Botconf 2014 Conference – Day 3

Intrinsec was present at the second edition of Botconf, which took place from December 3rd to 5th in Nancy. Videos and slides are available at the following address: https://www.botconf.eu/botconf-2014/documents-and-videos/

This report concerns the last day, December 5, 2014.

A New Look at Fast Flux Proxy Network – Dhia Mahjoub (OpenDNS, MalwareMustDie!)

The objective of this conference was to present the use of Fast Flux Proxy networks by botnets such as Kelihos or Zbot and the advantage provided by this type of infrastructure.

Fast Flux networks resolve a single domain name to multiple IP addresses with very short records that change frequently. Therefore, when a client accesses a URL, they can be redirected to any machine within the botnet. These machines then proxy the commands and data to the command and control (C&C) server. Because of this type of infrastructure, a URL found during the analysis of a component cannot be traced directly back to the C&C server, but only to a compromised machine acting as a proxy.

The authors present a technique for enumerating Zbot components from a small initial list of domains. The domains in this list are resolved, yielding a list of IP addresses, which are then reverse-resolved. The domains retrieved this way are fed back into the procedure until no new domains or IPs appear.

On the one hand, this technique allows us to assess the size of the Fast Flux network. In the context of Zbot, the IPs used come from approximately 651 ASes, with roughly 7,600 IPs still active (for Kelihos, it's 221 ASes, with 2,600 IPs identified). On the other hand, the listed domains can be compared with DNS logs to get an idea of the number of infected machines. In a 24-hour search, 10,000 unique IPs were identified as infected, primarily located in the US.

Finally, the speaker explained that the Zbot Fast Flux network is also used by other malware such as ZeuS, Citadel, Asprox, etc.
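The enumeration loop described above (forward-resolve, reverse-resolve, feed back) and the two measurements derived from it (AS count, clients seen in DNS logs), as an added example that is not code from the talk. Live DNS and the IP-to-ASN lookup are replaced by constructed dictionaries; the domain and IP values are made up.

```python
from collections import deque

# Constructed stand-ins for live DNS (A and PTR records) and an IP-to-ASN lookup.
FORWARD = {
    "seed1.example": ["192.0.2.10", "198.51.100.5"],
    "seed2.example": ["192.0.2.10", "203.0.113.7"],
    "flux-a.example": ["198.51.100.5", "203.0.113.9"],
    "flux-b.example": ["203.0.113.7"],
    "benign.example": ["192.0.2.200"],  # shares no IP with the seeds, so never pulled in
}
REVERSE = {
    "192.0.2.10": ["seed1.example", "seed2.example"],
    "198.51.100.5": ["seed1.example", "flux-a.example"],
    "203.0.113.7": ["seed2.example", "flux-b.example"],
    "203.0.113.9": ["flux-a.example"],
    "192.0.2.200": ["benign.example"],
}
IP_TO_ASN = {"192.0.2.10": 64500, "198.51.100.5": 64501,
             "203.0.113.7": 64502, "203.0.113.9": 64502, "192.0.2.200": 64510}

def enumerate_fast_flux(seeds, forward=FORWARD, reverse=REVERSE, max_rounds=20):
    """Forward-resolve every pending domain, reverse-resolve each new IP, and feed
    the domains found back in, until a round yields nothing new (or max_rounds)."""
    domains, ips = set(seeds), set()
    pending = deque(seeds)
    for _ in range(max_rounds):
        if not pending:
            break
        new_ips = set()
        while pending:
            new_ips.update(forward.get(pending.popleft(), []))
        new_ips -= ips          # only IPs never seen before are worth reversing
        ips |= new_ips
        for ip in new_ips:
            for d in reverse.get(ip, []):
                if d not in domains:
                    domains.add(d)
                    pending.append(d)
    return sorted(domains), sorted(ips)

def as_count(ips, ip_to_asn=IP_TO_ASN):
    """Number of distinct ASes hosting the enumerated proxies (network size estimate)."""
    return len({ip_to_asn[ip] for ip in ips if ip in ip_to_asn})

def infected_clients(query_log, domains):
    """query_log: iterable of (client_ip, qname). Clients that resolved any
    enumerated domain are probable bots."""
    wanted = set(domains)
    return {client for client, qname in query_log if qname in wanted}
```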

 

Botnets of *NIX Web Servers – Evgeny Sidorov and Andrew Kovalev (Yandex security team)

The speakers presented the advantages for bot herders of targeting UNIX servers, largely represented by Linux and FreeBSD. The potential is considerable: millions of unsecured web servers are accessible on the internet. They are generally more powerful than personal PCs and are always on. A botnet of servers also offers new monetization opportunities: "black hat" SEO, selling remote access (shells), sending spam… Several malware families encountered by the speakers were presented: Mayhem, Darkleech, Trololo_mod, Effusio, ebury and cdorked.

Machines are generally compromised by automated tools: searching for trivial credentials, attacking misconfigured CMSs, exploiting system vulnerabilities (e.g., Shellshock)... Often, a webshell is dropped on the server (WSO, C57, or other custom scripts).

Since web server processes generally run with limited privileges, malware includes privilege escalation functions: brute-force passwords, reuse of credentials obtained by other bots, kernel vulnerabilities…

Often, the C&C channel takes the form of a web application, and we can then observe that the creators of the malicious code are better C developers than PHP developers: the control interfaces are mostly vulnerable to classic web vulnerabilities (authentication bypass, Cross-Site Scripting, file inclusion, directory listing…), which helps takedown operations.

In conclusion, web server botnets are a reality and are very lucrative for their controllers.

For more information: a publication concerning the ebury rootkit https://www.cert-bund.de/ebury-faq

 

DNS Analytics, Case Study – Osama Kamal (Q-CERT)

Slides: https://www.botconf.eu/wp-content/uploads/2014/12/2014-3.3-DNS-Analytics-Case-Study.pdf

The conference presented a system that can detect infections within a company solely through DNS log analysis. The presenter reminded us that domain names are widely used for contact between malware and command and control (C&C) systems, as well as for malware distribution, highlighting the importance of monitoring these types of events.

The system is illustrated by a concrete example: 72 million DNS log entries are collected, retaining only the queried domain names. The domain names are then deduplicated; in this specific case, this leaves only 460,000 domains. Local domain names are then removed, bringing the total down to 270,000. Next, each domain name is compared against a whitelist, and any domain name on this list is removed from the total; this reduces the remaining domains to 14,000. Finally, automated checks are performed on domain name patterns and keyword searches within the domain, which reduces the total number of domains to 500. To further refine these domains, manual checks are performed using filters based on query times, searches on Google/VirusTotal, DomainTools, etc.

Following manual verification, 70 domains were identified as malicious and were queried by 44 hosts, indicating the probable compromise of these hosts.

However, this system is not yet complete: the time spent on manual verification is not considered satisfactory, and research is underway to reduce this work.
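The triage funnel from the case study (deduplicate, drop local names, drop whitelisted names, flag suspicious patterns, then hand the remainder to manual review together with the hosts that queried it), as an added example that is not the Q-CERT system's code. The BIND-style log lines, the local suffixes, the whitelist and the keyword list are all constructed assumptions.

```python
import re
from collections import defaultdict

# Constructed BIND-style query log: client IP#port and the queried name.
SAMPLE_LOG = """\
client 10.1.1.5#53211: query: www.example.com IN A +
client 10.1.1.5#53212: query: fileserver.corp.internal IN A +
client 10.1.1.9#40001: query: www.example.com IN A +
client 10.1.1.9#40002: query: a8f3k2q9x7z1.example.net IN A +
client 10.1.2.7#40003: query: update-secure-login.example.org IN A +
client 10.1.2.7#40004: query: a8f3k2q9x7z1.example.net IN A +
client 10.1.3.3#40005: query: mail.example.com IN A +
"""
QUERY_RE = re.compile(r"client (\S+?)#\d+: query: (\S+) IN \w+")
LOCAL_SUFFIXES = (".corp.internal", ".local")        # assumed internal zones
WHITELIST = {"www.example.com", "mail.example.com"}  # assumed known-good list
KEYWORDS = ("login", "secure", "update", "bank")     # assumed lure keywords

def parse(log_text):
    """Yield (client_ip, qname) per query line; lines that do not match are skipped."""
    for line in log_text.splitlines():
        m = QUERY_RE.search(line)
        if m:
            yield m.group(1), m.group(2).lower().rstrip(".")

def looks_suspicious(qname):
    """Pattern stage: a lure keyword in the name, or a long digit-heavy label
    that looks machine-generated."""
    if any(k in qname for k in KEYWORDS):
        return True
    return any(len(lbl) >= 10 and sum(c.isdigit() for c in lbl) >= 3
               for lbl in qname.split("."))

def triage(log_text):
    """Run the funnel. Returns per-stage domain counts and, for each domain that
    survives to manual review, the sorted list of hosts that queried it."""
    clients_by_domain = defaultdict(set)
    for client, qname in parse(log_text):
        clients_by_domain[qname].add(client)
    stages = {"unique": len(clients_by_domain)}
    domains = {d for d in clients_by_domain if not d.endswith(LOCAL_SUFFIXES)}
    stages["after_local"] = len(domains)
    domains -= WHITELIST
    stages["after_whitelist"] = len(domains)
    suspects = {d for d in domains if looks_suspicious(d)}
    stages["after_patterns"] = len(suspects)
    return stages, {d: sorted(clients_by_domain[d]) for d in suspects}
```

The per-stage counts make the funnel auditable: a whitelist or keyword list change shows up immediately as a different count at that stage.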

 

Malware and botnet research at LORIA – Jean-Yves Marion (Director of LORIA)

The speaker presents an overview of the malware analysis methods applied within LORIA as well as the current research topics.

One of the challenges is the difficulty posed by anti-analysis techniques: code obfuscation, cryptography, self-modifying code, layered instructions, etc. The example of Telock is cited, which has 18 layers of encryption between the initial binary and the malicious payload. To counter these techniques, a dynamic approach is applied. The malware's execution is tracked in a sandbox. At each iteration, the binary is saved for later analysis, and heuristics are applied to differentiate the code from the data.

To deal with the specific case of overlapping instructions, a project is being developed at LORIA: Codisasm.

Another topic addressed was the identification of specific features in malware through morphological analysis. Simply put, the method involves constructing signatures (abstract execution graphs) and identifying subgraphs within these signatures. For example, by constructing signatures of known encryption functions (extracted from OpenSSL), it was possible to find matches in Waledac, which is known to use cryptographic primitives.

 

Operation Emmental – David Sancho – @dsancho66 (Trend Micro FTR)

The conference presents a review of the experience gained from DNSChanger, which began to spread in 2007 and was dismantled in 2011.

The infection was spread via malicious .rtf files sent by email. The malicious payload performed only two simple actions before uninstalling itself: modifying the machine's DNS server addresses and installing a certificate as a trusted authority.

The attackers targeted specific banks. When a DNS query to these banks was received by the attackers' controlled servers, a pop-up window appeared on the user's screen. Under the guise of enhanced security measures, the pop-up asked the user to provide their username and password and to install an Android application to serve as a strong authentication mechanism. This was clearly a malicious application designed to grant botnet controllers access to the user's device. If a user is compromised, the attackers then control all aspects of the system to carry out fraudulent transactions.

The speaker focused on the credibility of the attack. The technical operations performed by the malware are relatively simple, and its transparent modus operandi can deceive even experienced users: the domain names seen by the user remain authentic, their browser indicates that the site is loaded via HTTPS with a trusted certificate…

Analyzing the attacks was challenging, as the campaigns launched by the attackers were short-lived. Initial progress was made when the servers hosting the malicious Android applications were identified, allowing researchers to trace the various servers by searching for domains registered by the same entity. Echoing the conference on web server botnets, the speaker indicated that the DNSChanger servers' control interfaces had vulnerabilities that enabled the identification of the controller connections.

 

ZeuS meets VM – Story so far – Maciej Kotowicz (CERT-PL)

Slides: https://www.botconf.eu/wp-content/uploads/2014/12/2014-3.6-ZeuS-Meets-VM-%E2%80%93-Story-so-Far.pdf

Botconf ended with a presentation on the ZeuS malware and more specifically on all its offspring that developed after the release of the ZeuSv2 source code in 2009-2010:

  • ZeuSv2
  • ICEX
  • Citadel
  • PowerZeus
  • KiNS
  • ZeuSVM (similar to KiNS)

All these malware programs are banking trojans designed to steal credentials generally related to bank accounts, but they tend to diversify the types of credentials they are capable of stealing.

Each version differs in the injection methods used, the code organization, and the cryptography employed. Indeed, while ZeuSv2 initially used only RC4, subsequent versions added other encryption systems such as AES.

Next, the author presents how the configuration files used by the malware can be recovered, and introduces libzpy, a Python library he developed that gathers the tools he has written to help analyze banking malware.

Libzpy: https://github.com/mak/libzpy

 

Summary of these three days of conferences: around thirty presentations, most of them very interesting, and a well-prepared organization that provided many opportunities to meet and discuss with the participants.
The day ended with a small closing ceremony hosted by Eric Freyssinet where he thanked his team, the speakers, and invited everyone to join him in Paris in 2015, where the 3rd edition of Botconf will take place from December 2nd to 4th, 2015.