Anonymous Control of Zombies via Google

An Observation by Rik Sagar

Abstract

I was led to a theory (by some bizarre site-log entries on my server) that malware authors might successfully utilize Google's excellent search capabilities to create an anonymous and highly redundant 'bot control network. A simple experiment was sufficient to prove that web-site guest books (particularly seldom-monitored and poorly thought-out ones) provide just the capability that phishers and DDoS launchers would need to send and receive messages that are hard to trace back to a central point, hard to intercept and very hard to quickly block.

Scenario 1

You're a malware author. You have successfully deployed thousands of zombies, ready to launch your DDoS. However, how do you instruct your zombies to attack without hard-coding some IP address into the zombie that creates a trail back to your server and yourself?

Scenario 2

You're a phisher. It's easy to send out your official-looking CitiBank e-mails, but what happens when someone kindly provides their personal details? If the data is posted back to your server it points the authorities straight to your door. You need a way to indirectly retrieve their data.

Mechanism

Controlling your zombie using the technique requires only a few simple steps.
Let's look at the steps in a little more detail.

Deploy Your Zombies

This is not a problem I need to solve; people are already doing that. One thing you need to do, though, is set up the zombie so that it wakes up every day or so to look for its commands. That's the clever part (covered in Zombies Find Their Instructions by Searching Google).

Search Google to find potential guestbooks to relay your message

Either automated or manual, you need to do a search of Google for a string such as “Sign Guest Book”. You should receive approximately 3 million hits for that search. Some of those guest books will be more suitable than others, but basically any guestbook that allows a submission without needing a log-in will do. Hopefully the guestbook won't be moderated, which makes it a lot easier for your message to get through.

Encrypt the message you need to send to your 'bot

You probably just need to use a simple cipher with a secret shared key to provide a little protection and obfuscation to your message. Then you'll base64 encode it, to make it more palatable to the guestbook.

Embed your message into a posting on the message board

This is the under-the-radar part of the trick. Your posting will go unchallenged by the web-master/moderator if it looks like a f@%k-up! So create a posting that looks like it could be a legitimate posting that somehow got 'mangled' in transit over the internet. You and I know that things don't really get mangled in transit over the internet, but most people are generally forgiving of fuck-ups of the technology on the grounds that it's more complex than setting the timer on a VCR.

Here's the trick: for every field in the submission form that is text (<input type=text name=xyz ...>), simply set the value to %20%3fxyz. People who think they know a bit about HTTP will immediately recognize %20%3f as the escape sequence for ' =' and deduce that there was a glitch in the Internet...
For the field in the submission form that is the user comment, i.e., (<textarea name=ccc ...>), do something similar to the above, i.e., prefix with %20%3fccc, then append your 'bot message.

Next, you need a unique identifier somewhere in the submission. My technique was to do a little additional parsing of the text elements in the submission form to find the one whose name attribute was mail or email or address, etc. Then in that field make sure you put your memorable token (%20%3fdiveboy@hotmail.com) in my case! Note, that's not my real email address! I have more class than to use Hotmail :-)

Finally, and this is important, repeat on four or five (or twenty) other guestbooks that you found in your Google search! This gives you the redundancy and robustness that prevents the authorities from easily blocking your message.

Zombies find their instructions by searching Google

The zombie needs to find its instructions. To do so, it can search the internet using Google for the 'token' you defined in advance (%20%3fdiveboy@hotmail.com). We know that the guestbooks you used are indexed by Google, because you found them through Google. Therefore it's logical that your posts will get indexed next time Google scrapes the site. On average, it's going to take a week. But you're patient!

The zombie can search using a simple HTTP post (http://google.com/search?q=%20%3fdiveboy@hotmail.com ), then parse the returned HTML for the %20%3f sequences and hence the control message. The zombie needs to take care of the base64 encoding and the descrambling and you're away!

Reverse the Roles for Phishing

For phishing the technique should be used in reverse, i.e., the zombies could collect data from the user, post it to the guestbooks and a week later you retrieve the bank account details by doing the Google search. (Any Wi-Fi enabled coffee shop, library, etc., can be used to do the retrieval anonymously.)
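
Seen from the guestbook operator's side, the "mangled form" posting described above has a regular shape that a submission filter can hold for moderation. The following is an added example, not code from the original page: the function names, the sample field names and the 24-character threshold are assumptions.

```python
import base64
import re
from urllib.parse import unquote

# 24+ base64 characters in a row; the length threshold is an assumption to tune.
B64_RUN = re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")

def after_marker(value):
    """Text following a leading '%20%3f' marker (literal or URL-decoded), else None."""
    text = unquote(value).lstrip()  # '%20%3f' URL-decodes to ' ?'
    return text[1:] if text.startswith("?") else None

def has_base64_payload(text):
    """True if text contains a long run that decodes cleanly as base64."""
    for match in B64_RUN.finditer(text):
        blob = match.group(0).rstrip("=")
        blob += "=" * (-len(blob) % 4)
        try:
            base64.b64decode(blob, validate=True)
        except ValueError:  # binascii.Error is a ValueError
            continue
        return True
    return False

def review_submission(form):
    """form maps field name -> submitted value. Returns (hold, reasons)."""
    reasons = []
    rest = {name: after_marker(value) for name, value in form.items()}
    marked = sorted(n for n, r in rest.items() if r is not None)
    echoed = sorted(n for n in marked if rest[n].lower().startswith(n.lower()))
    if echoed:
        reasons.append("value echoes its own field name: " + ", ".join(echoed))
    loaded = sorted(n for n in echoed if has_base64_payload(rest[n][len(n):]))
    if loaded:
        reasons.append("base64 run after the marker: " + ", ".join(loaded))
    # Hold for moderation when the marker repeats across fields and at least
    # one field echoes its own name, or when a marked field carries a blob.
    hold = (len(marked) >= 2 and bool(echoed)) or bool(loaded)
    return hold, reasons

# Constructed sample submissions (field names and values are made up).
BLOB = base64.b64encode(bytes(range(200, 230))).decode()
SUSPECT = {"name": "%20%3fname", "email": "%20%3fvisitor@example.test",
           "comments": "%20%3fcomments" + BLOB}
NORMAL = {"name": "Pat", "email": "pat@example.test",
          "comments": "Lovely site, thanks for the photos of the reef!"}
```

Held entries go to a moderation queue rather than being silently dropped, so a genuinely garbled post can still be approved by hand.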
Practical Experiment

As a quick proof that the technique would work I manually walked through the process, trying to keep my actions compatible with any script that I might write to do the same ... i.e., no intelligence or complex logic to interpret the results I got back from Google or the pages I clicked through.

I hand crafted some random payload and ...

More text needed here!!

In the meantime, the experiment is detailed on my blog:

http://blog.sagar.org/2004/07/botsperiment.html
http://blog.sagar.org/2004/07/scumbot-channel-staggers-to-life.html

Rik Sagar
http://sagar.org/contact/
Oct 2004