HiveMind – JavaScript Botnet!

Henry Dalziel | General Hacking Posts, Hacker Hotshots | August 24, 2013

Tuesday, August 27th, come and join us and watch Sean Malone present: “HiveMind: Distributed File Storage Using JavaScript Botnets”.

Sean is the author of a botnet system called “HiveMind” which uses HTML5 WebSockets (or a variation thereof). HiveMind builds a botnet by getting users' browsers to execute a JavaScript script and storing data on their computers without their permission.

The HiveMind JavaScript script can be spread to users via the traditional routes, i.e. compromised web sites or Trojans. Interestingly, since many advertising platforms require JavaScript (Google AdSense is one example), HiveMind could also be placed within the advertising iframe.

Whilst creating HiveMind, Sean set up an anonymous web server, and every time someone hit the platform the HiveMind JavaScript was injected into their browser. The figures that Sean states in his research are staggering: at one stage he was receiving over 20 thousand unique IP addresses every ten minutes, so the viral replication rate of his botnet beggars belief!

Every botnet needs a command and control (C&C) center!
HiveMind, like every other botnet out there, needs to be told what to do next and to report back to the mothership. HiveMind’s C&C is a web server that uses a SQL database to keep tables of all files and of the acquired nodes that are running the script. Each time a file is uploaded to the C&C it is encrypted, and each upload is unique since every file can have a different password.

The history of botnets
Botnets are created and exploited for a variety of reasons, generally denial-of-service attacks, spamming (by misappropriating SMTP mail relays), advertising click fraud, bitcoin mining and harvesting all kinds of data. The harvesting of data is easily explained: search engines become very suspicious of any IP address that hits their servers with many requests within a very short amount of time. Rotating IPs (also referred to as ‘proxies’) get around this, but better still (faster and more efficient) is to have a legion of computers harvesting on your behalf. Login IDs, email addresses, bitcoins, etc. are all useful and commercial data that cyber criminals can use.

Types of botnet attacks
Botnets can launch dozens of cyber attacks. Typical examples include: distributed denial-of-service attacks, spamming, click fraud (to gain a ‘Pay Per Click’ advertising benefit), FTP/SSH brute forcing, scareware and more! If you can think of any other ways botnets can cause harm please leave your comments below.

In summary
The really interesting thing about Sean’s HiveMind is that it can be used to store data without any correlation to the owner (again, we might need to be corrected on this, which is why we are looking forward to Sean’s talk this Tuesday!). The reason for this is that when a file is uploaded to the botnet it is encrypted and distributed to the nodes; the file is no longer kept on the server. Attempting to reverse engineer the data flow and identify the publishers by, for example, extracting data from the server would fail. The block replication process would also fail once nodes start to go offline, making file recovery (virtually) impossible. Indeed, from our reading of Sean’s research, the only way to extract the data would be to seize a significant number of nodes within the botnet whilst it is operating and obtain the necessary passwords from the owners.
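To make the recoverability argument above concrete, here is a small Python model added for this post (it is not Sean's code or anything from HiveMind): a file is split into blocks, each block is replicated on a few nodes, and recovery needs every block to have at least one reachable replica. The block placement, node names and online probabilities are constructed for illustration.

```python
"""Recoverability of a block-replicated file as nodes go offline.

Added example, not HiveMind's own code: it models the argument that a
file spread over botnet nodes becomes unrecoverable once enough nodes
drop off. Placement, node ids and probabilities below are constructed.
"""
from itertools import combinations

# Constructed placement: block id -> set of node ids holding a replica.
PLACEMENT = {
    0: {"n1", "n2", "n3"},
    1: {"n2", "n4", "n5"},
    2: {"n3", "n5", "n6"},
    3: {"n1", "n4", "n6"},
}


def recoverable(placement, online):
    """True only if every block has at least one replica on an online node."""
    return all(holders & online for holders in placement.values())


def missing_blocks(placement, online):
    """Block ids with no reachable replica; any one of these blocks recovery."""
    return sorted(b for b, holders in placement.items() if not holders & online)


def min_nodes_to_recover(placement):
    """Smallest number of nodes an investigator must hold at the same time
    to reconstruct every block (brute force over the constructed placement)."""
    nodes = sorted(set().union(*placement.values()))
    for k in range(1, len(nodes) + 1):
        for subset in combinations(nodes, k):
            if recoverable(placement, set(subset)):
                return k
    return None


def p_file_recoverable(num_blocks, replicas, p_online):
    """Analytic version: nodes are online independently with p_online and
    every block has `replicas` copies on distinct nodes. A block is lost
    only if all its copies are offline; the file needs every block."""
    p_block = 1 - (1 - p_online) ** replicas
    return p_block ** num_blocks


if __name__ == "__main__":
    for p in (0.9, 0.5, 0.2, 0.05):
        print(f"p_online={p:.2f}: P(64-block file, 3 replicas, recoverable) = "
              f"{p_file_recoverable(64, 3, p):.4f}")
```

Running the script shows how quickly the probability of full recovery collapses as the fraction of online nodes drops, which is the investigator's problem the post describes.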

In any event, we hope to have done some justice to Sean’s research, but to fully appreciate it and hear it direct from the horse’s mouth, come and join us Tuesday! If you are reading this post after August 27th 2013, then you will be able to watch the recorded version, with questions, on the same URL.

Don’t forget to comment regarding your thoughts towards HiveMind (especially if you feel we have not been 100% accurate). We’d also be very interested to hear of creative botnet uses you might have come across.

Leave a comment or reply below...thanks!