UNIVERSITY OF ECONOMICS AND LAW
FACULTY OF BUSINESS ADMINISTRATION
E-commerce Security and Payment Systems
Malicious Code: Bots/Botnets
Potentially Unwanted Programs: Browser parasites
Lecturer: Mr Nguyén Thé Dai Nghia
Course: E-Commerce — Course ID: 232182110
HO CHI MINH, 2024
1 Browser's parasite
1.1 Definition of Browser's parasite
A browser parasite, also referred to as a browser hijacker or browser redirect virus, is a type of malicious software that targets web browsers on a user's device. It typically gets installed without the user's explicit permission and takes control of the browser's settings and behavior. This control extends to altering settings like the homepage, default search engine, and new tab page to promote specific websites or display unwanted advertisements.
These parasites are usually installed on a user's computer without their knowledge. They come in various forms, each with its own set of functions. Some may track a user's browsing habits and transmit this data to marketing companies over the internet (referred to as spyware), while others may modify browser settings to direct users to specific sites. They can even manipulate search engine results to push related products or services and occasionally activate premium services without the user's consent.
Removing parasites can be difficult as they frequently lack an uninstall function and may go undetected. However, there are anti-parasite programs available to detect and eliminate these unwanted software entities.
1.2 Types of Browser's parasite and how they function
Browser Hijackers: These parasites modify browser settings such as the homepage, default search engine, and new tab page without the user's consent. When users open their browser, they are redirected to a different homepage or search engine. These hijackers often promote specific websites or display unwanted ads. They can also be difficult to remove as they may reinstall themselves if not completely eradicated.
Adware: Adware is a type of parasite that bombards users with advertisements. These ads can appear as pop-ups, banners, or injected into search results. Adware often tracks user behavior to display targeted ads. While some adware is relatively harmless, other adware can be intrusive and even harmful, leading to potential privacy breaches.
Pop-up Ads: This type of parasite generates an excessive number of pop-up advertisements, often making it difficult to navigate websites. These pop-ups can sometimes contain malicious links or lead to further installations of unwanted software.
Search Engine Redirects: Some parasites redirect search engine queries to a specific search engine or website, usually with the intention of promoting certain products or services. Users may find themselves directed to unfamiliar or untrustworthy sites when trying to search for information.
Spyware: Spyware is a more malicious type of parasite that stealthily monitors user activity, such as keystrokes, browsing history, and personal information. This data is then sent to third parties without the user's consent. Spyware can be used for identity theft, fraud, or other nefarious purposes.
Toolbars and Extensions: While not always malicious, some browser toolbars and extensions can function as parasites if they modify browser settings, track user data without permission, or bombard users with unwanted ads. Users may unknowingly install these toolbars and extensions when downloading other software.
1.3 Prevention and Protection
Browser security is crucial to safeguard your online experience. Let’s address the aspect of protecting against browser-based threats.
Protecting Against Browser-Based Threats:
1. Keep Your Browser Updated: Regularly update your browser to patch security vulnerabilities. Newer versions often include security enhancements.
2. Use Reputable Antivirus Software: Install reliable antivirus software to detect and prevent malware.
3. Visit Trusted Websites: Be cautious when visiting websites. Stick to reputable sources to avoid malicious content.
4. Look for HTTPS Encryption: Ensure websites use HTTPS (secure connection) to protect your data during transmission.
5. Beware of Pop-ups and Suspicious Downloads: Avoid clicking on pop-ups or downloading files from untrusted sources.
6. Use Strong, Unique Passwords: Secure your accounts with robust passwords.
7. Enable Two-Factor Authentication (2FA): Add an extra layer of security to your accounts.
8. Use a VPN on Public Wi-Fi: When using public Wi-Fi, a virtual private network (VPN) encrypts your internet traffic.
2 Bot
2.1 Definition of Bot
A bot is a computer program that’s designed to imitate or replace the actions of a human by performing automated or repetitive tasks. Short for “robot,” a bot can carry out tasks with much greater speed and accuracy than a human user. There are many types of bots, performing many kinds of tasks, and bots are an ever-increasing portion of internet traffic. Bots play a large variety of roles on the internet, and more than half of all web traffic is generated by bots. Some bots are extremely useful — search engine bots, or shopping bots, for example. The bots to worry about are the bad bots, typically part of botnets; they are often used to perform dangerous and costly attacks like hoarding inventory, stealing data.
[Figure: botnet diagram showing the Bot Herder, the Command & Control server, the Bots network, and Attack traffic directed at the Victim. Credit: VNETWORK]
2.2 Types of Bots and how they function
Chatbots: These bots are designed to engage in conversations with users, typically through text or voice interfaces. They use technologies such as natural language processing (NLP) and artificial intelligence (AI) to understand user queries and provide relevant responses.
Task Automation Bots: These bots are focused on automating repetitive tasks, data processing, and other mundane activities that would otherwise be time-consuming for humans.
Spyware: Malware that can be used to gain information from its target or targets, from passwords and credit card information to the physical data contained within files. A bot herder can sell this data on the black market, and if a bot herder gains control of a corporate network, they may be able to sell the “rights” to their bank accounts and intellectual property.
Web Crawlers: Also known as spiders, these are search engine bots that scan and index web pages on the internet. They help search engines to produce a better search experience by extracting data to understand the structure and relevance of web content.
Shopping Bots: These bots scan product prices on multiple websites to help customers find the best deals.
Monitoring Bots: These bots limit your exposure to security incidents by constantly scanning your systems for bugs and malicious software.
2.3 How to prevent malicious bots
2.3.1 Invest in a bot mitigation solution
The most important step in stopping and preventing bot attacks on your website is to get proper bot detection to protect your site.
Here are a few points of good bot protection solutions to consider:
- Time to protection
- Detection quality
- Non-intrusive design
- Easy-to-use dashboard
2.3.2 Monitor your traffic
Monitor your site traffic at least for the following important metrics:
- Traffic spikes: if you see any spikes in traffic over a relatively short time frame (i.e. under a week), it can be a sign of bot activity. There are a few exceptions to this, but they should be obvious; for example, when there’s a new product launch on your site, traffic spikes can be expected.
- Suspicious sources: bot traffic commonly comes from direct traffic (i.e. not from Google search or people clicking your ads) with new user agents and sessions. Repeated requests from a single IP address are a clear sign.
- Bounce rate: a spike in bounce rate can be a major sign of bot traffic that is only looking to perform a single task repeatedly before leaving your site.
- Overall site performance: when there’s a significant slowdown on your site, it might be a sign that your servers are stressed out due to abnormal bot traffic.
2.3.3 Block data center IPs
Although the majority of highly skilled attackers have shifted to more complex networks and servers, many less skilled cyber criminals can still rely on hosting and proxy servers, which are readily stopped and have been used in many different types of assaults in the past. Get a list of known data center IP addresses, then use those IP addresses to block or Captcha requests. Though less effective and more likely to result in false positives (actual people being blocked) than an actual bot control system, it may be worth a go as a temporary workaround.
2.3.4 Block older user agents and browsers
The user-agent lists in many readily available bot scripts and tools are out-of-date. Once more, this won't thwart skilled attackers or sophisticated bots, but it is a recommended practice to prevent less experienced bots from targeting your website.
It is advisable to disable or prohibit outdated browser versions. Browser versions that are more than three years old should generally be blocked; ones up to two years old can be Captchaed.
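As an added example (not part of the original report), the following Python script applies the heuristics from 2.3.2, 2.3.3 and 2.3.4 to a few constructed web-server log lines: it counts repeated direct requests per source IP, checks the source against a data-center range, and maps the browser's major version to allow, Captcha or block. The version cut-offs and the data-center CIDR are assumptions chosen for illustration.

```python
import re
import ipaddress
from collections import Counter, defaultdict

# Assumed cut-offs (illustration only): browser major versions released roughly
# three years (block) and two years (captcha) before early 2024.
BLOCK_BELOW = {"Chrome": 88, "Firefox": 85}
CAPTCHA_BELOW = {"Chrome": 98, "Firefox": 97}
DATA_CENTER_RANGES = [ipaddress.ip_network("203.0.113.0/24")]  # hypothetical hosting range
# Combined Log Format: ip ident user [time] "request" status bytes "referer" "user-agent"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "[^"]*" \d{3} \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$')
UA_RE = re.compile(r"(Chrome|Firefox)/(\d+)")

def browser_action(ua):  # map the browser major version to allow / captcha / block
    m = UA_RE.search(ua)
    if not m:
        return "allow"  # unknown family: leave it to the other heuristics
    family, major = m.group(1), int(m.group(2))
    if major < BLOCK_BELOW[family]:
        return "block"
    return "captcha" if major < CAPTCHA_BELOW[family] else "allow"

def in_data_center(ip):
    return any(ipaddress.ip_address(ip) in net for net in DATA_CENTER_RANGES)

def triage(lines, repeat_threshold=5):
    """Return {source ip: sorted reasons} for every IP that trips a heuristic."""
    entries = [m.groupdict() for m in map(LOG_RE.match, lines) if m]
    total = Counter(e["ip"] for e in entries)
    direct = Counter(e["ip"] for e in entries if e["ref"] == "-")  # no referer at all
    reasons = defaultdict(set)
    for e in entries:
        ip = e["ip"]
        if total[ip] >= repeat_threshold:  # many hits from one address
            kind = "direct " if direct[ip] == total[ip] else ""
            reasons[ip].add(f"repeated {kind}requests from one IP")
        action = browser_action(e["ua"])
        if action != "allow":
            reasons[ip].add(f"outdated browser ({action})")
        if in_data_center(ip):
            reasons[ip].add("known data center source")
    return {ip: sorted(r) for ip, r in reasons.items()}

def make_line(ip, path, ref, ua):  # constructed sample line, not real traffic
    return f'{ip} - - [10/Mar/2024:10:00:01 +0000] "GET {path} HTTP/1.1" 200 512 "{ref}" "{ua}"'

SAMPLE_LOG = [make_line("198.51.100.9", f"/product/{i}", "-", "Mozilla/5.0 Chrome/60.0.3112.113")
              for i in range(6)]
SAMPLE_LOG += [make_line("192.0.2.5", "/", "https://www.google.com/", "Mozilla/5.0 Chrome/122.0.0.0"),
               make_line("192.0.2.8", "/", "-", "Mozilla/5.0 Firefox/90.0"),
               make_line("203.0.113.7", "/cart", "-", "curl/8.0")]
```

Running `triage(SAMPLE_LOG)` flags the repeating outdated Chrome client for blocking, the two-year-old Firefox for a Captcha, and the data-center source, while the single visit arriving from a search engine with a current browser is left alone.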
3 Botnet
3.1 Definitions of Botnet
The term "botnet" is derived from the combination of "robot" and "network". In this context, a cybercriminal assumes the role of a "botmaster", utilizing Trojan viruses (a type of malicious software capable of causing destruction and rendering computers inoperable) to compromise the security of multiple machines and connect them to a network for nefarious purposes. Each computer on the network acts as a "bot", manipulated by the malefactor to disseminate malware (malicious software), spam, or harmful content aimed at instigating attacks. Botnets are also known as zombie armies since the involved computers are controlled by someone other than their rightful owners. Botnets represent exceedingly harmful software for computers, with the majority of machines today being infected with some form of botnet, often without the users’ awareness of the infection's inception.
3.2 Type of Botnet
a. Centralized Botnet
Centralized botnets are controlled by a single Command and Control (C&C) server. The C&C serves as the central point from which the attacker manages all infected machines within the botnet network.
Example: Upon installing malware on the victim's machine, it establishes communication with the C&C server for guidance. A centralized botnet may comprise tens of thousands of bots within a network. Such botnets can be disrupted if the C&C server is successfully removed.
b. Decentralized Botnet
Decentralized botnets operate without a central C&C server. Instead, they distribute the same code across all machines within the botnet network. If one machine is compromised, others can still function. While these networks typically consist of hundreds of bots, they are considerably harder to track due to their decentralized nature. Decentralized malware is becoming increasingly prevalent as it's challenging to dismantle such networks by eliminating their control servers or computer systems.
[Figure: (a) Centralized IRC/HTTP Botnet, with the Botmaster controlling bots through a C&C Server; (b) decentralized P2P Botnet, with bots relaying commands to one another]
3.3 Type of attacks
a. Distributed Denial of Service (DDoS)
A botnet can be employed to execute Distributed Denial of Service (DDoS) assaults, aiming to disrupt network connectivity and services by overwhelming computational resources or consuming the target's bandwidth.
Commonly utilized attack methods include TCP SYN and UDP flood attacks, which are not confined to web servers but can target any Internet-connected service. Employing HTTP flood attacks on the victim's website, known as spidering, is a technique to escalate the severity of the assault effectively.
One of the most significant DDoS botnet attacks involving IoT devices utilized the Mirai botnet virus, which commandeered numerous inadequately protected Internet devices, transforming them into bots to initiate DDoS attacks. The ongoing expansion of Mirai has led to increasingly sophisticated attacks.
[Figure: Distributed Denial of Service attack diagram, showing the Master Control Computer(s) directing the bots]
b. Spamming and Traffic Monitoring
Botnets may be deployed for traffic monitoring to identify sensitive data within compromised machines or rival botnets if installed on the same system. Certain bots are capable of opening SOCKS v4/v5 proxies, enabling various activities such as spamming. Packet sniffers are utilized by bots to monitor transmitted data, potentially accessing sensitive information like usernames and passwords.
Grum, a type of spam, presents challenges in detection as it infects Autorun registry files. Despite its relatively modest size, Grum is responsible for a substantial volume of spam emails daily.
[Figure: Spamming diagram, showing the Attacker, the Control Server and the bots sending spam]
c. Keylogging
By utilizing keylogger software, botmasters can easily capture sensitive information, including keystrokes entered into platforms like PayPal and Yahoo. Notably, OSX/XSLCmd spyware is capable of transitioning between Windows and OS X environments, incorporating keylogging and screen capture functionalities.
d. Mass Identity Theft
Combining various bot types facilitates large-scale identity theft, increasingly prevalent in cybercrime. Bots disseminate email spam to direct traffic to phishing websites impersonating legitimate companies, soliciting personal information such as bank account details and credit card information. Mass identity theft often occurs through email phishing attempts, deceiving victims into divulging login credentials on platforms like eBay and Amazon.
e. Pay-Per-Click Abuse
Bot-infected machines are exploited to artificially inflate click counts on advertisements, leveraging Google's AdSense program. Such abuse results in financial gain for website owners based on the volume of clicks received on displayed ads.
f. Botnet Propagation
Botnets are utilized to propagate other botnets, typically via email distribution. For instance, the "Star Wars" botnet discovered on Twitter underscores the potential of bots to spread rapidly, generating trending topics, unwanted spam, and network attacks.