What actions did the botnet owners perform

Assignment Help Computer Network Security

Reference no: EM13983513

In 2009 a group of researchers from UCSB temporarily gained control of the Torpig botnet, gaining a unique perspective on how it worked and what it was used for.

They describe this experience in the paper Your Botnet is My Botnet: Analysis of a Botnet Takeover.

Use the information in the paper to answer the following questions.

i) Mebroot is responsible for collecting personal information about the victim from their web browser.
• True
• False

ii) Mebroot is loaded into memory before Windows boots.
• True
• False

iii) Torpig's domain generation algorithm deterministically generates domain names inside three different top-level domains.
• True
• False

iv)The researchers intercepted the botnet's traffic by registering all of the daily domains that would be generated by the domain generation algorithm for a week in the future.
• True
• False

v) The researchers safely deactivated Torpig clients that reported data to their C&C server.
• True
• False

vi) Data posted to HTML forms is collected by the malware and reported to the C&C server unless the communication is SSL-encrypted, in which case the malware is unable to intercept it.
• True
• False

vii) Torpig steals email account login details from mail software and reports them back to the C&C server.
• True
• False

viii) When a Torpig client phones home, the reported nid value for that client is generally stable over a long period of time.
• True
• False

ix) From the point of view of the researchers, Italy contained the greatest number of infected computers during the period in which the researchers controlled the botnet.
• True
• False

x)There is evidence to suggest that personal data collected by Torpig was being shared amongst a number of criminal organisations.
• True
• False

xi) The researchers refer to a man-in-the-browser attack that is performed automatically by Torpig. What are the features of this attack? Choose all that are applicable

• Torpig intercepts requests to websites on a list made by the botnet owners. This list is fixed, and cannot be updated after the computer has been infected.

• Torpig intercepts requests to websites on a list made by the botnet owners. This list can be modified by the botnet owners even after the computer has been infected.

• When the victim attempts to visit specific pages on one of these websites, Torpig performs its malicious activity.

• When the victim attempts to visit any page on one of these websites, Torpig performs its malicious activity.

• Torpig injects the same HTML into every website on the list. It prompts the victim to enter their credit card number and social security number.

• Torpig injects different HTML for each website on the list, allowing the botnet owners to tailor the injected content to the targeted website. It asks for a range of personal information.

• After the victim enters the requested data, it is sent back to the botnet owners via the Torpig C&C server.

• After the victim enters the requested data, it is sent back to the botnet owners via the server that sent the HTML to be injected into the page.

What actions did the botnet owners perform to regain control of the botnet from the researchers? Choose all that are applicable

• They seized control of the existing domains the researchers were using to communicate with the bots.

• They registered new domains that the bots would attempt to contact in future.

• They changed the domain generation algorithm used by the bots so they would no longer attempt to communicate with the researchers' C&C server.

• They sent anonymous threats to the researchers, causing the researchers to surrender control of the botnet earlier than planned.

Part b

Review the following PHP and JavaScript source code(At the end of the document), both of which contain vulnerabilities:

• search.php (line-numbered version) is a PHP script allowing users to search a file's contents via a web interface. It contains a single vulnerability.

• CryptoAPI.js (line-numbered version) is an (incomplete) JavaScript cryptography API. It contains three vulnerabilities that allow an attacker to execute arbitrary code when the CryptoAPI.sha1.hash() function is called.

After reviewing both pieces of code, answer the following questions.

i)
a) What is the number of the line in search.php that contains the vulnerability?

b) What type of vulnerability does this line contain?

• Cross-site scripting
• Cross-site request forgery
• SQL injection
• Shell injection
• File inclusion
• File upload

c) Which of these PHP functions would be helpful when attempting to mitigate this vulnerability?

• escapeshellarg()
• escapeshellcmd()
• exec()
• exec_shell()
• htmlentities()
• htmlspecialchars()
• mysqli_multi_query()
• mysql_query()
• mysqli_query()
• mysql_real_escape_string()
• mysqli_real_escape_string()
• mysqli_real_query()
• pg_escape_literal()
• pg_escape_string()
• pg_query()
• pg_query_params()
• preg_replace()
• shell_exec()
• str_replace()
• system()
• unlink()

ii)

a) Provide the number of a line in CryptoAPI.js containing a vulnerability that allows an attacker to execute arbitrary code when CryptoAPI.sha1.hash(x) is called. Assume that x is a value controlled by the attacker.

b) Exploit this vulnerability: define a variable x that causes CryptoAPI.sha1.hash(x) to execute the payload alert('1')

a. Write code

c) Provide the number of a line in CryptoAPI.js containing a vulnerability that allows an attacker to execute arbitrary code when CryptoAPI.sha1.hash(x) is called, provided that the attacker has the ability to load his own code beforeCryptoAPI.js is loaded.

d) Exploit this vulnerability: provide a piece of code that, when loaded beforeCryptoAPI.js, causes CryptoAPI.sha1.hash(x) to execute the payload alert('2').

a. Write code

e) Provide the number of a line in CryptoAPI.js containing a vulnerability that allows an attacker to execute arbitrary code when CryptoAPI.sha1.hash(x) is called without having to redefine CryptoAPI.sha1.hash itself, provided that the attacker has the ability to load his own code afterCryptoAPI.js is loaded.

f) Exploit this vulnerability: provide a piece of code that, when loaded afterCryptoAPI.js, causes CryptoAPI.sha1.hash(x) to execute the payload alert('3')without redefining CryptoAPI.sha1.hash itself.

a. Write code

The codes:

PHP :search.php (line-numbered version)

1 <!DOCTYPE html>

2 <html lang="en">

4 <head>

5 <meta charset="utf-8">

6 <title>File search</title>

7 </head>

9 <body>

10 <h1>File search</h1>

12 <?php

13 $db = new mysqli("127.0.0.1", "file_search", "s34rch1n", "file_search");

14 ?>

16 <form method="post" enctype="multipart/form-data">

17 Search <input type="file" name="haystack">

18 for <input type="text" name="needle">

19 <button type="submit">Search!</button>

20 </form>

22 <?php

23 if ($_SERVER["REQUEST_METHOD"] === "POST") {

24 if ($_FILES["haystack"]["type"] !== "text/plain") {

25 echo "<strong>The file you uploaded is not a text file.</strong>";

26 } else if ($_FILES["haystack"]["size"] > 50000) {

27 echo "<strong>The file you uploaded is too large.</strong>";

28 } else if ($_POST["needle"] === "") {

29 echo "<strong>You must specify a term to search for.</strong>";

30 } else {

31 echo "<h3>Search results</h3>";

33 $results = preg_split("/\r?\n/", 'grep {$_POST["needle"]} {$_FILES["haystack"]["tmp_name"]}');

34 echo "<p>" . count($results) . " search result" . (count($results) === 1 ? "" : "s") . " for <strong>" . htmlspecialchars($_POST["needle"], ENT_QUOTES) . "</strong>:</p>";

35 echo "<ul>";

36 foreach ($results as &$r) {

37 echo "<p>" .htmlspecialchars($r, ENT_QUOTES) . "</p>";

38 }

39 echo "</ul>";

41 if ($db && $query = $db->prepare("insert into history (??)")) {

42 if ($query->bind_param("si", $_POST["needle"], count($results))) {

43 $query->execute();

44 }

45 $query->close();

46 mysqli_close($db);

47 }

48 }

49 }

50 ?>

52 </body>

53 </html>

End code

Javascript code:

CryptoAPI.js (line-numbered version)

1 var CryptoAPI = (function() {

2 var encoding = {

3 a2b: function(a) { },

4 b2a: function(b) { }

5 };

7 var API = {

8 sha1: {

9 name: 'sha1',

10 identifier: '2b0e03021a',

11 size: 20,

12 block: 64,

13 hash: function(s) {

14 var len = (s += '\x80').length,

15 blocks = len >> 6,

16 chunk = len & 63,

17 res = "",

18 i = 0,

19 j = 0,

20 H = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0],

21 w = [];

23 while (chunk++ != 56) {

24 s += "\x00";

25 if (chunk == 64) {

26 blocks++;

27 chunk = 0;

28 }

29 }

31 for (s += "\x00\x00\x00\x00", chunk = 3, len = 8 * (len - 1); chunk >= 0; chunk--) {

32 s += encoding.b2a(len >> (8 * chunk) & 255);

33 }

35 for (i = 0; i <s.length; i++) {

36 j = (j << 8) + encoding.a2b(s[i]);

37 if ((i & 3) == 3) {

38 w[(i >> 2) & 15] = j;

39 j = 0;

40 }

41 if ((i & 63) == 63) CryptoAPI.sha1._round(H, w);

42 }

44 for (i = 0; i <H.length; i++)

45 for (j = 3; j >= 0; j--)

46 res += encoding.b2a(H[i] >> (8 * j) & 255);

47 return res;

48 }, // End "hash"

49 _round: function(H, w) { }

50 } // End "sha1"

51 }; // End "API"

53 return API; // End body of anonymous function

54 })(); // End "CryptoAPI"

End code

Article reference -

Your Botnet is My Botnet: Analysis of a Botnet Takeover

Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Christopher Kruegel, and Giovanni Vigna

Reference no: EM13983513

Questions Cloud

If lewis enterprises spends an additional dollar 1000 on : If Lewis Enterprises can reduce fixed expenses by 525,000, how will break even sales in units be affected. If Lewies Enterprises spends an additional dollar 1,000 on advertising, sales volumes should increase by 1,000 units. What effect will this hav..

Provide a description of the complaint : Write a paper of approximately 750 words that summarizes the NLRB's role in the case you selected above. Include the following in your paper: Provide a description of the complaint, the issues involved, and the resolution

What is the force acting on the flowerpot as it falls : A man accidentally knocks a flowerpot off a high window ledge. The flowerpot drops straight down under the influence of gravity. What is velocity of flowerpot as it falls? What is the distance the flowerpot falls?

Create a privacy policy document : Your fictitious company must create a privacy policy document between three and five total pages. The document shall include an introductory section, such as an "Executive Summary," a "Preamble," or an "Introduction.

What actions did the botnet owners perform : What is the number of the line in search.php that contains the vulnerability - what type of vulnerability does this line contain - What actions did the botnet owners perform to regain control of the botnet from the researchers?

What is the rms current to the inductor : What is the inductive reactance? What is the rms current to the inductor? If both the inductance and the frequency were doubled, what would be the rms current

Find the values for the acceleration : What is the acceleration at an altitude equal to half the planetary radius for Mars and Saturn.

What is the mechanical energy for this system : As shown in the diagram, a block with a mass of m slides on a frictionless, horizontal surface with a constant velocity of vi. It then collides with a spring that has a spring constant of k. The block fully compresses the spring, comes to rest bri..

What is the frequency of the lowest playable note : If the player's hand keeps the large end open, what is the frequency of the lowest playable note? If the player now closes the large end with his hand, what is the frequency of the lowest playable note?

User Account

All Pages