What actions did the botnet owners perform

Assignment Help Computer Network Security
Reference no: EM13983513

In 2009 a group of researchers from UCSB temporarily gained control of the Torpig botnet, gaining a unique perspective on how it worked and what it was used for.

They describe this experience in the paper Your Botnet is My Botnet: Analysis of a Botnet Takeover.

Use the information in the paper to answer the following questions.

i) Mebroot is responsible for collecting personal information about the victim from their web browser.
• True
• False

ii) Mebroot is loaded into memory before Windows boots.
• True
• False

iii) Torpig's domain generation algorithm deterministically generates domain names inside three different top-level domains.
• True
• False

iv)The researchers intercepted the botnet's traffic by registering all of the daily domains that would be generated by the domain generation algorithm for a week in the future.
• True
• False

v) The researchers safely deactivated Torpig clients that reported data to their C&C server.
• True
• False

vi) Data posted to HTML forms is collected by the malware and reported to the C&C server unless the communication is SSL-encrypted, in which case the malware is unable to intercept it.
• True
• False

vii) Torpig steals email account login details from mail software and reports them back to the C&C server.
• True
• False

viii) When a Torpig client phones home, the reported nid value for that client is generally stable over a long period of time.
• True
• False

ix) From the point of view of the researchers, Italy contained the greatest number of infected computers during the period in which the researchers controlled the botnet.
• True
• False

x)There is evidence to suggest that personal data collected by Torpig was being shared amongst a number of criminal organisations.
• True
• False

xi) The researchers refer to a man-in-the-browser attack that is performed automatically by Torpig. What are the features of this attack? Choose all that are applicable

• Torpig intercepts requests to websites on a list made by the botnet owners. This list is fixed, and cannot be updated after the computer has been infected.

• Torpig intercepts requests to websites on a list made by the botnet owners. This list can be modified by the botnet owners even after the computer has been infected.

• When the victim attempts to visit specific pages on one of these websites, Torpig performs its malicious activity.

• When the victim attempts to visit any page on one of these websites, Torpig performs its malicious activity.

• Torpig injects the same HTML into every website on the list. It prompts the victim to enter their credit card number and social security number.

• Torpig injects different HTML for each website on the list, allowing the botnet owners to tailor the injected content to the targeted website. It asks for a range of personal information.

• After the victim enters the requested data, it is sent back to the botnet owners via the Torpig C&C server.

• After the victim enters the requested data, it is sent back to the botnet owners via the server that sent the HTML to be injected into the page.

What actions did the botnet owners perform to regain control of the botnet from the researchers? Choose all that are applicable

• They seized control of the existing domains the researchers were using to communicate with the bots.

• They registered new domains that the bots would attempt to contact in future.

• They changed the domain generation algorithm used by the bots so they would no longer attempt to communicate with the researchers' C&C server.

• They sent anonymous threats to the researchers, causing the researchers to surrender control of the botnet earlier than planned.

Part b

Review the following PHP and JavaScript source code(At the end of the document), both of which contain vulnerabilities:

• search.php (line-numbered version) is a PHP script allowing users to search a file's contents via a web interface. It contains a single vulnerability.

• CryptoAPI.js (line-numbered version) is an (incomplete) JavaScript cryptography API. It contains three vulnerabilities that allow an attacker to execute arbitrary code when the CryptoAPI.sha1.hash() function is called.

After reviewing both pieces of code, answer the following questions.

i)
a) What is the number of the line in search.php that contains the vulnerability?

b) What type of vulnerability does this line contain?

• Cross-site scripting
• Cross-site request forgery
• SQL injection
• Shell injection
• File inclusion
• File upload

c) Which of these PHP functions would be helpful when attempting to mitigate this vulnerability?

• escapeshellarg()
• escapeshellcmd()
• exec()
• exec_shell()
• htmlentities()
• htmlspecialchars()
• mysqli_multi_query()
• mysql_query()
• mysqli_query()
• mysql_real_escape_string()
• mysqli_real_escape_string()
• mysqli_real_query()
• pg_escape_literal()
• pg_escape_string()
• pg_query()
• pg_query_params()
• preg_replace()
• shell_exec()
• str_replace()
• system()
• unlink()

ii)

a) Provide the number of a line in CryptoAPI.js containing a vulnerability that allows an attacker to execute arbitrary code when CryptoAPI.sha1.hash(x) is called. Assume that x is a value controlled by the attacker.

b) Exploit this vulnerability: define a variable x that causes CryptoAPI.sha1.hash(x) to execute the payload alert('1')

a. Write code

c) Provide the number of a line in CryptoAPI.js containing a vulnerability that allows an attacker to execute arbitrary code when CryptoAPI.sha1.hash(x) is called, provided that the attacker has the ability to load his own code beforeCryptoAPI.js is loaded.

d) Exploit this vulnerability: provide a piece of code that, when loaded beforeCryptoAPI.js, causes CryptoAPI.sha1.hash(x) to execute the payload alert('2').

a. Write code

e) Provide the number of a line in CryptoAPI.js containing a vulnerability that allows an attacker to execute arbitrary code when CryptoAPI.sha1.hash(x) is called without having to redefine CryptoAPI.sha1.hash itself, provided that the attacker has the ability to load his own code afterCryptoAPI.js is loaded.

f) Exploit this vulnerability: provide a piece of code that, when loaded afterCryptoAPI.js, causes CryptoAPI.sha1.hash(x) to execute the payload alert('3')without redefining CryptoAPI.sha1.hash itself.

a. Write code

The codes:

PHP :search.php (line-numbered version)

     1    <!DOCTYPE html>

     2    <html lang="en">

     3   

     4        <head>

     5             <meta charset="utf-8">

     6             <title>File search</title>

     7        </head>

     8   

     9        <body>

    10             <h1>File search</h1>

    11            

    12             <?php

    13             $db = new mysqli("127.0.0.1", "file_search", "s34rch1n", "file_search");

    14             ?>

    15            

    16             <form method="post" enctype="multipart/form-data">

    17                  Search <input type="file" name="haystack">

    18                  for <input type="text" name="needle">

    19                  <button type="submit">Search!</button>

    20             </form>

    21            

    22             <?php

    23             if ($_SERVER["REQUEST_METHOD"] === "POST") {             

    24                  if ($_FILES["haystack"]["type"] !== "text/plain") {

    25                       echo "<strong>The file you uploaded is not a text file.</strong>";

    26                  } else if ($_FILES["haystack"]["size"] > 50000) {

    27                       echo "<strong>The file you uploaded is too large.</strong>";

    28                  } else if ($_POST["needle"] === "") {

    29                       echo "<strong>You must specify a term to search for.</strong>";

    30                  } else {

    31                       echo "<h3>Search results</h3>";

    32                      

    33                       $results = preg_split("/\r?\n/", 'grep {$_POST["needle"]} {$_FILES["haystack"]["tmp_name"]}');

    34                       echo "<p>" . count($results) . " search result" . (count($results) === 1 ? "" : "s") . " for <strong>" . htmlspecialchars($_POST["needle"], ENT_QUOTES) . "</strong>:</p>";

    35                       echo "<ul>";

    36                       foreach ($results as &$r) {

    37                            echo "<p>" .htmlspecialchars($r, ENT_QUOTES) . "</p>";

    38                       }

    39                       echo "</ul>";

    40                      

    41                       if ($db && $query = $db->prepare("insert into history (??)")) {

    42                            if ($query->bind_param("si", $_POST["needle"], count($results))) {

    43                                $query->execute();

    44                            }

    45                            $query->close();

    46                            mysqli_close($db);

    47                       }

    48                  }

    49             }

    50             ?>

    51            

    52        </body>

    53    </html>

End code

Javascript code:

CryptoAPI.js (line-numbered version)

1    var CryptoAPI = (function() {

     2        var encoding = {

     3             a2b: function(a) { },

     4             b2a: function(b) { }

     5        };

     6   

     7        var API = {

     8             sha1: {

     9                  name: 'sha1',

    10                  identifier: '2b0e03021a',

    11                  size: 20,

    12                  block: 64,

    13                  hash: function(s) {

    14                       var len = (s += '\x80').length,

    15                            blocks = len >> 6,

    16                            chunk = len & 63,

    17                            res = "",

    18                            i = 0,

    19                            j = 0,

    20                            H = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476, 0xC3D2E1F0],

    21                            w = [];

    22                           

    23                       while (chunk++ != 56) {

    24                            s += "\x00";

    25                            if (chunk == 64) {

    26                                blocks++;

    27                                chunk = 0;

    28                            }

    29                       }

    30                      

    31                       for (s += "\x00\x00\x00\x00", chunk = 3, len = 8 * (len - 1); chunk >= 0; chunk--) {

    32                            s += encoding.b2a(len >> (8 * chunk) & 255);

    33                       }

    34                           

    35                       for (i = 0; i <s.length; i++) {

    36                            j = (j << 8) + encoding.a2b(s[i]);

    37                            if ((i & 3) == 3) {

    38                                w[(i >> 2) & 15] = j;

    39                                j = 0;

    40                            }

    41                            if ((i & 63) == 63) CryptoAPI.sha1._round(H, w);

    42                       }

    43                      

    44                       for (i = 0; i <H.length; i++)

    45                            for (j = 3; j >= 0; j--)

    46                                res += encoding.b2a(H[i] >> (8 * j) & 255);

    47                       return res;

    48                  }, // End "hash"

    49                  _round: function(H, w) { }

    50             } // End "sha1"

    51        }; // End "API"

    52   

    53        return API; // End body of anonymous function

    54    })(); // End "CryptoAPI"

End code

Article reference -

Your Botnet is My Botnet: Analysis of a Botnet Takeover

Brett Stone-Gross, Marco Cova, Lorenzo Cavallaro, Bob Gilbert, Martin Szydlowski, Richard Kemmerer, Christopher Kruegel, and Giovanni Vigna

Reference no: EM13983513

Describe possible liability issues

Describe regulatory requirements and describe possible liability issues that may be related to these cyberattacks. How should cyber policy controls be adjusted for each orga

Describe the function of a firewall

Describe the function of a firewall. (Minimum word count: 70) Which tunneling protocols are commonly used by VPNs? (Minimum word count: 25) Describe a differential backup.

Explain the nature of security assessments is changing

The motivation for security reviews and assessments is changing and, consequently, the nature of security assessments is changing. The practice of risk analysis is relativel

Wireless-hardware hacking

Research via the internet and find an article in the news regarding wireless hacking, hardware hacking, or other security breach. As security and IT change so rapidly, your

Give opinion of most important ways that believe encryption

Give your opinion of the two most important ways that you believe encryption could assist in addressing some of the current challenges facing organizations today, and explai

What advice does fbi provide in protecting computer fraud

What advice does the FBI provide in protecting against computer fraud. Do you feel that the Government is doing sufficient job in this area. Define COBIT and it's control ob

Encrypt block in block cipher using key

Suppose that there is block cipher ABC that always encrypts block of b=72 bits using key of k= 60 bits. Prove that XYZ doesn't give much stronger security than ABC.

Mobile wireless networks

3G Safekeeping model, safekeeping architecture standards ITU-T X.805 and ISO/IEC 18028-2, access points (AP), network admission controller (NAC) and authentication server (AS)

Reviews

Write a Review

 
Free Assignment Quote

Assured A++ Grade

Get guaranteed satisfaction & time on delivery in every assignment order you paid with us! We ensure premium quality solution document along with free turntin report!

All rights reserved! Copyrights ©2019-2020 ExpertsMind IT Educational Pvt Ltd