Botconf Author Listing

Ophir Harpaz
Last known affiliation: Guardicore

Date: 2020-12-02
Fritzfrog: A Story of a Unique P2P Botnet
Ophir Harpaz 🗣

Abstract

Botnets, as Botconf’s participants know very well, vary significantly. Their goals differ, as well as their TTPs and implementations. Nonetheless, most of them usually share the property of connecting to a remote attack server. In fact, great knowledge of the botnet can be obtained by looking at the command-and-control communication. Once a C2 server is found, a researcher can learn where the attack infrastructure is hosted, what malware is downloaded onto infected machines, and with enough luck, track down the threat actor.

When we first discovered Fritzfrog in our sensors network, we thought it was yet another cryptomining botnet. As part of our research routines, we kept looking for the C2 servers. It took us quite some time to understand that we were not going to find those servers, simply because they did not exist; Fritzfrog was a peer-to-peer (P2P) botnet.

In a P2P botnet, there is no centralized attack server. Control is distributed among the infected machines, or “nodes”, and each node has peers with which it can communicate. Peers can exchange targets, deploy binary files on each other, run scripts remotely, push and get logs from each other, etc.

The concept of P2P botnets is not new; however, it requires strong design and implementation skills, which is why it has mostly been used by state-sponsored and APT groups. Fritzfrog demonstrates that this is no longer the case: P2P botnets are now used by common criminals to obtain the cryptomining power and access they typically pursue.

Date: 2019-12-04
Insights and Trends in the Data-Center Security Landscape
Daniel Goldberg 🗣 | Ophir Harpaz 🗣

Abstract

We deployed a large collection of high-interaction deception servers in multiple cloud environments worldwide. Each such deception machine is capable of capturing and recording attacks on various services. This infrastructure provides us with a tremendous amount of data: we get to see where attacks originate from, what machines they connect back to, the ports and services attackers attempt to breach, the processes they initiate, and much more. Using this unique and comprehensive dataset, we explore attack patterns and model the behavior of the attackers.

In this talk, we will guide the audience through our analysis and present some interesting findings. For example, do attackers really change behavior after new vulnerabilities are disclosed? What is the lifetime of an attack machine or a command-and-control server? Do attackers bother staying persistent on victim machines? Using our results, we will provide a clearer picture of today's data-center-oriented cyber attacks.
