Owning bad guys (and mafia) with JavaScript botnets

Speakers: Chema Alonso | Manu “THE SUR”

Man in the middle attacks are still one of the most powerful techniques for owning machines. In this talk MITM schemas in anonymous services are going to be discussed.

Then attendees will see how easily a botnet using JavaScript can be created to analyze that kind of connections and some of the actions people behind those services are doing… in real.

Watch this video on YouTube

Views

Likes

DEFCON Conference

Source: DEFCON Conference

TED Talks

Source: Christiaan008

Hacking

Main category

Hacking
Botnet

Subcategory

Botnet

Knowledge is the life of the mind

Javascript
Article

Creating a JavaScript botnet

A JavaScript botnet would include thousands of systems that have the attacker controlled page open on their browsers for an extended duration allowing continued execution of the attacker’s JavaScript.

Learn more about creating a JavaScript botnet

Article

There are no malicious exploits being used, so there is nothing that can be patched

Building the botnet by getting other people’s browsers to load a piece of JavaScript code and storing data on their computers falls into a legally gray area, Malone said. Read more

Article

Proxy Rewrite = JavaScript Botnet

After watching Chema Alonso at DEF CON 20 I started wondering how hard it could be to build a Javascript botnet. Chema said it took him a day, when I tried it I beat that record by 22 hours and 15minutes and that’s from creating a new Digital Ocean droplet to getting my first victim. Read more

Whitepaper

An analysis of the Asprox botnet

Botherders automate the SQL attack vector to search potential SQL servers through Google search engine and then try to infect the server by inserting a malicious JavaScript file.

Learn more about the Asprox botnet

Presentation

HiveMind: Distributed file storage using JavaScript botnets

Sean Malone gave a presentation at DEF CON 21 about the methodology and tools required to create a distributed file store built on top of a JavaScript botnet.

article_96_96_blue

How a website flaw turned 22,000 visitors into a botnet of DDoS zombies
Date: 07-04-2014
Source: Arstechnica

Black Hat: How to create a massive DDoS botnet using cheap online ads
Date: 01-08-2013
Source: Networkworld

Buy An Ad, Own a Browser Botnet
Date: 31-07-2013
Source: Threatpost

Malicious JavaScript flips ad network into rentable botnet
Date: 31-07-2013
Source: The Register

Discovered: Botnet costing display advertisers over six million dollars per month
Date: 19-03-2013
Source: Spider.io

Owning bad guys and mafia with JavaScript botnets
Date: 18-12-2012
Source: PrivacyPC

JavaScript botnet sheds light on criminal activity
Date: 27-07-2012
Source: DARKReading

JavaScript botnet code leaked to Internet
Date: 02-04-2007
Source: InfoWorld

presentation_128_96_blue

Owning “bad” guys {and mafia} with Javascript botnets
Source: BlackHat

HiveMind: Distributed file storage using JavaScript botnets
Source: Irongeek

Phishing and malicious JavaScript
Source: Stanford University

whitepaper_96_96_blue

Owning Bad Guys {& Mafia} with JavaScript Botnets
Source: BlackHat

Attacking with HTML5
Date: 18-10-2010
Source: BlackHat

Change your thoughts and you change your world

SOURCE Barcelona 2010: Carders.cc, the rise and fall of an underground forum

SOURCE Barcelona 2010: Carders.cc, the rise and fall of an underground forum

Attacking SMS. It’s no longer your BFF

Attacking SMS. It’s no longer your BFF

DeepSec 2010: Debugging GSM

DeepSec 2010: Debugging GSM

DEF CON 16: Forensics is ONLY for Private Investigators

DEF CON 16: Forensics is ONLY for Private Investigators

DeepSec 2011: The security of non-executable files

DeepSec 2011: The security of non-executable files

29C3: Russia’s surveillance state

29C3: Russia’s surveillance state

ICS Cybersecurity Advanced Training Day 4

ICS Cybersecurity Advanced Training Day 4

24C3: Mifare (Little security, despite obscurity)

24C3: Mifare (Little security, despite obscurity)

OWASP AppSecUSA 2012: Bug bounty programs

OWASP AppSecUSA 2012: Bug bounty programs

24C3: Cybercrime 2.0

24C3: Cybercrime 2.0

Introduction to Trusted Computing

Introduction to Trusted Computing

25C3: Hacking the iPhone

25C3: Hacking the iPhone

OHM2013: Should law enforcement have hacking powers?

OHM2013: Should law enforcement have hacking powers?

DeepSec 2010: Circumventing common Pitfalls when auditing sourcecode for security vulnerabilities

DeepSec 2010: Circumventing common Pitfalls when auditing sourcecode for security vulnerabilities

24C3: Why Silicon-Based Security is still that hard: Deconstructing Xbox 360 Security

24C3: Why Silicon-Based Security is still that hard: Deconstructing Xbox 360 Security

DeepSec 2013: Cracking and analysing Apple iCloud protocols

DeepSec 2013: Cracking and analysing Apple iCloud protocols

DEF CON 18: Your ISP and the Government: Best Friends Forever 1/3

DEF CON 18: Your ISP and the Government: Best Friends Forever 1/3

DEF CON 17: Making fun of your malware

DEF CON 17: Making fun of your malware

The Honey project and CIC News Engine

The Honey project and CIC News Engine

Testing SQL injection with sqlmap

Testing SQL injection with sqlmap

Battery firmware hacking

Battery firmware hacking

Owning bad guys (and mafia) with JavaScript botnets

Owning bad guys (and mafia) with JavaScript botnets

Believe you can and you’re halfway there

Video wall
Video wall
Videos by category
Videos by category