DOI: 10.1145/1180405.1180434

Puppetnets: misusing web browsers as a distributed attack infrastructure

Published: 30 October 2006

ABSTRACT

Most of the recent work on Web security focuses on preventing attacks that directly harm the browser's host machine and user. In this paper we attempt to quantify the threat of browsers being indirectly misused for attacking third parties. Specifically, we look at how the existing Web infrastructure (e.g., the languages, protocols, and security policies) can be exploited by malicious Web sites to remotely instruct browsers to orchestrate actions including denial of service attacks, worm propagation and reconnaissance scans. We show that, depending mostly on the popularity of a malicious Web site and user browsing patterns, attackers are able to create powerful botnet-like infrastructures that can cause significant damage. We explore the effectiveness of countermeasures including anomaly detection and more fine-grained browser security policies.


Published in

CCS '06: Proceedings of the 13th ACM conference on Computer and communications security
October 2006
434 pages
ISBN: 1595935185
DOI: 10.1145/1180405

Copyright © 2006 ACM


Publisher: Association for Computing Machinery, New York, NY, United States
