What actions did the botnet owners perform

Assignment Help Computer Network Security
Reference no: EM13983513

In 2009 a group of researchers from UCSB temporarily gained control of the Torpig botnet, gaining a unique perspective on how it worked and what it was used for.

They describe this experience in the paper Your Botnet is My Botnet: Analysis of a Botnet Takeover.

Use the information in the paper to answer the following questions.

i) Mebroot is responsible for collecting personal information about the victim from their web browser.
• True
• False

ii) Mebroot is loaded into memory before Windows boots.
• True
• False

iii) Torpig's domain generation algorithm deterministically generates domain names inside three different top-level domains.
• True
• False

iv)The researchers intercepted the botnet's traffic by registering all of the daily domains that would be generated by the domain generation algorithm for a week in the future.
• True
• False

v) The researchers safely deactivated Torpig clients that reported data to their C&C server.
• True
• False

vi) Data posted to HTML forms is collected by the malware and reported to the C&C server unless the communication is SSL-encrypted, in which case the malware is unable to intercept it.
• True
• False

vii) Torpig steals email account login details from mail software and reports them back to the C&C server.
• True
• False

viii) When a Torpig client phones home, the reported nid value for that client is generally stable over a long period of time.
• True
• False

ix) From the point of view of the researchers, Italy contained the greatest number of infected computers during the period in which the researchers controlled the botnet.
• True
• False

x)There is evidence to suggest that personal data collected by Torpig was being shared amongst a number of criminal organisations.
• True
• False

xi) The researchers refer to a man-in-the-browser attack that is performed automatically by Torpig. What are the features of this attack? Choose all that are applicable

• Torpig intercepts requests to websites on a list made by the botnet owners. This list is fixed, and cannot be updated after the computer has been infected.

• Torpig intercepts requests to websites on a list made by the botnet owners. This list can be modified by the botnet owners even after the computer has been infected.

• When the victim attempts to visit specific pages on one of these websites, Torpig performs its malicious activity.

• When the victim attempts to visit any page on one of these websites, Torpig performs its malicious activity.

• Torpig injects the same HTML into every website on the list. It prompts the victim to enter their credit card number and social security number.

• Torpig injects different HTML for each website on the list, allowing the botnet owners to tailor the injected content to the targeted website. It asks for a range of personal information.

• After the victim enters the requested data, it is sent back to the botnet owners via the Torpig C&C server.

• After the victim enters the requested data, it is sent back to the botnet owners via the server that sent the HTML to be injected into the page.

What actions did the botnet owners perform to regain control of the botnet from the researchers? Choose all that are applicable

• They seized control of the existing domains the researchers were using to communicate with the bots.

• They registered new domains that the bots would attempt to contact in future.

• They changed the domain generation algorithm used by the bots so they would no longer attempt to communicate with the researchers' C&C server.

• They sent anonymous threats to the researchers, causing the researchers to surrender control of the botnet earlier than planned.

Part b

Review the following PHP and JavaScript source code(At the end of the document), both of which contain vulnerabilities:

• search.php (line-numbered version) is a PHP script allowing users to search a file's contents via a web interface. It contains a single vulnerability.

• CryptoAPI.js (line-numbered version) is an (incomplete) JavaScript cryptography API. It contains three vulnerabilities that allow an attacker to execute arbitrary code when the CryptoAPI.sha1.hash() function is called.

After reviewing both pieces of code, answer the following questions.

i)
a) What is the number of the line in search.php that contains the vulnerability?

b) What type of vulnerability does this line contain?

• Cross-site scripting
• Cross-site request forgery
• SQL injection
• Shell injection
• File inclusion
• File upload

c) Which of these PHP functions would be helpful when attempting to mitigate this vulnerability?

• escapeshellarg()
• escapeshellcmd()
• exec()
• exec_shell()
• htmlentities()
• htmlspecialchars()
• mysqli_multi_query()
• mysql_query()
• mysqli_query()
• mysql_real_escape_string()
• mysqli_real_escape_string()
• mysqli_real_query()
• pg_escape_literal()
• pg_escape_string()
• pg_query()
• pg_query_params()
• preg_replace()
• shell_exec()
• str_replace()
• system()
• unlink()

ii)

a) Provide the number of a line in CryptoAPI.js containing a vulnerability that allows an attacker to execute arbitrary code when CryptoAPI.sha1.hash(x) is called. Assume that x is a value controlled by the attacker.

b) Exploit this vulnerability: define a variable x that causes CryptoAPI.sha1.hash(x) to execute the payload alert('1')

a. Write code

c) Provide the number of a line in CryptoAPI.js containing a vulnerability that allows an attacker to execute arbitrary code when CryptoAPI.sha1.hash(x) is called, provided that the attacker has the ability to load his own code beforeCryptoAPI.js is loaded.

d) Exploit this vulnerability: provide a piece of code that, when loaded beforeCryptoAPI.js, causes CryptoAPI.sha1.hash(x) to execute the payload alert('2').

a. Write code

e) Provide the number of a line in CryptoAPI.js containing a vulnerability that allows an attacker to execute arbitrary code when CryptoAPI.sha1.hash(x) is called without having to redefine CryptoAPI.sha1.hash itself, provided that the attacker has the ability to load his own code afterCryptoAPI.js is loaded.

f) Exploit this vulnerability: provide a piece of code that, when loaded afterCryptoAPI.js, causes CryptoAPI.sha1.hash(x) to execute the payload alert('3')without redefining CryptoAPI.sha1.hash itself.

a. Write code

The codes:

PHP :search.php (line-numbered version)

     1    <!DOCTYPE html>

     2    <html lang="en">

     3   

     4        <head>

     5             <meta charset="utf-8">

     6             <title>File search</title>

     7        </head>

     8   

     9        <body>

    10             <h1>File search</h1>

    11            

    12             <?php

    13             $db = new mysqli("127.0.0.1", "file_search", "s34rch1n", "file_search");

    14             ?>

    15            

    16             <form method="post" enctype="multipart/form-data">

    17                  Search <input type="file" name="haystack">

    18                  for <input type="text" name="needle">

    19                  <button type="submit">Search!</button>

    20             </form>

    21            

    22             <?php

    23             if ($_SERVER["REQUEST_METHOD"] === "POST") {             

    24                  if ($_FILES["haystack"]["type"] !== "text/plain") {

    25                       echo "<strong>The file you uploaded is not a text file.</strong>";

    26                  } else if ($_FILES["haystack"]["size"] > 50000) {

    27                       echo "<strong>The file you uploaded is too large.</strong>";

    28                  } else if ($_POST["needle"] === "") {

    29                       echo "<strong>You must specify a term to search for.</strong>";

    30                  } else {

    31                       echo "<h3>Search results</h3>";

    32                      

    33                       $results = preg_split("/\r?\n/", 'grep {$_POST["needle"]} {$_FILES["haystack"]["tmp_name"]}');

    34                       echo "<p>" . count($results) . " search result" . (count($results) === 1 ? "" : "s") . " for <strong>" . htmlspecialchars($_POST["needle"], ENT_QUOTES) . "</strong>:</p>";

    35                       echo "<ul>";

    36                       foreach ($results as &$r) {

    37                            echo "<p>" .htmlspecialchars($r, ENT_QUOTES) . "</p>";

    38                       }

    39                       echo "</ul>";

    40                      

    41                       if ($db && $query = $db->prepare("insert into history (??)")) {

    42                            if ($query->bind_param("si", $_POST["needle"], count($results))) {

    43                                $query->execute();

    44                            }

    45                            $query->close();

    46                            mysqli_close($db);

    47                       }

    48                  }

    49             }

    50             ?>

    51            

    52        </body>

    53    </html>

End code

Javascript code:

CryptoAPI.js (line-numbered version)

1    var CryptoAPI = (function() {

     2        var encoding = {

     3             a2b: function(a) { },

     4             b2a: function(b) { }

     5        };

     6   

     7        var API = {

     8             sha1: {

     9                  name: 'sha1',

    10                  identifier: '2b0e03021a',

    11                  size: 20,

    12                  block: 64,

    13                  hash: function(s) {

    14                       var len = (s += '\x80').length,

    15                            blocks = len >> 6,

    16                            chunk = len & 63,

    17                            res = "",

    18                            i = 0,

    19                            j = 0,

    20                            H = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0],

    21                            w = [];

    22                           

    23                       while (chunk++ != 56) {

    24                            s += "\x00";

    25                            if (chunk == 64) {

    26                                blocks++;

    27                                chunk = 0;

    28                            }

    29                       }

    30                      

    31                       for (s += "\x00\x00\x00\x00", chunk = 3, len = 8 * (len - 1); chunk >= 0; chunk--) {

    32                            s += encoding.b2a(len >> (8 * chunk) & 255);

    33                       }

    34                           

    35                       for (i = 0; i <s.length; i++) {

    36                            j = (j << 8) + encoding.a2b(s[i]);

    37                            if ((i & 3) == 3) {

    38                                w[(i >> 2) & 15] = j;

    39                                j = 0;

    40                            }

    41                            if ((i & 63) == 63) CryptoAPI.sha1._round(H, w);

    42                       }

    43                      

    44                       for (i = 0; i <H.length; i++)

    45                            for (j = 3; j >= 0; j--)

    46                                res += encoding.b2a(H[i] >> (8 * j) & 255);

    47                       return res;

    48                  }, // End "hash"

    49                  _round: function(H, w) { }

    50             } // End "sha1"

    51        }; // End "API"

    52   

    53        return API; // End body of anonymous function

    54    })(); // End "CryptoAPI"

End code

Article reference -

Your Botnet is My Botnet: Analysis of a Botnet Takeover

Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Christopher Kruegel, and Giovanni Vigna

Reference no: EM13983513

INFA 640 Cryptology and data protection

INFA 640,  Cryptology and data protection  Roberta, the daughter of Bob and Alice, is a summer intern at Encrypt-It-Rite, Inc. For her summer project, Roberta would like to

Identify two specific products from different vendors

Take one of the five identified categories of security tools (Network Discovery, Network Scanning, DLP, Firewalls, and HIDS) and identify two specific products from differe

What security model would you select

What Security Model would you select when create an Enterprise Architecture? You may include a particular security situation that would justify the Security of Model of choi

Design a secure authentication technology for gfi

Identify and describe the organizational authentication technology and network security issues. Make a list of access points internal and external (remote). Design a secure au

Analyze the significance of hacking

Analyze the significance of hacking in organizations and modern society. Use at least two (2) quality resources in this assignment. Note: Wikipedia and similar Websites do n

Describe the objectives and main elements of a cirt plan

Describe the objectives and main elements of a CIRT plan and analyze the manner in which a CIRT plan fits into the overall risk management approach of an organization and ho

What is ip address and tcp port number used by your client

CPS 470/570- What is the IP address and TCP port number used by your client computer (source) to transfer the file to gaia.cs.umass.edu? What is the IP address and port number

What should network engineers expect to happen with security

Why is the current practice of securing the enterprise by hiding it behind hardened firewalls becoming extinct? What should network engineers expect to happen with security in

Reviews

Write a Review

 
Free Assignment Quote

Assured A++ Grade

Get guaranteed satisfaction & time on delivery in every assignment order you paid with us! We ensure premium quality solution document along with free turntin report!

All rights reserved! Copyrights ©2019-2020 ExpertsMind IT Educational Pvt Ltd