Abstract

Botnets are now the key platform for many Internet attacks, such as click frauds, email spams, distributed denial-of-service (DDoS), identity theft, and phishing. Most of the current botnet detection approaches work only on specific botnet command and control (C&C) protocols (e.g., IRC) and heuristics. These approaches can become ineffective as botnets change their infection techniques. I would be presenting a prevalent botnet infection technique at application+ layer and mitigation methodology for such infections. Most of the software vendors provide extension frameworks for modularity and community development. These extension frameworks work at application+ layer. Common examples of such frameworks are dynamically-linked SDK extension to Acrobat or Adobe Reader, XUL by Mozilla and Skype4COM framework for Skype internet telephony. The modularity features of these extensions are misused by bot to inflect legitimate software.The presence of such bots at presentation+ layer are independent of C&C protocol and heuristics. Thus, these bot are known to be technically invisible to both onboard antivirus and host/network based intrusion prevention and detection systems (IPS & IDS). Such bots uses piggybacking mechanism on legitimate programs, which perform legitimate transactions between the C&C and the infected machines.

The talk will be demonstrating the attack vector used by bots at Application+ layer.It would further bring about a working PoC of the attack vector on the firefox browser using Metasploit (Same applied for other browsers and apps like Skype, Adobe Reader etc..). Finally, would be emphasizing on the mitigation techniques for such an attack.