Botconf 2014 Wrap-Up Day #1

Botconf 2014Botconf is back for a second edition! If the first one was held last year in Nantes, botnet fighters from many countries are back in Nancy to discuss again about… botnets! As the name says, Botconf is a security conference which focus only on botnets. This is a very interesting topic because everybody was/is/will be infected and take part of a botnets. The one who never found an infected device on his network, throw the first hard drive! About the attendees, 200 people joined Nancy from many countries (South-Africa, Israel, South-America, Korean, Japan, and most European countries). There is  25 talks on the schedule prepared by more than 30 top speakers.

The first day started slowly around 9AM with a cool breakfast and some coffee. After a short introduction by Eric Freyssinet from the board of organizers, the first keynote was presented by the United Kingdom’s National Crime Agency (NCA) about botnets takedown. Benedict Addis & Stewart Garrick: “Our GameOver Zeus experience”. They very first message to the audience was:  “We need each others (security researchers & law enforcement)“.

Eric and keynotes speakers

Stewart explained what is the average knowledge of botnets by law enforcement agencies? It is completely confusing! Stewart’s job is to make thinks clear for his colleagues. He has an interesting view: Cybercrime is working in two dimensions compared to a classic murder which is working in three dimensions. The Zeus takedown was a long process: It started in October 2011 when it was clearly d identified by abuse.ch and was completed in June 2014 with a public announcement. During this timeline, several operations were organised like “Tovar”, “Cleanslate” or “Gonogo”. The name of the last one was chosen because the operation against the botnet was postponed several times. Communication was a key and, first the very first time, all UK policemen received a small note about the botnet which briefly explained what it was. There was also a huge presence in the newspapers and others media included TV channels. Another initiative was the creation of the getsafeonline.org website. Even English tabloids broadcasted messages like “Two weeks to save your computer”. And it was successful: People was receptive and there was a 2/3 reduction in UK IP part of the botnet and  massive a uptake of AV tools. A few words about Cryptolocker. This is a visible threat: people know they are infected. Then the speakers explained the DGA (“Domain Generation Algorithm) used by Crypto locker DGA. The key fact was that the generated domains were predictable. It was possible to register “future” domains to build a sinkhole. Was was the learning? We have to understand how the business model behing botnets is working, to map the infrastructure, share and coordinate. We have also to learn from mistakes and use media to up-skill users. A nice idea was presented during the keynote: The creation of a “last resort registrar” to put domains in it and keep control of them.

The first regular talk was “Semantic Binary Exploration” by Laura Guevara and Daniel Plohmann. The goal was to explain how to speed up malware analysis. Their motivations are what is this malicious code doing? Different samples share the same features and evolve within the same “family”. Malware developers are also developers and they also copy/paste some code found on the Internet. That’s why we can find common pieces of code is some malwares.

Laura & Daniel on stage

Static analysis is decoupling analysis from the malware’s execution time and, using automated tools, to explore the control flow graph. The approach presented by Laura was to examine sequences of calls to API and try to infer the user-level function attached to them. Checking calls to API is a common way to analyse the behaviour. Semantics is assigning the meaning to the set of common malware operations (ex: copy/del files for hidden persistence), communications with C&C. All those tasks are performed by calling specific APIs. Example was given with process injection:

CreateToolHelp32Snapshot 
  -> Process32First 
    -> Process32Next 
      -> OpenProcess 
        -> WriteProcessMemory 
          -> CreateRemoteThread

The methodology is the following: collect malware behaviour, define semantics and explore! The next step was to explain how to analyse the arguments passed to the functions and then how to reduce the amount of data by just keeping the useful API calls using N-Gram queries. The presentation ended with a demo performed by Daniel: semanticExplorer @ IDAscope (this is an IDA extension to help in malware analysis).

IDAscope Demo

The tool is based on “helpers” which allows to perform regular (boring) tasks like analysing the communication with C&C servers, understanding the crypto routines or automating the search for YARA signatures. Daniel’s IDAscope repository is available online.

After the (excellent) lunch, the afternoon started with a presentation about the Havex RAT. Giovanni RattaroPaul Rascagnères and Renaud Leroy. They started with an introduction about this remote access tool. The first IOC’s were published on Pastebin by Giovanni in March 2014. The complete analyse was a long process: from January 2014 until today. When SCADA systems were targeted, it was a new storm.

Presenting the Havex RAT

The next part was presented by Paul who explained more technical insights of the malware. The malware is present via a DLL called TMPprovider0xx.dll (xx = the version number). The features are classic: file upload/download, command execution but other modules are very interesting like the OPC scanner, info gathering, network scanner or passwords stealer. Note that the XOR key is always the same and is story in base64. The next part was based on an analyse of the C&C logs and code. The log file is called testlog.php. All requests are logged in base64 and contains many fields (include an “in” and “out” bytes counter). Interesting feature: once a logfile has been downloaded from the C&C, it is immediately deleted. The last part was an analyse of the log files (the first one was generated in February 2011! Some key numbers:

  • 263 C&C servers
  • 92 countries impacted
  • 201M web requests
  • 23M unique IP’s
  • More that 4500 unique infected users
  • 56 C&C still running today

At the end of the presentation, an idea was proposed: The creation of CERT “2.0” with  new ways of working to improve botnet fighting capabilities.

Then, “The many faces of Mevade” was presented by Martijn Grooten and Joao Gouveia. The first message from Martijn was: Fighting a botnet does not always start by reverse engineering a sample. If we compare Mevade vs Regin, from a technical point of view, Regin is much bigger than Mevade but from an infection point of view, that’s the opposite!

Maartijn & Joao on stage

This malware appeared in January 2012 and was called Win32/Sefnit by Microsoft. In September 2013,  Tor reported a sharp increase in connections from all countries. Joao presented the tool they used to gather intelligence: Cyberfeed. It takes data from multiple security feeds (URLs, trojans, spam traps, etc), analyse them and produce some data for subscribers (via dashboards or API). The presentation went deeper on Mevade with information about the domain names used and communications with the C&C. Martijn & Joao’s conclusions are that chasing botnets does not rely only on reverse engineering. Google can also be a good tool in research. Some botnets can be very big and not well known.

And we continued with “Splicing and dicing 2014: Examining this year’s botnets attacks trends” by Nick Sullivan from Cloudflare. This presentation did not focus on botnets from an analyse point of view but from a network perspective. Cloudflare being a big player in cloud services (DNS & reverse proxy), they handle a huge amount of data which contain interesting stuff. They have a great position to capture traffic.

Nick on stage

Nick reviewed some techniques used in DoS attacks. Today, most of them are based on reflection/amplification attacks. Interesting fact: 25% of networks allow IP spoofing! Common protocols are DNS, NTP & SNMP. But attacks can also be performed at the 7th layer, example with HTTP.  Some examples were also reviewed like HTTP b brute-force Nick finished with some new trends:

  • Larger botnets!
  • UNIX botnets (mainly based on compromised cloud services)
  • Referer headers and User-Agent strings (to better mimic browsers)

But they are also potential trends:

  • IPv6 (Today 0.05% of the traffic in attacks is IPv6)
  • HTTPS with specific cyphers choices (using expensive cyphers like 3DES)

Based on the data collected by Cloudflare, attacks start immediately after a vulnerability is disclosed (ex: WordPress or Drupal). Conclusions: patch always as sonn as possible!

After a coffee break, another tool was presented by Peter Kleissner: VirusTracker: This is a bot monitoring tool. Peter explained what are the multiple challenges of running a large scale sinkhole operation. Since September 2012, they started the largest bot monitoring system. The goals are to generate statistics as size, geographic distribution on long term, detect changes/ movements and alert infected organisations. To give an idea of the system today:

  • 3.3M unique infected machines / day (1B infection records in the database)
  • 7000+ sinkhole domains.

Peter on stage

So, what are the challenges to operate such platform?

  • Technical (takedown of the domains)
  • Legal Complaints (false report as C&C)
  • Financial: Cost of domains (avg 7.3 USD per domain)

To reduce costs, the solution is the automation! The following process are fully automated: the registration of new domains, the classification of data and their distribution. Key elements are the creation of a distribution network with CERT’s to warn of infections but also to detect false positives (generated by web crawlers, domain tools, applications like websense, etc). Peter explained the challenges to monitor P2P communications between infected systems and their C&C. Some malwares even implement anti-sinkholing techniques. Finally, mobile botnets are coming and must also be monitored.

The last talk was presented by Karine e Silva which is a lawyer and doing some researches on the legal aspects of botnets fighting: “How to dismantle a botnet: the legal behind the scene”. This was a non-technical talk but very interesting. We are facing laws all the time and they don’t always go in the direction of the security researchers.

Karine on stage

Her presentation was directly followed by a round-table debate about the same topic. Several interesting questions came from the audience. Basically, there is a clear lack of international laws. A very interesting was about the potential creation of “botnets paradise” like fiscal paradise that we have today. What if a country does not apply international laws?

Finally, the day ended with a first set of lightning talks. The principle is easy: you come on stage and receive 3 minutes (no more no less) to present your tool, research, idea, … The following topic were presented:

  • Jumping over the air-gap with fancy bear (Win32/USBStealer). “Fancy Bear” group looks to be using this tool for a while to exfiltrate data from air-gaped computers.
  • 3-mins incident handling: presentation of Malcolm by @tomshop_
  • Coordinated malware eradication by Microsoft: access to their data for the community!
  • Qaqbot by Martijn and C@C v8 protocol details
  • Automating banking trojans, config/webinject extracts
  • Macaroni: Bringing the penguin to your browser.  Integrated virustotal.com in the browser
  • Data at Scale : some interesting ideas to manage lot of data

After the talks, the social networking was back, some food, some drinks with old and new friends and a walk in the city of Nancy. The first day was very good. Excellent organisation with very nice ideas like providing free tickets for public transport and a welcome booth at the train station! Stay tuned for more stuff tomorrow.

23 comments

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.