Botconf 2016 – Day Three
Title: Nymaim Origins, Revival and Reversing Tales
Alberto Ortega of Fox-IT presents Nymaim, a malware family discovered in 2013. Its primary goal is to lock down computers and install ransomware. In 2015, Nymaim began downloading Gozi ISFB, which was then obfuscated with the same mechanisms as Nymaim itself.
Nymaim has attracted the attention of researchers because it is heavily obfuscated and uses numerous anti-analysis techniques. Alberto Ortega walks through these techniques: the anti-sandboxing checks, the encryption of communications, and so on.
Finally, Alberto Ortega explains how this malware sets up a Man-In-The-Browser (MITB) attack to carry out fraudulent banking transactions.
Slide: https://www.botconf.eu/wp-content/uploads/2016/11/PR18-Nymaim-ORTEGA.pdf
Title: ISFB, Still Live and Kicking
ISFB is one of the most widespread financial fraud malware families. In this talk, Maciej Kotowicz presents its characteristics.
Emerging in 2014, ISFB employs anti-analysis techniques, including well-known anti-virtualization methods and string encryption, with the aim of injecting itself into the browser of the infected machine. In addition to using Domain Generation Algorithms (DGAs), ISFB relies on the Tor network to "hide" its command and control servers.
In conclusion, Maciej Kotowicz points out that ISFB is one of the oldest financial malware families still under active development, and that it uses complex communication methods.
Slides: https://www.botconf.eu/wp-content/uploads/2016/11/PR20-ISFB-Kotowicz-.pdf
Title: Challenges for a cross-jurisdictional botnet takedown
At 12:20 PM, Margarita Louca presented the various challenges Europol encountered during its investigation into the Avalanche botnet. The lack of a universal legal framework makes such investigations difficult, since they must comply with the laws and jurisdictions of each country involved. In some cases, the law imposes no obligation to retain data, which leads to the loss of potential evidence.
The surveillance techniques used in the past, particularly wiretapping, have proven ineffective against the technological tools available today (encryption of communications, use of anonymizing networks, cryptocurrencies, etc.).
After 5 years of investigation, the botnet was finally shut down and 5 people linked to the botnet activity were arrested.
More information is available on the Europol website: https://www.europol.europa.eu/newsroom/news/%E2%80%98avalanche%E2%80%99-network-dismantled-in-international-cyber-operation
Title: Preventing File-Based Botnet Persistence and Growth
After the lunch break, Kurtis Armour (eSentire) presented best practices for securing a Windows environment against malware and ransomware, starting with restricting users' rights on their workstations. On the network administration side, Kurtis recalled LAPS (Local Administrator Password Solution), a Microsoft tool for securely managing local administrator accounts (https://technet.microsoft.com/en-us/mt227395.aspx).
Since most infections occur through the opening of an email attachment (Excel, Word, JavaScript, VB, HTA, etc.), Kurtis' approach consists of blocking the execution of these scripts and macros via Group Policy. Two methods are proposed:
- Disable the scripting language entirely (via a registry key)
- Change the program associated with script files, so that double-clicking a script received as an attachment opens it in Notepad
Regarding PowerShell, it is recommended to disable the language entirely, as it is difficult to block only certain features. Furthermore, older versions of PowerShell (prior to version 5) contain few security features. It is recommended to remove any older versions installed on the machines.
Using AppLocker and Device Guard also helps restrict the execution of unknown programs on the computer, and protects against illegitimate use of specific built-in tools such as MSBuild.exe.
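The hardening steps above, applied to a single machine as an added example (this is not the speaker's or eSentire's code; the talk recommends deploying the same settings through Group Policy). It assumes an elevated prompt on Windows 10 / Server 2016 with AppLocker available, that the script-file ProgIDs (JSFile, VBSFile, htafile, ...) still carry their default mappings, and that the AppLocker path wildcard covers both the Framework and Framework64 copies of MSBuild.exe:

```powershell
#Requires -RunAsAdministrator
# Added example (not from the talk): local version of the workstation hardening
# described above. Assumptions: Windows 10 / Server 2016, AppLocker available,
# default ProgIDs for script file types, run from an elevated PowerShell prompt.

# 1. Method one: disable Windows Script Host entirely, so wscript.exe/cscript.exe
#    refuse to run .js/.vbs/.wsf files for every user on the machine.
$wshKey = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'
New-Item -Path $wshKey -Force | Out-Null
Set-ItemProperty -Path $wshKey -Name 'Enabled' -Value 0 -Type DWord

# 2. Method two: re-point the "open" action of script file types at Notepad,
#    so a double-clicked attachment is displayed instead of executed.
#    (Assumption: these ProgIDs are still mapped to .js/.jse/.vbs/.vbe/.wsf/.wsh/.hta.)
$scriptProgIds = 'JSFile', 'JSEFile', 'VBSFile', 'VBEFile', 'WSFFile', 'WSHFile', 'htafile'
$notepadCmd = '"%SystemRoot%\System32\notepad.exe" "%1"'
foreach ($progId in $scriptProgIds) {
    $cmdKey = "HKLM:\SOFTWARE\Classes\$progId\Shell\Open\Command"
    if (Test-Path $cmdKey) {
        Set-ItemProperty -Path $cmdKey -Name '(Default)' -Value $notepadCmd
        Write-Host "[$progId] open command now points at Notepad"
    }
}

# 3. Remove the PowerShell 2.0 engine: it lacks the logging and language
#    restrictions of version 5 and can otherwise be selected with "-version 2".
$v2 = Get-WindowsOptionalFeature -Online -FeatureName 'MicrosoftWindowsPowerShellV2Root'
if ($v2 -and $v2.State -eq 'Enabled') {
    Disable-WindowsOptionalFeature -Online -FeatureName 'MicrosoftWindowsPowerShellV2Root' -NoRestart | Out-Null
    Write-Host 'PowerShell 2.0 engine disabled'
}

# 4. AppLocker: add a Deny rule for MSBuild.exe that applies to Everyone
#    (SID S-1-1-0) and merge it with the existing (default allow) rule set.
#    The rule GUID is generated here; the %WINDIR% variable is AppLocker's own.
$ruleId = [guid]::NewGuid().ToString()
$policyXml = @"
<AppLockerPolicy Version="1">
  <RuleCollection Type="Exe" EnforcementMode="Enabled">
    <FilePathRule Id="$ruleId" Name="Deny MSBuild.exe" Description="Block MSBuild-based code execution" UserOrGroupSid="S-1-1-0" Action="Deny">
      <Conditions>
        <FilePathCondition Path="%WINDIR%\Microsoft.NET\*\MSBuild.exe" />
      </Conditions>
    </FilePathRule>
  </RuleCollection>
</AppLockerPolicy>
"@
$policyFile = Join-Path $env:TEMP 'deny-msbuild.xml'
Set-Content -Path $policyFile -Value $policyXml -Encoding UTF8
Set-AppLockerPolicy -XmlPolicy $policyFile -Merge

# AppLocker only enforces rules while the Application Identity service runs;
# on recent builds its Automatic start type must be set through Group Policy.
Start-Service -Name AppIDSvc
Write-Host 'AppLocker deny rule for MSBuild.exe applied'
```

Test the AppLocker part before enforcing it broadly: set `EnforcementMode="AuditOnly"` first and review the AppLocker event log (Microsoft-Windows-AppLocker/EXE and DLL) for what would have been blocked, since a deny on MSBuild.exe also affects legitimate developer workstations.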
Title: Dridex Gone Phishing
In January 2016, Magal Baz and Gal Meiri of IBM Security's Trusteer discovered a new modus operandi adopted by the team behind Dridex. Delivered through the Andromeda platform, this new variant no longer injects itself directly into the browser (MITB).
Since January 2016, Dridex has instead used malicious redirects to a fake website that replicates the original site while presenting a valid certificate. The main focus of this talk is a demonstration of Dridex's new modus operandi.
Closing
To conclude these three days of talks, we will remember the commitment of the organizing team, who once again ran the event very well, as well as the sponsors for their support, and of course the quality of the speakers, who offered varied and interesting content.
The next Botconf will be held in Montpellier from December 5th to 8th, 2017.

