Botconf Author Listing

Olivier Bilodeau

Last known affiliation: GoSecure Inc.

Date: 2017-12-05
Botnet Tracking and Data Analysis Using Open-Source Tools
Olivier Bilodeau 🗣 | Masarah Paquet-Clouston 🗣

Abstract

Fully understanding a botnet often requires a researcher to go beyond standard reverse-engineering practice and explore the malware’s network traffic. The latter can provide meaningful information on the evolution of a malware’s activity. However, it is often disregarded in malware research due to time constraints and publication pressures.
The workshop is about overcoming such constraints by providing a powerful workflow to conduct quick analysis of malicious traffic. The data science approach presented capitalizes on open-source tools (Wireshark/Tshark, Bash with GNU parallel) and valuable Python libraries (IPython, mitmproxy, pandas, matplotlib). During the workshop, participants will do practical technical labs with datasets from our recent botnet investigation. They will learn how to quickly find patterns, plot graphs and interpret data in a meaningful way. Although the exercises will focus on botnet data, the tools and skills learned will be useful in all sorts of contexts. Moreover, to ensure that participants get the most out of the workshop, it will be built in a way that allows them to easily replicate the data-analysis environment at home and reproduce similar analyses with their own traffic data.
Workshop Outline

  • Introduction to the workshop
    • Overview of the Linux/Moose botnet
    • The datasets available: Pcaps and mitmproxy logs
    • Overview of the tools we will use
  • Network traffic and C&C protocol analysis
    • Lab 1: Find the potential victims that have been targeted by the botnet’s scanner
    • Lab 2: Find and extract the C&C traffic in the Pcaps
    • Lab 3: Find the list of proxy client IPs and evaluate if the list changes through time
  • Decrypted HTTPS traffic data analysis
    • Lab 4: Find the list of websites targeted by the botnet and graph them based on the proxy client IP
    • Lab 5: Graph the total number of requests made per proxy client through time
    • Lab 6: Find whether proxy clients are re-using their fake social media accounts

Date: 2017-12-07
Date: 2016-12-01
Attacking Linux/Moose 2.0 Unraveled an EGO MARKET
Masarah Paquet-Clouston 🗣 | Olivier Bilodeau 🗣

Abstract

Want to give your blog a push or your “gun show” more views? Then why not buy 50,000 fake followers for $1,000! Click farms from down South or botnets such as Gameover Zeus will be more than happy to supply them for you.

For this talk, a criminologist and a security researcher teamed up to hunt a large-scale botnet familiar to Botconf 2015’s attendees: Linux/Moose. The hunt was fastidious since Linux/Moose 2.0 has stealth features and runs only on embedded systems such as consumer routers or Internet of Things (IoT) devices. Using honeypots set up across the world, we managed to get virtual routers infected to learn how this botnet spreads and is operated. To do so, we performed a large-scale HTTPS man-in-the-middle attack on several honeypots over the course of several months decrypting the bot’s proxy traffic. This gave us an impressive amount of information on the botnet’s activities: the name of the fake accounts it uses, its modus operandi to create fake follows and the identification of its consumers, companies and individuals.

External link: Blog post
Date: 2015-12-04
A moose once bit my honeypot – A story of an embedded Linux botnet
Olivier Bilodeau 🗣

Abstract

Embedded Linux platforms, labeled “Internet of Things” devices these days, have been increasingly targeted by malware authors in the last few years, with most infections resulting in the compromised system taking part in a botnet. While many of these botnets have been used to perform distributed denial of service (DDoS) or DNS hijacking attacks, we took the opportunity to thoroughly investigate a slightly different take on the Embedded Linux Botnet landscape.
Targeting Linux-based consumer routers, Linux/Moose is used by its operators to perform fraud on social networking sites like Facebook, Instagram, Twitter and YouTube. With this intent, it is built with SOCKS and HTTP proxying capabilities and a generic packet sniffer and exfiltration mechanism. To increase the size of its botnet, Linux/Moose uses several scanner threads that find and infect hosts, with the assistance of a C&C server to provide a binary specific to the victim’s architecture. Additionally, the malware has code to enable it to spread past firewalls and performs NAT traversal to allow the operator inside firewalled networks.

External link: Online presentation