[Q4 2014]

akamai.com

= botnet profiling technique

New analysis technique using data from the Akamai Intelligent Platform(TM)
Automated discovery of web application vulnerabilities for Remote File Inclusion (RFI) and OS Command Injection attacks
Botnets profiled by identifying malicious code resource URLs and seemingly identical payloads
Analysis does not require inclusion in the botnet or taking over the botnet's command and control (C&C, C2) server
[Download the Q4 2014 Global DDoS Attack Report for supporting data and analysis]

2 / [The State of the Internet] / Security (Q4 2014)

= Remote File Inclusion (RFI) attacks

Used to exploit dynamic file include mechanisms in web applications
Web application can be tricked into including remote files with malicious code
RFI vulnerabilities are easily found and exploited by attackers

// attacker-controlled request parameter reaches include() unchanged
$dir = $_GET['module_name'];
include($dir . "/function.php");

Figure 1: Code vulnerable to a Remote File Inclusion attack

= OS Command Injection

Used to execute unauthorized operating system commands
The result of mixing trusted code with untrusted data
Commands executed by the attacker run with the same privileges as the commanding component
Attackers can leverage this ability to gain access to, and damage, parts of the system that are not otherwise reachable

= common payloads in botnets

RFI and OS Command Injection are among the most prevalent vulnerabilities reported
Attacker can take full control over the victim server
The most favorable attack vector

In recent months, Akamai has observed massively orchestrated attempts to find such vulnerabilities
Botnet machines, even geographically disparate machines belonging to different organizations, try to inject the same remote piece of malicious code
Code correlations enabled Akamai to map multiple Internet botnets operating at the time of the comparison
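To make the payload-correlation idea concrete, the following added example (not code from the report or from Akamai) groups web-server log lines by the normalised remote-include URL they carry, so that requests from different source IPs against different applications collapse into one cluster per payload. The log lines, the `module_name` parameter, the IP addresses and the host names are all constructed for the example.

```python
import re
from collections import defaultdict
from urllib.parse import parse_qs, unquote, urlparse

# Constructed access-log lines (not from the report); IPs and hosts are
# documentation/example values.
LOG_LINES = [
    '198.51.100.7 - - [12/Nov/2014:10:01:02 +0000] "GET /index.php?module_name=http://example.net/a.txt? HTTP/1.1" 200 512',
    '203.0.113.9 - - [12/Nov/2014:10:01:09 +0000] "GET /page.php?module_name=http%3A%2F%2Fexample.net%2Fa.txt%3F HTTP/1.1" 200 511',
    '192.0.2.44 - - [12/Nov/2014:10:02:00 +0000] "GET /index.php?module_name=http://example.org/x.php HTTP/1.1" 500 0',
    '198.51.100.7 - - [12/Nov/2014:10:03:17 +0000] "GET /shop.php?module_name=http://example.net/a.txt? HTTP/1.1" 200 512',
    '203.0.113.9 - - [12/Nov/2014:10:04:41 +0000] "GET /about.php?id=3 HTTP/1.1" 200 2048',
]

# Common Log Format: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "\S+ (?P<target>\S+) \S+" (?P<status>\d+)')
REMOTE_RE = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)

def extract_rfi_payload(target):
    """Return the normalised remote URL found in any query parameter, or None.
    Percent-decoding, lower-casing and dropping the trailing '?' (appended to
    neutralise include()'s fixed suffix) let look-alike requests share a key."""
    for values in parse_qs(urlparse(target).query, keep_blank_values=True).values():
        for value in values:
            value = unquote(value)
            if REMOTE_RE.match(value):
                return value.rstrip('?').lower()
    return None

def profile_botnets(lines):
    """Group source IPs and attacked paths by identical payload, the report's
    'common denominator': one entry per distinct remote resource URL."""
    clusters = defaultdict(lambda: {'sources': set(), 'targets': set(), 'hits': 0})
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # not a parseable request line
        payload = extract_rfi_payload(m.group('target'))
        if payload is None:
            continue  # ordinary traffic, no remote include attempt
        cluster = clusters[payload]
        cluster['sources'].add(m.group('ip'))
        cluster['targets'].add(urlparse(m.group('target')).path)
        cluster['hits'] += 1
    return dict(clusters)

def botnet_candidates(clusters, min_sources=2):
    """Payloads injected from several distinct hosts: the mark of a botnet
    rather than a lone attacker, as the slides describe."""
    return sorted(p for p, c in clusters.items() if len(c['sources']) >= min_sources)
```

On the constructed input, two hosts share the `example.net` payload against three different applications, so it surfaces as a botnet candidate while the single-source `example.org` request does not.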

= botnet findings

RFI and OS Command Injection botnets targeted more than 850 web applications across several top-level domains over a seven-day period
All of the botnet traffic appeared to originate from compromised servers, most from popular Software-as-a-Service (SaaS) and cloud hosting providers
The botnet Akamai analyzed included a dedicated Python script that performed web crawling disguised as a Microsoft Bing bot
In one instance, an observed botnet propagated through two WordPress TimThumb vulnerabilities

= analysis of botnet capabilities

Both RFI and OS Command Injection attacks used the same malicious code involving:

Remote shell command execution
Remote file upload (see figure)
SMS sending, controlled by IRC commands
Local FTP server credentials brute force attack
IRC-controlled UDP/TCP denial of service flood

Figure 2: Code for remote file upload

= conclusion

Novel approach to understanding web application-layer botnets
Used attack payload as the common denominator to aggregate data and map botnet information
Does not require the researcher to be a part of the botnet or to take over the botnet's C2 server
Can be used for mapping other types of malicious activities that use a distinct payload

= Q4 2014 global attack report

Download the Q4 2014 State of the Internet Security Report
The Q4 2014 report covers:
/ Analysis of DDoS attack trends
/ Breakdown of average Gbps/Mbps statistics
/ Year-over-year and quarter-by-quarter analysis
/ Types and frequency of application-layer attacks
/ Types and frequency of infrastructure attacks
/ Trends in attack frequency, size and sources
/ Where and when DDoSers launch attacks
/ Case study and analysis

= about Prolexic

StateoftheInternet.com, brought to you by Akamai, serves as the home for content and information intended to provide an informed view into online connectivity and cybersecurity trends as well as related metrics, including Internet connection speeds, broadband adoption, mobile usage, outages, and cyber-attacks and threats.

Visitors to www.stateoftheinternet.com can find current and archived versions of Akamai's State of the Internet (Connectivity and Security) reports, the company's data visualizations, and other resources designed to put context around the ever-changing Internet landscape.
