0wning the koobface botnet. intro web 2.0 botnet spreads through social networks –facebook –myspace –twitter, etc.

Slides:

Advertisements

Similar presentations

Network Vulnerabilities and Attacks Dr. John Abraham UTPA.

Advertisements

Let's say we want to access domain - reliablescribe.com First we need to buy a computer We need to subscribe to an Internet Service Provider (ISP) The.

Chapter 17: WEB COMPONENTS

By Hiranmayi Pai Neeraj Jain

Investigating Malicious Software Steve Romig The Ohio State University April 2002.

Exploits Dalia Solomon. Categories Trojan Horse Attacks Trojan Horse Attacks Smurf Attack Smurf Attack Port Scan Port Scan Buffer Overflow Buffer Overflow.

Information Networking Security and Assurance Lab National Chung Cheng University 1 A Real World Attack: wu-ftp.

EMU/ICT Incident Response Team Firewall Access Session Presenter: IRT TEAM Member.

Browser Exploitation Framework (BeEF) Lab

Internet Information Server (IIS)

100% Security “ The only system which is truly secure is one which is switched off and unplugged, locked in a titanium lined safe, buried in a concrete.

1 Advanced Application and Web Filtering. 2 Common security attacks Finding a way into the network Exploiting software bugs, buffer overflows Denial of.

Microsoft October 2004 Security Bulletins Briefing for Senior IT Managers updated October 20, 2004 Marcus H. Sachs, P.E. The SANS Institute October 12,

Module 1: Installing Internet Information Services 5.0.

China Science & Technology Network Computer Emergency Response Team Botnet Detection and Network Security Alert Tao JING CSTCERT,CNIC.

Presentation by Kathleen Stoeckle All Your iFRAMEs Point to Us 17th USENIX Security Symposium (Security'08), San Jose, CA, 2008 Google Technical Report.

MSIT 458 – The Chinchillas. Offense Overview Botnet taxonomies need to be updated constantly in order to remain “complete” and are only as good as their.

資安新聞簡報報告者：劉旭哲、曾家雄. Spam down, but malware up 報告者：劉旭哲.

Niels Provos and Panayiotis Mavrommatis Google Google Inc. Moheeb Abu Rajab and Fabian Monrose Johns Hopkins University 17 th USENIX Security Symposium.

1 All Your iFRAMEs Point to Us Mike Burry. 2 Drive-by downloads Malicious code (typically Javascript) Downloaded without user interaction (automatic),

Jonell Baltazar, A Trend Micro Research Paper (Retrieved May 2010).

W HAT DOES EXPLOIT MEAN ? A ND THE S ASSER WORM Seminar on Software Engineering, Short Presentation Christian Gruber.

Honeypot and Intrusion Detection System

Module 7: Firewalls and Port Forwarding 1. Overview Firewall configuration for Web Application Hosting Forwarding necessary ports for Web Application.

Click to edit Master title style Click to edit Master text styles Second level Third level Fourth level Fifth level June 10 th, 2009Event details (title,

ITIS 1210 Introduction to Web-Based Information Systems Chapter 45 How Hackers can Cripple the Internet and Attack Your PC How Hackers can Cripple the.

Topics to be covered 1. What are bots,botnet ? 2.How does it work? 4.Prevention of botnet. 3.Types of botnets.

Vulnerabilities in peer to peer communications Web Security Sravan Kunnuri.

The Microsoft Baseline Security Analyzer A practical look….

Final Introduction ---- Web Security, DDoS, others

2012 4th International Conference on Cyber Conflict C. Czosseck, R. Ottis, K. Ziolkowski (Eds.) 2012 © NATO CCD COE Publications, Tallinn 朱祐呈.

1 Internet Browsing Vulnerabilities and Security ECE4112 Final Lab Ye Yan Frank Park Scott Kim Neil Joshi.

MyDoom By: Philippe Bissohong. Background ► MyDoom  Novarg, Mimail.R and Shimgapi ► Computer worm, unlike a virus it attacks a network.

Firewalls. Intro to Firewalls Basically a firewall is a __________to keep destructive forces away from your ________ ____________.

11 CONFIGURING TCP/IP ADDRESSING AND SECURITY Chapter 11.

Directory and File transfer Services By Jothi. Two key resources Lightweight Directory Access Protocol (LDAP) File Transfer protocol Secure file transfer.

1 Firewalls G53ACC Chris Greenhalgh. 2 Contents l Attacks l Principles l Simple filters l Full firewall l Books: Comer ch

Client-based Application Attacks Adli Abdul Wahid Dept. of Comp. Science, IIUM

Week 10-11c Attacks and Malware III. Remote Control Facility distinguishes a bot from a worm distinguishes a bot from a worm worm propagates itself and.

Distributed Denial of Service Attacks Shankar Saxena Veer Vivek Kaushik.

1 Figure 4-1: Targeted System Penetration (Break-In Attacks) Host Scanning  Ping often is blocked by firewalls  Send TCP SYN/ACK to generate RST segments.

I3Live Security Paul Wisniewski UW-Madison August, 2010.

Copyright © The OWASP Foundation Permission is granted to copy, distribute and/or modify this document under the terms of the OWASP License. The OWASP.

The Module Road Map Assignment 1 Road Map We will look at… Internet / World Wide Web Aspects of their operation The role of clients and servers ASPX.

4061 Session 26 (4/19). Today Network security Sockets: building a server.

CERN - European Organization for Nuclear Research Beyond ACB – VPN’s FOCUS June 13 th, 2002 Frédéric Hemmer & Denise Heagerty- IT Division.

The Koobface Botnet and the Rise of Social Malware Kurt Thomas David M. Nicol

CNIT 124: Advanced Ethical Hacking Ch 10: Client-Side Exploitation.

NetTech Solutions Protecting the Computer Lesson 10.

Firewalls. Intro to Firewalls Basically a firewall is a barrier to keep destructive forces away from your computer network.

Slammer Worm By : Varsha Gupta.P 08QR1A1216.

Lecture 14 Page 1 CS 236 Online Worms Programs that seek to move from system to system –Making use of various vulnerabilities Other performs other malicious.

© ITT Educational Services, Inc. All rights reserved. IS3220 Information Technology Infrastructure Security Unit 3 Network Security Threats Chapter 4.

2012 Malnet Report: Breaking the Vicious Cycle Grant Asplund Senior Technology Evangelist.

Testing Exploits and Malware in an isolated environment Luca Allodi – Fabio Massacci – Vadim Kotov

Cases Study: Code Red. ©2002, Jedidiah R. Crandall, Susan L. Gerhart, Jan G. Hogle. Case Study: Code Red Author: Jedidiah.

Chapter 7: Using Network Clients The Complete Guide To Linux System Administration.

Common System Exploits Tom Chothia Computer Security, Lecture 17.

Microsoft OS Vulnerabilities April 1, 2010 MIS 4600 – MBA © Abdou Illia.

Web Technology Seminar

Installing TMG & Choosing a Client Type

Microsoft Windows NT 4.0 Authentication Protocols

ما هي خدمة بروتوكول نقل الملفات؟

A Distributed DoS in Action

IS 4506 Server Configuration (HTTP Server)

Case Study: Code Red Author: Jedidiah R. Crandall,

Lecture 3: Secure Network Architecture

Crisis and Aftermath Morris worm.

IS 4506 Configuring the FTP Service

Presentation transcript:

0wning the koobface botnet

intro web 2.0 botnet spreads through social networks –facebook –myspace –twitter, etc.

koobface loader Social network (Facebook, Myspace, Twitter, etc.) spreader Personal information and credentials stealer Google accounts creator Facebook auto-registration module Search hijacker Fake AV module Web server component

web server component makes every koobface zombie a web server –serves the fake YouTube/Facebook pages –serves the koobface loader

what about it? installed on all koobface zombies as a system service ( webserver service) adds exemption in Windows Firewall for TCP port 80 (HTTP) reachable from the Internet

which means… further exposes koobface zombies to attacks from the Internet exposes the koobface botnet itself to attacks from the internet

what kind of attack? security holes in the web server component –buffer overflow –auto-update

buffer overflow

very long string in HTTP request

control of eip

auto-update can be used to remotely update the koobface web server binary triggered by the following web request mydomain.com/new_version.exe

how it auto-updates when triggered –download the new web server binary –drop and execute a batch file stop the webserver service replace the existing web server binary restart the webserver service

exploiting auto-update koobface blindly downloads “updated” binaries trigger auto-update to download arbitrary binaries new binary should cooperate nicely with the NT Service Controller

where are the targets?

revisiting the infection chain

koobface sites

koobface zombies create simple scripts to harvest all of the IP addresses 79,000+ zombies

zombie distribution

checklist web server vulnerabilities exploits list of targets  take over?

questions?