Copyright 2013 Sean T. Malone
HiveMind: Distributed File Storage Using JavaScript Botnets
Sean T. Malone, Principal Security Consultant
(We’re Hiring!)
www.seantmalone.com
The Problem
http://www.wired.com/threatlevel/2013/06/decryption-deadline-looms/
Encryption is not Enough!
The Solution
Store the files on someone else’s system
Isn’t that illegal?
… usually.
Let’s do this with standard functionality
No exploits – but there are a few tricks we can use
It’s a Feature!
All of these techniques are used for “real” web apps
There’s nothing here to patch – removing these features breaks legitimate web apps
Disclaimer
This is a research project, not production software. I am not responsible if you lose critical data through the use of this software.
Also, I am not a lawyer. Nothing in this presentation constitutes legal advice, and I do not recommend using these concepts or this software for anything illegal.
Web Browser Technology Evolution
Cookies
JavaScript
AJAX
Web Storage
Web Workers
Web Sockets
So, a web browser is a computer program that will:
Communicate with my server
Execute arbitrary code
Store arbitrary data
Sounds like a Botnet Node to me!
Sandboxing
“But I thought browser sandboxing made it almost impossible to access system data and execute code?”
Yes, but I don’t care about that. I only need to run code and access data inside the sandbox, and inside the same origin.
Building the Botnet
Node Infestation Techniques
Sites you own (or at least control)
Compromised sites (i.e., persistent XSS)
URL Shorteners
Ad Distribution Networks
Anonymous proxy servers
Command & Control
HTML5 Web Sockets
“To enable Web applications to maintain bidirectional communications with server-side processes”
http://www.whatwg.org/specs/web-apps/current-work/multipage/network.html
[When that doesn’t work, just fall back to AJAX]
Data Storage
HTML5 Web Storage
“[localStorage] is designed for storage that spans multiple windows, and lasts beyond the current session. In particular, Web applications may wish to store megabytes of user data, such as entire user-authored documents or a user's mailbox, on the client side for performance reasons.” (emphasis added)
http://www.whatwg.org/specs/web-apps/current-work/multipage/webstorage.html
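The storage capacity quoted above is exactly what makes a browser usable as a storage node, so the defender's counterpart is to look at what an origin has actually put in Web Storage. The following audit is an added example, not code from the HiveMind slides or release: it flags values that are both large and high-entropy (opaque ciphertext rather than ordinary application state). It assumes the `entries` object is built from `window.localStorage` in a real browser; a constructed sample stands in here so it runs offline.

```javascript
// Added example (not from the HiveMind slides): audit an origin's Web Storage
// for large, high-entropy values that look like opaque data blocks rather than
// normal application state. In a browser, build `entries` from
// window.localStorage; the sample below is constructed so this runs offline.

// Shannon entropy of a string in bits per character.
function shannonEntropy(s) {
  if (s.length === 0) return 0;
  const counts = new Map();
  for (const ch of s) counts.set(ch, (counts.get(ch) || 0) + 1);
  let h = 0;
  for (const c of counts.values()) {
    const p = c / s.length;
    h -= p * Math.log2(p);
  }
  return h;
}

// Report every key whose value is at least minBytes long and whose entropy is
// at least minEntropy bits/char. Base64-encoded ciphertext sits near 6 bits
// per character; JSON preferences and session state sit well below 5.
function auditStorage(entries, { minBytes = 64 * 1024, minEntropy = 5.5 } = {}) {
  const findings = [];
  let totalBytes = 0;
  for (const [key, value] of Object.entries(entries)) {
    const bytes = value.length; // UTF-16 code units; exact for ASCII payloads
    totalBytes += bytes;
    const entropy = shannonEntropy(value);
    if (bytes >= minBytes && entropy >= minEntropy) {
      findings.push({ key, bytes, entropy: Number(entropy.toFixed(2)) });
    }
  }
  return { totalBytes, findings };
}

// Constructed sample: a deterministic (non-cryptographic) LCG produces a
// base64-looking blob that stands in for an encrypted 128 KiB file block.
function pseudoRandomBase64(n) {
  const alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/';
  let x = 12345, out = '';
  for (let i = 0; i < n; i++) {
    x = (Math.imul(x, 1664525) + 1013904223) >>> 0;
    out += alphabet[x >>> 26]; // top 6 bits of the 32-bit state
  }
  return out;
}
const sampleEntries = {
  'theme': JSON.stringify({ mode: 'dark', fontSize: 14 }), // ordinary app state
  'blk:7f3a': pseudoRandomBase64(128 * 1024),              // opaque block
};
console.log(auditStorage(sampleEntries));
```

Run against a real origin, the same check over `window.localStorage` (and sessionStorage/IndexedDB by the same rule) shows whether a site is holding data the page itself never needs.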
Back End
MySQL (ActiveRecord) & Redis
ActiveRecord is easy to use, but slow (disk database IO)
Redis provides in-memory key/value storage, and lets you expire keys after a set amount of time
Other botnet uses:
Network Scanning
DDoS Attacks
Data Processing (Web Workers)
Building the File System
Definitions
File Block: A piece of an uploaded file with a set maximum size
Node: A web browser that is a member of the botnet
Server: The central command and control system used to manage nodes, uploads, downloads, and block directories
Storing a File
[Diagram: a File (Name, MIME Type, Data) is split into Block 1 through Block 5, and each block is stored as Encrypted Data]
Storing a Block
[Diagram: the Server sends block B1 out to the nodes, so that many nodes each hold a replica of B1]
Retrieving a Block
[Diagram: of the many nodes holding replicas of B1, one returns B1 to the Server]
Retrieving a File
[Diagram: Block 1 through Block 5 are retrieved as Encrypted Data, decrypted, and reassembled with the Name and MIME Type into the File's Data]
When the $#!7 Hits the Fan
The [_ _ _] Seizes the Server
Nodes go offline
Block replication fails
Blocks are lost
Files are unrecoverable
Unanswered Legal Questions
Can a website store significant amounts of data that is unnecessary for the operation of the site? Or does this constitute Unauthorized Use of a Computer?
What about bandwidth? Processing power?
Is an individual responsible for illegal content placed on his or her computer through cookies, Web Storage, and similar technologies?
Demo!
Code Release
Code and slides are available at www.seantmalone.com