I’m back in Belgium after a few hours of driving and it’s time to give you my wrap-up of the second day. After a short night, we were back at the Chamber of Commerce in Nantes. The venue is located close to the “Maillé-Brézé“, an old French military ship converted into a museum. For some of the attendees, the night was very short: the social event was a big success! The first talks were followed with a clear lack of caffeine, so let’s go for the recap…
The first speaker (a difficult task!) was Julien Lavesque, CTO of ITrust, with a presentation called “Perdix: a framework for realtime behavioural evaluation of security threats in cloud computing environment”. Julien started with two facts:
- Malware is getting smarter and smarter at bypassing classic security measures.
- More and more companies decide to move applications and data to the cloud (mainly for economic reasons).
If you are the lucky owner of a SIEM solution, you may be able to track them, but classic solutions are not relevant in cloud environments. To perform a behavioural analysis in the cloud, data has to be collected from external sources.
That is the goal of the tool that Julien’s team is developing. Perdix is a framework based on two modules: a data collector and an engine. The data collector is based on IKare to discover and identify the services running in the cloud and their vulnerabilities. It also implements a QoS evaluation and a cloud API for bandwidth usage. Once the data has been collected, the engine is responsible for data processing, analysis and visualisation. To demonstrate how the framework works, a practical example was presented with a real malware sample. Its behaviour was classic (running malicious commands, contacting a C&C, exfiltrating data, etc.) and the initial compromise relied on a phpBB remote code execution vulnerability. Perdix was able to find the following relevant information:
- The phpBB vulnerability, detected by the vulnerability scanner
- Communications with the C&C, with identification of the service (IRC in this example). Unusual traffic is detected based on the server profile learned by Perdix (deviation from the baseline).
- QoS analysis: a scan of the internal network, detected by predictive analysis
- Bandwidth analysis: the data exfiltration was flagged as suspicious
Once a deviation is detected, an alerting module reports the deviant behaviour with enough data for it to be investigated; when enough flags are raised, an alert is triggered. This framework is still in R&D but looks promising. The combination of statistics and learning algorithms provides an efficient way to detect malicious activity. A final version should be available mid-2014, as it is part of a French government call for projects called “Secured Virtual Cloud”. A good talk to start the day: not too deep, with relevant information.
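To make the “deviation from the baseline” idea concrete, here is an added example (my own illustration, not Perdix or ITrust code): a per-server profile is learned from a few days of outbound flow records, and a new day is then checked for the three deviations listed above (a service the server never used, an internal scan, an exfiltration-sized upload). The flow records, the 10.0.0.0/8 internal range and the thresholds are all constructed for the example.

```python
"""Added example (not Perdix/ITrust code): learn a per-server profile from
past outbound flows and flag deviations from it. All flows are constructed."""
import statistics
from collections import defaultdict
from ipaddress import ip_address, ip_network

INTERNAL = ip_network("10.0.0.0/8")   # assumption: the tenant's private range


def _day_flows(server, day, db_bytes):
    """One normal day: a database session plus DNS lookups (constructed)."""
    return [(server, day, "10.0.1.5", 3306, db_bytes),
            (server, day, "10.0.0.2", 53, 200)]


# Constructed baseline: seven quiet days for two web servers.
BASELINE_FLOWS = []
for _day, _db in enumerate([800, 900, 700, 850, 750, 800, 800], start=1):
    BASELINE_FLOWS += _day_flows("web1", _day, _db) + _day_flows("web2", _day, _db)

# Constructed observation day: web2 unchanged, web1 compromised.
TODAY_FLOWS = (
    _day_flows("web2", 8, 800)
    + _day_flows("web1", 8, 800)
    + [("web1", 8, "203.0.113.7", 6667, 300),      # IRC to an external host: C&C
       ("web1", 8, "198.51.100.9", 443, 45000)]    # large upload: exfiltration
    + [("web1", 8, f"10.0.2.{i}", 22, 60) for i in range(1, 41)]  # SSH sweep
)


def build_profile(flows):
    """Per server: destination ports normally used, daily bytes_out totals
    and the largest number of distinct internal peers contacted in one day."""
    ports = defaultdict(set)
    daily_bytes = defaultdict(lambda: defaultdict(int))
    daily_peers = defaultdict(lambda: defaultdict(set))
    for server, day, dst_ip, dst_port, nbytes in flows:
        ports[server].add(dst_port)
        daily_bytes[server][day] += nbytes
        if ip_address(dst_ip) in INTERNAL:
            daily_peers[server][day].add(dst_ip)
    return {
        server: {
            "ports": ports[server],
            "bytes": list(daily_bytes[server].values()),
            "max_peers": max((len(p) for p in daily_peers[server].values()), default=0),
        }
        for server in ports
    }


def detect(profile, flows, z_limit=3.0, peer_factor=5):
    """Compare one day of flows with the learned profile. Returns
    {server: {finding: detail}} for the servers that deviate; the thresholds
    are example values, not Perdix's."""
    findings = {}
    for server, obs in build_profile(flows).items():
        base = profile.get(server)
        if base is None:
            continue                      # never profiled: out of scope here
        found = {}
        new_ports = obs["ports"] - base["ports"]
        if new_ports:                     # a service the server never used
            found["new_services"] = sorted(new_ports)
        if obs["max_peers"] > peer_factor * max(base["max_peers"], 1):
            found["internal_scan"] = obs["max_peers"]   # talking to far more hosts
        mean = statistics.mean(base["bytes"])
        sd = statistics.pstdev(base["bytes"])
        total = sum(obs["bytes"])
        z = (total - mean) / sd if sd else (float("inf") if total > mean else 0.0)
        if z > z_limit:                   # upload volume far above the norm
            found["exfiltration"] = round(z, 1)
        if found:
            findings[server] = found
    return findings


if __name__ == "__main__":
    for server, found in detect(build_profile(BASELINE_FLOWS), TODAY_FLOWS).items():
        print(server, found)
```

Each finding on its own is weak evidence (a new port could be a legitimate change), which is why the talk insisted on raising an alert only once enough flags accumulate; here the three findings for web1 together tell the C&C, scan and exfiltration story, while the quiet web2 produces nothing.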
The next speaker was Pasquale Stirparo, from the EU Joint Research Centre, about “Participatory honeypots: A paradigm shift in the fight against mobile botnets“. As an introduction, Pasquale presented some statistics about mobile botnets and malware. Just two numbers to give you a good picture of the situation: 1K new malware samples are detected per day and 79% of them target the Android platform. The situation has reached a point where we have to care about this issue. Then some critical differences between classic and mobile botnets were discussed, like the different infection vectors and topologies.
For Pasquale, mobile botnets are difficult to fight for multiple reasons:
- SMS messages remain a major infection vector. Should we block SMS? Not possible…
- What about traffic monitoring?
- Mobile devices store a lot of personal information (PI). Data privacy is a major concern when you need to investigate a mobile device (IMEI numbers, SMS, contacts, pictures, GPS tracking).
A good remark from the speaker: because our mobile devices run 24 hours a day (not many people in the audience switch their phone off), they are available all the time to perform tasks like DDoS, fraud, SMS spam, etc. What will be the next threat?
What about building a honeypot with mobile devices? Pasquale mentioned the “Nomadic” project, but it is not easy to implement. So came the idea of the EU JRC: build a participatory honeypot. The goal is to allow people to join the honeypot by sharing interesting information found in a specific VM running on their devices. In this way, data privacy is respected by design. Pasquale’s conclusions: mobile botnets are a growing concern and, due to their nature, the classic approach is not relevant. The idea looks interesting, but the discussion that followed the talk raised questions: how do you make people click on or open malicious content in order to be infected? Does this mean that only regular (non-IT) users should join? I think this is the main problem: to collect good information, you need to build a reliable honeypot which will collect good data.
The next talk was given by Tom Ueltschi from Switzerland. The word “talk” is not correct in this case; I should say “show“. When you read the schedule of a conference, you always try to make your selection, and there are talks that immediately attract your attention, like this one. The subject was “My name is hunter, Ponmocup Hunter”.
The presentation started with a quote: “We find Ponmocup on almost every customer engagement we do” (Feb 2013). Tom explained how he started to fight this giant botnet. It all started with one AV event a few years ago. Based on this event, a classic incident handling procedure was triggered and Tom discovered the malware infection path and the initial C&C traffic, with two large binary downloads. By looking at the logs generated by firewalls and proxies, malicious domains and IP addresses were discovered, as well as two fake User-Agents. Once the analysis was completed, the remediation process was to set up blacklists at the proxy level (UA, IP addresses and domains), then analyse the infected hosts (memory dumps + filesystem copies). The analysis went further and an IOC was found in the registry of infected computers (persistence by running a malicious DLL: mssitlby.dll). After the incident, Tom continued to investigate this botnet. The rest of the talk was about how he learned the architecture and behaviour of the bot with one goal: kill it! How to protect yourself? An IOC was created and published. Tom also wrote a tool called Ponmocup Finder to track the botnet. During all his research, he published a lot of information on his blog. I suggest you read the numerous articles to learn more about this botnet. Technical information about Ponmocup is available here. Finally, a “Ponmocup Botnet working group” has been created to help fight this botnet, and new volunteers are always wanted!
After the first (and welcome!) coffee break, the next speaker was David Décary-Hétu with “Reputation-based life-course trajectories of illicit forum members”.
His presentation was not based on technical stuff like infection vectors, payloads, etc. It focused more on bot owners and how they operate. Everybody is aware of the black markets. They have a social organisation which can reach a huge size and have a big impact, and they generate a lot of business. The benefits of online black markets are multiple:
- Basic protection and means of resolving conflicts
- Social networking
- Information gathering
- Product assessment
But they also face threats:
- Law enforcement agencies, which centralise information, keep archives and run double agents
- Administrators and the other participants
Being a defender on those forums is not easy. The big issue is: how do you trust someone in the community? To use a real-life comparison: should somebody with tattoos immediately be considered a criminal? The forums also have automated reputation systems. We have to explore the importance of time in reputation systems and assess the relationship between the position of offenders and their reputation score. The study is based on a black market where botnet services are sold, with 4K+ profiles active for at least 12 months. David demonstrated with a lot of formulas and graphs how the reputation of forum members evolves over time. Based on the statistics, it is difficult to build an online reputation. Reputation is linked to criminal achievement and can be used to identify the key players. But do all participants want a high reputation score? Not sure. Conclusions: automated reputation systems are tools to understand the social organisation of markets, and reputation must be open and accessible to all. This wasn’t my preferred talk, but the research is very interesting if you are diving into such black markets to get data.
Then another star presented his research! Paul Rascagneres talked about “APT1: Technical backstage”. This talk has already been presented by Paul all around the world at many conferences, simply because it is awesome! But when you present the same talk multiple times, it is a good idea to add some new slides or extras. For Botconf, he went further: to thank the MalwareMustDie team, he simply presented his talk dressed as a Knight Templar:
The idea of this presentation is based on a famous Mao Zedong quote: “The only real defense is offensive defense“. If criminals are able to infect our computers, we should be able to do the same to them. That is what Paul did. The famous group called APT1 used the Poison Ivy RAT (“Remote Access Tool“). The first step was to find the servers used by the criminals to control the botnet. Once done, the bad news for Paul was that the servers were only running when the bad guys were working on them; the rest of the time, all servers were brought offline. No problem: with the help of some Python code and an Arduino board, Paul built a monitoring system which turned a revolving light on when a server came online (nice video). Criminals use software, and this software can also have vulnerabilities. That was the case for Poison Ivy and a Metasploit module was available (exploit/windows/misc/poisonivy_bof), but it did not work properly for Paul and he found another way to pwn the bad guys. During the research, he also found another tool called “Terminator“. This one has a strange behaviour: HTML traffic is sent to the C&C (usually, it is the other way around). Example of code:
If you see this pattern leaving your network, you had better check your environment! Paul found other vulnerabilities which were exploited to pwn the servers. Very good research with a lot of funny slides, very pleasant to follow!
The next slot was assigned to an invited speaker, Jaap van Oss: “Law enforcement action against botnets”. Jaap works for EC3 (Europol). We have reached the point where cybercrime is everywhere and must be properly addressed (a trending topic today is Cryptolocker). A lot of work is done to bring botnets down, but the criminals remain on the streets.
The European directive 2013/40/EU addresses this issue and covers attacks against information systems. For a while now, the EU’s targets have been major organised criminal groups making large profits from crimes such as online fraud. But today there is a new one: cyber attacks against critical infrastructures. For Jaap, attacking a bank is also attacking a critical infrastructure. EC3’s job is to be an information hub on cybercrime. Cybercrime has a business model with different phases and actors, all of them having defined jobs. One idea is to build a cross-border information position on active groups (their roles, modus operandi, events, etc.). But infrastructure is the key! Good visibility comes via researchers, intelligence, experts, law enforcement, hackers, bloggers and multiple providers. We need to share, but we are facing a lot of challenges:
- Multiple jurisdictions
- Cross-border coordination
- Information vs evidence
- Action vs investigation
- Protocol for information exchange (read: how?)
After the lunch break, Thomas Barabosch came to speak about “A general purpose laboratory for large scale botnet experiments”. How can we analyse botnet traffic? Using one of the following methodologies:
- Mathematical modelling
- Stochastic simulation
- Real world data analysis
- In-laboratory simulations
Thomas and his colleagues decided to use the last technique. Why? Previous work already exists (SecSI/LHS labs); a closed environment was required for confidentiality reasons; it complements the in-house reverse engineering process; and finally, it is a long process to reach the state of the art. What about the design criteria? It was mandatory to have: security, scalability, realism, flexibility and sterilisability. The key architectural aspects were:
- Realistic simulation of the selected part of Internet
- Total isolation
Virtualisation to the rescue to create the network nodes, with 1500 XP machines running at the same time! Thomas reviewed the topology deployed to meet the requirements seen above. What about the sensors? (We have to collect data.) An agent is installed on the network nodes, with plugins available to process certain types of data. They send information to a data extraction server reachable via only one IP and one port. Some VM templates are ready (the latest 4 versions of Windows, server versions, etc.). Network-based sensors can be defined (using BPF filters). As a case study, Thomas used the Citadel botnet and demonstrated how to introduce a sinkhole, etc. This is really a great infrastructure to test malicious code. In the future, they will add support for bare-metal machines and automatic provisioning.
And the day continued with Ronan Monchoux, who talked about “DNS resolution traffic analysis applied to botnet detection”.
Everything started from an incident in a French company which was infected by Mariposa. There was no security staff on site, and a tool was developed to track the malware and eradicate it. This tool was later upgraded with more features and called “MalwareTrap”. Its goals are:
- Detect and alert
- DNS updates
The solution is based on a mix of scripts running on a single server, interacting with external blacklists and with log management tools to inject the findings. A great tool, but the second one was really interesting. DomainTrap is a personal development by Ronan. The goal was to code an algorithm to detect domain names that are not based on words, to fight generated domain names like fherhxjxhszbnxjhs.biz (produced by a DGA, “Domain Generation Algorithm”). Using well-known mathematical research on letter mixing, Ronan explained how he improved the tool to reduce the level of false positives. A very nice presentation with lots of ideas. Don’t forget: if DNS can be a pain, it can also be very useful to detect suspicious traffic on your network. I liked the quote at the end: “Votre adversaire n’est pas le malware mais la personne qui est derrière” (Your enemy is not the malware but the person behind it).
Next, Sébastien Larinier & Guillaume Arcas spoke about their tool “Exploit Krawler: new weapon against exploit kits”. They presented their framework to detect exploit kits and their behaviour. It was already presented at hack.lu in October, see my previous wrap-up.
The next one was “Blade Runner: Adventure in tracking botnets” by Jason Jones from Arbor Networks, and more precisely from ASERT (“Arbor Security Engineering and Response Team“). The goal of this research was to replicate a botnet client to simulate communications with the C&C servers.
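As an added illustration of the “domains not based on words” idea (my own example code, not DomainTrap): the registrable label of each queried name is tiled with dictionary words, labels that no words can cover are then passed through two letter-mix tests (vowel ratio and longest consonant run) that act as the false-positive filter, and a client is only reported once it has resolved several such names. The word list, the thresholds and the BIND-style query log lines are all constructed for the example.

```python
"""Added example (not DomainTrap code): flag DNS query names whose registrable
label cannot be built from dictionary words, as a DGA indicator. The word
list, thresholds and log lines are constructed for the example."""
import re
from collections import defaultdict

# Constructed mini-dictionary. A real deployment would load a full word list
# (and a top-sites list) so that legitimate brand names are covered too.
WORDS = {
    "google", "micro", "soft", "face", "book", "cloud", "flare", "update",
    "mail", "login", "secure", "static", "image", "content", "service",
    "account", "support", "news", "shop", "store", "blog", "forum", "media",
    "video", "music", "down", "load", "software", "window", "office", "server",
    "client", "net", "work", "security", "research", "amazon", "web", "site",
    "data", "host", "name",
}
MIN_WORD = 3        # 1-2 letter "words" would cover random strings by accident
MIN_LABEL = 7       # very short labels carry too little signal either way
VOWELS = set("aeiouy")


def registrable_label(fqdn):
    """The label a DGA actually generates: the one left of the public suffix.
    Simplification for the example: only the last label is treated as the
    suffix, so 'example.co.uk' would wrongly yield 'co'."""
    parts = fqdn.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def word_coverage(label):
    """Fraction of characters that can be tiled by dictionary words
    (dynamic programme over prefixes; the best cover wins)."""
    n = len(label)
    best = [0] * (n + 1)
    for i in range(1, n + 1):
        best[i] = best[i - 1]                       # leave char i uncovered
        for j in range(max(0, i - 12), i - MIN_WORD + 1):
            if label[j:i] in WORDS:                 # word ending at i
                best[i] = max(best[i], best[j] + (i - j))
    return best[n] / n if n else 0.0


def vowel_ratio(label):
    letters = [c for c in label if c.isalpha()]
    return sum(c in VOWELS for c in letters) / len(letters) if letters else 0.0


def longest_consonant_run(label):
    run = longest = 0
    for c in label:
        run = run + 1 if c.isalpha() and c not in VOWELS else 0
        longest = max(longest, run)
    return longest


def is_dga_like(fqdn):
    """True when the registrable label looks generated rather than chosen.
    Word coverage is the primary test; the two letter-mix tests only run on
    uncovered labels, so a real word in the list is never flagged on letters."""
    label = registrable_label(fqdn)
    if len(label) < MIN_LABEL:
        return False
    if word_coverage(label) >= 0.5:
        return False
    return vowel_ratio(label) < 0.3 or longest_consonant_run(label) >= 5


# Constructed lines in the style of a BIND query log (not real traffic).
SAMPLE_LOG = """\
client 10.0.0.12#51234: query: www.google.com IN A
client 10.0.0.12#51235: query: update.microsoft.com IN A
client 10.0.0.12#51236: query: cdn.cloudflare.net IN A
client 10.0.0.37#40001: query: fherhxjxhszbnxjhs.biz IN A
client 10.0.0.37#40002: query: qpwzkvjxtrlmnbd.info IN A
client 10.0.0.37#40003: query: mail.google.com IN A
"""
QUERY_RE = re.compile(r"client (\d+\.\d+\.\d+\.\d+)#\d+: query: (\S+) IN")


def suspicious_clients(log_text, min_hits=2):
    """Map client IP -> DGA-like names it resolved, keeping only clients with
    at least min_hits: one odd name is noise, a burst is a bot walking its list."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m and is_dga_like(m.group(2)):
            hits[m.group(1)].append(m.group(2))
    return {ip: names for ip, names in hits.items() if len(names) >= min_hits}


if __name__ == "__main__":
    for ip, names in suspicious_clients(SAMPLE_LOG).items():
        print(ip, "->", ", ".join(names))
```

The order of the tests is the point: a dictionary (or top-sites list) that covers the label short-circuits the letter statistics, which is where most false positives on odd-but-real names come from, and the per-client count turns individual name scores into something an analyst can act on.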
To achieve this, three components are used:
- Data model
- Replicants (fake bots)
The replicated malware was based on 14 separate families that were re-implemented:
- 9 HTTP based
- 1 plain-text binary protocol
- 4 binary protocol with encryption
- No IRC bots
Some examples covered by demos: DirtJumper, Athena HTTP, Madness, SolarBot. The goal of this research was to understand how botnets work or, if you prefer, “know your enemy”.
And the last slot was assigned to Thomas Chopitea with “The hunter becomes the hunted: analysing network traffic to track down botnets”. Thomas is an incident handler working for a private CERT and shares the problems common to all incident handlers:
- Problem 1: kill the malware. Alert the owners of stolen info and send takedown requests, build threat intelligence (“oh, we already saw this”) and start incident remediation.
- Problem 2: “WTF is this?” What does “Troj/Gen Suspicious” mean? Reverse engineer it (too many samples), or run it in a sandbox and wait for the results.
- Problem 3: do it fast
To address those problems and optimise his time, Thomas developed his own tool, called “Malcom”. It contains three modules:
- An analytics engine
- A feeding engine
- A nice web interface
From an operational point of view, the goal is to find actionable intelligence, optimise time and have a good visualisation tool. To achieve this, Malcom also makes use of OSINT (“Open Source Intelligence“) to search for artefacts (domains, IPs) and build some kind of knowledge database with them. Thomas’s tool is freely available on github.com. Have a look at it, it is very nice!
And the first edition of this new conference is already over! Good job from the team for organising such an event in Nantes (not so easy to reach when you are travelling from the other side of the globe): 160 people from 23 different countries came to talk about a very interesting topic: botnets and malware! Some bullet points to summarise the conference and close this blog post:
- This community is awesome! People are doing very good research in their free time without any profit
- Grey zones remain when security researchers have to collect information about botnets (laws, data privacy, etc.)
- Time is a big problem when facing the huge number of new samples: we need tools and automation
- Mobile malware is on the rise
- Criminals are also humans and make mistakes (that can be used by the good guys)
It seems that the 2nd edition is already on its way, but in another city in France. See you next year in December!