Ad Replacement Attack
1. Background:
In ad replacement fraud, the attacker is typically a malicious publisher website registered with a genuine ad network. DNS changer malware and a rogue DNS resolver are used to replace a legitimate advertisement on a genuine publisher website with a substituted advertisement hosted by the malicious publisher; as a result, a fraudulent payment is triggered to the malicious publisher. For example, when the user of an infected computer visited the ESPN website (genuine publisher), a Dr. Pepper Ten ad (legitimate advertisement) on the ESPN site was replaced with an ad for a timeshare business (substituted advertisement) [1].
In this lab exercise students simulate ad replacement fraud. The lab uses the Ubuntu Linux image provided by SEED Labs [2] as the underlying infrastructure and implements the attack flow shown in figure 1 (for more details see the attached PowerPoint and the paper "Dissecting ghost clicks: ad fraud via misdirected human clicks" [3]). It requires three Ubuntu images, representing the victim machine, the malicious publisher and the malicious DNS resolver, all connected to one NAT (network address translation) network.
Figure 1: Ad replacement attack flow for lab exercise
Four websites, namely a) www.ncatgadget.com, b) www.ncatcamera.com, c) www.ncatmalicious.com and d) www.ncatmobile.com, will be created. Table 1 shows the role of each website.
Website | Role |
---|---|
www.ncatgadget.com | Genuine publisher |
www.ncatcamera.com | Legitimate advertisement |
www.ncatmalicious.com | Malicious publisher |
www.ncatmobile.com | Substituted advertisement |
Table 1: Roles of the websites created for the lab exercise
The steps shown in figure 1 are as follows:
Step 1: The victim machine tries to access www.ncatgadget.com. The browser asks the DNS resolver (VM3) to resolve the IP address of this website.
Step 2: The resolver answers correctly with 10.0.2.4 (VM1).
Step 3a: The page contains an ad from www.ncatcamera.com inside an iframe. The browser asks the resolver for the IP address of www.ncatcamera.com.
Step 3b: The resolver gives a wrong answer, 10.0.2.5, for the ad website in order to send the victim to the malicious machine (VM2), which in turn redirects the victim to the malicious web page.
Step 4a: The victim machine connects to the malicious machine.
Step 4b: The malicious machine serves an iframe for www.ncatmalicious.com of exactly the same size as the ad iframe on www.ncatgadget.com, so that the replacement looks legitimate.
Step 5a: The victim machine asks the resolver for the IP address of www.ncatmalicious.com.
Step 5b: The malicious resolver answers correctly with 10.0.2.5, taking the user to the malicious page, which serves an ad from the advertiser it is linked with and earns money for it.
Step 6a: The victim machine loads www.ncatmalicious.com.
Step 6b: This page contains an iframe of www.ncatmobile.com, the ad website with which www.ncatmalicious.com is linked. Hence the www.ncatmobile.com iframe is served through www.ncatmalicious.com.
Step 7a: The victim machine asks the resolver for the IP address of www.ncatmobile.com.
Step 7b: The malicious resolver answers correctly with 10.0.2.4 (VM1).
Finally the victim machine loads the ad from www.ncatmobile.com, so the ad from www.ncatcamera.com has been replaced by the ad from www.ncatmobile.com. The genuine publisher www.ncatgadget.com and its ad network lose the revenue for that impression, and the malicious publisher www.ncatmalicious.com and its ad network earn it: www.ncatmalicious.com is paid by the advertiser www.ncatmobile.com.
2. Ad replacement Example
Figure 2: Ad replacement attack high-level view
Figure 3: Example of Ad replacement attack
3. Ad Replacement Attack Lab
From this lab students will learn:
• Ad Replacement Attack Flow in detail
• Configuring DNS server
• Configuring Web Server
• DNS cache poisoning
• NAT Network configuration
Section 1: STEPS FOR SETTING UP VIRTUAL MACHINES (3 VMs) FOR THIS LAB:
1. First you need to download the virtual machine from SEED Labs.
Visit SEED Labs at http://www.cis.syr.edu/~wedu/seed/labs.html → click the "Lab Setup" tab → download the latest version of SEEDUbuntu (the one listed at the top). The login password for the virtual machine is dees.
2. Make three copies of the virtual machine you downloaded, because this lab runs three VMs. Create three folders and unzip one copy in each. It is easier to follow the lab if you name the folders VM1, VM2 and VM3, so that after this step each of VM1, VM2 and VM3 holds an extracted copy of the VM.
3. Download and install VirtualBox to run the virtual machine images. In order to download Virtual Box visit this link: https://www.virtualbox.org/wiki/Downloads Select appropriate VirtualBox for your machine.
4. Now you need to start the three virtual machine images for this lab.
To do this, create a new VM in VirtualBox: start VirtualBox → click "Machine" → click "New". See the screenshot below.
Screenshot 1: Adding a VM image in VirtualBox
Give the VM a name, e.g. VM1VICTIM. Select Type → Linux and Version → Ubuntu. Click the "Continue" button. See the screenshot below.
Screenshot 2: Adding the VM image to the VirtualBox
Now, set the memory size for this VM.
Screenshot 3: Allocating memory space to the VM image
Click "Next" and you will see the Create Virtual Machine dialog. Select the radio button "Use an existing virtual hard drive file", then browse to the folder where you extracted the VM image (e.g. VM1) and select the SEEDUbuntu12.04.vmdk file, as shown in the figures below.
Screenshot 4: Selecting the downloaded VM file to create virtual machine
Screenshot 5: Selecting the vmdk file
5. Click on “create” button to create the virtual machine.
6. In the same way, add the two other VM images (from the two copies you created). However, since all three VMs are created from copies of the same vmdk file, you may run into problems such as the error "Failed to open a session for the virtual machine SeedUbuntu2". Follow this document to resolve these errors: http://www.cis.syr.edu/~wedu/seed/Documentation/VirtualBox/LoadingMultiVMs.pdf
7. Now you need to put all three VMs on the same network, so that they can (a) reach the Internet and (b) talk to each other. To achieve both, use the network adapter mode VirtualBox calls "NAT Network". A NAT Network behaves much like a LAN: the VMs can communicate with each other on one local network, and they also reach the Internet through the host's address translation.
In order to do the NAT Network configuration:
On Windows, open VirtualBox and select the VM you want to attach to the NAT Network, then click "File" at the top left of the VirtualBox main window → choose "Preferences" → click the "Network" tab in the left panel.
On a Mac, open VirtualBox and select the VM (e.g. VM1) you want to attach to the NAT Network, then click "VirtualBox" at the top left → choose "Preferences" → select the "Network" tab.
See the screenshot below.
Screenshot 6: Showing NAT Network configuration
As shown in the figure above, click the "+" button to create a new NAT Network. Double-click the NAT Network and look at its settings; set them as in the figure. The addresses used throughout this lab (10.0.2.4, 10.0.2.5) assume VirtualBox's default NAT Network range of 10.0.2.0/24 with DHCP enabled; if you choose a different range, substitute your own addresses wherever these appear.
8. Now power off the VM (if you have started it) in order to make the following changes. To power off, select the VM and right-click it → select "Close" → select "Power Off", as shown in the figure below:
Screenshot 7: Powering off the VM
Now click "Settings" → click "Network".
Screenshot 8: NAT Network configuration
As shown in the figure above, select the following options:
Attached to: select "NAT Network"
Name: select the NAT Network you created in step 7.
Promiscuous Mode: "Allow VMs"
Refresh the MAC address
Note: The interface shown above is the macOS one; it can look a little different on Windows.
9. Repeat step 8 for the other two VMs you added (VM2 and VM3); the NAT Network from step 7 is created once and shared by all three.
10. If you have done all the above steps correctly, power on one VM and check that the VMs can reach each other. Open a terminal and type ifconfig; it prints the IP address of that VM. Now power on another VM, open a terminal there and type ping <IP address of the first VM>; you should see replies coming back from the first VM.
Screenshot 9: Packets coming from VM1 to VM3
We have now 3 virtual machines, which we will configure as:
VM1: Victim machine
VM2: Malicious machine
VM3: DNS Server
Now configure the first machine as the victim machine (it will also host the publisher website and both advertisement websites; we use the same machine for these to keep the number of VMs down), the second machine as the malicious machine (which hosts the malicious publisher website) and the third machine as the DNS server (the resolver used by the first machine, i.e. the victim machine).
The first VM (VM1, victim machine) will host the following websites:
1. Genuine publisher website, e.g. www.ncatgadget.com. This is the genuine publisher website that the victim machine tries to load.
2. Genuine advertising website (linked with the genuine publisher), e.g. www.ncatcamera.com. This belongs to an advertiser, e.g. a camera company, that wants its ad displayed on the publisher website www.ncatgadget.com.
3. Genuine advertising website (linked with the malicious publisher), e.g. www.ncatmobile.com. This also belongs to a genuine advertiser, a mobile company, but it is linked with the malicious publisher website, e.g. www.ncatmalicious.com.
The second VM (VM2, malicious machine) will host the following website:
1. Malicious publisher website, e.g. www.ncatmalicious.com. This is the web page maintained by the attacker, who uses it to display ads from various advertisers (www.ncatmobile.com in our case) in order to generate fraudulent revenue.
Section 2: CONFIGURATION OF DNS SERVER IN THIRD VM (VM3):
1. DNS server: For this lab we will use BIND9 as the DNS server. It is already installed in the pre-built VM you downloaded. We need to configure VM3 as the DNS server.
2. Editing the named.conf.options file: BIND reads the configuration file /etc/bind/named.conf when it starts. This file includes an options file, /etc/bind/named.conf.options. Add the dump-file line below inside the existing options block of that file (BIND accepts only one options statement, so do not add a second block), and use plain ASCII double quotes: BIND will not start on the curly quotes that word processors substitute.
options {
    dump-file "/var/cache/bind/dump.db";
};
(Take a screenshot of this step.)
Screenshot 10: Adding the dump-file option for the DNS cache
NOTE: The file /var/cache/bind/dump.db is where the DNS server writes its cache when asked to dump it (rndc dumpdb).
3. Create zones: Now you need to declare the zones that tell BIND which file holds the actual name-to-address mappings for each website. Open /etc/bind/named.conf and add the following (note: no space between the opening quote and the zone name, or BIND will load a zone called " ncatgadget.com" that never matches a query):
zone "ncatgadget.com" {
    type master;
    file "/var/cache/bind/ncatgadget.com.db";
};
Since the lab uses four websites, add a zone declaration for each of them: repeat the block for ncatcamera.com, ncatmobile.com and ncatmalicious.com.
Also include the remaining declarations shown in screenshot 11. Note: the IP address shown in red in the screenshot is an example; if your VMs get different addresses, change /etc/bind/named.conf accordingly. (Take a screenshot of this step.)
Screenshot 11: Adding the zone declarations to /etc/bind/named.conf
4. Set up zone files: The file named after the file keyword in each zone declaration is the zone file. The actual DNS records live there.
To set up the zone files, go to /var/cache/bind/ and create a file named websitename.db, where "websitename" is the domain the file is for. For example, ncatgadget.com.db is the zone file for www.ncatgadget.com. Create files in the same way for the other three domains (ncatcamera.com, ncatmobile.com and ncatmalicious.com). (Take a screenshot of this step.)
In the four files you just created, write the records (shown in the screenshot below) that map the website names to the IP address of the machine that hosts them.
To avoid typing error, sample zone file can be downloaded from this URL:
http://www.cis.syr.edu/~wedu/seed/Labs_12.04/Networking/DNS_Local/
In this page locate Zone file for domain example.com: /var/cache/bind/example.com.db
Screenshot 12: Showing code added in ncatgadget.com.db
Note: The above screenshot is showing the code we added in the ncatgadget.com.db file we just created. Similarly you need to add code to the other 3 files you created (i.e. ncatcamera.com.db, ncatmobile.com.db, ncatmalicious.com.db)
Also note that the IP address in the above screenshot (10.0.2.4) is the IP address of the machine where these websites are actually located. As mentioned above in LAB SETUP section we are running www.ncatgadget.com, www.ncatmobile.com, and www.ncatcamera.com in first VM (VM1), so you need to add the IP address of your first VM (VM1) there. Similarly we are running www.ncatmalicious.com in second VM (VM2), so you need to add the IP address of your second VM there.
After performing the above steps, the DNS server holds the mappings for all four websites. Any machine that uses VM3 as its DNS server can now resolve, and therefore reach, those four websites.
COMMANDS TO START/STOP THE DNS SERVER:
To start the DNS server (or restart it after any change to named.conf or a zone file): sudo service bind9 restart
To stop the DNS server: sudo service bind9 stop
sudo runs the command with superuser privileges; the password is dees.
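The Section 2 steps above, written as a script rather than typed by hand. This is an added example, not part of the lab handout or of the SEED materials: it generates the four zone declarations for /etc/bind/named.conf and the four zone files under /var/cache/bind/ in the layout of the SEED example.com.db, so that the quote and zone-name typos the steps warn about cannot creep in. The addresses 10.0.2.4 (VM1) and 10.0.2.5 (VM2) are the lab's; 10.0.2.6 for VM3 (the lab never states the DNS server's own address), the date-based serial and the TTL values are assumptions.

```shell
#!/bin/sh
# Added example (not from the lab handout): generate the BIND9 pieces that
# Section 2 has you type by hand. Addresses 10.0.2.4 (VM1) and 10.0.2.5 (VM2)
# are the lab's; 10.0.2.6 for VM3, the serial format and the TTLs are assumed.
set -eu

# zone_stanza DOMAIN -> the zone { } block to append to /etc/bind/named.conf
zone_stanza() {
    printf 'zone "%s" {\n    type master;\n    file "/var/cache/bind/%s.db";\n};\n' "$1" "$1"
}

# site_ip DOMAIN -> the VM that hosts the site (hosting layout from Section 1)
site_ip() {
    case "$1" in
        ncatgadget.com|ncatcamera.com|ncatmobile.com) echo 10.0.2.4 ;;   # VM1
        ncatmalicious.com)                            echo 10.0.2.5 ;;   # VM2
        *) echo "unknown site: $1" >&2; return 1 ;;
    esac
}

# zone_file DOMAIN IP [NS_IP] -> contents of /var/cache/bind/DOMAIN.db: SOA,
# one NS record with its glue A record (the DNS server itself), and A records
# for the bare name and the www label pointing at the web server.
zone_file() {
    domain="$1"; ip="$2"; ns_ip="${3:-10.0.2.6}"
    serial=$(date +%Y%m%d01)
    cat <<EOF
\$TTL 3D
@       IN      SOA     ns.${domain}. admin.${domain}. (
                        ${serial}   ; serial
                        8H          ; refresh
                        2H          ; retry
                        4W          ; expire
                        1D )        ; minimum
@       IN      NS      ns.${domain}.
ns      IN      A       ${ns_ip}
@       IN      A       ${ip}
www     IN      A       ${ip}
EOF
}

# write_all [ROOT]: write all four zones under ROOT (default /, i.e. the real
# locations on VM3). Pass a scratch directory to dry-run and inspect first.
write_all() {
    root="${1:-}"
    mkdir -p "$root/etc/bind" "$root/var/cache/bind"
    for d in ncatgadget.com ncatcamera.com ncatmobile.com ncatmalicious.com; do
        zone_stanza "$d" >> "$root/etc/bind/named.conf"
        zone_file "$d" "$(site_ip "$d")" > "$root/var/cache/bind/$d.db"
    done
}

# check_zones [ROOT]: syntax-check the zone files with BIND's own checker when
# it is installed (it ships with bind9), before restarting the server.
check_zones() {
    root="${1:-}"
    command -v named-checkzone >/dev/null 2>&1 || { echo "named-checkzone not found, skipping"; return 0; }
    for d in ncatgadget.com ncatcamera.com ncatmobile.com ncatmalicious.com; do
        named-checkzone "$d" "$root/var/cache/bind/$d.db"
    done
}

# "sh zones.sh write" writes the real files (run with sudo on VM3, then
# "sudo service bind9 restart"); anything else dry-runs into a scratch dir.
if [ "${1:-}" = write ]; then
    write_all; check_zones
else
    scratch=$(mktemp -d)
    write_all "$scratch"; check_zones "$scratch"
    cat "$scratch/etc/bind/named.conf"
    rm -rf "$scratch"
fi
```

The dry-run path is the one to use first: it shows the generated named.conf and lets named-checkzone complain before anything touches /etc/bind. If your VMs received other DHCP addresses, change site_ip and the ns_ip default and nothing else.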
SECTION 2.1 Setting up the third VM (VM3, configured as the DNS server) as the DNS server of the first VM (VM1, victim machine)
1. Start the first VM (VM1, victim machine).
2. Go to "System Settings" → click "Network".
3. Select the "Wired" tab → click the "Options" button.
4. Select the "IPv4 Settings" tab → "Method" → "Automatic (DHCP) addresses only", and set "DNS servers" to the IP address of VM3, which you configured as the DNS server.
Screenshot 13: Configuring VM3 as the DNS server of VM1
SECTION 3: CONFIGURATION OF WEB SERVER IN VM1 (Victim machine) AND VM2 (Malicious machine):
1. Apache web server: For this lab we will use Apache as the web server. This Web server is already installed in the pre built VM you downloaded. We need to configure the VM1 (Victim machine) and VM2 (Malicious machine) as Web Server.
2. Firefox web browser: Firefox is already installed in the pre built VM you downloaded.
3. We need to create four websites for this lab exercise as mentioned in previous sections, namely www.ncatgadget.com, www.ncatmobile.com, www.ncatcamera.com, www.ncatmalicious.com
4. Go to the /var/www/ directory and create one directory per website to hold its HTML files (the HTML for the pages is given to you separately). For example: mkdir ncatgadget; mkdir ncatmobile; mkdir ncatcamera. mkdir is the UNIX command for making a directory. (Take a screenshot showing these directories under /var/www/.)
5. Put the source files given to you (as zip archives; e.g. ncatgadget.zip holds the source of the ncatgadget website) into the matching directories: go to /var/www/ncatgadget and extract the contents of ncatgadget.zip there, and likewise for the others.
6. Similarly, on VM2 (malicious machine), which hosts www.ncatmalicious.com, go to /var/www/ and create the directory ncatmalicious with the command mkdir ncatmalicious, then add the code provided in the ncatmalicious zip archive. (Take a screenshot showing this directory under /var/www/.)
7. On VM2 (malicious machine), replace the index.html in /var/www/ with the index.html provided to you (check the project folder to locate it). Note: this file is what redirects the victim to the malicious web page. An index.html already exists in /var/www/; replace it with the one from the project folder.
8. Now you need to let the web server know about the websites you just created. To register them with Apache, open /etc/apache2/sites-available/default and add the virtual host entries shown in screenshot 14.
Add entries in the same way for the other websites, ncatcamera and ncatmobile, as shown in the screenshot below.
9. Similarly on VM2 (malicious machine), open /etc/apache2/sites-available/default and add the same kind of entry, changed for www.ncatmalicious.com, which is hosted on that machine. Take a screenshot of this step.
Note: VM1 (victim machine) hosts three websites (ncatgadget, ncatcamera and ncatmobile). Perform the same web-server configuration on VM2 (malicious machine), which hosts the malicious website www.ncatmalicious.com.
Screenshot 14: Showing addition of new websites in the apache webserver on VM1
COMMAND TO START/ STOP WEB SERVER:
To start Web Server: sudo service apache2 restart
To stop Web Server: sudo service apache2 stop
After performing all the above steps, when you load www.ncatgadget.com on VM1 (victim machine) you should see a camera ad (an iframe) at the top of the page, served by www.ncatcamera.com. In the lab exercise you will then perform the steps that replace the ncatcamera ad with the ncatmobile ad (which is linked with www.ncatmalicious.com).
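The Apache side of Section 3 (steps 8 and 9), as an added example that is not the lab's own configuration. It prints the name-based virtual host blocks to append to /etc/apache2/sites-available/default on each VM, and models how Apache 2.2 picks a vhost from the Host header, which explains why step 7 replaces /var/www/index.html on VM2: a request for www.ncatcamera.com that the rogue resolver has sent to 10.0.2.5 matches no ServerName there, so Apache serves the first vhost in the configuration, the stock default site rooted at /var/www. The directory names are the lab's; ServerAlias for the bare domain and the assumption that the default vhost stays first in the file (as it does when you append to it) are mine.

```shell
#!/bin/sh
# Added example (not from the lab handout): Apache 2.2 name-based virtual
# hosts for Section 3, per VM, plus a model of Apache's Host-header matching.
# On the SEED Ubuntu 12.04 image "NameVirtualHost *:80" already sits in
# /etc/apache2/ports.conf, so only the <VirtualHost> blocks are needed.
set -eu

# vhost_block DOMAIN DIR -> one <VirtualHost> block; the bare domain is an
# alias so that both www.DOMAIN and DOMAIN reach the same DocumentRoot.
vhost_block() {
    cat <<EOF
<VirtualHost *:80>
    ServerName www.$1
    ServerAlias $1
    DocumentRoot /var/www/$2
</VirtualHost>
EOF
}

# sites_config VM -> the blocks to append on that VM (vm1 or vm2)
sites_config() {
    case "$1" in
        vm1) for d in ncatgadget ncatcamera ncatmobile; do vhost_block "$d.com" "$d"; done ;;
        vm2) vhost_block ncatmalicious.com ncatmalicious ;;
        *) echo "unknown vm: $1" >&2; return 1 ;;
    esac
}

# which_root HOST VM -> the DocumentRoot Apache serves for "Host: HOST" on VM.
# A Host header matching no ServerName/ServerAlias is served by the FIRST
# vhost in the configuration; with the stock default site left first, that
# is /var/www, which is exactly where step 7 plants the redirecting index.html.
which_root() {
    root=$(sites_config "$2" | awk -v h="$1" '
        $1 == "ServerName"   { name = $2 }
        $1 == "ServerAlias"  { alias = $2 }
        $1 == "DocumentRoot" && (h == name || h == alias) { print $2; exit }')
    echo "${root:-/var/www}"
}

# Show the VM2 blocks and trace the misdirected ad request of step 3b/4a.
sites_config vm2
echo "Host: www.ncatcamera.com on VM1 -> $(which_root www.ncatcamera.com vm1)"
echo "Host: www.ncatcamera.com on VM2 -> $(which_root www.ncatcamera.com vm2)"
```

Run it as "sh vhosts.sh >> /etc/apache2/sites-available/default" only after replacing the trace lines at the bottom with the sites_config call for the VM you are on; the trace is there to make the fallback behaviour visible before you rely on it in the exercise.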
LAB EXERCISE:
You need to submit a word document with all the screenshots mentioned below and give a brief description about what is going on in that screenshot.
1. Provide the screenshots of steps performed in Section 2.
The screenshots should cover Section 2 step 2 (dump-file option), step 3 (zone declarations) and step 4 (for this step, sample records for ncatgadget.com are given in screenshot 12; you need to change the IP addresses and write the records for your own websites. This step needs four screenshots, one for each zone file: ncatgadget.com, ncatcamera.com, ncatmobile.com and ncatmalicious.com).
2. Provide screenshot similar to screenshot 13 (configuring VM3 as a DNS Server for VM1) from your lab work.
3. Provide all screenshots of steps performed in Section 3- step 4 (directories created in /var/www of VM1), step 6 (directories created in /var/www of VM2), step 9 (adding the site in VM2)
4. Now try to load the webpage www.ncatgadget.com from VM1 (Victim Machine), you will see an ad of camera (iframe on top of the webpage) served by www.ncatcamera.com, which is what we were supposed to see.
Provide screenshot of this step.
(Refer to the PowerPoint slides provided to you for understanding the workflow. Also, study the code provided for better understanding)
5. Now, to perform the ad replacement, follow these steps:
a. Go to the /var/cache/bind folder on VM3 (DNS server).
b. Open the file ncatcamera.com.db and change the IP address you stored earlier (the address of VM1, the victim machine, where www.ncatcamera.com is actually hosted) to the IP address of VM2 (malicious machine).
The point of this step is to send the victim to the malicious machine, which redirects the user to the malicious web page; that page serves a different ad (not the one the victim was supposed to see), from the advertiser the malicious website is linked with, in order to generate revenue. (Refer to the PowerPoint slides provided to you for the workflow, and study the code provided.) NOTE: Here we change the address by hand for simplicity; a real attacker achieves the same effect with techniques such as DNS cache poisoning or a rogue resolver installed by DNS changer malware.
c. Reboot the VMs (command: sudo reboot), then restart the web server (sudo service apache2 restart) and the DNS server (sudo service bind9 restart). sudo gives you root privileges; the password is dees. Restarting bind9 is what makes VM3 serve the changed zone; the reboot is the simplest way to make sure the victim is not still using the answer from step 4 cached by its browser or local resolver.
d. Load www.ncatgadget.com on VM1 (victim machine) again. You should now see the mobile ad (served by www.ncatmobile.com), which is what the page shows after the ad replacement attack.
e. Provide screenshots of steps 5.b (changing the IP address) and 5.d (the replaced ad).
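Step 5.b done with awk instead of a text editor, as an added example that is not part of the lab. It edits a scratch copy of ncatcamera.com.db constructed here in the lab's zone-file layout, repoints every A record except the name server's own at VM2, bumps the SOA serial, and reads the result back so the change can be checked before bind9 is restarted. 10.0.2.4 and 10.0.2.5 are the lab's addresses; the serial value, the ns label and 10.0.2.6 for VM3 are assumptions.

```shell
#!/bin/sh
# Added example (not from the lab handout): lab exercise step 5.b with awk,
# plus read-back checks. Works on a constructed copy of ncatcamera.com.db;
# serial, ns label and 10.0.2.6 are assumed, the other addresses are the lab's.
set -eu

# sample_zone FILE: write the legitimate state of the zone (www on VM1)
sample_zone() {
    cat > "$1" <<'EOF'
$TTL 3D
@       IN      SOA     ns.ncatcamera.com. admin.ncatcamera.com. (
                        2019010101   ; serial
                        8H           ; refresh
                        2H           ; retry
                        4W           ; expire
                        1D )         ; minimum
@       IN      NS      ns.ncatcamera.com.
ns      IN      A       10.0.2.6
@       IN      A       10.0.2.4
www     IN      A       10.0.2.4
EOF
}

# a_record FILE LABEL -> the address the zone file gives LABEL (www, @, ns)
a_record() {
    awk -v l="$2" '$1 == l && $2 == "IN" && $3 == "A" { print $4; exit }' "$1"
}

# soa_serial FILE -> the SOA serial (the number on the line commented "; serial")
soa_serial() {
    awk '/; *serial/ { print $1; exit }' "$1"
}

# repoint_zone FILE NEW_IP: point every A record except the name server's own
# at NEW_IP (the attacker's web server) and bump the SOA serial. A restarted
# BIND reloads the master file regardless of the serial, but anything that
# compares serials (a secondary, your own read-back) only sees a change if it
# was bumped, so bump it on every edit.
repoint_zone() {
    tmp=$(mktemp)
    awk -v ip="$2" '
        /; *serial/                          { $1 = sprintf("%d", $1 + 1) }
        $2 == "IN" && $3 == "A" && $1 != "ns" { $4 = ip }
        { print }' "$1" > "$tmp" && mv "$tmp" "$1"
}

# Walk-through on a scratch copy: before, after, and the checks that the
# screenshot for step 5.b should reflect.
demo() {
    f=$(mktemp)
    sample_zone "$f"
    echo "before: www.ncatcamera.com -> $(a_record "$f" www)  (serial $(soa_serial "$f"))"
    repoint_zone "$f" 10.0.2.5
    echo "after:  www.ncatcamera.com -> $(a_record "$f" www)  (serial $(soa_serial "$f"))"
    [ "$(a_record "$f" www)" = 10.0.2.5 ] && [ "$(a_record "$f" ns)" = 10.0.2.6 ] \
        && echo "check: ad host repointed to VM2, name server record untouched"
    rm -f "$f"
}
demo
```

On VM3 the same functions apply to the real file: sudo sh -c '. ./repoint.sh; repoint_zone /var/cache/bind/ncatcamera.com.db 10.0.2.5' (with the demo call removed), followed by sudo service bind9 restart. To undo the attack for a second run, repoint back to 10.0.2.4; the serial is bumped again, which is what you want.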
References:
[2] SEED Labs: http://www.cis.syr.edu/~wedu/seed/
[3] S. Alrwais, A. Gerber, C. Dunn, O. Spatscheck, M. Gupta and E. Osterweil, "Dissecting ghost clicks: ad fraud via misdirected human clicks", 28th Annual Computer Security Applications Conference (ACSAC '12).