Botconf is back for a second edition! If the first one was held last year in Nantes, botnet fighters from many countries are back in Nancy to discuss again about… botnets! As the name says, Botconf is a security conference which focuses only on botnets. This is a very interesting topic because everybody was/is/will be infected and part of a botnet. Whoever has never found an infected device on his network, throw the first hard drive! About the attendees, 200 people joined Nancy from many countries (South Africa, Israel, South America, Korea, Japan, and most European countries). There are 25 talks on the schedule prepared by more than 30 top speakers.
The first day started slowly around 9AM with a cool breakfast and some coffee. After a short introduction by Eric Freyssinet from the board of organizers, the first keynote was presented by the United Kingdom's National Crime Agency (NCA) about botnet takedowns: Benedict Addis & Stewart Garrick, "Our GameOver Zeus experience". Their very first message to the audience was: "We need each other (security researchers & law enforcement)".
Stewart explained what the average knowledge of botnets by law enforcement agencies is: it is completely confusing! Stewart's job is to make things clear for his colleagues. He has an interesting view: cybercrime is working in two dimensions compared to a classic murder which is working in three dimensions. The Zeus takedown was a long process: it started in October 2011 when it was clearly identified by abuse.ch and was completed in June 2014 with a public announcement. During this timeline, several operations were organised like "Tovar", "Cleanslate" or "Gonogo". The name of the last one was chosen because the operation against the botnet was postponed several times. Communication was key and, for the very first time, all UK policemen received a small note about the botnet which briefly explained what it was. There was also a huge presence in the newspapers and other media including TV channels. Another initiative was the creation of the getsafeonline.org website. Even English tabloids broadcast messages like "Two weeks to save your computer". And it was successful: people were receptive and there was a 2/3 reduction in UK IPs part of the botnet and a massive uptake of AV tools. A few words about Cryptolocker. This is a visible threat: people know they are infected. Then the speakers explained the DGA (Domain Generation Algorithm) used by Cryptolocker. The key fact was that the generated domains were predictable. It was possible to register "future" domains to build a sinkhole. What was the learning? We have to understand how the business model behind botnets is working, to map the infrastructure, share and coordinate. We also have to learn from mistakes and use media to up-skill users. A nice idea was presented during the keynote: the creation of a "last resort registrar" to put domains in it and keep control of them.
The first regular talk was "Semantic Binary Exploration" by Laura Guevara and Daniel Plohmann. The goal was to explain how to speed up malware analysis. Their motivation: what is this malicious code doing? Different samples share the same features and evolve within the same "family". Malware developers are also developers and they also copy/paste some code found on the Internet. That's why we can find common pieces of code in some malware.
Static analysis decouples the analysis from the malware's execution time and, using automated tools, explores the control flow graph. The approach presented by Laura was to examine sequences of API calls and try to infer the user-level function attached to them. Checking API calls is a common way to analyse the behaviour. Semantics means assigning a meaning to the set of common malware operations (ex: copy/delete files for hidden persistence, communications with C&C). All those tasks are performed by calling specific APIs. An example was given with process injection:
CreateToolhelp32Snapshot -> Process32First -> Process32Next -> OpenProcess -> WriteProcessMemory -> CreateRemoteThread
The methodology is the following: collect malware behaviour, define semantics and explore! The next step was to explain how to analyse the arguments passed to the functions and then how to reduce the amount of data by keeping only the useful API calls using N-gram queries. The presentation ended with a demo performed by Daniel: semanticExplorer @ IDAscope (this is an IDA extension to help in malware analysis).
The tool is based on "helpers" which allow performing regular (boring) tasks like analysing the communication with C&C servers, understanding the crypto routines or automating the search for YARA signatures. Daniel's IDAscope repository is available online.
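To make the "define semantics and explore" idea concrete, here is a small added example (my own code, not IDAscope or semanticExplorer) that matches an ordered API call trace against semantic patterns and then reduces the trace to the calls that matter. The process injection chain is the one from the talk; the persistence and file-drop patterns, the sample trace and the function names are constructed assumptions for illustration.

```python
"""Match ordered Windows API call sequences against semantic patterns.

Added example, not the IDAscope/semanticExplorer code: the process-injection
chain is the one quoted in the talk; the other patterns and the sample trace
are constructed for illustration.
"""
from collections import Counter

# Semantic patterns: label -> ordered API calls that together realise the behaviour.
SEMANTICS = {
    "process_injection": [  # chain quoted in the talk
        "CreateToolhelp32Snapshot", "Process32First", "Process32Next",
        "OpenProcess", "WriteProcessMemory", "CreateRemoteThread",
    ],
    "registry_run_persistence": [  # constructed example pattern
        "RegOpenKeyExW", "RegSetValueExW", "RegCloseKey",
    ],
    "drop_file": ["CreateFileW", "WriteFile", "CloseHandle"],  # constructed
}


def find_ordered(trace, pattern):
    """Return the indices in `trace` at which `pattern` occurs as an in-order
    subsequence (unrelated calls may be interleaved), or None if absent."""
    idx, hits = 0, []
    for i, call in enumerate(trace):
        if call == pattern[idx]:
            hits.append(i)
            idx += 1
            if idx == len(pattern):
                return hits
    return None


def label_trace(trace):
    """Map each matched semantic label to the trace indices that realise it."""
    found = {}
    for label, pattern in SEMANTICS.items():
        hits = find_ordered(trace, pattern)
        if hits is not None:
            found[label] = hits
    return found


def reduce_trace(trace):
    """Keep only the calls that take part in a matched semantic pattern."""
    keep = sorted({i for hits in label_trace(trace).values() for i in hits})
    return [trace[i] for i in keep]


def ngrams(trace, n=3):
    """Counter of consecutive n-grams, usable as a query index over API calls."""
    return Counter(tuple(trace[i:i + n]) for i in range(len(trace) - n + 1))


# Constructed trace: an injection chain with unrelated calls interleaved,
# followed by a Run-key persistence chain.
SAMPLE_TRACE = [
    "GetModuleHandleW", "CreateToolhelp32Snapshot", "Process32First",
    "lstrcmpiW", "Process32Next", "lstrcmpiW", "Process32Next",
    "OpenProcess", "VirtualAllocEx", "WriteProcessMemory",
    "CreateRemoteThread", "CloseHandle", "RegOpenKeyExW",
    "RegSetValueExW", "RegCloseKey", "ExitProcess",
]

if __name__ == "__main__":
    for label, hits in label_trace(SAMPLE_TRACE).items():
        print(f"{label}: calls at indices {hits}")
    print("reduced trace:", reduce_trace(SAMPLE_TRACE))
    print("top 3-grams:", ngrams(SAMPLE_TRACE).most_common(3))
```

The subsequence match deliberately tolerates interleaved noise (string compares, allocations), because a real trace never shows the textbook chain back to back; the n-gram index is what lets an analyst query "which functions contain OpenProcess followed by WriteProcessMemory" without reading every basic block.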
After the (excellent) lunch, the afternoon started with a presentation about the Havex RAT by Giovanni Rattaro, Paul Rascagnères and Renaud Leroy. They started with an introduction about this remote access tool. The first IOCs were published on Pastebin by Giovanni in March 2014. The complete analysis was a long process: from January 2014 until today. When SCADA systems were targeted, it was a new storm.
The next part was presented by Paul who explained more technical insights of the malware. The malware is present via a DLL called TMPprovider0xx.dll (xx = the version number). The features are classic: file upload/download, command execution, but other modules are very interesting like the OPC scanner, info gathering, network scanner or password stealer. Note that the XOR key is always the same and is stored in base64. The next part was based on an analysis of the C&C logs and code. The log file is called testlog.php. All requests are logged in base64 and contain many fields (including an "in" and "out" bytes counter). Interesting feature: once a logfile has been downloaded from the C&C, it is immediately deleted. The last part was an analysis of the log files (the first one was generated in February 2011!). Some key numbers:
- 263 C&C servers
- 92 countries impacted
- 201M web requests
- 23M unique IPs
- More than 4500 unique infected users
- 56 C&C still running today
At the end of the presentation, an idea was proposed: the creation of a CERT "2.0" with new ways of working to improve botnet fighting capabilities.
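The key numbers above come from crunching base64-encoded C&C request logs. As an added illustration of that kind of analysis (my own code, not the speakers' tooling), the following script decodes such a log and aggregates requests, unique IPs, countries and the "in"/"out" byte counters. The only facts taken from the talk are that each request is a base64 line carrying those two counters; the pipe-separated field layout, the sample records and the function names are assumptions.

```python
"""Summarise C&C request logs that are stored as one base64 line per request.

Added example; the field layout below is an assumption for illustration, not
the real testlog.php format from the talk. Only the facts that each request is
a base64-encoded record carrying "in"/"out" byte counters come from the talk.
"""
import base64
import binascii
from collections import Counter

FIELDS = ["timestamp", "ip", "country", "bot_id", "in", "out"]  # assumed layout


def decode_record(line):
    """Decode one base64 line into a dict, or None if it is unparseable.

    Malformed lines are common in seized logs (truncation, crawler noise), so
    the parser rejects them instead of raising and aborting the whole run.
    """
    try:
        raw = base64.b64decode(line.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    parts = raw.split("|")
    if len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    try:
        rec["in"], rec["out"] = int(rec["in"]), int(rec["out"])
    except ValueError:
        return None
    return rec


def summarise(lines):
    """Aggregate the key numbers a responder would report from such a log."""
    ips, bots, countries = set(), set(), Counter()
    total_in = total_out = requests = bad = 0
    for line in lines:
        rec = decode_record(line)
        if rec is None:
            bad += 1
            continue
        requests += 1
        ips.add(rec["ip"])
        bots.add(rec["bot_id"])
        countries[rec["country"]] += 1
        total_in += rec["in"]
        total_out += rec["out"]
    return {
        "requests": requests, "unique_ips": len(ips), "unique_bots": len(bots),
        "countries": dict(countries), "bytes_in": total_in,
        "bytes_out": total_out, "malformed": bad,
    }


def encode_record(*fields):
    """Build a constructed log line (used here only to create sample data)."""
    return base64.b64encode("|".join(map(str, fields)).encode()).decode()


# Constructed sample log using documentation IP ranges; one line is deliberately broken.
SAMPLE_LOG = [
    encode_record("2014-02-03 10:00:01", "192.0.2.10", "BE", "bot-a1", 312, 4096),
    encode_record("2014-02-03 10:00:07", "192.0.2.10", "BE", "bot-a1", 280, 0),
    encode_record("2014-02-03 10:01:15", "198.51.100.7", "DE", "bot-c9", 512, 1024),
    "not base64!!",
    encode_record("2014-02-03 10:02:40", "203.0.113.9", "JP", "bot-f4", 64, 65536),
]

if __name__ == "__main__":
    for key, value in summarise(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```

Counting unique IPs separately from unique bot identifiers matters: the talk reports 23M unique IPs but only about 4500 unique infected users, which is what you get when infected hosts sit behind changing or shared addresses.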
Then, "The many faces of Mevade" was presented by Martijn Grooten and Joao Gouveia. The first message from Martijn was: fighting a botnet does not always start by reverse engineering a sample. If we compare Mevade vs Regin, from a technical point of view, Regin is much bigger than Mevade but from an infection point of view, it's the opposite!
This malware appeared in January 2012 and was called Win32/Sefnit by Microsoft. In September 2013, Tor reported a sharp increase in connections from all countries. Joao presented the tool they used to gather intelligence: Cyberfeed. It takes data from multiple security feeds (URLs, trojans, spam traps, etc), analyses them and produces some data for subscribers (via dashboards or API). The presentation went deeper on Mevade with information about the domain names used and communications with the C&C. Martijn & Joao's conclusions are that chasing botnets does not rely only on reverse engineering. Google can also be a good tool in research. Some botnets can be very big and not well known.
And we continued with "Splicing and dicing 2014: Examining this year's botnet attack trends" by Nick Sullivan from Cloudflare. This presentation did not focus on botnets from an analysis point of view but from a network perspective. Cloudflare being a big player in cloud services (DNS & reverse proxy), they handle a huge amount of data which contains interesting stuff. They are in a great position to capture traffic.
Nick reviewed some techniques used in DoS attacks. Today, most of them are based on reflection/amplification attacks. Interesting fact: 25% of networks allow IP spoofing! Common protocols are DNS, NTP & SNMP. But attacks can also be performed at layer 7, for example with HTTP. Some examples were also reviewed like HTTP brute-force. Nick finished with some new trends:
- Larger botnets!
- UNIX botnets (mainly based on compromised cloud services)
- Referer headers and User-Agent strings (to better mimic browsers)
But there are also potential trends:
- IPv6 (Today 0.05% of the traffic in attacks is IPv6)
- HTTPS with specific cipher choices (using expensive ciphers like 3DES)
Based on the data collected by Cloudflare, attacks start immediately after a vulnerability is disclosed (ex: WordPress or Drupal). Conclusion: always patch as soon as possible!
After a coffee break, another tool was presented by Peter Kleissner: VirusTracker. This is a bot monitoring tool. Peter explained the multiple challenges of running a large scale sinkhole operation. Since September 2012, they have been running the largest bot monitoring system. The goals are to generate statistics such as size and geographic distribution over the long term, detect changes/movements and alert infected organisations. To give an idea of the system today:
- 3.3M unique infected machines / day (1B infection records in the database)
- 7000+ sinkhole domains.
So, what are the challenges of operating such a platform?
- Technical (takedown of the domains)
- Legal Complaints (false report as C&C)
- Financial: Cost of domains (avg 7.3 USD per domain)
To reduce costs, the solution is automation! The following processes are fully automated: the registration of new domains, the classification of data and their distribution. Key elements are the creation of a distribution network with CERTs to warn of infections but also to detect false positives (generated by web crawlers, domain tools, applications like Websense, etc). Peter explained the challenges of monitoring P2P communications between infected systems and their C&C. Some malware even implements anti-sinkholing techniques. Finally, mobile botnets are coming and must also be monitored.
The last talk was presented by Karine e Silva, who is a lawyer doing research on the legal aspects of botnet fighting: "How to dismantle a botnet: the legal behind the scene". This was a non-technical talk but very interesting. We are facing laws all the time and they don't always go in the direction of the security researchers.
Her presentation was directly followed by a round-table debate about the same topic. Several interesting questions came from the audience. Basically, there is a clear lack of international laws. A very interesting question was about the potential creation of "botnet paradises", like the fiscal paradises that we have today. What if a country does not apply international laws?
Finally, the day ended with a first set of lightning talks. The principle is easy: you come on stage and receive 3 minutes (no more, no less) to present your tool, research, idea, … The following topics were presented:
- Jumping over the air-gap with Fancy Bear (Win32/USBStealer). The "Fancy Bear" group looks to have been using this tool for a while to exfiltrate data from air-gapped computers.
- 3-mins incident handling: presentation of Malcolm by @tomshop_
- Coordinated malware eradication by Microsoft: access to their data for the community!
- Qaqbot by Martijn and C&C v8 protocol details
- Automating banking trojans, config/webinject extracts
- Macaroni: Bringing the penguin to your browser. Integrated virustotal.com in the browser
- Data at Scale : some interesting ideas to manage lot of data
After the talks, the social networking was back: some food, some drinks with old and new friends and a walk in the city of Nancy. The first day was very good. Excellent organisation with very nice ideas like providing free tickets for public transport and a welcome booth at the train station! Stay tuned for more stuff tomorrow.