Botconf 2016

Want to give your blog a push or your “gun show” more views? Then why not buy 50,000 fake followers for $1,000! Click farms from down South or botnets such as Game over Zeus will be more than happy to supply them for you.

For this talk, a criminologist and a security researcher teamed up to hunt a large-scale botnet familiar to Botconf 2015’s attendees: Linux/Moose. The hunt was fastidious since Linux/Moose 2.0 has stealth features and runs only on embedded systems such as consumer routers or Internet of Things (IoT) devices. Using honeypots set up across the world, we managed to get virtual routers infected to learn how this botnet spreads and is operated. To do so, we performed a large-scale HTTPS man-in-the-middle attack on several honeypots over the course of several months decrypting the bot’s proxy traffic. This gave us an impressive amount of information on the botnet’s activities: the name of the fake accounts it uses, its modus operandi to create fake follows and the identification of its consumers, companies and individuals.

Despite the ever growing number of malware families, botnets and criminal campaigns; there is only a defined few means by which malware can find its victims. This talk will be a deep dive into tracking exploit kits and the infrastructure behind them. Starting with using our own telemetry and Microsoft’s Malicious URL feed from their Bing crawler, a global visibility has been established into exploit kit activity and using this starting point, we will cover how to track and differentiate exploit kits, their payloads and campaigns and uncovering their backend infrastructure.

DDoS botnet tracking can be used to watch botnet assisted attacks in real time together with the details including the botnet families, C&C servers, attack types, and attack parameters. Such information helps us to learn current DDoS attacks and improve existing detection and mitigation solutions. To achieve better tracking, we need to figure out: 1) what coverages the tracked attacks have among the real ones; 2) how many active DDoS bot families are still out of our telescope.
To answer those 2 questions, both the real attacks and a method to correlate them with the used botnet families (or attacking tools) are necessary. Our studies show that DDoS bots differ from each other not only in their C&C protocols, but also, in most cases, in their packet generating algorithms (PGA for short) which are used by the bots to generate the enormous number of attacking packets according to the received commands. Therefore, it’s possible to boil the observed attacks down to the bot families by analyzing their PGA’s.
In this presentation, I would talk about how to use honeypots to collect the real DDoS attacks with spoofed source IP’s. The method to break down PGA, as well as the techniques to profile PGA from the collected attacking packets, would be introduced. In the final part, I would present some real examples we have found.

Reverse Engineering benign or malicious samples can take a considerable amount of time and new samples are created daily. Leveraging disassemblers, like IDA Pro, a reverse engineer can analyze the same routines across several samples over the lifetime of their career. Their knowledge is not easily transferred to similar samples or functions for themselves or others. In particular we can consider the problem code reuse has on reversing efforts, whether it is via statically-linked libraries or integrating existing software. In this presentation we want to provide a solution for transferring knowledge to similar functions by introducing a new reverse engineering tool, named FIRST (Function Identification and Recovery Signature Tool), to reduce analysis time and enable information sharing.

Enterprises and organizations of all sizes are struggling to prevent and detect all malware attacks and advanced adversary actions inside their networks in a timely manner. Prevention focused technology hasn’t been good enough to prevent breaches for years and detection has been lacking in many ways.
This presentation will give an overview and detailed examples on how to use the free Sysinternals tool SYSMON to greatly improve host-based incident detection and enable threat hunting approaches.
Splunk is just an example of a SIEM to centralize Sysmon log data and be able to search and correlate large amounts of data to create high-quality alerts with low false-positive rates. The same could likely be done using another free or commercial SIEM.
The main goal is to share an approach, a methodology how to greatly improve host-based detection by using Sysmon and Splunk to create alerts.
One main topic throughout the presentation will be how to find suspicious or malicious behaviors, how to implement search queries and how to reduce or eliminate false-positives. Examples will cover different crimeware malware families as well as tools and TTPs used by Red Teams and advanced adversaries.
For the latter, a commercial tool (Cobalt Strike) was used to test different privilege escalation and lateral movement techniques and develop queries for detection. Sysinternals Process Monitor and Sysmon tools were used to analyze behaviors on the endpoints involved.
Any Blue Team member should be able to take away some ideas and approaches to improve detection and incident response readiness in their organization.

During an incident, CERT Sekoia investigated fraudulent money transfers. These transfers were made from a French firm account to other bank accounts based in different places in Europe. The fraud has been valued at 800 000 euros.
Initially, the bank of the French firm indicted an accountant officer of this firm for making these transfers. The transaction were made with 2FA authentication process.
CERT Sekoia has demonstrated that the accountant officer’s computer was compromised and his computer was certainly used to perform these transfers.
The compromising occurred in two stages:

• First, when Dridex arrived on the computer
• Secondly, Dridex was used to download another malware (RAT).

The expansion and specifically the sophistication of botnets has brought with it an increased use of cryptography for safe-guarding communication channels between bots and their command-and-control instances. Asymmetric encryption (or public-key cryptography) currently poses a major challenge for malware analysts. In this regard, understanding the communication protocol is a critical requirement in the analysis of botnets.
The goal of this short-talk is to present a generic, fully automated method for tracking botnet communication protocols and a prototype implementation for recovering obfuscated network traffic. Our method arises from the need of constantly analyzing highly active botnet families while sparing significant reverse engineering effort. The results show that our approach successfully obtains changes in message structures by circumventing encryption and interacting directly with the bots.

Botnet is currently a existing threat to Internet users around the world. Users can lose money, personal information if infected. Bonet takedown has been a pressing need of many organizations in the world: the FBI, the national governments, the Internet service provider (ISP). For ISPs, this is actually a legitimate need to protect their consumers, their networks and meet the requirements of law enforcement agencies.
Basically, there are two types of botnet network models: Client-Server and Peer-to-Peer. In particular, ISPs can play a significant role in client-server botnet shutdown based on their inherent advantages.
Normally, in order to demolish a client-server botnet network, organizations must cooperate with service providers (domain name registrars, hosting/server providers) to acquire the malicious domain or server, then monitor the connections to shutdown. However, this method is quite passive when having to wait for the coordination of service providers. In particular, this method is not feasible for the bullet-proof server.
However, ISPs have a lot of advantages to takedown client-server botnets: own the user’s Internet infrastructure, capable of monitoring/processing/routing traffic on their network, own the technology allow deep analysis of packets.

In this presentation, we will discuss methods which an ISP can use to takedown a client-server botnet on its network based on the ability to redirect malicious connections from C&C server to ISP analysis server using ISP DNS infrastructure, IP routing, that can easily track and shutdown botnet.

A normal computer infected with malware is difficult to detect. There have been several approaches in the last years which analyze the behavior of malware and obtain good results. The malware traffic may be detected, but it is very common to miss-detect normal traffic as malicious and generate false positives. This is specially the case when the methods are tested in real and large networks. The detection errors are generated due to the malware changing and rapidly adapting its domains and patterns to mimic normal connections. To better detect malware infections and separate them from normal traffic we propose to detect the behavior of the group of connections generated by the malware. It is known that malware usually generates various related connections simultaneously and therefore it shows a group pattern. Based on previous experiments, this paper suggests that the behavior of a group of connections can be modelled as a directed cyclic graph with special properties, such as its internal patterns, relationships, frequencies and sequences of connections. By training the group models on known traffic it may be possible to better distinguish between a malware connection and a normal connection.

Cybercriminals employ websites to infect victims with malware using techniques such as drive-by-download or social engineering. On the other hand, several approaches (e.g. client honeypots) exist to detect malicious websites. Nonetheless, this is a time-consuming task, and thus, computational resources should be spent on targets that are more prone to be malicious than others.
For economic reasons, websites that offer free entertainment content like movies and series are frequently visited by web users. Based on this empirical observation, we hypothesized that users visiting Free Movies and Series (FMS) websites are more exposed to malware than when visiting other type of web content.
To prove this hypothesis, we set up an infrastructure composed of a web crawler, to obtain URLs related to the FMS category and other categories extracted from Google Trends, and an analysis component based on VirusTotal. In total, 52,531 URLs were scanned, of which 17,738 correspond to FMS.
The analysis classified 11.2 % of these URLs as malicious, compared to only 1.27 % of the URLs corresponding to the Google Trends categories.