Botconf 2015 Wrap-Up Day #3

And here is my wrap-up for the third day of the conference. Again a bunch of interesting talks. The first to join the floor was Yonathan Klijnsma who presented a nice history of the famous ransomware: Cryptowall. This ransomware has already multiple versions and involved after each of them. It started to spread in November 2013 and implemented a unique ID, HTTP based communication with the C&C.

Yonathan reviewed the communication protocol. The ransomware used proxies and Tor to connect to C&C’s.  As seen yesterday, it is possible to identify the malware based on its communications. It provides also a lot of options for the  victim to pay the ransom. If, in a first version, it supported 143 file types, this numbers crowed up to 312 with the version 3.0! During the review of all the versions, differences were explained like the change in encryption methods, protocols (for some versions, I2P was used instead of Tor but it was less reliable). An interesting remark from Jonathan: take care when you disclose information about malware, the developers are also presents in forums, social networks and monitor us! Don’t use TLP:WHITE to communicate such information. Some interesting discoveries:

• The malware uses nice logo, icons (leaked from simiographics.com :))
• It has funny messages in its code
• It keeps track of new techniques

If you’re interesting in this malware, Yonathan released some tools to play.

Then, Renaud Bidou came to talk about Javascript (“Powered by Javascript”). Why do we find Javascript in botnets? For multiple purposes!

• Injection
• C&C
• Persistency and agility
• Propagate, evade,
• Operates

To achieve those tasks, Renaud demonstrated that “all you need is in JS“. Injection of course is based on XSS vulnerabilities. As he said “XSS can be considered as the buffer overflow of the decade“.

After XSS, he reviewed one by one how Javascript can be used for malicious purposes! To have persistence, the browser must be compromized (the Javascript code reloads itself and loads code from an external URL) via load.js. He also demonstrated how to compromize with art using PNG images containing code. To implement the C&C, Twitter can be used to get commands. Who will block Twitter today? Also for operations, Javascript is magic:

• We can implement keylogger in an iframe
• Create screenshots from the browser
• WebRTC
• Browser details can be leaked, local IP addresses.
• Get clipboard details

You can also have a look at Sniffly, an interesting attack! Renaud’s conclusion was: 100% Javascript malware is possible!

The next speaker, Jeremy du Bruyn, talked about DarkComet (“Inside DarkComet: a wild case-study”). He started with some nice stats about his research: 83K DarkComet samples, 40K configuration extracted, 25K C&C, 751 infiltrated… He knows a lot about this malware 🙂

DarkComet is a RAT which looks legitimate. What are its capabilities: just a full hands-on keyboard! To take control of the remote host, execute commands, log keyboard, etc). It has two components: the C&C and the bot itself.  Jeremy demonstrated and commented an example of configuration (decrypted). Darkcomet uses static keys which change with the version. Then Jeremy reviewed the initial configuration with the C&C to infect the victim. Every 20”, keep-alives are sent. The design is efficient: stealth, scalable, anti-debugging features, protocol support, sample collection , botnet grammar (can’t look suspicious to the botmaster). After a review of the malware, he spoke about the analyze of a lot (40K!) samples. Most of them use dynamic DNS (~40%) to reach the C&C. Interesting, the biggest discovered bot (8000 victimes) was… in France! With the C&C running behind a residential ADSL connection. He also explained how he was able to compromize some C&C with the help of the QUICKUP vulnerability.

Then,we had the change to have a talk of the ANSSI! Not usual at Botconf… The title was: “Air-gap limitations and bypass techniques: command and control using smart electromagnetic interferences” (Chaouki Kasmi, José Lopes Estves).

First, what is an air-gap? Different IT systems may have different security level and different levels of trust (Internet , intranet and critical services). It is a physical isolation removing all communication channels between the systems.  But an air-gap has drawbacks:

• Cost! (duplicate all)
• Work process, organisational constraints

But: “Where they are gaps, they are bridges”, how to bypass this?

• Use disabled interfaces (software disable is not enough, have to be physically removed)
• Use shared peripherals (micro controllers, usb devices, display devices)
• Use mechanical waves… sounds/vibrations Google Tone, Ultrasound, Cross-device tracking.
• Use lights (Shamir, BHUSA keynote 2014)
• Use temperature (BitWhisper) – ex: use the CPU activity)

or… RF of course! They demonstrated how it is possible to alter a properly working computer by using ”Intentional Electromagnetic Interference”. Their experiment was based on a device in a faraday cage. The effects on the computer were multiple: from PS/2 link errors, USB link errors or Ethernet errors to a complete reboot of the device! Their recommendations to avoid or mitigate this?

• Remove unused analog or digital interfaces
• Monitor the remaining ones
• Isolate critical systems (co-lo or not? dedicated room? faraday cages?
• Educate users

The next talk was “Inside traffic exchange networks” by Elie Bursztein and Jean-Michel Picod from Google. Nothing related with IX “Internet exchange points” in this presentation but a way to exchange web traffic (SEO). Google cares about this because there are many issues… The speakers asked to not communicate about the content so… no more info! But you can find an interesting paper here (from IMC 2015)

After the lunch, Peter Kleissner presented “Sality”. It emerged in 2003 from Russia and infect files. Multi-purpose botnet. stealing, DDOS, spam, features a P2P algorithm for botnets

With 2M+ infected hosts, 4M total estimated worldwide, this botnet is not in front of stage but still active today! Author of Sality seems to be know based nick names and email addresses found in samples (?). Why victims are infected? Simply because the system is not patched and not protected by an AV (fail!). The botnet was used to conduct DDoS attacks against VirusTracker: four times from 1Gbps to 120Gbps. Peter explained how the P2P algorithm used by the botnet works and more insight features.

The next talk was “Cyberhacking de l’Internet des Choses” by Olivier Bilodeau (“A moose once bit my honeypot”). It covered Moose, an embedded Linux botnet.

All those IoT devices (Smart TV’s, IP cams, fridges, routers, etc…) have the same characteristics:

• Low amount of mem/storage
• Non X86 arch
• Wide variety of libc implementations
• Support ELF binaries
• Often only console

Why a botnet like Moose is a threat? It is hard to detect, hard to remediate and hard to fix. Such devices are also a low hanging fruits for bad guys! Olivier reviewed how the malware works and the good and bad things implemented by developers. More info available here.

Last slot was assigned to Thomas Barabosch: “Behaviour-driven development in malware analysis”. An academic research about reversing malicious code. Thomas’s motivations? Malware analysis is boring! It’s a daily tasks, repetitive, time consuming. The code is just translated from asm to higher language but how to ensure the reliability? Solution: improve this process!

He presented two approaches: TDD – Test Driven Development and BDD – Behaviour Driven Development. To briefly resume: the goal is to use development techniques and procedures and apply them to reverse engineering to improve it. Interesting but, like many academic researches, it’s not easy to implement them immediately…

This was the last day! The board closed the event with a wrap-up and some stats:

• 250 seats
• 265 participants
• 15 beer kegs
• Gazillion liters of champagne
• +10K lines of chat between organizers

Block already your agenda for the next edition which will be held in Lyon from 30/11 to 02/12.