Botconf 2020
1st - 4th December 2020, online
Schedule
Tuesday 1st December 2020
Asaf Nadler 🗣 | Jordan Garzon 🗣
Abstract (click to view)
In this talk, we present a system to identify and track unsafe services that are hosted on bots. The system operates by identifying services whose hosting IP address was marked as a bot by an IP reputation threat intelligence due to engaging in cyber attacks (e.g., D-DoS), and that the hosting IP is not shared with other web services. The system was implemented using Akamai’s IP reputation system that interacts with over 1.3 billion devices on a daily basis, and identify bots if they issue cyber attacks against websites that are hosted on the Akamai CDN platform which serves up to 30% of the world’s entire web content. Among others we focus on machines involved in D-DoS attacks, SQL injections and account takeovers campaigns. After acquiring the IP address of the bots, we scan over 2.2 billion daily DNS queries that go through the Akamai platform to identify domains that are uniquely resolved to the bots’ IPs and mark these domains as unsafe for use. The system results in thousands of unsafe domains on a weekly basis that are constantly tracked for analysis and active protection.
Matthieu Kaczmarek 🗣
Abstract (click to view)
The first reference to Fluxxy is due to N. Summerlin and B. Porter in 2013 [1]. They describe a network of proxy dedicated to cybercrime operations. While this rogue hosting service has been running for nine years, its intelligence coverage remains low. Fluxxy is a notorious bulletproof hosting network that has been in operation for ten years. Notably, many high-end cyber-crime actors were or are still Fluxxy customers such as Nymaim, GandCrab, TheFreshstuff, or UncleSam. Rival to Avalanche, its design is more evolved and gained traction after the takedown of the Avalanche botnet. Fluxxy has been named Dark cloud, SandiFlux, or Furtim in different research. However, detailed intel on its inner workings remains sparse. The present research improves the understanding of this threat through several contributions.
Jordan Garzon 🗣 | Asaf Nadler 🗣
Abstract (click to view)
The source code of botnets is often leaked online and re-used by new botnets. The re-use of source code assists bot-owners in quickly setting up their botnets, but it also inherits similarities to known botnets that can assist in detection. Most specifically, the URL paths that a bot uses to communicate with their C&C are often re-used.
In this talk, we present a system to identify patterns in URL paths that serve known botnets in order to block them if they are ever re-used by new botnets. The results of the systems are intended for use in an inline, high-performing HTTP proxy and accordingly, existing solutions that target malicious URL detection such as neural networks are inconsiderable. Instead, we construct an offline language model using the Smith-Waterman algorithm, cluster it and use a known set of genetic algorithms to propose regular expressions that match on sets of bot C&C URLs without matching any benign URL. Our experimental setup includes 1.4M URLs, both bot C&C and benign, and our initial results yielded 1.3k new bot C&C URLs, and a 96.3% accuracy for patterns that appeared at least twelve times within the training data. Moreover, the system is currently being deployed on a large-scale HTTP traffic to report results over time.
Leon Böck 🗣 | Shankar Karuppayah | Max Mühlhäuser | Emmanouil Vasilomanolakis
Abstract (click to view)
Conducting botnet research is oftentimes limited to the anal-ysis of active botnets. This prevents researchers from testing detectionand tracking mechanisms on potential future threats. Specifically in thedomain of P2P botnets, the configuration parameters, network churnand anti-tracking mechanisms greatly impact the success of monitoringoperations. As developing and deploying botnets for testing is not pos-sible at scale, this paper attempts to address this issue by introducinga simulation framework for P2P botnets. The capabilities of this frame-work include the simulation of P2P botnets with more than 10,000 bots,realistic churn behaviors and implementation of common P2P botnetmonitoring mechanisms. Furthermore, BSF allows the possibility of thesimulated traffic to be injected into arbitrary network files (i.e. PCAP)using the Intrusion Detection Dataset Toolkit (ID2T).
Maciej Kotowicz 🗣
Abstract (click to view)
In order to make a successful espionage campaign we need a couple things, one of them is infrastructure for both infection and exfiltration. Nowadays everyone was, is or will be moving their infra to the cloud so why not APTs?. Why set up a costly dedicated server when we can use free PaaS hosting? Why not use a cloud-storage service for exfiltration with all of it unlimited quota and backups?Want to host some malware? Guess who gets you covered?
There are quite a few threat actors that went that way, some of them were never talked about publicly and for some their operations that used cloud services somehow slipped through cracks, and those ones we would like to present to you.
While usage of such services is a great pain for defenders, it also creates some great opportunities – and we will show them!
Rustam Mirkasymov 🗣
Abstract (click to view)
During my researches at Group-IB on hacking groups activity I noticed that some trojan families use templates in communication processes and infrastructure used in attacks. The idea is to identify such templates and use them to predict attacks on the initial stage when Threat Actors set up their infrastructure. The following information should be processed to do such things:
- Opened ports
- Available services on ports (fingerprints)
- Answers on opened ports
- SSL certificates on opened ports
Using this information you can predict attacks on preparation stage (sometimes before the attack conducted). This type of intelligence more useful than intel collected after the attack happened.
Wednesday 2nd December 2020
Max ‘Libra’ Kersten 🗣
Abstract (click to view)
Unsuspecting online shoppers risk credit card fraud by shopping on legitimate websites due to online credit card skimming. The COVID-19 pandemic forced many to shop online, unwillingly helping the criminals behind the online credit card skimmer operations. Aside from covering different skimmers and the accompanying modus operandi, this talk will focus on the hunt for live skimmers, as well as the results of such a hunt. Additionally, it goes into the research methodology and the economic implications of a digital skimmer infection. The latter two aspects are often left out of reports and investigations, whilst they are equally important.
Shusei Tomonaga 🗣 | Tomoaki Tani 🗣 | Kota Kino 🗣
Abstract (click to view)
QuasarRAT is the most famous open source RAT project among many. Since xRAT (the predecessor of Quasar RAT) was released in 2014, many attackers have deployed this RAT in many attack campaigns. Particularly, they take advantage of the open source attack tool which enables conducting attacks in a generic way in order to avoid being attributed. This trend is commonly seen in recent years, and open source tools including QuasarRAT have been used in many cases.
Our investigation has identified many RAT projects related to QuasarRAT. In these projects, QuasarRAT has been upgraded with new functions or transformed into an entirely new type of malware. The Quasar family malware has been used in many attack cases. It is important to understand the details of the Quasar RAT and its family, particularly how each project develops from the QuasarRAT and is being used for new types of attacks.
Ophir Harpaz 🗣
Abstract (click to view)
Botnets, as Botconf’s participants know very well, vary significantly. Their goals differ, as well as their TTPs and implementations. Nonetheless, most of them usually share the property of connecting to a remote attack server. In fact, great knowledge of the botnet can be obtained by looking at the command-and-control communication. Once a C2 server is found, a researcher can learn where the attack infrastructure is hosted, what malware is downloaded onto infected machines, and with enough luck, track down the threat actor.
When we first discovered Fritzfrog in our sensors network, we thought it was yet another cryptomining botnet. As part of our research routines, we kept looking for the C2 servers. It took us quite some time to understand that we were not going to find those servers, simply because they did not exist; Fritzfrog was a peer-to-peer (P2P) botnet.
In a P2P botnet, there is no centralized attack server. Control is distributed among the infected machines, or “nodes”, and each node has peers with which it can communicate. Peers can exchange targets, deploy binary files on each other, run scripts remotely, push and get logs from each other, etc.
The concept of P2P botnets is not new; however, it requires strong skills in design and implementation, which is why it’s been mostly used by state-sponsored and APT groups. Fritzfrog demonstrates that this is no longer the case, as P2P botnets are now used by common criminals to get the cryptomining power and access they are used to pursue.
Łukasz Siewierski 🗣
Abstract (click to view)
Android is an open-source operating system which allows OEMs and their subcontractors certain flexibility in adding components to the system. These add-ons may contain new and exciting features, but sometimes they also hide complex malware. This talk will deal with a malware family called ‘Domino’.
Domino was discovered preinstalled on certain Android devices and distributed as a new operating system component on a small fraction of different phone brands, all of them low-cost devices running Android 7 or lower. On these devices, the malware author added additional code to many Android components – such as the default browser, the Settings app and the Android framework – which allows Domino to use system privileges to download additional applications later on and prevent their uninstallation by the user.
Different versions of Domino implement different behaviour, from displaying advertisements to overwriting visited URLs in order to change the default search engine or advertisement campaign referral IDs. The changes introduced by Domino also made it possible to ensure that Domino’s browser was exclusively used to display all links clicked by the user.
Rather unusually, we were able to obtain a compressed archive with Domino’s source code, including code comments and notes for manufacturers on how to embed Domino on their devices. Additionally, this archive includes SELinux policies crafted to allow Domino to persist and run with elevated privileges. We also obtained a test application which tried to interact with the Google Play store in order to test referral substitution and seems to be written by the Domino author to test some coding ideas.
Matthieu Faou 🗣
Abstract (click to view)
Our research team at ESET has tracked the infamous Turla espionage group for many years. By leveraging unique telemetry data, forensic analysis of infected machines and in-depth malware reverse-engineering, we gained a quite comprehensive knowledge of their operations. Since our last talk in 2018, Turla procedures have evolved and we would like to share fresh information about the group Tools, Techniques and Procedures.
This presentation will first introduce the Turla group. We will present the main attacks publicly attributed to the group, which is mainly interested in high-profile targets such as government bodies and defense companies. We will also share what the attackers are looking for on compromise machines and try to reveal their motives.
Then, we will go more technical and showcase Turla’s implementation of the three classic steps of an APT campaign: infection, lateral movement and long-term persistence in order to reach their espionage objectives.
Thursday 3rd December 2020
Andreas Klopsch 🗣 | Chris Dietrich 🗣 | Raphael Springer 🗣
Abstract (click to view)
Since December 2019, we have reverse engineered and tracked the activity and infection population of a botnet family referred to as Mozi that infects Linux-based Internet-of-Things (IoT) devices. Mozi implements a peer-to-peer (P2P) command-and-control (C2) channel based on the BitTorrent protocol. This makes Mozi an interesting target for analysis as it allows to gather intelligence on the infection population across IoT devices. In addition, we’d like to highlight in particular how this makes it difficult for takedowns.
The steady growth of the IoT sector results in an evolving malware landscape targeting those devices. Since Mirai was used in large-scale DDoS attacks in 2016, affecting services as well known as Dyn and the Krebs on Security blog, the potential of IoT botnets has become obvious. Nearly four years later, several further botnet families have originated and infect Linux-based IoT devices. We intend to present an overview of the IoT botnet landscape and its development while highlighting a few key botnets that deserve particular attention, such as Hajime, Torii, VPNFilter and Mozi.
Iain Nash 🗣
Abstract (click to view)
This paper proposes a legal methodology aimed at disrupting Botnets, whose nodes are mostly comprised of Smart Devices. The methodology allows for the attachment of civil liability to both the manufactures and users of Smart Devices which have become part of a Botnet due to either the failure to develop a patch for a known vulnerability or who have failed to apply the patch after it has been developed. The paper also outlines a role for a regulator but does not propose that a regulator or State body should be required for a civil action to be initiated. The only requirement for a civil action to be brought is that that damage has occurred following a cyberattack conducted by a Botnet, and the vulnerability which was exploited by the Botnet to ensnare a given device was one which was known to software industry.
Mathieu Tartare 🗣
Abstract (click to view)
The Winnti Group, active since at least 2012, is responsible for high-profile supply-chain attacks against the video game and software industries, as well as the healthcare and education sector. Some of their most notorious attacks were against CCleaner (2018) and Asus LiveUpdate (2019), two events that led to the distribution of trojanized software that got millions of computers infected. In 2018, several individuals suspected of being part of the Winnti Group were indicted by the US Department of Justice for conspiring to hack and steal intellectual property and confidential data from US and European companies.
Despite the increased scrutiny towards the group’s activities, Winnti is still highly active. During the last year, we discovered two campaigns of the Winnti Group against several Hong Kong universities, which occurred during the same period that widespread civic protests were sweeping Hong Kong. We also discovered various new campaigns targeting the videogame industry (developers and distributors) in South Korea, Taiwan and Russia.
During this presentation, we will show that not only is the Winnti Group still actively using and maintaining its flagship backdoor ShadowPad along with the Winnti malware family, but also that they extended their arsenal with new tools such as PipeMon (a modular backdoor) and some new and undocumented implants.
Video upon request to the author.
Masarah Paquet-Clouston 🗣 | Vit Šembera 🗣 | Maria Jose Erquiaga | Sebastián García
Abstract (click to view)
Hide away! A well-obfuscated malicious application can run on a device for a long time without detection, avoiding the-cat-and-mouse race between attackers and defenders. Still, how easy is it to protect an application from antivirus detection? Are attackers winning the race? We encountered a specialized service that offered protection of Android applications when investigating malicious actors involved in a Russian Android botnet. We seized this unique opportunity and plunged into a deep technical investigation that shed light into the automatic operations of malware protection services and the revenues and capabilities of the people managing them.
Michael Brengel 🗣 | Christian Rossow 🗣
Abstract (click to view)
We present an automated approach to extract code signatures that serve as the forensic fingerprint of a given malware program. Our high-level idea is to compare the memory contents of a sandbox before and after infection by a malware. To pinpoint the actual memory changes caused by the malware, and ignore all others, we use a novel concept called Cross OS Execution. That is, we execute a malware program on multiple different but compatible operating systems (OSes) to identify its memory commonalities, while neglecting OS-specific noise. The commonalities of the dumps therefore contain patterns whose presence is the consequence of executing the malware, i.e., the forensic fingerprint of the malware. We show that we can use two different versions Windows to accurately extract fingerprints of all 17 popular Windows malware families in our test set. These signatures serve to re-identify malware infections in memory dumps with a TPR of 93% and an FPR of 0.15%.
Friday 4th December 2020
Guangyuan Zhao 🗣 | Tiejun Wu 🗣
Abstract (click to view)
When the COVID-19 virus is spreading in China, people take the initiative to isolate themselves at home to fight the virus. Internet application traffic has soared, and most people pass their time through apps such as Tiktok. The attackers targeted the home gateway, used 0day to attack more than 3 million home gateway IoT devices, and used HTTP hijacking to insert advertising pages when users browsed the web. This topic will briefly introduce the principle of the vulnerability, focus on the malware used by the attackers and their functions, and reproduce the techniques used by the attackers to insert advertisements in web pages.
Takashi Matsumoto 🗣 | Yu Tsuda 🗣 | Nobuyuki Kanaya 🗣 | Masaki Kubo | Daisuke Inoue
Abstract (click to view)
NanoCore RAT, which first appeared in 2013, is still actively used in 2020 for its highly functional and user-friendly interace. Around Feburary to March in 2020, NanoCore RAT was used in the malspam campaign on COVID-19. We managed to sinkhole the NanoCore C&C domain and have monitored the liveliness of NanoCore C&C servers. We also experimented luring NanoCore operators into our mimetic enterprise network and succeeded in monitoring the actual behavior of live NanoCore operators.
Liv Rowley 🗣 | Mathieu Gaucheler 🗣
Abstract (click to view)
No distribute antivirus scanners (NDSs) provide cybercriminals with the ability to test the stealthiness of their malware before ever using it. As NDSs do not distribute hashes, they’re the ideal cybercriminal testing ground, and threat actors have taken note. Together we will explore these malware laboratories, examining how they work and their larger impact on the malware landscape.
Axelle Apvrille 🗣
Abstract (click to view)
As confinement against COVID-19 began, I decided to do my part and help secure medical devices. I built a honeypot for medical devices, both to lure attackers off real equipment and to learn how they intended to attack them.
Scanning through known vulnerabilities, I decided to fake a Medfusion 4000 wireless synringe, because (1) it is a critical medical equipment, and (2) it combines vulnerabilities on FTP and telnet.
Although many honeypots exist, they seem less trendy lately and I parsed through dozen of unsupported or unfinished projects, before I decided to:
(1) Use and *customize* the Cowrie honeypot, for Telnet attacks
(2) Implement my own FTP honeypot, named “meltingpot”
Ali Fakeri-Tabrizi 🗣 | Hongliang Liu 🗣 | Anastasia Poliakova | Yohai Einav
Abstract (click to view)
You must see thousands of new threats hitting your honeypot, what would you do next? Buying more coffee for the security research team so they can keep analyzing more? At Alibaba Cloud, we have the same flood of emerging new threats in our honeypot and we want to present our work to scale up the new threat analysis, with our honeypot system, the graph learning algorithm and the reasoning framework, surely, the most important, human in the loop!
The real-life problem comes after having a large honeypot system. We see new bots in the honeypot every hour, and they also try their best to fool our honeypot. Alibaba Cloud security team’s honeypot supports ssh, telnet, and HTTP protocols, that allows us to catch attacks on different levels. However, with new attacks vectors, it might be difficult to track existing malicious comparing. An attacker can easily change the hash value of binaries, structure of a payload, or adopt new vulnerabilities to attack with the same set of TTP (Tactics, Techniques, and Procedures). To make it worse, such changes are happening every hour.