Botconf 2014 Wrap-Up Day #3

The Botconf venue

I’m just back from Nancy and it’s time to publish the wrap-up for the last day! The last night was very short for most of the attendees: 30 minutes before the first talk, the coffee room was almost empty! This third day started with “A new look at Fast Flux proxy networks” by Dhia Mahjoub from OpenDNS. Hendrik Adrian was also involved in this research but could not be present for personal reasons. OpenDNS provides DNS services and, as we all know, DNS is critical in botnet infrastructures, so they have access to a very big source of information! As has already been said multiple times, the crimeware scene is an ecosystem. Modern malware communicates with its C&C through proxies, and that was the topic of Dhia’s presentation: Fast-Flux proxy networks.

Dhia on site

The concept of Fast-Flux proxy networks is simple but efficient: a botnet is used by another botnet to interconnect the victims and their C&C’s. Their characteristics are:

  • They provide redundancy using DNS
  • FQDNs resolve to many IP addresses with a very low TTL
  • Domains get a lot of new entries and are switched very quickly (example: 100-1000 times per hour)

Then, Dhia explained how to detect the ZeuS proxy network using DNS techniques:
  1. Start with an initial list of ZeuS Fast Flux domains
  2. Get the IPs and TTLs via direct lookups in a DNS database
  3. Extract the IPs with TTL = 150
  4. Get domains from those IPs via reverse lookups
  5. Add the domains to the initial list
  6. Extract the IPs with TTL = 150
  7. Add the new IPs to the list of proxies
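The seven steps above form a loop over forward and reverse DNS data that runs until nothing new is found. Here is an added example (my own code, not the talk’s or OpenDNS’s) that runs it over a small constructed passive-DNS dataset, keeping only the IPs answered with the TTL of 150 that the talk uses as the proxy marker:

```python
"""Fixed-point expansion of a Fast-Flux proxy list (steps 2-7 of the talk).

FORWARD is a CONSTRUCTED stand-in for a passive-DNS database; real use would
replace it with forward/reverse queries against such a database.
"""
from collections import defaultdict

# Constructed passive-DNS records: domain -> list of (ip, ttl).
FORWARD = {
    "seed-a.ru": [("198.51.100.10", 150), ("198.51.100.11", 150), ("203.0.113.5", 3600)],
    "seed-b.su": [("198.51.100.11", 150), ("198.51.100.12", 150)],
    "pivot-c.ru": [("198.51.100.12", 150), ("198.51.100.13", 150)],
    "pivot-d.su": [("198.51.100.13", 150), ("198.51.100.14", 150)],
    "legit-cdn.example": [("203.0.113.5", 3600), ("203.0.113.6", 3600)],
}
PROXY_TTL = 150  # TTL the talk used as the marker of ZeuS Fast-Flux proxies


def build_reverse(forward):
    """Reverse index (step 4): ip -> set of domains that resolved to it."""
    reverse = defaultdict(set)
    for domain, records in forward.items():
        for ip, _ttl in records:
            reverse[ip].add(domain)
    return reverse


def expand_proxy_network(seed_domains, forward, ttl=PROXY_TTL):
    """Return (domains, proxy_ips) once no new domain or IP is discovered."""
    reverse = build_reverse(forward)
    domains, proxies = set(seed_domains), set()
    while True:
        # Steps 2-3 / 6: forward lookups, keep only IPs answered with the proxy TTL.
        ips = {ip for d in domains for ip, t in forward.get(d, []) if t == ttl}
        # Steps 4-5: reverse lookups on those IPs feed new domains into the list.
        found = {d for ip in ips for d in reverse.get(ip, set())}
        if ips <= proxies and found <= domains:
            return domains, proxies  # fixed point: nothing new on either side
        proxies |= ips  # step 7
        domains |= found


if __name__ == "__main__":
    doms, ips = expand_proxy_network(["seed-a.ru"], FORWARD)
    print("domains:", sorted(doms))
    print("proxies:", sorted(ips))
```

Note that legit-cdn.example is never pulled in: it only shares an IP answered with a 3600-second TTL, which step 3 discards.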

Based on this exercise, they got some statistics about the geographic distribution of the Zbot proxy network: 18K IP addresses detected from 691 ASN’s in 71 countries, and 7600+ are live! They also reviewed some stats from the Kelihos botnet: >2600 IP addresses in 221 ASN’s from 44 countries. For information, to generate nice graphs they used a tool developed by OpenDNS: OpenGraphiti. Dhia’s conclusions are: such botnets are very versatile and provide multi-purpose services based on the client’s needs. They mainly use the .ru and .su TLD’s (Russia seems to be the main source) but the victims are mainly located in Western countries. If you are interested in DNS & botnets, have a look at OpenDNS labs.

The next talk was presented by Evgeny Sidorov and Andrew Kovalev from Yandex: “Botnets of *NIX web servers”. Usually, system administrators think that they are safe because they use Linux (or any other UNIX flavour). This is clearly a false sense of security: today, *NIX servers are also interesting targets! Why? They have characteristics that are very interesting for criminals: they are not patched, they face the Internet without NAT, and there is no need to use P2P protocols. This also generates a new business: renting shells, spam bots, BlackHat SEO. Mainly Linux systems are targeted but the speakers have already found some samples which work on FreeBSD! The attacks are based on weak CMSs and brute-forcing passwords. As already mentioned yesterday, some sites have a nice Alexa rank!

The Yandex guys on stage

But the question is: once infected, is there a life beyond webshells? PHP suxx, for criminals too! Some webshells have bugs and the PHP 30-second script execution limit is a real pain, so attackers try to evade it. They made a nice review of Mayhem, the best-known UNIX botnet. It is very portable and uses ShellShock, Heartbleed and much more to infect other computers. It has a proper architecture and is based on plugins; new plugins can be developed and added later.

Then, Evgeny and Andrew reviewed other discovered trojans like Darkleech and Trololo_mod, which infect Apache web servers via malicious modules. Effusion is another one which targets nginx. Others reviewed were Ebury and Cdorked. Operation Windigo is still ongoing to try to kill them (25K servers infected, 500K+ web redirections / day and 35M spam messages sent / day!). A specific mention for Ebury, which most of the time used libkeyutils.so but whose latest version uses libns2.so. What to conclude? Infections of *NIX servers are real! There is a new monetisation and criminals use all the advantages of the server (ex: a very good uptime and direct access to the Internet).

After the coffee break, “DNS analytics, case study” by Osama Kamal. The first (and recurrent) message is: “Check your DNS logs!”. The approach is simple and has zero footprint in the customer’s infrastructure. Osama and his colleagues from Q-CERT created a toolbox to analyse DNS logs. Amongst the 20 organisations that they checked, all of them were infected (100%)!

Osama on stage

They analysed 600M DNS events and found 250 infections with a 25% false-positive rate. They used a classic approach to analyse the logs:

  1. Collect
  2. Parse
  3. Index
  4. Store
  5. Enrich
  6. Analyse

The toolbox was based on cloud instances and JSON files. Osama gave the results of a sample case: they started with 72M DNS events (14 days) and extracted 460K unique domains. The list was reduced to 270K without the local domains and to 14K after whitelisting. They executed 35 checks to extract 500 domains and, after a manual review, finally found 70 domains; 44 hosts were infected. Very interesting talk! But the toolbox is not yet ready and must be improved: they need to minimise the manual operations and to scale it up for big enterprises.
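As an added illustration (my own code, not the Q-CERT toolbox, whose 35 checks are not published here), this script runs the same funnel on a handful of constructed query-log lines: parse and index, count clients per domain, drop local domains, whitelist registered domains, then apply two illustrative checks and keep the reasons for the manual-review step. The log format, local suffix, whitelist and thresholds are all assumptions.

```python
# Miniature DNS-log funnel in the spirit of the Q-CERT case study (added example).
# Log lines ("<timestamp> <client_ip> <queried_name>"), local suffixes and whitelist
# are CONSTRUCTED; the two checks are illustrative stand-ins for the toolbox's 35.
import math
from collections import Counter, defaultdict

LOG_LINES = """\
2014-12-05T10:00:01 10.0.0.5 intranet.corp.example
2014-12-05T10:00:02 10.0.0.5 www.example.com
2014-12-05T10:00:03 10.0.0.7 mail.example.net
2014-12-05T10:00:04 10.0.0.7 xk3j9qz7vbn2pl4w.ru
2014-12-05T10:00:06 10.0.0.9 www.example.com
2014-12-05T10:00:07 10.0.0.12 a9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4.su
2014-12-05T10:00:08 10.0.0.12 cdn.example.org
""".splitlines()
LOCAL_SUFFIXES = (".corp.example",)                        # "local domains" step
WHITELIST = {"example.com", "example.net", "example.org"}  # whitelisting step

def registered_domain(name):
    """Naive 'last two labels' approximation of the registered domain."""
    return ".".join(name.split(".")[-2:])

def label_entropy(label):
    """Shannon entropy (bits) of the characters of one DNS label."""
    return -sum(c / len(label) * math.log2(c / len(label)) for c in Counter(label).values())

def check_long_label(name):
    return "long-label" if any(len(l) >= 16 for l in name.split(".")) else None

def check_high_entropy(name):
    return "high-entropy" if max(map(label_entropy, name.split("."))) > 3.5 else None

CHECKS = (check_long_label, check_high_entropy)

def analyse(lines):
    """Parse -> index -> enrich (clients per domain) -> filter -> run checks."""
    clients = defaultdict(set)
    for line in lines:
        _ts, client, name = line.split()
        clients[name.lower().rstrip(".")].add(client)
    non_local = {d for d in clients if not d.endswith(LOCAL_SUFFIXES)}
    unlisted = {d for d in non_local if registered_domain(d) not in WHITELIST}
    candidates = {}  # domains handed to the manual-review step, with the reasons
    for d in sorted(unlisted):
        reasons = [r for r in (chk(d) for chk in CHECKS) if r]
        if reasons:
            candidates[d] = {"reasons": reasons, "clients": sorted(clients[d])}
    funnel = {"unique": len(clients), "non_local": len(non_local), "after_whitelist": len(unlisted), "flagged": len(candidates)}
    return funnel, candidates
```

The returned funnel mirrors the counts Osama reported at each stage, and the per-domain client list is what lets the reviewer go from flagged domains to infected hosts.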

Just before lunch, Jean-Yves Marion from LORIA, the host of the conference this year, presented his keynote: “Malware and botnet research at LORIA”. This laboratory has a lot of experience in the security field and works on topics such as malware, network security, SCADA systems and even drones! But Jean-Yves focused his keynote on x86 malware.

Jean-Yves on stage

When a sample must be analysed, we face three challenges: identification, classification and detection. Jean-Yves started with a theoretical speech and asked the following questions (and gave answers):

  • How to recover the comm protocol: without being part of the bot (not easy)
  • How to identify a function inside a binary: crypto, localisation, other
  • How to classify: which family? shared code?
  • How to detect? Signature database? new threat? behaviour?

A classic approach is to dump the memory, disassemble and generate a control flow graph. But almost all malware today is self-modifying (93%) and requires multiple decryption waves in the packer to get the right code. Jean-Yves made a demo with tElock99, which requires 17 waves! The next part of the presentation was harder (read: with a lot of assembler in the slides). I noted an interesting project developed by LORIA: CoDisasm, concatic disassembly of self-modifying binaries with overlapping instructions.

The lunch break (very delicious as usual) was followed by David Sancho’s presentation: “Holes in banking 2FA: Operation Emmental”. The originally scheduled talk was cancelled due to a travel issue for its speaker. David started with two questions for the audience: “Who never helped a friend to clean his infected laptop?” and “Aren’t we always thinking… what did he click on?”. Who doesn’t remember the DNSChanger trojan from 2009?

David on stage

David explained in detail how the attackers abuse their victims with a cleverly designed attack. It is based on the following components:

  • An RTF file sent via email (eh, this is only a text file, who cares?)
  • Once opened, the malicious RTF runs a macro which installs a new certificate and changes the victim’s DNS settings
  • Once the victim visits his bank website, he is redirected to a fake one (controlled by the attackers)
  • The victim is asked to install a phone app (malicious too, of course)
  • Pwn3d! (control of the victim’s phone)

In this attack, an AV is usually not effective because there is no persistence. If the malicious code is not detected at that very moment, it never will be (the trojan deletes itself)! The infrastructure deployed by the attackers contains DNS servers, hosting servers, SMS receivers and C&C servers. Usually, they run the campaign for a short time (10 days), then delete everything. A very nice analysis of an attack. Detailed information is available in David’s report here.

And the conference ended with the talk “ZeuS meets VM – Story so far” by Maciej Kotowicz, also from CERT.pl. Again, ZeuS was the topic of this talk. This trojan has been in the news for a while; most security companies have communicated about it but some are giving false information. That’s why Maciej decided to present this talk. It’s a happy family of different versions of ZeuS. He reviewed many variants of ZeuS: ICEX, Citadel, PowerZeus, KiNS, VMZeuS, ZeuSVM and others. He also introduced libzpy, a Python library to play with Zbot, and made some demos based on Cuckoo!

Maciej on stage

That’s it for this second edition, which was, according to many attendees, a big success! Some numbers:

  • 12 team members
  • 200 participants
  • 33 speakers
  • 27 countries
  • … barrels of wine & beer (read: a lot of)
  • 15 people caught on the sleepy cam 🙂

The next edition has already been announced: it will be held in Paris on 2, 3 and 4 December 2015.

The Botconf Crew

Botconf 2014 archives are also online: https://www.botconf.eu/botconf-2014/documents-and-videos/
