Puppetnets: misusing web browsers as a distributed attack infrastructure

Most of the recent work on Web security focuses on preventing attacks that directly harm the browser's host machine and user. In this paper we attempt to quantify the threat of browsers being indirectly misused for attacking third parties. Specifically, we look at how the existing Web infrastructure (e.g., the languages, protocols, and security policies) can be exploited by malicious Web sites to remotely instruct browsers to orchestrate actions including denial of service attacks, worm propagation and reconnaissance scans. We show that, depending mostly on the popularity of a malicious Web site and user browsing patterns, attackers are able to create powerful botnet-like infrastructures that can cause significant damage. We explore the effectiveness of countermeasures including anomaly detection and more fine-grained browser security policies.
