
Botconf 2017 – Day One

Introduction

The fifth edition of Botconf took place in Montpellier from December 6th to 8th. Here is a look back at this defensively oriented event, which focused on malware analysis and the fight against cybercrime.

Malware clustering at scale

Sébastien Larinier • @Sebdraven
Robert Erra • LSE, EPITA

The speakers presented a clustering and classification project addressing the challenge of handling a dataset containing hundreds of millions of malware samples. The idea was to leverage machine learning to identify similarities between samples. The algorithms used to process the dataset were chosen empirically, by keeping those that gave the most satisfactory results.

The processing is performed on the metadata of the files: classic cryptographic hashes and "fuzzy" hashes (ssdeep), import hashes, executable headers, import tables, certificates, etc.

By leveraging a moderately powerful laboratory infrastructure, the existing architecture can process the initial dataset in a few hours. From there, newly added samples will be analyzed almost instantly.
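As an added illustration of the metadata-based approach described above (example code written for this write-up, not the speakers' project), the block below computes the import hash (imphash: MD5 over the ordered, lowercased "dll.function" list) for a handful of constructed import tables and groups samples either by identical imphash or by Jaccard similarity of their import sets; the Jaccard step is an assumed stand-in for the fuzzy-similarity measures the talk relies on. It also shows why both are useful: imphash is order-sensitive, so reordered imports escape an exact match but not the set-based comparison.

```python
import hashlib
from itertools import combinations

# Constructed import tables standing in for real PE samples (no real malware).
# Each entry: (DLL name as written in the import directory, imported function).
SAMPLES = {
    "sample_a": [("KERNEL32.dll", "CreateFileA"), ("KERNEL32.dll", "WriteFile"),
                 ("WS2_32.dll", "connect"), ("ADVAPI32.dll", "RegSetValueExA")],
    # same imports, different capitalisation: imphash normalises to lowercase
    "sample_b": [("kernel32.DLL", "CreateFileA"), ("kernel32.DLL", "WriteFile"),
                 ("ws2_32.dll", "connect"), ("advapi32.dll", "RegSetValueExA")],
    # same set of imports in a different order: imphash is order-sensitive
    "sample_c": [("WS2_32.dll", "connect"), ("KERNEL32.dll", "WriteFile"),
                 ("KERNEL32.dll", "CreateFileA"), ("ADVAPI32.dll", "RegSetValueExA")],
    # unrelated import profile
    "sample_d": [("USER32.dll", "MessageBoxA"), ("KERNEL32.dll", "ExitProcess")],
}

def normalise(dll, func):
    """Apply the imphash naming rules: lowercase, strip the DLL extension."""
    dll = dll.lower()
    for ext in (".dll", ".ocx", ".sys"):
        if dll.endswith(ext):
            dll = dll[: -len(ext)]
            break
    return f"{dll}.{func.lower()}"

def imphash(imports):
    """MD5 over the ordered, normalised 'dll.func' list (named imports only)."""
    joined = ",".join(normalise(d, f) for d, f in imports)
    return hashlib.md5(joined.encode()).hexdigest()

def jaccard(imports_x, imports_y):
    """Order-insensitive similarity of two import sets (assumed fuzzy measure)."""
    x = {normalise(d, f) for d, f in imports_x}
    y = {normalise(d, f) for d, f in imports_y}
    return len(x & y) / len(x | y)

def cluster(samples, threshold=0.8):
    """Group samples linked by an exact imphash or a Jaccard score >= threshold."""
    parent = {name: name for name in samples}        # simple union-find
    def find(n):
        while parent[n] != n:
            n = parent[n]
        return n
    for a, b in combinations(samples, 2):
        if imphash(samples[a]) == imphash(samples[b]) or \
                jaccard(samples[a], samples[b]) >= threshold:
            parent[find(a)] = find(b)
    groups = {}
    for name in samples:
        groups.setdefault(find(name), set()).add(name)
    return sorted(groups.values(), key=lambda g: sorted(g))
```

On the constructed samples, `cluster(SAMPLES)` places sample_a, sample_b and sample_c in one group and sample_d alone, even though only a and b share an imphash.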

Get rich or die trying

Or Eshed • @EshedOr • Checkpoint
Mark Lechtik • @_marklech_ • Checkpoint

While browsing a list of spam emails, the presenters' interest was piqued by a subject line mentioning the company ARAMCO (a petrochemical company), at a time when the news was rife with stories involving this company and Saudi Arabia. Given this particular context, the presenters suspected it might be a somewhat sophisticated attack.

Upon beginning to analyze the infrastructure linked to this spam, analysts discovered that it was distributing relatively common RAT (Remote Access Trojan) malware: NetWire and ISR Stealer. They also identified the distribution of Hawkeye, a keylogger. Analysis of this malware allowed them to discover the credentials of an SMTP server to which the recorded data was sent.

Access to the server allowed them to trace the attacker. It turned out that he was infected with his own malware; the analysts were then able to obtain numerous screenshots of the attacker's system and report the operation to the local authorities.

Ultimately, the campaign was the work of a single individual, far from sophisticated… But it still allowed him to reach many victims.

Exploring a P2P transient botnet

Raimir Holanda • Morphus Lab
Renato Marinho • @renato_marinho • Morphus Lab

The speakers' initial research involved analyzing Mirai's behavior by installing a honeypot on a Raspberry Pi with default credentials. They quickly observed communications attempting to download and execute malware different from the expected type. Since communications to the C&C servers were conducted over HTTPS and relied on a client certificate, they had to implement a system using a local proxy (in this case, Burp) to decrypt the traffic and alter the commands.

This analysis allowed the researchers to register their own machines in the botnet as C&C nodes, in order to measure the extent of the infections.

RetDec: an open-source machine-code decompiler

Jakub Křoustek • @JakubKroustek • Avast
Peter Matula • Avast

The speakers highlighted the benefits of automating decompilation in the context of daily malware analysis: obtaining easily understandable code without needing to be familiar with the machine instructions of the multitude of architectures currently in use (Intel, ARM, 32 and 64-bit platforms, etc.).

Products already exist, such as Hex-Rays, Hopper, Snowman, and BinaryNinja. The speakers' ambitious goal was to create a generic decompiler capable of handling both executables and raw code from various architectures. The task was far from trivial, requiring consideration of different architectures, binary formats, compiler processing, and the obfuscation and packing techniques frequently encountered in malware analysis.

The project is now available online at the following address: https://retdec.com.

The source code has been published on GitHub: https://github.com/avast-tl/retdec

BotLeg project

Karine e Silva • @karunekks • Tilburg University

The speaker presents a research project concerning information sharing between private actors and law enforcement. The central question is: how can information acquired at the edge of legality be shared? It doesn't take much searching to find presentations or publications where security researchers "gain access" to systems controlled by cybercriminals. Strictly speaking, under the laws of some countries, this type of action is illegal and can raise legitimacy issues.

The aim of the project will therefore be to consider a method of sharing and communicating information that guarantees fair treatment of the different parties.

Furthermore, frameworks are emerging to protect researchers. For example, in Europe, Article 6.1.e of the GDPR states that the processing of personal data will be considered lawful if it is carried out in the context of a "task carried out in the public interest".

Use your Enemies: tracking botnets with bots

Jarosław Jedynak • @msmcode • CERT-PL
Paweł Srokosz • @_psrok1 • CERT-PL

The speakers have set up an infrastructure dedicated to botnet analysis. It incorporates an iterative process based on two fundamental steps: the first (called "ripper") consists of extracting indicators of compromise (IoCs), classifying malware, and defining relationships with other samples. The second (called "mtracker") is a modular platform relying on dynamic analyses to identify characteristics specific to the botnet (webinjects, email spam, etc.).

An interesting feature of "mtracker" is its integrated passive DNS infrastructure, allowing it to study the behavior of malware whose domains have been seized or are no longer active. The architecture also includes features to mitigate the side effects inherent in dynamic malware analysis:

  • Outbound throughput is limited, so that a running bot cannot contribute meaningfully to a DDoS;
  • An emulation mechanism allows certain commands (e.g., sending emails) to be recorded without actually being executed.

SOCKS as a Service, botnet discovery

Christopher Baker • Dyn

The speaker presents the results of his team's research on black markets for web proxies, widely used by cybercriminals to circumvent blacklists, geoblocks and generally conceal their activities.

By studying proxy sales platforms and their individual characteristics (geographic distribution, ASNs or IP address ranges used, etc.), they were able to classify and identify the platforms according to their usage. The speaker highlighted, for example, the sale of exit points located within mobile operators' address ranges. In this case, vendors emphasize that these addresses are rarely blacklisted, given that operators have a limited number of addresses and use NAT to provide access to their customers.

Automation of IoT botnets takedown by an ISP

Sébastien Mériot • @smeriot • OVH

The speaker explains that DDoS attacks are very frequent and a major concern for hosting providers and ISPs, given that each attack directly impacts the company's operations. He then discusses IoT botnets and HTTP flood attacks – which, while not particularly sophisticated, are very effective in undermining the overall security of connected devices.

Companies like OVH are also in a privileged position to limit the damage caused by these threats. The speaker presents the steps implemented to quickly identify bots and C&C servers linked to their infrastructure:

  • Open-source searches (e.g., via Shodan) provide results but are not exhaustive;
  • An automated analysis of received samples, focused on the discovery of artifacts such as IP addresses or domain names.

The new era of Android banking botnets

Pedro Drimel Neto • InTELL, FoxIT

The speaker presents the various Android malware observed over the past few years and compares them with more recent examples. Historically, families like Perkele, iBanking, and BankBot were poorly obfuscated, if at all. Their operation relied primarily on intercepting SMS messages to obtain and divert the use of tokens provided by banks for transaction validation.

New malware is more sophisticated. It frequently employs anti-analysis techniques (obfuscation, activation only under specific conditions, etc.), and its functionality relies more on pop-ups displayed in front of legitimate applications, or on code injections directly into web pages displayed by a browser or application.

Hunting down Gooligan

Elie Bursztein • @elie • Google
Oren Koriat • Check Point

The speakers present feedback on the hunt for an Android malware that steals OAuth tokens.

The initial infection systematically occurs through the installation of an infected APK. This is followed by the decoding of the payload, the downloading of an exploit to root the device, the implementation of persistence mechanisms (which even infect the factory reset script!), and finally the installation of the Gooligan malware itself.

The malware injects itself into the Google Play application and uses the user's OAuth token to artificially inflate the popularity of specific applications by rating them and simulating their installation… It is these families of malware that bring malicious clones of popular applications like WhatsApp to the top of search results.

Once the malware was fully analyzed, the botnet could be dismantled. The technical aspect of taking control of the command and control servers was one thing… But it was also necessary to manage the revocation and renewal of the compromised OAuth tokens, a complex step when the user base is spread across multiple continents and speaks a multitude of languages.