Making Web Users Botnet-Resistant

Published: 22/11/2024   Category: security


HackMiami researchers create botnet-resistant code to thwart botnets from stealing valuable data



WASHINGTON, D.C. -- OWASP AppSec DC 2010 -- What if you could outfit visitors to your website with a coat of anti-botnet armor? A pair of researchers has come up with coding techniques they say ultimately render infected user machines useless to botnet operators harvesting data.
Peter Greko and Fabian Rothschild, both members of the HackMiami hackerspace, here today showed how they studied samples of the Zeus and SpyEye Trojans, as well as how the cybercrime underground uses this code for botnets. They then used that intelligence to write code for Web servers that mitigates these botnets. Their premise is that most client machines are infected anyway. "What we've done is make it really hard for botmasters to use any information they collect from client machines," Rothschild said.
Their hope is to convert these methods into software modules for the OWASP Enterprise Security API (ESAPI), an open-source Web app security control library aimed at making secure code simpler to write. "We want to talk to the ESAPI project and see if we can come up with modules for them," Greko said.
The techniques they developed don't prevent a bot infection, but rather stymie the botmaster from ultimately gathering any useful information from the victim. Zeus, for instance, collects logins, passwords, cookies, VIEWSTATE parameters, and any other information passed via an HTTP POST request. There are four different options, which range from obfuscating data to encrypting it. "What we've done is come up with ways to make it really hard for botmasters to use any information they collect from client machines," Rothschild says.
Zeus uses HTTP POST-logging to glean valuable data from Web sessions on the machines it infects, and then transports the information it grabs to its command-and-control servers. Greko and Rothschild devised ways to make that data either too unwieldy or unrecognizable to the botnet. Each has its trade-offs in Web server back-end load, they said. "It all depends on how heavy you want it on your Web server. The more load on your Web server equals more money [invested]," Greko said.
In what they dubbed "basic mitigation," their method bloats the code so the botnet either can't find the data or can't use it because it's too large a string. "We obfuscate variable names and add extraneous hidden POST parameters that tend to bloat code, for example," Greko said. "The botnet is looking for easily recognizable logs of information and we put hidden junk values [in it]."
In the "medium mitigation," they mangle the data so that it's unreadable to the botnet. "We are prefixing data for POSTs via client-side JavaScript," Greko said. In the "hard mitigation" approach, they used Base64 encoding to hide valuable data coming from the client.
They offered up another method, dubbed "Nightmare," where they deployed RC4 symmetric encryption on the server side. "RC4 has had a bad rap because it can be brute-forced. But if you rotate the encryption key every session, for example, the botmaster isn't going to know the key," Greko said.
The researchers said they tested all of the techniques against Zeus, and they worked. But there is still no cure-all for bot infections. "These methods do not prevent [identity theft]. If someone wants your data, you can make a plug-in for SpyEye or Zeus and ... make it harder for them to get the data," Greko said. "This will mitigate most of the script kiddies and botmasters from harvesting your data."
Originally published by Dark Reading.
