Botconf 2014
3rd - 5th December 2014, Nancy
Schedule
Wednesday 3rd December 2014
Laura Guevara 🗣 | Daniel Plohmann 🗣
Abstract (click to view)
Attacks with malicious software are an imminent risk. Malware developers not only unveil constantly new artistries in response to current detection schemes but also manifest a tendency to re-code and modify existing malware versions with regard to their behaviour and functionality. These malware variants may have similar functionality but pose substantial syntactic representation differences. In this regard, the use of calls to the Windows Application Programming Interface (API) can be used as guidance to determine the specimen’s functionality and its interaction with the operating system.
This work proposes an approach to automate the exploration of malicious Windows binaries. A set of semantics is used to match against a program’s control flow graph in order to derive the presence of malicious functionality and behaviour patterns, represented by typically employed Windows API call sequences. The publication is accompanied with the release of an IDA Pro plugin.
Martijn Grooten 🗣 | João Gouveia 🗣
Abstract (click to view)
Mevade (also known as Sefnit) is a botnet that engages in click-fraud and cryptocurrency mining. Mevade is noticeable for two reasons. Firstly, it is huge: at some point, several millions of computers had been infected. And secondly, when it hosted its C&C servers on Tor hidden services, it almost took down the Tor network. In this presentation we will give an overview of what is known about Mevade and how the botnet has evolved over time. A large part of the presentation will focus on the research performed on the non-Tor C&C communication and the somewhat unusual choice of domain names for C&C communication. We will also discuss about links between Mevade and other kinds of adware and malware. We are actively following this botnet and the developments around it and will of course present any developments taking place in the months prior to the conference.
Outline of presentation:
- History of Mevade
- Overview of the malware
- Click-fraud
- Cryptocurrency mining and the Stratum mining protocol used by Mevade
- Network communication Using Tor for C&C
- Links to other kinds of botnet and malware
- New developments
Nick Sullivan 🗣
Abstract (click to view)
This presentation will discuss the various types of distributed denial of service attacks launched by botnets in 2014, worldwide. From DNS to Layer7 attacks, attendees will hear expert analysis of botnet breakdowns by-the-numbers including where the majority of botnets came from regionally, what attack trends were most popular, and when these attacks occurred. Join Nick Sullivan, Software Engineer and Security Architect at CloudFlare, to learn about his team’s findings after examining botnet activity in 2014. Nick will present this year’s major findings–and surprises–and his predictions for 2015.
Karine e Silva 🗣
Abstract (click to view)
Security experts have accomplished significant knowledge on how the most impenetrable botnets operate. While botnet intelligence gathering and disruptive tools are fast evolving, the legal mechanisms that enable investigation and prosecution of cyber crime are not progressing at the same pace. This has frustrated security experts, who show lack of confidence on the work done by law enforcement. There are many reasons why law enforcement is lagging behind in the fight against cyber crime. Despite insufficient qualified staff, other structural issues are pronounceable. Problems often unknown to experts fighting cyber crime. Part of these obstacles is related to insufficient legal provisions that would enable the work of law enforcement, as many have figured out. Others are connected to the need to rethink fundamental legal concepts such as jurisdiction and authorship. But then again rethinking established legal concepts in a cyber crime context is a long process that is showing slow signs of progress.
In spite of everything, the past year has struck our attention with international efforts led by industry and law enforcement. A closer look into the ZeroAccess (Dec/2013) and Gameover Zeus & Cryptolocker (Jun/2014) disruptions reveals that law enforcement has found creative ways to investigate and go after botmasters, despite the structural barriers above mentioned.
Thursday 4th December 2014
Oleksandr Tsvyashchenko 🗣 | Sebastian Millius 🗣 | Douglas de Jager
Abstract (click to view)
In recent years ad fraud botnets have proven to be a significant threat to the online advertising industry, with their cost to advertisers being increasingly discussed in the press.
In this talk we will give an overview of the online advertising industry, and we will describe how today’s advertisers inadvertently fund the online fraud ecosystem. We will introduce the common types of ad fraud being committed today. We will then explain both the technical details of ad fraud botnet operations and what ad networks and exchanges can do to protect advertisers. Several ad fraud botnet families will be considered to illustrate.
Łukasz Siewierski 🗣
Abstract (click to view)
In the past year we have closely observed a new malware family attacking Polish online banking users. It utilized a simple observation: users tend not to check whether the text they copied is the one they pasted. Especially when that text is a 26-digit bank account number. This malware started as a simple Visual Basic 6 application and then evolved to a more complex banking malware. While it still has a long way to go to become next ZeuS or Citadel, it does impact users and we are still getting signals that this is a problem.
This novel way to infect users was also attractive for copycats – aspiring malware authors, which were building small applications based on the same idea. These applications were at first not detected by any of the antivirus solutions according to the VirusTotal service. It can be attributed to the absence of network traffic or registry presence.
While these examples may not be a mainstream banking malware, they provide some insight to what new and upcoming low-end banking trojans may do. What is also interesting is how this malware authors evolve – what are they tactics and what are they looking for. It also sheds some light on what can still be done using a small (or even none) budget.
Paul Jung 🗣
Abstract (click to view)
Nowadays malware sandboxes are commonly used by malware researchers. Sandboxes have also find they place commercially as a new security device. Not surprisingly, As was firewall in the 90’, IPS in early 2K and Web applications firewall recently, they are presented as a new silver bullet security device in the threat detection arsenal of vendors.
Even if it could be very helpful in some cases. It’s not as perfect as vendors claims. Unfortunately, since all protections are subject to countermeasures, bypassing sandbox detection is now a feature commonly seen in malwares and droppers samples. Many sandboxes are nowadays available; Malwr based on open source Cuckoo, other sandboxes rely on closed source; Anubis, Xandora, Commodo or ThreatExpert and finally some commercials ones appears also ; Fireeyes and recently also announced with BlueCoat devices.
We will see common sandboxes detection tricks used in the wild by malware’s dropper. As personal hobby I had studied how malware try to bypass them and I have also found other tricks to bypass some of them. I will details some working tricks. We will finally review some good practices to harden your sandboxes against theses detection.
Dennis Schwarz 🗣
Abstract (click to view)
The Russian DDoS One or RD1 is an informal grouping of threat actors that focus on providing DDoS booter services on Russian language underground forums.
Besides the advertising, contact information, and the occasional drama, most of the business of Russian DDoS booters is done in private and difficult to attribute. This includes the back-end infrastructure that performs the DDoS attacks. To shed some light on the latter, this presentation will take a closer look at some of these RD1 threat actors, their booters, and their supporting DDoS botnets.
Peter Kálnai 🗣 | Jaromír Hořejší 🗣
Abstract (click to view)
One of capabilities of a malicious botnet is to perform a distributed denial of service (DDoS) attack. Attacks can be performed by various methods like volumetric flooding, slow HTTP attacks or TCP protocol misuse. A DNS amplification is an example of volumetric flooding that became popular recently. It is well known that Trojans for the Windows platform with resources containing Chinese locale have a long tradition of interest in this type of attacks and lack other spying features that Trojans usually possess.
We present a survey of current trends in usage of standalone grey area tools performing DDoS for multiple platforms. The focus is put especially on Linux and FreeBSD versions. These tools are later trojanized by adding persistence using executable droppers or scripts editing crontab. The infection vector starts with automated brute-forcing of the SSH protocol, the malicious flooding tools are then deployed in the compromised system and executed. The competition for resources, such as ports and CPU time, is manifested as the initial attempt to kill and to remove other, possibly flooding, processes. Variants for Windows x86/x64 are co-distributed already with persistence and possess a debug string ‘Chicken’ appearing in the title.
The technical part of this analysis covers versions designed for several platforms and architectures. This involves behavioral aspects of initial droppers, the installation of components performing DDoS, the description of internet communication and the collection of various system and performance statistics. For a better insight, we will demonstrate several bot builders and C&C panels which have been acquired. Screenshots of publicly available advertisements promoting the charged customizability of Linux variants will be displayed.
During our analysis, we connected to the botnets and monitored several C&C servers for a certain period of time which gave us a chance to collect some statistics. Therefore we are able to present particular examples of websites and services which were flooded. We shortly discuss the motivation behind the selection of these attack preferences.
Lightning talks
Friday 5th December 2014
Hendrik Adrian 🗣 | Dhia Mahjoub 🗣
Abstract (click to view)
Botnets that run on proxy service networks are not a new topic. We (and other researchers) have discussed this topic at various talks in years past, and it was also one of the main points in last year’s BotConf 2013 where we discussed the Kelihos network.
Generally, a proxy network bridges the connectivity and shields the identity location of malware CnCs to their nodes. It can take the form of a fast flux service network that redirects CnC connection attempts to a set of proxy nodes that are constantly shifting, or the static type of proxy. In this talk, we will begin by presenting some points on why fast flux is still the most efficient way to distribute the malicious payloads.
We are going to discuss the most recent progress of the analysis of current fast flux proxy networks that we’ve observed since January 2014. By definition, a fast-flux service network is created by setting up a selection of domains whose resolution “fluxes” through the IP addresses of a subset of available proxy nodes (bots). There are a lot of DNS aspects involved, multi-layer networking, and remote control (encrypted) methods that drive a fast flux botnet the way the herder wants it. For mitigation and detection, the methods to utilize are sticky DNS record, TTL monitoring, passive DNS, and domain reputation for detecting an emerging hostile flux (etc). These methods will be introduced in the talk.
This constitutes an extra layer of evasion and protection for the actual malware infection sources where the communication between the infected host always goes through the fast flux proxy network to reach the malware back-end CnCs.
For example, we picked a research study conducted over several months of one such active fast flux proxy network that was used to distribute the “zbot”. This fast flux network consists of several tens of thousands of infected machines and has hosted close to a thousand CnC domains. It has hosted CnCs for various malware families: Zeus variants, Asprox, and most recetly the new Zeus GameOver variant which has also served Cryptolocker payloads. We will go over details of the usage of this proxy network and discuss various cases of CnC domains.
The point of this discussion is not to get into the malware infection details but to share the know-how to detect, monitor and mitigate the trend of growth, management and development of the recent fast flux infrastructure itself. With this shared know-how we hope to enrich the knowledge of researchers who fight malware infections.
Evgeny Sidorov 🗣 | Andrey Kovalev 🗣 | Konstantin Otrashkevich | Asya Posadskaya
Abstract (click to view)
In the last several years malware writers have clearly understood that getting access to web servers can bring more benefits than infecting users’ PCs. Nowadays there are millions of completely unprotected web-sites and web servers with different kinds of vulnerabilities, so it is easy for attackers to upload web shells and even get access to these web servers with root privileges. All these circumstances certainly made botnets of infected servers and web sites a modern trend in malware development.
We researched and disclosed the following malware families:
- Darkleech
- Trololo_mod
- Ebury and Cdorked
- Effusion
- Mayhem
- Mindupper shells
David Sancho 🗣
Abstract (click to view)
Like Swiss Emmental cheese, your online banking protections might be full of holes. Banks have been trying to prevent crooks from accessing
your online accounts for ages. They have invented all sorts of methods to protect the user’s ability to do online banking safely. This research paper describes an ongoing attack that targets a number of countries worldwide. The attack is designed to bypass a certain two-factor authentication scheme used by banks. In particular, it bypasses session tokens, which are frequently sent to users via Short Message Service (SMS) on their mobile device. Users are expected to enter a session token to activate banking sessions so they could authenticate their identities. Since this token is sent through a separate channel, this method is generally considered secure.
Some of the banks we looked into do not exclusively use this system. They usually complement it with other ways to ensure the security of their customers’ banking sessions such as PhotoTAN or issuing a physical card reader. However, the fact remains that banks let most of their customers use session tokens with the aid of SMS and leave more secure methods for premium clients or as an alternative option, possibly due to increased operating costs and ease of use. The attackers in this case set up a system that could defeat session token protection. This particular attack actively targeted users in Austria, Switzerland, Sweden, and Japan.
Maciej Kotowicz 🗣
Abstract (click to view)
At the beginning of the year we observed shift of malware chosen by criminals. Old Citadel starts losing market pushed out by new versions of KINS. The threat was important enough to be added to ZeusTracker. After this the game changed, new encryption schema came to play, confusing researches.
Following this, some AV companies rediscover other, rather stealth branches of KINS and start giving them fancy names confusing us even more. But who can blame them when there are so many mutations floating around?
We’ll demonstrate methods how to distinguish variants of ZeuS-like malware, how to determine their version and show some other juicy stuff that they have in common that we can take advantage of. We start this journey with digging into ZeuS internals showing how important parts evolved and that there are things that survive all mutations. Along the way we show how to deal with most recent mutations to extract configurations details. At the end we show that we don’t really need to know what mutation/version we are dealing with to get most the important pieces.
The talk will be accompanied with release of tools to parse and print BinStruct, yara signatures to distinguish mutations that we use, tricks that make analysis faster and last but not least service that can crack most zeus-like malware (zdump).