+1-415-670-9189
info@expertsmind.com
What actions did the botnet owners perform
Course:- Computer Network Security
Reference No.:- EM13983513




Assignment Help
Expertsmind Rated 4.9 / 5 based on 47215 reviews.
Review Site
Assignment Help >> Computer Network Security

In 2009 a group of researchers from UCSB temporarily gained control of the Torpig botnet, gaining a unique perspective on how it worked and what it was used for.

They describe this experience in the paper Your Botnet is My Botnet: Analysis of a Botnet Takeover.

Use the information in the paper to answer the following questions.

i) Mebroot is responsible for collecting personal information about the victim from their web browser.
• True
• False

ii) Mebroot is loaded into memory before Windows boots.
• True
• False

iii) Torpig's domain generation algorithm deterministically generates domain names inside three different top-level domains.
• True
• False

iv)The researchers intercepted the botnet's traffic by registering all of the daily domains that would be generated by the domain generation algorithm for a week in the future.
• True
• False

v) The researchers safely deactivated Torpig clients that reported data to their C&C server.
• True
• False

vi) Data posted to HTML forms is collected by the malware and reported to the C&C server unless the communication is SSL-encrypted, in which case the malware is unable to intercept it.
• True
• False

vii) Torpig steals email account login details from mail software and reports them back to the C&C server.
• True
• False

viii) When a Torpig client phones home, the reported nid value for that client is generally stable over a long period of time.
• True
• False

ix) From the point of view of the researchers, Italy contained the greatest number of infected computers during the period in which the researchers controlled the botnet.
• True
• False

x)There is evidence to suggest that personal data collected by Torpig was being shared amongst a number of criminal organisations.
• True
• False

xi) The researchers refer to a man-in-the-browser attack that is performed automatically by Torpig. What are the features of this attack? Choose all that are applicable

• Torpig intercepts requests to websites on a list made by the botnet owners. This list is fixed, and cannot be updated after the computer has been infected.

• Torpig intercepts requests to websites on a list made by the botnet owners. This list can be modified by the botnet owners even after the computer has been infected.

• When the victim attempts to visit specific pages on one of these websites, Torpig performs its malicious activity.

• When the victim attempts to visit any page on one of these websites, Torpig performs its malicious activity.

• Torpig injects the same HTML into every website on the list. It prompts the victim to enter their credit card number and social security number.

• Torpig injects different HTML for each website on the list, allowing the botnet owners to tailor the injected content to the targeted website. It asks for a range of personal information.

• After the victim enters the requested data, it is sent back to the botnet owners via the Torpig C&C server.

• After the victim enters the requested data, it is sent back to the botnet owners via the server that sent the HTML to be injected into the page.

What actions did the botnet owners perform to regain control of the botnet from the researchers? Choose all that are applicable

• They seized control of the existing domains the researchers were using to communicate with the bots.

• They registered new domains that the bots would attempt to contact in future.

• They changed the domain generation algorithm used by the bots so they would no longer attempt to communicate with the researchers' C&C server.

• They sent anonymous threats to the researchers, causing the researchers to surrender control of the botnet earlier than planned.

Part b

Review the following PHP and JavaScript source code(At the end of the document), both of which contain vulnerabilities:

• search.php (line-numbered version) is a PHP script allowing users to search a file's contents via a web interface. It contains a single vulnerability.

• CryptoAPI.js (line-numbered version) is an (incomplete) JavaScript cryptography API. It contains three vulnerabilities that allow an attacker to execute arbitrary code when the CryptoAPI.sha1.hash() function is called.

After reviewing both pieces of code, answer the following questions.

i)
a) What is the number of the line in search.php that contains the vulnerability?

b) What type of vulnerability does this line contain?

• Cross-site scripting
• Cross-site request forgery
• SQL injection
• Shell injection
• File inclusion
• File upload

c) Which of these PHP functions would be helpful when attempting to mitigate this vulnerability?

• escapeshellarg()
• escapeshellcmd()
• exec()
• exec_shell()
• htmlentities()
• htmlspecialchars()
• mysqli_multi_query()
• mysql_query()
• mysqli_query()
• mysql_real_escape_string()
• mysqli_real_escape_string()
• mysqli_real_query()
• pg_escape_literal()
• pg_escape_string()
• pg_query()
• pg_query_params()
• preg_replace()
• shell_exec()
• str_replace()
• system()
• unlink()

ii)

a) Provide the number of a line in CryptoAPI.js containing a vulnerability that allows an attacker to execute arbitrary code when CryptoAPI.sha1.hash(x) is called. Assume that x is a value controlled by the attacker.

b) Exploit this vulnerability: define a variable x that causes CryptoAPI.sha1.hash(x) to execute the payload alert('1')

a. Write code

c) Provide the number of a line in CryptoAPI.js containing a vulnerability that allows an attacker to execute arbitrary code when CryptoAPI.sha1.hash(x) is called, provided that the attacker has the ability to load his own code beforeCryptoAPI.js is loaded.

d) Exploit this vulnerability: provide a piece of code that, when loaded beforeCryptoAPI.js, causes CryptoAPI.sha1.hash(x) to execute the payload alert('2').

a. Write code

e) Provide the number of a line in CryptoAPI.js containing a vulnerability that allows an attacker to execute arbitrary code when CryptoAPI.sha1.hash(x) is called without having to redefine CryptoAPI.sha1.hash itself, provided that the attacker has the ability to load his own code afterCryptoAPI.js is loaded.

f) Exploit this vulnerability: provide a piece of code that, when loaded afterCryptoAPI.js, causes CryptoAPI.sha1.hash(x) to execute the payload alert('3')without redefining CryptoAPI.sha1.hash itself.

a. Write code

The codes:

PHP :search.php (line-numbered version)

     1    <!DOCTYPE html>

     2    <html lang="en">

     3   

     4        <head>

     5             <meta charset="utf-8">

     6             <title>File search</title>

     7        </head>

     8   

     9        <body>

    10             <h1>File search</h1>

    11            

    12             <?php

    13             $db = new mysqli("127.0.0.1", "file_search", "s34rch1n", "file_search");

    14             ?>

    15            

    16             <form method="post" enctype="multipart/form-data">

    17                  Search <input type="file" name="haystack">

    18                  for <input type="text" name="needle">

    19                  <button type="submit">Search!</button>

    20             </form>

    21            

    22             <?php

    23             if ($_SERVER["REQUEST_METHOD"] === "POST") {             

    24                  if ($_FILES["haystack"]["type"] !== "text/plain") {

    25                       echo "<strong>The file you uploaded is not a text file.</strong>";

    26                  } else if ($_FILES["haystack"]["size"] > 50000) {

    27                       echo "<strong>The file you uploaded is too large.</strong>";

    28                  } else if ($_POST["needle"] === "") {

    29                       echo "<strong>You must specify a term to search for.</strong>";

    30                  } else {

    31                       echo "<h3>Search results</h3>";

    32                      

    33                       $results = preg_split("/\r?\n/", 'grep {$_POST["needle"]} {$_FILES["haystack"]["tmp_name"]}');

    34                       echo "<p>" . count($results) . " search result" . (count($results) === 1 ? "" : "s") . " for <strong>" . htmlspecialchars($_POST["needle"], ENT_QUOTES) . "</strong>:</p>";

    35                       echo "<ul>";

    36                       foreach ($results as &$r) {

    37                            echo "<p>" .htmlspecialchars($r, ENT_QUOTES) . "</p>";

    38                       }

    39                       echo "</ul>";

    40                      

    41                       if ($db && $query = $db->prepare("insert into history (??)")) {

    42                            if ($query->bind_param("si", $_POST["needle"], count($results))) {

    43                                $query->execute();

    44                            }

    45                            $query->close();

    46                            mysqli_close($db);

    47                       }

    48                  }

    49             }

    50             ?>

    51            

    52        </body>

    53    </html>

End code

Javascript code:

CryptoAPI.js (line-numbered version)

1    var CryptoAPI = (function() {

     2        var encoding = {

     3             a2b: function(a) { },

     4             b2a: function(b) { }

     5        };

     6   

     7        var API = {

     8             sha1: {

     9                  name: 'sha1',

    10                  identifier: '2b0e03021a',

    11                  size: 20,

    12                  block: 64,

    13                  hash: function(s) {

    14                       var len = (s += '\x80').length,

    15                            blocks = len >> 6,

    16                            chunk = len & 63,

    17                            res = "",

    18                            i = 0,

    19                            j = 0,

    20                            H = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0],

    21                            w = [];

    22                           

    23                       while (chunk++ != 56) {

    24                            s += "\x00";

    25                            if (chunk == 64) {

    26                                blocks++;

    27                                chunk = 0;

    28                            }

    29                       }

    30                      

    31                       for (s += "\x00\x00\x00\x00", chunk = 3, len = 8 * (len - 1); chunk >= 0; chunk--) {

    32                            s += encoding.b2a(len >> (8 * chunk) & 255);

    33                       }

    34                           

    35                       for (i = 0; i <s.length; i++) {

    36                            j = (j << 8) + encoding.a2b(s[i]);

    37                            if ((i & 3) == 3) {

    38                                w[(i >> 2) & 15] = j;

    39                                j = 0;

    40                            }

    41                            if ((i & 63) == 63) CryptoAPI.sha1._round(H, w);

    42                       }

    43                      

    44                       for (i = 0; i <H.length; i++)

    45                            for (j = 3; j >= 0; j--)

    46                                res += encoding.b2a(H[i] >> (8 * j) & 255);

    47                       return res;

    48                  }, // End "hash"

    49                  _round: function(H, w) { }

    50             } // End "sha1"

    51        }; // End "API"

    52   

    53        return API; // End body of anonymous function

    54    })(); // End "CryptoAPI"

End code

Article reference -

Your Botnet is My Botnet: Analysis of a Botnet Takeover

Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Christopher Kruegel, and Giovanni Vigna




Put your comment
 
Minimize


Ask Question & Get Answers from Experts
Browse some more (Computer Network Security) Materials
Business Continuity (BC) planning and Disaster Recovery (DR) planning are main elements in organizational security architectures. Write down the difference between them.
A determination of the legal and ethical issues of seizure, handling, and investigating electronic evidence such as data and information contained on smartphones, flash driv
Describe your experience working with your chosen security-related tools. Analyse which aspects of the tools will be useful for security purposes for experts and for normal
Discuss the requirements for remote administration, resource management, SLA management and billing management of your chosen provider. It may be useful to
Write a report discussing security vulnerabilities that can lead to the loss of confidentiality, integrity, availability, authenticity, or accountability using leading netwo
What type of OS to use along with the file system and why is this architecture is better than others? Will you use the same OS for servers and Desktops? Will your file syste
What are the benefits if personnel in security management develop skills as educators for their organization's security? Analyze and explain your point of view. Why are secu
We assume that Oscar is able to observe all messages sent from Alice to Bob and vice versa. Oscar has no knowledge of any keys but the public one in case of DS - Will Bob de