In 2009 a group of researchers from UCSB temporarily gained control of the Torpig botnet, gaining a unique perspective on how it worked and what it was used for.
They describe this experience in the paper Your Botnet is My Botnet: Analysis of a Botnet Takeover.
Use the information in the paper to answer the following questions.
i) Mebroot is responsible for collecting personal information about the victim from their web browser.
• True
• False
ii) Mebroot is loaded into memory before Windows boots.
• True
• False
iii) Torpig's domain generation algorithm deterministically generates domain names inside three different top-level domains.
• True
• False
iv)The researchers intercepted the botnet's traffic by registering all of the daily domains that would be generated by the domain generation algorithm for a week in the future.
• True
• False
v) The researchers safely deactivated Torpig clients that reported data to their C&C server.
• True
• False
vi) Data posted to HTML forms is collected by the malware and reported to the C&C server unless the communication is SSL-encrypted, in which case the malware is unable to intercept it.
• True
• False
vii) Torpig steals email account login details from mail software and reports them back to the C&C server.
• True
• False
viii) When a Torpig client phones home, the reported nid value for that client is generally stable over a long period of time.
• True
• False
ix) From the point of view of the researchers, Italy contained the greatest number of infected computers during the period in which the researchers controlled the botnet.
• True
• False
x)There is evidence to suggest that personal data collected by Torpig was being shared amongst a number of criminal organisations.
• True
• False
xi) The researchers refer to a man-in-the-browser attack that is performed automatically by Torpig. What are the features of this attack? Choose all that are applicable
• Torpig intercepts requests to websites on a list made by the botnet owners. This list is fixed, and cannot be updated after the computer has been infected.
• Torpig intercepts requests to websites on a list made by the botnet owners. This list can be modified by the botnet owners even after the computer has been infected.
• When the victim attempts to visit specific pages on one of these websites, Torpig performs its malicious activity.
• When the victim attempts to visit any page on one of these websites, Torpig performs its malicious activity.
• Torpig injects the same HTML into every website on the list. It prompts the victim to enter their credit card number and social security number.
• Torpig injects different HTML for each website on the list, allowing the botnet owners to tailor the injected content to the targeted website. It asks for a range of personal information.
• After the victim enters the requested data, it is sent back to the botnet owners via the Torpig C&C server.
• After the victim enters the requested data, it is sent back to the botnet owners via the server that sent the HTML to be injected into the page.
What actions did the botnet owners perform to regain control of the botnet from the researchers? Choose all that are applicable
• They seized control of the existing domains the researchers were using to communicate with the bots.
• They registered new domains that the bots would attempt to contact in future.
• They changed the domain generation algorithm used by the bots so they would no longer attempt to communicate with the researchers' C&C server.
• They sent anonymous threats to the researchers, causing the researchers to surrender control of the botnet earlier than planned.
Part b
Review the following PHP and JavaScript source code(At the end of the document), both of which contain vulnerabilities:
• search.php (line-numbered version) is a PHP script allowing users to search a file's contents via a web interface. It contains a single vulnerability.
• CryptoAPI.js (line-numbered version) is an (incomplete) JavaScript cryptography API. It contains three vulnerabilities that allow an attacker to execute arbitrary code when the CryptoAPI.sha1.hash() function is called.
After reviewing both pieces of code, answer the following questions.
i)
a) What is the number of the line in search.php that contains the vulnerability?
b) What type of vulnerability does this line contain?
• Cross-site scripting
• Cross-site request forgery
• SQL injection
• Shell injection
• File inclusion
• File upload
c) Which of these PHP functions would be helpful when attempting to mitigate this vulnerability?
• escapeshellarg()
• escapeshellcmd()
• exec()
• exec_shell()
• htmlentities()
• htmlspecialchars()
• mysqli_multi_query()
• mysql_query()
• mysqli_query()
• mysql_real_escape_string()
• mysqli_real_escape_string()
• mysqli_real_query()
• pg_escape_literal()
• pg_escape_string()
• pg_query()
• pg_query_params()
• preg_replace()
• shell_exec()
• str_replace()
• system()
• unlink()
ii)
a) Provide the number of a line in CryptoAPI.js containing a vulnerability that allows an attacker to execute arbitrary code when CryptoAPI.sha1.hash(x) is called. Assume that x is a value controlled by the attacker.
b) Exploit this vulnerability: define a variable x that causes CryptoAPI.sha1.hash(x) to execute the payload alert('1')
a. Write code
c) Provide the number of a line in CryptoAPI.js containing a vulnerability that allows an attacker to execute arbitrary code when CryptoAPI.sha1.hash(x) is called, provided that the attacker has the ability to load his own code beforeCryptoAPI.js is loaded.
d) Exploit this vulnerability: provide a piece of code that, when loaded beforeCryptoAPI.js, causes CryptoAPI.sha1.hash(x) to execute the payload alert('2').
a. Write code
e) Provide the number of a line in CryptoAPI.js containing a vulnerability that allows an attacker to execute arbitrary code when CryptoAPI.sha1.hash(x) is called without having to redefine CryptoAPI.sha1.hash itself, provided that the attacker has the ability to load his own code afterCryptoAPI.js is loaded.
f) Exploit this vulnerability: provide a piece of code that, when loaded afterCryptoAPI.js, causes CryptoAPI.sha1.hash(x) to execute the payload alert('3')without redefining CryptoAPI.sha1.hash itself.
a. Write code
The codes:
PHP :search.php (line-numbered version)
1 <!DOCTYPE html>
2 <html lang="en">
3
4 <head>
5 <meta charset="utf-8">
6 <title>File search</title>
7 </head>
8
9 <body>
10 <h1>File search</h1>
11
12 <?php
13 $db = new mysqli("127.0.0.1", "file_search", "s34rch1n", "file_search");
14 ?>
15
16 <form method="post" enctype="multipart/form-data">
17 Search <input type="file" name="haystack">
18 for <input type="text" name="needle">
19 <button type="submit">Search!</button>
20 </form>
21
22 <?php
23 if ($_SERVER["REQUEST_METHOD"] === "POST") {
24 if ($_FILES["haystack"]["type"] !== "text/plain") {
25 echo "<strong>The file you uploaded is not a text file.</strong>";
26 } else if ($_FILES["haystack"]["size"] > 50000) {
27 echo "<strong>The file you uploaded is too large.</strong>";
28 } else if ($_POST["needle"] === "") {
29 echo "<strong>You must specify a term to search for.</strong>";
30 } else {
31 echo "<h3>Search results</h3>";
32
33 $results = preg_split("/\r?\n/", 'grep {$_POST["needle"]} {$_FILES["haystack"]["tmp_name"]}');
34 echo "<p>" . count($results) . " search result" . (count($results) === 1 ? "" : "s") . " for <strong>" . htmlspecialchars($_POST["needle"], ENT_QUOTES) . "</strong>:</p>";
35 echo "<ul>";
36 foreach ($results as &$r) {
37 echo "<p>" .htmlspecialchars($r, ENT_QUOTES) . "</p>";
38 }
39 echo "</ul>";
40
41 if ($db && $query = $db->prepare("insert into history (??)")) {
42 if ($query->bind_param("si", $_POST["needle"], count($results))) {
43 $query->execute();
44 }
45 $query->close();
46 mysqli_close($db);
47 }
48 }
49 }
50 ?>
51
52 </body>
53 </html>
End code
Javascript code:
CryptoAPI.js (line-numbered version)
1 var CryptoAPI = (function() {
2 var encoding = {
3 a2b: function(a) { },
4 b2a: function(b) { }
5 };
6
7 var API = {
8 sha1: {
9 name: 'sha1',
10 identifier: '2b0e03021a',
11 size: 20,
12 block: 64,
13 hash: function(s) {
14 var len = (s += '\x80').length,
15 blocks = len >> 6,
16 chunk = len & 63,
17 res = "",
18 i = 0,
19 j = 0,
20 H = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0],
21 w = [];
22
23 while (chunk++ != 56) {
24 s += "\x00";
25 if (chunk == 64) {
26 blocks++;
27 chunk = 0;
28 }
29 }
30
31 for (s += "\x00\x00\x00\x00", chunk = 3, len = 8 * (len - 1); chunk >= 0; chunk--) {
32 s += encoding.b2a(len >> (8 * chunk) & 255);
33 }
34
35 for (i = 0; i <s.length; i++) {
36 j = (j << 8) + encoding.a2b(s[i]);
37 if ((i & 3) == 3) {
38 w[(i >> 2) & 15] = j;
39 j = 0;
40 }
41 if ((i & 63) == 63) CryptoAPI.sha1._round(H, w);
42 }
43
44 for (i = 0; i <H.length; i++)
45 for (j = 3; j >= 0; j--)
46 res += encoding.b2a(H[i] >> (8 * j) & 255);
47 return res;
48 }, // End "hash"
49 _round: function(H, w) { }
50 } // End "sha1"
51 }; // End "API"
52
53 return API; // End body of anonymous function
54 })(); // End "CryptoAPI"
End code
Article reference -
Your Botnet is My Botnet: Analysis of a Botnet Takeover
Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Christopher Kruegel, and Giovanni Vigna