We identify and explore a new type of malicious script attack: the persistent parasite attack. Persistent parasites are stealthy scripts that persist for a long time in the browser's cache. We show how to use the parasites to build a botnet that runs entirely in the browser and is controlled by a remote attacker. Our attack does not require the victim to install software on the victim's host. We implement a prototypical attacker that injects parasites into victim clients' caches via TCP injection (when the attacker is connected to the same WiFi network as the victim) as well as remotely, by redirecting traffic to its hosts via DNS cache poisoning. Once the cache is infected, the parasites propagate to other popular websites on the victim client. We show how to design the parasites so that they stay in the victim's cache under the attacker's control for a long time, not restricted to the duration of the user's visit to the website. We then demonstrate how to leverage the parasites to perform sophisticated attacks against a range of applications. We devise covert channels for communication between the attacker and the parasites, which allow the attacker to control which scripts are executed and when, and to exfiltrate private information, such as cookies and passwords, to the attacker. Finally, we provide recommendations for countermeasures.
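The persistence the abstract describes rests on how long a browser is allowed to reuse a cached script without revalidating it. As an added example (not code from the paper or its demo), the following Python audit computes the freshness lifetime of HTTP responses the way a private browser cache does (max-age, otherwise Expires minus Date, per RFC 7234 section 4.2) and flags script responses that may be reused for longer than a chosen policy limit. The seven-day limit, the hostname example-target.test and the response headers are constructed for the example and are not from the page.

```python
"""Audit HTTP response headers for scripts a browser may keep reusing from
its cache for a long time, the property persistent parasites rely on.
Added example, not the paper's code; all responses below are constructed."""
from email.utils import parsedate_to_datetime

# Hypothetical policy: flag any JavaScript response a browser may reuse
# without revalidation for more than seven days.
MAX_SCRIPT_FRESHNESS = 7 * 24 * 3600


def parse_cache_control(value):
    """Return Cache-Control directives as a dict: name -> value or None."""
    directives = {}
    for part in value.split(","):
        part = part.strip()
        if not part:
            continue
        name, _, val = part.partition("=")
        directives[name.strip().lower()] = val.strip().strip('"') or None
    return directives


def freshness_lifetime(headers):
    """Seconds a private (browser) cache may serve the response without
    revalidation: max-age, else Expires minus Date, else 0. s-maxage is
    ignored because it applies only to shared caches. no-store and
    no-cache both force revalidation, so they yield 0."""
    h = {k.lower(): v for k, v in headers.items()}
    cc = parse_cache_control(h.get("cache-control", ""))
    if "no-store" in cc or "no-cache" in cc:
        return 0
    max_age = cc.get("max-age")
    if max_age is not None and max_age.isdigit():
        return int(max_age)
    if "expires" in h and "date" in h:
        try:
            exp = parsedate_to_datetime(h["expires"])
            date = parsedate_to_datetime(h["date"])
        except (TypeError, ValueError):
            return 0  # unparsable dates count as already stale
        return max(0, int((exp - date).total_seconds()))
    return 0


def is_script(headers, url):
    """Treat a response as a script by Content-Type or by a .js URL suffix."""
    ctype = {k.lower(): v for k, v in headers.items()}.get("content-type", "")
    return "javascript" in ctype.lower() or url.lower().endswith(".js")


def audit(responses, limit=MAX_SCRIPT_FRESHNESS):
    """Return (url, lifetime) for every script response cacheable beyond limit."""
    findings = []
    for url, headers in responses:
        if not is_script(headers, url):
            continue
        life = freshness_lifetime(headers)
        if life > limit:
            findings.append((url, life))
    return findings


# Constructed sample responses (not captured traffic).
SAMPLE_RESPONSES = [
    ("https://example-target.test/app.js",
     {"Content-Type": "application/javascript",
      "Cache-Control": "public, max-age=31536000"}),  # one year: flagged
    ("https://example-target.test/tracker.js",
     {"Content-Type": "text/javascript",
      "Date": "Mon, 01 Jan 2018 00:00:00 GMT",
      "Expires": "Wed, 01 Jan 2020 00:00:00 GMT"}),  # two years via Expires: flagged
    ("https://example-target.test/session.js",
     {"Content-Type": "application/javascript",
      "Cache-Control": "no-store"}),  # never reused from cache: clean
    ("https://example-target.test/style.css",
     {"Content-Type": "text/css",
      "Cache-Control": "max-age=31536000"}),  # not a script: ignored
]

if __name__ == "__main__":
    for url, life in audit(SAMPLE_RESPONSES):
        print(f"{url}: cacheable for {life} s ({life // 86400} days)")
```

Running the audit over real response headers (for example, from a proxy log or a browser's developer tools export) tells a defender which scripts could outlive a single visit; it does not tell whether a cached copy is genuine, which is why the demo's clean-up step clears the cache outright.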
To use the demo, you have to set the DNS server of your system to the IP address provided by us. You also need to add the CA certificate provided on the website to your trust store. After that, you can open a browser of your choice and start using the internet. As soon as you visit a website from the target list, your browser will start cross-infecting the other domains in the target list. Domains that are not in the target list will not be attacked. To disable the MitM attack, and thereby simulate a secure network, simply reset your DNS server to its default value. You will notice that the infection in the browser still persists. To clean it up, you will need to clear your browser cache and the stored cookies. Finally, you must delete the CA certificate from your trust store.
IP of the DNS Server: 22.214.171.124
Targets of the attack: amazon.de, heise.de, google.com, mail.gogole.com, dkb.de, facebook.com
Fake CA certs that must be installed: ca_pub.pem, ca.crt