Botconf Author Listing

Hide away! A well-obfuscated malicious application can run on a device for a long time without detection, avoiding the-cat-and-mouse race between attackers and defenders. Still, how easy is it to protect an application from antivirus detection? Are attackers winning the race? We encountered a specialized service that offered protection of Android applications when investigating malicious actors involved in a Russian Android botnet. We seized this unique opportunity and plunged into a deep technical investigation that shed light into the automatic operations of malware protection services and the revenues and capabilities of the people managing them.

Fully understanding a botnet often requires a researcher to go beyond standard reverse-engineering practice and explore the malware’s network traffic. The latter can provide meaningful information on the evolution of a malware’s activity. However, it is often disregarded in malware research due to time constraints and publication pressures.
The workshop is about overcoming such constraints by providing a powerful workflow to conduct quick analysis of malicious traffic. The data science approach presented capitalizes on open-source tools (Wireshark/Tshark, Bash with GNU parallel) and valuable python libraries (ipython, mitmproxy, pandas, matplotlib). During the workshop, participants will do practical technical labs with datasets from our recent botnet investigation. They will learn how to quickly find patterns, plot graphs and interpret data in a meaningful way. Although the exercises will focus on botnet’s data, the tools and skills learned will be useful to all sorts of context. Moreover, to ensure that participants take the most out of the workshop, it will be built in a way to allow them to easily replicate the data-analysis environment at home and reproduce similar analysis with their own traffic data.
Workshop Outline

• Introduction to the workshop
  • Overview of the Linux/Moose botnet
  • The datasets available: Pcaps and mitmproxy logs
  • Overview of the tools we will use
• Network traffic and C&C protocol analysis
  • Lab 1: Find the potential victims that have been targeted by the botnet’s scanner
  • Lab 2: Find and extract the C&C traffic in the Pcaps
  • Lab 3: Find the list of proxy clients IPs and evaluate if the list changes through time
• Decrypted HTTPS traffic data analysis
  • Lab 4: Find the list of websites targeted by the botnet and graph them based on the proxy client IP
  • Lab 5: Graph the total number of requests made per proxy client through time
  • Lab 6: Find whether proxy clients are re-using their fake social media accounts

Want to give your blog a push or your “gun show” more views? Then why not buy 50,000 fake followers for $1,000! Click farms from down South or botnets such as Game over Zeus will be more than happy to supply them for you.

For this talk, a criminologist and a security researcher teamed up to hunt a large-scale botnet familiar to Botconf 2015’s attendees: Linux/Moose. The hunt was fastidious since Linux/Moose 2.0 has stealth features and runs only on embedded systems such as consumer routers or Internet of Things (IoT) devices. Using honeypots set up across the world, we managed to get virtual routers infected to learn how this botnet spreads and is operated. To do so, we performed a large-scale HTTPS man-in-the-middle attack on several honeypots over the course of several months decrypting the bot’s proxy traffic. This gave us an impressive amount of information on the botnet’s activities: the name of the fake accounts it uses, its modus operandi to create fake follows and the identification of its consumers, companies and individuals.