if you are able to run JavaScript in one tab, you can do a lot of things. You can access the code, you can modify the HTML, you can access the form fields, you can manage even the cookies that are not supposed to be managed, like HttpOnly cookies, using different tricks, and so on (see image).

In fact, there is a very well known project, which is BeEF – the Browser Exploitation Framework project that allows you to do a lot of things by just installing a small piece of JavaScript code in a browser.

Read next: Owning Bad Guys and Mafia with JavaScript Botnets 2: Creating a JavaScript Botnet from Scratch
