Botconf 2014 Conference – Day 1
Intrinsec was present at the second edition of Botconf, which took place from December 3rd to 5th in Nancy. Videos and slides are available at the following address: https://www.botconf.eu/botconf-2014/documents-and-videos/
This report concerns the first day, December 3, 2014.
Botnet Takedowns – Our GameOver Zeus Experience – Benedict Addis (ShadowServer) & Stewart Garrick (UK National Crime Agency – Cybercrime Unit)
Slides: https://www.botconf.eu/wp-content/uploads/2014/12/2014-1.2-Keynote-United-Kingdom%E2%80%99s-National-crime-agency-on-botnet-takedowns.pdf
The speakers present the perspective of law enforcement in operations against the GameOver ZeuS botnet, which appeared in 2011 and was dismantled in 2014.
They revisit the difficulties in understanding this type of threat. Cybercrime does not conform to a traditional pyramidal hierarchy. A botnet is made up of a multitude of machines and operators. Targeting individual elements does not work; they are quickly replaced.
Two aspects are highlighted during the conference: raising awareness among the hierarchy of law enforcement agencies as well as the general public, and the need for international cooperation between government agencies and private security actors; a theme that will be recurrent in the conference.
In order to capture the public's attention, communication in the United Kingdom relied on visible threats. It focused on Cryptolocker, a ransomware deployed on machines previously infected by ZeuS. Even though the threat posed by ZeuS is greater (theft of credentials and bank details), it is easier to refer to it as a ransom demand, easily visible to infected users.
In addition, various channels were used to disseminate information: appearances on television news programs, internal briefings for police officers, and the website "GetSafeOnline" (https://www.getsafeonline.org/). The messages remained simple: "Do not open emails from unknown senders," "Use antivirus software," "Update your software," and "Back up your data."
The campaign results were generally positive: two-thirds of the UK's IP addresses stopped communicating with the sinkholes (fake DNS servers resolving domain names used by bots with unreachable IP addresses) and the use of antivirus software has increased significantly.
From a technical standpoint, computers infected with Cryptolocker communicated with command and control (C&C) servers bearing domain names ending in .com, .net, .biz, .ru, .org, .co.uk, and .info. The GameOver ZeuS botnet itself used peer-to-peer communications.
Several jurisdictions were therefore involved, and a coordinated effort was required to carry out the dismantling operations:
- Private actors intervened to block the peer-to-peer communications;
- In the United States, the courts ordered the Internet registry and about twenty internet service providers to implement sinkholes and block the domains used by the botnet;
- Police forces from eleven countries seized servers.
The "takedown" operation was carried out in one go, to prevent any parts not yet dismantled from being exposed and thus becoming impossible to neutralize directly. During this operation, and to guarantee its effectiveness, all actors shared information continuously.
The main lesson learned is the need for cooperation and trust between international actors, both governmental and private. The speakers cited the example of mandates imposing domain blocking: what will happen when they expire? They addressed this by suggesting the development of an "Internet registry of last resort," an organization that would allow domains used for malicious purposes to be blocked permanently and free of charge.
See also: Analysis of GameOver ZeuS's communication model: http://www.syssec-project.eu/m/page-media/3/zeus_malware13.pdf
Semantic Binary Exploration – Speeding up malware analysis – Laura Guevara & Daniel Plohmann (Fraunhofer)
Slides: https://www.botconf.eu/wp-content/uploads/2014/12/2014-1.3-Semantic-Exploration-of-Binaries.pdf
IDAScope: https://bitbucket.org/daniel_plohmann/simplifire.idascope/overview
The aim of the presentation was to highlight the similar characteristics that can be found during malware analysis, particularly through the use of the Windows API.
Indeed, it is possible to infer the behavior of malware by studying its imports. For example, an executable importing the VirtualAlloc, CreateProcessMemory, and CreateRemoteThread functions has a high probability of performing DLL injection and thus injecting malicious code into other processes.
Obviously, such an analysis is only possible if the malware is not "packed" or if it has been previously "unpacked".
After detecting the likely behavior of malware, its analysis can be accelerated by simplifying the execution flow graph through tracking the possible values assigned to different registers and the values of the strings present in the executable. Furthermore, the acceleration is further enhanced by removing branches from the graph that do not correspond to the inferred behavior.
Finally, the presentation concluded with a demonstration of the IDAScope tool, which integrates this research as well as other tools designed to improve and facilitate binary analysis with IDA:
- YARA signature search;
- identification of cryptographic algorithms;
- Semantic Explorer (the tool presented above);
- function inspector (allowing you to see the calls with their associated parameters);
- integration of MSDN documentation directly into the tool.
HAVEX RAT – The Full Story – Giovanni Rattaro & Renaud Leroy (OpenMinded), Paul Rascagnères (G-Data)
The speakers presented the HAVEX RAT (Remote Access Tool), which was first detected in January 2014. Two months later, the first IOCs (Indicators of Compromise) were published by Giovanni Rattaro (http://pastebin.com/2x1JinJd).
The infection by this malware is believed to have occurred via "water holing" (using legitimate websites as an intermediary to compromise their regular visitors) on energy-related websites.
A technical analysis outlines the main expected features of HAVEX: file upload and download, command execution, etc. However, this RAT also includes modules for interacting with ICS/SCADA systems. Specifically, an OPC scanner has been identified: OPC is a process control standard that bridges software and industrial systems. This module enables the identification of the various PLCs on a given network.
The discovery of this module sparked a buzz and some even went so far as to consider it a new Stuxnet.
The rest of the presentation focuses on the content of the C&C files, and more specifically on the testlog.php file, which contains information about the bots (IP address, user-agent, etc.). The data used by the script is automatically deleted once retrieved. However, information in these files indicates that machines have been infected since 2011.
The presentation concludes with a few figures:
- 92 countries concerned;
- 263 C&C servers identified, of which 56 are still in operation;
- 22,548 bot IP addresses identified.
In conclusion, the concept of a CERT 2.0 is presented. The idea is to improve collaboration and coordination among different communities in order to act more effectively against this type of threat.
The Many Faces of Mevade – Martijn Grooten (Virus Bulletin) & João Gouveia (AnubisNetworks)
Slides: https://www.botconf.eu/wp-content/uploads/2014/12/2014-1.5-The-Many-Faces-of-Mevade.pdf
The speakers presented an analysis of Mevade and its variants. The malware's primary activity is generating fake search results on Bing, Yahoo!, and Google. It is unique in that it uses Tor for its communications with the command and control network.
The analysis relied on a network of probes controlled by AnubisNetworks, located in several countries. These probes primarily sample the DNS and HTTP traffic passing through them. The next step is to analyze this data to detect patterns specific to botnet behavior: domain generation algorithms, geographic distribution of requests, etc.
Other elements of the infrastructure then allow it to act as a sinkhole and to access the data streams destined for the C&C servers.
In the case of Mevade, the initial detection came from DNS queries to .su domains originating from a domain generation algorithm (DGA). The sinkholes put in place made it possible to obtain samples of communications with the C&C in the form of HTTP requests carrying a unique identifier and binary data.
An initial analysis of these communications established that the protocol used was not that of other known botnets (Citadel, Sality, ZeroAccess). Apparently at a dead end, the speakers turned to… Google. By searching for elements found within the collected data, they were able to discover information leading to a new domain under no-ip.biz, distributing adware, and to other domains used by the botnet.
Finally, replaying the requests intercepted by the sinkhole infrastructure generated error messages related to a bitcoin mining protocol.
In conclusion, botnet hunting doesn't necessarily begin with analyzing a malware sample, and can even do without it entirely… as long as the appropriate infrastructure is in place. Public sources of information shouldn't be overlooked, and it's important to keep in mind that adware may carry other malicious payloads besides its advertisements.
Splicing and Dicing 2014: Examining this Year's Botnet Attack Trends – Nick Sullivan (CloudFlare)
Slides: https://www.botconf.eu/wp-content/uploads/2014/12/2014-1.6-Splicing-and-Dicing-2014-Examining-this-Year%E2%80%99s-Botnet-Attack-Trends1.pdf
During this presentation, Nick Sullivan reviewed the 2013-2014 trends in attacks involving botnets.
Four types of attacks are presented:
- DDoS;
- DNS flood;
- HTTP flood;
- sophisticated attacks (weaponized attacks).
The DDoS attacks identified by Cloudflare primarily use amplification and reflection techniques. Originally, these techniques targeted the DNS protocol, but other UDP-based protocols can also be exploited. Since 2013, the NTP protocol has also been used (the Spamhaus attack in March 2013, where traffic reached 400 Gbps). The question remains: which protocol will be exploited next (SNMP?).
DNS flood attacks consist of requests for non-existent subdomains (traditionally randomly generated) that force the resolver to query the zone's authoritative servers, thereby slowing down the whole resolution chain.
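Both the DGA-driven queries that led to Mevade's detection (the .su names above) and the random-subdomain floods described here show up as high-entropy labels in resolver logs. The following detector, an added example that is not from any of the talks or from the tools they presented, scores labels by Shannon entropy and groups NXDOMAIN answers by zone (flood) or by TLD (DGA); the log format and thresholds are assumptions, and the records are constructed.

```python
import math
from collections import defaultdict

# Constructed DNS query records "<client> <qname> <rcode>"; not real traffic.
# Resolver log formats vary, so parse_log() is the part to adapt.
SAMPLE_LOG = """\
10.0.0.5 www.example.com NOERROR
10.0.0.5 mail.example.com NOERROR
10.0.0.7 xk3qz9ab2w.example.com NXDOMAIN
10.0.0.7 p0w7ml1qzr.example.com NXDOMAIN
10.0.0.7 t5hj2nb8ke.example.com NXDOMAIN
10.0.0.7 yq1lv6gs0d.example.com NXDOMAIN
10.0.0.9 ajdk3m9qxw.su NXDOMAIN
10.0.0.9 z8lpo2wq1k.su NXDOMAIN
10.0.0.11 h4rt9cmz6p.su NXDOMAIN
10.0.0.11 updates.vendor.su NOERROR
"""

def entropy(label):
    """Shannon entropy in bits per character; machine-generated labels score high."""
    n = len(label)
    counts = {ch: label.count(ch) for ch in label}
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parse_log(text):
    return [tuple(line.split()) for line in text.splitlines() if line.strip()]

def random_subdomain_floods(records, min_entropy=3.0, min_names=3):
    """DNS flood signature: many distinct high-entropy labels under one zone,
    all NXDOMAIN, so the resolver keeps asking the zone's authoritative servers.
    The zone is taken as the last two labels (refine for registries like co.uk)."""
    per_zone = defaultdict(set)
    for client, qname, rcode in records:
        labels = qname.rstrip(".").split(".")
        if len(labels) >= 3 and rcode == "NXDOMAIN" and entropy(labels[0]) >= min_entropy:
            per_zone[".".join(labels[-2:])].add(labels[0])
    return {zone: len(names) for zone, names in per_zone.items() if len(names) >= min_names}

def dga_candidates(records, min_entropy=3.0, min_clients=2):
    """DGA signature: high-entropy second-level names under one TLD, mostly
    unregistered (NXDOMAIN) and queried by several distinct clients.
    Returns {tld: (distinct domains, distinct clients)}."""
    per_tld = defaultdict(lambda: (set(), set()))
    for client, qname, rcode in records:
        labels = qname.rstrip(".").split(".")
        if len(labels) == 2 and rcode == "NXDOMAIN" and entropy(labels[0]) >= min_entropy:
            domains, clients = per_tld[labels[1]]
            domains.add(qname)
            clients.add(client)
    return {tld: (len(d), len(c)) for tld, (d, c) in per_tld.items() if len(c) >= min_clients}
```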
On the HTTP protocol, DDoS attacks are also carried out using random URI requests. It is therefore possible to implement filtering on the user-agent or based on recurring patterns identified during the attack. However, this type of attack remains dangerous when large botnets are involved. Cloudflare has observed attacks involving between 1,000 and 50,000 bots.
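The filtering options mentioned above (user-agent and recurring request patterns) can be derived from the access log itself. The following script is an added example, not CloudFlare's code: it flags clients whose requests are almost all distinct URIs, generalizes their URIs into a regular expression, and lists user-agents used only by flagged clients. Log format, thresholds and sample lines are constructed assumptions.

```python
import os
import re
from collections import defaultdict

# Constructed access-log lines "<client> <uri> <user-agent>"; not real traffic.
SAMPLE_LOG = """\
203.0.113.10 /?q=a8f3k2 Mozilla/5.0 (compatible; Flooder/1.0)
203.0.113.10 /?q=zz91pq Mozilla/5.0 (compatible; Flooder/1.0)
203.0.113.10 /?q=m0x7ye Mozilla/5.0 (compatible; Flooder/1.0)
203.0.113.10 /?q=q4tl8b Mozilla/5.0 (compatible; Flooder/1.0)
203.0.113.11 /?q=b7hn2c Mozilla/5.0 (compatible; Flooder/1.0)
203.0.113.11 /?q=x2ke9s Mozilla/5.0 (compatible; Flooder/1.0)
203.0.113.11 /?q=r5dw1m Mozilla/5.0 (compatible; Flooder/1.0)
203.0.113.11 /?q=c9ua6f Mozilla/5.0 (compatible; Flooder/1.0)
198.51.100.7 /index.html Mozilla/5.0 (X11; Linux)
198.51.100.7 /about.html Mozilla/5.0 (X11; Linux)
198.51.100.7 /index.html Mozilla/5.0 (X11; Linux)
"""

def parse_log(text):
    return [tuple(line.split(None, 2)) for line in text.splitlines() if line.strip()]

def flooding_clients(records, min_requests=4, min_distinct_ratio=0.9):
    """Random-URI flood signature: a client sending many requests, nearly all
    of them to URIs it has never requested before (cache misses by design)."""
    per_client = defaultdict(list)
    for client, uri, _ua in records:
        per_client[client].append(uri)
    return {c for c, uris in per_client.items()
            if len(uris) >= min_requests and len(set(uris)) / len(uris) >= min_distinct_ratio}

def uri_pattern(uris):
    """Generalize the flooders' URIs into a regex: shared prefix plus a
    fixed-length alphanumeric tail. Returns None if no such pattern holds."""
    prefix = os.path.commonprefix(uris)
    tails = [u[len(prefix):] for u in uris]
    if not prefix or len({len(t) for t in tails}) != 1 or not all(t.isalnum() for t in tails):
        return None
    return "^" + re.escape(prefix) + "[A-Za-z0-9]{%d}$" % len(tails[0])

def user_agent_filter(records, flooders):
    """User-agents seen only from flagged clients: candidates for a filter rule."""
    clients_by_ua = defaultdict(set)
    for client, _uri, ua in records:
        clients_by_ua[ua].add(client)
    return sorted(ua for ua, clients in clients_by_ua.items() if clients <= flooders)

def analyze(text):
    recs = parse_log(text)
    flooders = flooding_clients(recs)
    pattern = uri_pattern([uri for c, uri, _ in recs if c in flooders])
    return flooders, pattern, user_agent_filter(recs, flooders)
```

The pattern is only a candidate rule; validate it against normal traffic for the same path before deploying it.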
As for threats over IPv6, according to CloudFlare these constitute only 0.05% of malicious traffic.
Finally, more complex attacks are also used. These rely primarily on web vulnerabilities from the OWASP Top 10, such as Shellshock or Heartbleed. Studies show that scans can begin as early as one hour after a vulnerability is published.
Virus Tracker – Peter Kleissner (Kleissner & Associates)
Slides: https://www.botconf.eu/wp-content/uploads/2014/12/2014-1.7-Virus-Tracker.pdf
The speaker presents his company, which specializes in botnet monitoring, looks back on its creation in 2012 and gives feedback on the difficulties encountered.
The principle is to create and maintain a database of botnets in order to then attribute samples of suspicious traffic to a specific malware or botnet. The objectives are then to enable the monitoring of botnet evolution, the sharing of data with clients and the general public, and the prevention of attacks against potentially affected organizations.
For a small organization with limited resources in terms of time, money, and equipment, the following problems arose:
- The different operating modes of botnets must be taken into account: HTTP, peer-to-peer, IRC, raw TCP, etc.;
- An initial entry point must be discovered for each botnet: analyzing the domain generation algorithm (DGA), finding the initial peers of peer-to-peer bots, etc.;
- Sinkholing comes at a cost: approximately €6 per year per domain name. This amount becomes significant when thousands of names need to be registered;
- Botnets sometimes implement protections: authentication to defeat crawling of peer-to-peer botnets, blocking of traffic to specific domains to defeat sinkholing, etc.;
- Scalability of the information storage must be taken into account;
- Legal aspects may come into play: handling of complaints if domains are seized in dismantling operations or added to blacklists.
The solution offered by the speaker: automate as much as possible, using tools developed specifically in-house: crawlers to browse peer-to-peer botnets, domain registration tooling, filters on data collection to store only relevant information…
To extract information from the collected data, a correlation and visualization tool was implemented. In the future, the speaker also plans to make the information available to the general public via an API.
Discussions following the talk also highlighted a service that indexes domain names used for sinkholing so that they are not added to blacklists: https://sinkdb.abuse.ch
How to dismantle a botnet: legal aspects behind the scenes – Karine e Silva (PhD student at Tilburg University (Netherlands) – @kar1nekks)
Slides: https://www.botconf.eu/wp-content/uploads/2014/12/2014-1.8-How-to-Dismantle-a-Botnet-the-Legal-Behind-the-Scenes.pdf
The speaker presents the legal aspects of dismantling operations, what makes them possible, and the differences in approach between Europe and the United States. She draws on two case studies: GameOver ZeuS and Bredolab.
The United States has been heavily involved in actions against GameOver ZeuS. Government agencies have pursued three main lines of action:
- Legitimizing their jurisdiction: as long as American citizens are infected, American law allows for prosecution of the perpetrator, even if they reside in a foreign country;
- Launching destabilization actions: the FBI has issued an arrest warrant against the alleged creator of the botnet;
- Cooperating with agencies from other countries: joint actions have been launched with several European countries.
The actions against Bredolab were primarily carried out by the Netherlands:
- The cybercrime branch of the Dutch police launched an operation resulting in the takeover of the botnet.
- The authorities then directly used the C&C interface to inform affected users.
In both cases, the operations were "intrusive" for end users from a privacy standpoint. While feedback on the operation in the United States was generally positive, the Dutch authorities were criticized for their intrusion into victims' systems, even if their intention was benevolent.
These results illustrate the differences in perceptions across cultures, and highlight the difficulty for authorities to protect citizens without infringing on their right to privacy.
See also: A publication by the speaker on the European approach to cybersecurity: http://policyreview.info/articles/analysis/europes-fragmented-approach-towards-cyber-security
Lightning talks – first session
Similar to SSTIC, the lightning talks let a speaker present a topic in three minutes.
Jumping over the airgap with Fancy Bear: presentation of the Fancy Bear malware, which is capable of infecting a computer not connected to the Internet via USB key and of sending and receiving commands via this medium.
3-Minute Incident Handling: a tool for representing network communications as a graph and comparing them with known malware sources: Malcom (https://github.com/tomchop/malcom).
Coordinated Malware Eradication: Microsoft has launched a project to provide assistance and exchange in the fight against cybercrime (http://www.microsoft.com/security/Portal/mmpc/cme/malware_eradication.aspx).
Qakbot: presentation of the evolution of data storage in the Qakbot malware, which in its latest version uses an encryption scheme based on RC4.
Auto decryption of malware samples: presentation of a tool allowing the unpacking, decryption and recovery of configuration files as well as webinjects from banker-type malware.
Macaroni: presentation of a browser extension that works with VirusTotal and allows tag-based searches.
Data at scale: discussion about migrating simple data to standard "big data" types by adding a layer of abstraction on top of the raw data.
