Infrastructures of Browser-based Botnets


Supervisor(s): Sebastian Vogl
Status: finished
Topic: Monitoring (VMI etc.)
Author: Ulrich Gallersdörfer
Submission: 2014-10-15
Type of Thesis: Bachelor's thesis
Proof of Concept: No

Abstract:

Browser-based botnets are a new approach to gaining control of many computers with malware. After infection, the software allows the attacker to control the behavior of the victim's browser. Control is limited to the browser window that shows the affected website, but because of the powerful technologies integrated into modern browsers, browser-based botnets can become a new threat. As in normal or classic botnets, the infrastructure of a botnet plays a decisive role. It is crucial for the functionality, speed, danger and defense of the botnet. The questions are which infrastructures of browser-based botnets are possible, which protocols can be used, which attack vectors are realizable, how the botnet can be propagated, how it can be implemented, what the dangers are and what countermeasures are possible.

Centralized botnets with a main command-and-control server are possible. More dangerous are peer-to-peer-based botnets, which make a central server redundant. Communication is based on the well-known P2P distributed hash table technology Kademlia, which allows values to be stored in the network that contain information about the attack desired by the botmaster. Every peer can access these pieces of information and execute them. Thus, it is possible to store information about individual bots to enable distributed computing. This is made possible by a new technology called WebRTC, which provides connections between individual browsers. Thus, a browser-based botnet is implemented in JavaScript that can execute distributed denial-of-service attacks and brute-force attacks on MD5 hashes. P2P browser-based botnets are possible and are likely to become a threat in the future.

Looking ahead, more advanced implementations are conceivable. A non-persistent XSS worm could be possible. At the moment, it is not possible to connect to already existing hash tables in order to use their infrastructure to make the botnet more reliable. With future technology this could be done and become a realistic scenario. However, optimizing the attacks for greater efficiency will be a main topic, too. At the moment, the execution time is slower than that of normal botnets.