Title: Q4 2014 Security Report | Botnet Profiling Technique | Presentation
1 Q4 2014
2 botnet profiling technique
- New analysis technique using data from the Akamai Intelligent Platform™
- Automated discovery of web application vulnerabilities for Remote File Inclusion (RFI) and OS Command Injection attacks
- Botnets profiled by identifying malicious code resource URLs and seemingly identical payloads
- Analysis does not require inclusion in the botnet or taking over the botnet's command and control (CC, C2) server
- Download the Q4 2014 Global DDoS Attack Report for supporting data and analysis
2 / The State of the Internet / Security (Q4 2014)
3 Remote File Inclusion (RFI) attacks
- Used to exploit dynamic file include mechanisms in web applications
- Web application can be tricked into including remote files with malicious code
- RFI vulnerabilities are easily found and exploited by attackers
- Vulnerable code (the include path is built directly from an unvalidated request parameter):

    // attacker-controlled query value used as an include path without validation
    $dir = $_GET['module_name'];
    include($dir . "/function.php");

- Figure 1: Code vulnerable to a Remote File Inclusion attack
4 OS Command Injection
- Used to execute unauthorized operating system commands
- The result of mixing trusted code with untrusted data
- Commands executed by the attacker run with the same privileges as the component issuing the command
- Attackers can leverage this ability to gain access to, and damage, parts of the system that are not otherwise reachable
5 common payloads in botnets
- RFI and OS Command Injection are among the most prevalent vulnerabilities reported
- Attacker can take full control over the victim server
- The most favorable attack vector
- In recent months, Akamai has observed massively orchestrated attempts to find such vulnerabilities
- Botnet machines, even geographically disparate machines belonging to different organizations, try to inject the same remote piece of malicious code
- Code correlations enabled Akamai to map multiple Internet botnets operating at the time of the comparison
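As an added example (not code from the report or from Akamai), the payload-correlation idea of this slide applied to constructed log lines in Python: requests are grouped by the remote resource URL injected into a query parameter, and a URL pushed by several unrelated source addresses against several targets is reported as one botnet cluster. The log field layout and all host names are assumptions made for the example.

```python
from collections import defaultdict
from urllib.parse import urlparse, parse_qs

# Constructed sample log lines (not real traffic): "<source_ip> <target_host> <request_path>".
# Three unrelated sources inject the same remote resource URL; one source uses a different
# URL, and one request is ordinary traffic with no remote URL at all.
SAMPLE_LOG = """\
203.0.113.10 shop.example.net /index.php?module_name=http://payload-host.example/r.txt
198.51.100.7 blog.example.org /index.php?module_name=http://payload-host.example/r.txt
192.0.2.44 cms.example.com /view.php?page=HTTP://Payload-Host.example/r.txt
203.0.113.99 shop.example.net /view.php?page=http://other.example/x.txt
198.51.100.8 blog.example.org /index.php?module_name=news
"""

REMOTE_SCHEMES = ("http", "https", "ftp")


def remote_resource_urls(path_and_query):
    """Return normalised remote URLs found in any query parameter value.

    Parameter values that parse to an absolute URL with a remote scheme are the
    "malicious code resource URLs" the slide groups attacks by. Scheme and host
    are case-insensitive, so they are lower-cased to merge trivially differing forms.
    """
    query = urlparse(path_and_query).query
    found = []
    for values in parse_qs(query, keep_blank_values=True).values():
        for value in values:
            parts = urlparse(value)
            if parts.scheme.lower() in REMOTE_SCHEMES and parts.netloc:
                found.append(f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path}")
    return found


def profile_by_payload(log_text, min_sources=2):
    """Group requests by injected resource URL and keep groups seen from several sources.

    A single source using a URL is just one attacker; the same URL arriving from many
    distinct sources against distinct targets is the botnet signature described above.
    """
    clusters = defaultdict(lambda: {"sources": set(), "targets": set()})
    for line in log_text.splitlines():
        if not line.strip():
            continue
        src, host, request = line.split(maxsplit=2)
        for url in remote_resource_urls(request):
            clusters[url]["sources"].add(src)
            clusters[url]["targets"].add(host)
    return {u: c for u, c in clusters.items() if len(c["sources"]) >= min_sources}
```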
6 botnet findings
- RFI and OS Command Injection botnets targeted more than 850 web applications across several top-level domains over a seven-day period
- All of the botnet traffic appeared to originate from compromised servers, most from popular Software-as-a-Service (SaaS) and cloud hosting providers
- The botnet Akamai analyzed included a dedicated Python script that performed web crawling disguised as a Microsoft Bing bot
- In one instance, an observed botnet propagated through two WordPress TimThumb vulnerabilities
7 analysis of botnet capabilities
- Both RFI and OS Command Injection attacks used the same malicious code, providing:
  - Remote shell command execution
  - Remote file upload (see figure)
  - SMS sending, controlled by IRC commands
  - Local FTP server credentials brute force attack
  - IRC-controlled UDP/TCP denial of service flood
- Figure 2: Code for remote file upload
8 conclusion
- Novel approach to understanding web application-layer botnets
- Used the attack payload as the common denominator to aggregate data and map botnet information
- Does not require the researcher to be a part of the botnet or to take over the botnet's C2 server
- Can be used for mapping other types of malicious activities that use a distinct payload
9 Q4 2014 global attack report
- Download the Q4 2014 State of the Internet Security Report
- The Q4 2014 report covers:
  - Analysis of DDoS attack trends
  - Breakdown of average Gbps/Mbps statistics
  - Year-over-year and quarter-by-quarter analysis
  - Types and frequency of application-layer attacks
  - Types and frequency of infrastructure attacks
  - Trends in attack frequency, size and sources
  - Where and when DDoSers launch attacks
  - Case study and analysis
10 about Prolexic
- StateoftheInternet.com, brought to you by Akamai, serves as the home for content and information intended to provide an informed view into online connectivity and cybersecurity trends as well as related metrics, including Internet connection speeds, broadband adoption, mobile usage, outages, and cyber-attacks and threats.
- Visitors to www.stateoftheinternet.com can find current and archived versions of Akamai's State of the Internet (Connectivity and Security) reports, the company's data visualizations, and other resources designed to put context around the ever-changing Internet landscape.