I’m in Nantes (France) for two days to attend a new conference: Botconf. As the name says, this event is dedicated to botnets and malwares. The goal is to present talks about those malicious network of computers, how to detect them, how to fight them and, finally, eradicate them. I received a press pass (thank to the organizers), so here is the wrap-up of the first day!
First of all, a few words about the organization. Being also involved in the same kind of event, I really know the huge amount of work that must be accomplished to bring a security conference alive! Kudos to the team, nice venue, everything was running fine. They successfully brought 150 people from all over the world to a French city (some people came from Japan and South-Africa!). Event a live streaming was available for those who cannot travel to Nantes. The event stated with a word from the Chairman, Eric Fressinet. Classic introduction with big thanks to the sponsors, the speakers. Eric is working for the French Gendarmerie and is of course interested into botnets. The program of this first day was very intense with thirdteen slots!
The first speaker was invited from Belgium (yeah!). Ulrich Seldeslachts (from L-SEC.be) presented the preliminary results from the European antibotnet pilot action called ACDC. The goal of this project is to integrate the industry, research centers and operational networks together to improve the detection and mitigation of botnets. This was not a technical presentation but more a review of the current ACDC project status. After an introduction to LSEC, Ulrich’s first remark was about the low interest in botnets from the business… Most people are interested in data theft or APT’s. From an EU perpsective, cybersecurity is an important topic and further actions are required to improve citizens’ online safety. The power of EU is to make more people and organisations collaborate together. Then, he reviewed some examples of projects. What types of data are being collected: URLs, malware samples, IP addresses of spammers and suspected C&Cs. There are also nice initiatices like check-and-secure.com which performs basic checks against your browser to validate its security level. Other projects or initiatives mentioned by Ulrich:
The biggest message passed to the audience was: “We need your help!”
Thomas Siebert, from GData, was the first regular speaker and presented “Advanced techniques in modern banking trojans”. According to Thomas, why banking trojans are interesting? Because that’s where the money is! How do they operate? Thomas started with the details of a classic bank transaction.
Authentication processes occur at different levels: at login time (to connect to the bank) and then at transaction levek (example, using a TAN – “Transaction Authorisation Number“). The goal of the trojan is to play MitM: A webinject changes the page look and feel. This is transparent for the user (the URL and SSL certificate are ok – no warning for the user). Then Thomas explained what is a silent transfer (bank patch). The malware changes the receiver of a transaction. Maybe you think that a 3D authentication (using SMS code) is better? Not sure! He spoke about Feodo and SmsSpy: They inject a page and asks for a mobile number to install a trojan on the phone to intercept SMS authentication during transfer. Another type of attack is the “Retour Attack“, a web injection adds a fake amount of money added to your bank account with a “return money” button. Imagine what the end user will do? He’ll click of course! The next part of the talk was an overview of the techniques used to hijack browsers. Internet Explorer or Firefox can be hijacked using classic hooks (ex: wininet.dll). He explained how they are implemented. Chrome has others ways to get compromised. They was also explained. During his talk, Thomas gave an interesting statistic: 50% of banking trojans are ZeuS variants! Finally he explained how modern C&C structures are working today with new ways of communications:
- BankPatch is using Jabber (in 3 phases) Note: something they are vicious vulnerabilities: botherders are working outside business hours (yes, security experts also have to sleep()
- GameOver outline (via P2P)
- Tor trojans (TOR-ified trojans) ZeuZ-clone, Torrost or i2Ninja
Nice talk with deep information about techniques used to compromise read steal people! A nice remark about criminals: Botherders are working outside business hours (yes, security experts also need to sleep sometimes), to increase the chances to not be detected!
Jessa deal Torre, from TrendMicro, was the next speaker with a topic called “Spam and all things salty: Spambot v2013”. Her job is to perform research on spam, APT and new techniques used by criminals. Most spam is delivered with p0rn or pharmacy messages and often sites behind the messages (links) are malicious. She explained how infected hosts (bots) are used to generate messages and send more spam to compromise end-users.
Two years ago, the main source for malwares was eMule (where people were looking for keygen, crackers, etc). But today, things evolved and complex infrastructures are deployed to generate spam and compromize more and more computers. Jessa reviewed the process in place. It has based on multiple components:
- SmManager : downloads spam from the spam server and sends that date to the compromised website (Linux version).
- DirectSender: downloads the spam from the server but sends out the spam directly to the victims.
- MulePlus: downloads the main binary, packages at a crack.exe and uploads to eMule servers.
- ShComponent: downloads and updates PHP/HTML from the server and send them to the compromise websites.
What are compromised websites? Most of them are running CMS. The top-3 contains: Joomla, WordPress & Drupal. Nothing new! Those compromised websites propose a control panel (WSO 2.5 or C99 shell). Some are hidden in existing plugins, others looks like a regular one but aren’t. As example, Jessa gave the “/plugins/tv1“. If your host has such directory, it is a good IOC (“Indicator of Compromise“) and you better have to check for more suspicious activity! Since April 2013, she performed intermittent monitoring (this is a manual job) and she detected 240K compromised servers and 7M addresses in rotation. What is the avergage website content? Based on data found on three compromised website: 1M unique IP (end-users) that send spam data on a single date. Another tip: check your logs for suspicious increase in traffic. Another good IOC.
The next speakers were Brad Porter & Nick Summerlin with “Distributed Malware Proxy Networks”. The topics don’t covered the open proxies that we can find on the Internet but the open reverse proxies that are used by criminals to protect their C&C infrastructures (and their ass at the same time). A classic flow is: dns resoluton -> network of proxies -> content server -> C&C server. This is mandatory because maintaining their C&C became more and more difficult.
They reviewed some known networks (how they are working):
- Kol (first seen in 2008, known as Avalanche)
- Mango (2011)
- Fluxxy (2011)
To grab statistics and build some knowledge they used a mistake from a botnet owner who forgot to register the domain name used as backup for C&C communication. By shutting down the primary domain, they forced the botnet to use the backup C&C. Win! They collected all the data using a sinkhole and wrote a tool to search into the collected data. A demo was performed. Nice tool but they developed it withint their company time and it has not been released yet (no idea if it will be in the future). Note that the proxies used to protect the C&C are running completely in memory and have logginf features disabled (or logs are dropped).
After a lunch break, the second half-day started with a serie of short talks (read: 20 minutes instead of 40). Oguz Kaan Pehlivan presented “Legal limits of proactive actions: Coreflood botnet example”. Based on the story of the Coreflood botnet takedown operation, Oguz explained the issues that security researchers can face when fighting against botnets. If criminals, by default, perform things against the law, it’s the opposite for the researchers. They have to respect data privacy and multiple laws depending on the country where they reside. Often they perform border line operations. There is clearly some grey zones.
Vasilejos Friligkos talked about “Back to life, back to correlation”. They are different types of botnets but they use some common behavioral characteristics like infection, propagation, C&C communication. Vasilejos explained how to use them to help in malwares detection. First, you must centralise as much data as possible (from AV, firewalls, spams, …) and then aggregate to minimise the data volume and finely apply correlation. This can be:
- Rule based statistical.
As examples, some scenarios were reviewed like detecting a brand new malware without existing AV or IDS signature but which already infected the network (without any conventional mean of detection). We can still detect deviation from normal behaviour like unusual traffic, unusual resource overload, same kind of outgoing traffic. A very interesting topic (which could be presented in a 40-minutes slot) but a good “security maturity” is required to implement this. During the Q&A session after the talks some interesting points were pinpointed: What about baselining? You must assume that you are not infected. And what about “below the radar” behaviours (what most malware try to do)? Based on the number of questions it was an interesting talk.
And Enrico Branca presented “Using cyber-intelligence to detect and localize botnets”. The idea behind this talk was to create a cyber-intelligence system able to analyse lot of stuff but at a low price. The target is to find why I could not find without this system.
Three problems to solve:
- Find information
- This requires time!
- No easy way to do it
Add to those points a lot of technical problems. According to Enrico, you can’t trust no one and the existing tools did not take security into account. They rely of protocols (HTTP, FTP, SMTP, etc) which must respect the RFC. What will happen if it’s not the case? So Enrico and a team of developers wrote they own tool. The goal was to collect standard internet traffic and compared the AV rate detection from raw pcap files (monthly operation). The main question which popped in my mind after the talk was: how did Enrico collect data not send to him? I discussed with him during the evening and it simply added his IP address in multiple locations like open-proxises lists, P2P networks, etc. Immediately, packets started to hit his infrastructure.
- Abuse HTML5 (web sockets, web workers, localStorage)
- Send desktop notifications (via HTML5: “Please visit this site” or “log on to…”)
- Frame rewriting for profit (replace existing frames with whatever content like ads)
Nothing brand new in this talk but some nice demos. Just keep in mind: don’t use browser extensions without proper security checks!
Then, Etienne Stalmans, from SensePost, talked about “Spatial statistics as a metric for detecting bonnet C2 servers”. The goal of the research was to accurately detect bonnet traffic with early detection. DNS is the key protocol amongst other protocols. Everybody uses DNS (no DNS, no Internet). Etienne explained in details (with mathematical formulas, etc) how a model can be build to build a spacial autocorrelation of the C&C IP addresses (based on IP addresses returned by the Fast-Flux servers).
The study is very accurate but was way to complex for me to follow. If you’re interested, have a look at the slides!
Then CDorked was reviewed. It’s a modified HTP server on Linux systems with blackhole and also do monetisation via affiliate programs. During the research, arround 300 servers and hosting thousands of websites were discovered (50 of them are in Alexa top 100.000!). A tool was released to detect the presence of the Linux/CDorked.A and extract the config from memory. This tool was sent to admins and asked to send the configuration back. Then how subdomains were formed was explained deeply. Some information is stored in the subdomain (like the IP address) in base64. This is done via a rogue bind daemon which generate the subdomain for 6 hours, everything in memory (zero footprint!). Some stats from a CDorked server: running nginx with 9 backend servers, 30GB of data collected over 2 days, 1.1M IP addresses, 30K infected computers and 2.5% success rate. As conclusion to this talk: driving to exploit kits is the key job, multiple chains of proxies are used, nice methods to make mitigation and below the radar, cooperation of affected parties is useful but very time consuming.
Then followed a new series of short talks: “Malware calling” by Tomasz Bukowski, from CERT.pl. Tomasz reviewed the two components that are part of the Zitmo malware (“ZeuS in the mobile“). I didn’t follow this one completely but the tool that CERT.pl developed looked interesting like aluGetCfg.py or aluCommunicate.py.
Ivan Fontarensky presented his tool called “Disass“. Working for Cassidian CyberSecurity which is part of the ACDC project, Ivan and his team receive lot of malware to be analysed and for efficient incident response, they build a framework. The fist goal is automation! Disss is a framework wroten in Python + Distrom3 and pefile. It is NOT a dissasembler, debugger or emulator. It make human readable automation script with interactive shell. It can evaluate a particular register value or follow branches in case of conditional jump, etc. I’m not a reverse engineer and the demo looks very interesting to me. So easy to extract useful information from a binary! The tool is available here.
The next talk was “Efficient program exploration by input fuzzing” presented by Thanh Ding Ta. The goal was to use fuzzing techniques against a malware to detect all the hidden features that can be implemented (as protections against reverse engineers by example). It the topic looked interesting, the presentation quickly switched to a suite of slides full of assembly code. Impossible for me to follow this, I was lost!
And last but not least for today, the MalwareMustDie team came on stage. Hendrik Adrian & Dhia Mahjoub presented “The power of a team work – management of dissecting a Fast Flux bonnet, OP-Kelihos unleashed”.
The first part focused on the technical aspects of the Kelihos botnet. They analized lot of traffic and were able to extract a sample of 913(!) domains in the past six months. Interesting statistic: 85% of the infected hosts were using Windows XP or Viste. Most domains & IP addresses have a very short lifetime (to avoid detection). The second part was very interesting. Hendrik & Dhia demonstracted how they successfully tracked the botnet owner based on information collected from multiple sources then correltion and cross-checked. Starting from some gmail.com addresses, they found references in other sources like MySQL dumps of compromised servers. They found how the domains were registered, etc. At the end of the investigations, they successfully spotted the bad guy, a Russion guy, with all his personal details. It was a full-disclosure and of course not recorded. Honestly, I don’t know if I would disclose this kind of information during a conference. But a great team job!
As usual, the day ended with a very cool social event with champagne, fois gras, etc and the whole Botconf crew:
With 150 researchers, infosec guys, analysts and other profiles on a boat, you can imagine that we had a lot of interesting chats! See you tomorrow for the next day!