Botconf 2014 Conference – Day 2

Intrinsec was present at the second edition of Botconf, which took place from December 3rd to 5th in Nancy. Videos and slides are available at the following address: https://www.botconf.eu/botconf-2014/documents-and-videos/

This report covers the second day, December 4, 2014.

Feedback on WinDBG usage – Paul Rascagnères (G-Data)

Slides: https://www.botconf.eu/wp-content/uploads/2014/12/2014-2.1-Workshop-Feedback-on-Windbg-Usage.pdf

During this workshop (which turned out to be more of a presentation), Paul Rascagnères presented WinDBG, a debugger developed by Microsoft.

The tool can debug both user-level software and the Windows kernel; according to the speaker, its main advantage is that it is the only tool capable of debugging the Windows kernel.

Paul Rascagnères then points out that two approaches are possible:

  • Live debugging: dynamic; can be used to debug a remote machine. The process is very slow, but certain tools or configurations can speed it up.
  • Debugging a Windows memory image (crash dump): static; only a snapshot of the system at a given moment is available.

Next, the main commands were presented.

Finally, the use of the tool is illustrated on the Uroboros malware, which uses a fake driver to conceal its activities.

A timeline of mobile botnets – Ruchna Nigam (Malware Analyst, Fortiguard Labs) – @_r04ch_

The speaker begins by outlining a timeline of malware targeting mobile devices:

  • 2009: the first bots for Symbian and iOS appear;
  • 2010: a Symbian version of ZeuS complements the PC version of the banker: to bypass the protection mechanisms put in place by banks, it intercepts the SMS confirmation codes used to protect transactions. BlackBerry, Windows CE and Android versions were developed in the following two years;
  • 2012-13: years marked by numerous banker malware families;
  • 2014: ransomware arrives on mobile devices with Pletor.

Today, 93% of mobile malware targets Android. This figure is likely related to the ease of development and the market share that this platform represents.

Regarding C&C communications, the majority of bots communicate via HTTP, with a small percentage using HTTPS. The rest rely on SMS, and a small number of malware programs combine HTTP and SMS.

Various types of malware typically include spying capabilities (geolocation tracking, SMS collection, call monitoring) or financial features (sending SMS messages to premium-rate numbers, intercepting bank verification SMS messages). They also frequently exhibit features that allow them to spread to other devices.

Some bots have special features:

  • Tascudap is used to launch DDoS attacks;
  • Twikabot uses Twitter notifications as its C&C channel;
  • NotCompatible acts as a proxy and redirects all of the device's communications to the C&C servers;
  • Claco is a PC malware that deploys its mobile version when a device is connected via USB.

Bots generally demonstrate a low level of maturity in their use of cryptography. They often employ easily broken, homemade encryption algorithms, or simple symmetric algorithms (XOR, DES) with hard-coded keys.

As for distribution methods, malware can take the form of seemingly harmless applications distributed via websites or app stores. Some also spread when a device is connected to an infected PC.

In some cases, targeted distribution methods were used. Two examples are presented:

  • Participants in a World Uyghur Congress conference received an email whose attachment claimed to be the official application for following the conference;
  • Protesters during the autumn 2014 events in Hong Kong received seemingly legitimate WhatsApp messages that contained the AndroRAT spyware.

In conclusion, the speaker indicated that mobile botnets are a reality, not simply a subject of academic research. Furthermore, they exhibit greater resilience potential than their "fixed" counterparts due to the larger number of channels available for command and control (C&C).

The speaker also outlines possible developments: a rise in cross-platform attacks (such as the USB infections mentioned earlier) can be expected, paralleling the rise of connected objects.

Analysts will need to turn to new methods, for example, studying the possibilities of detecting malicious behavior at the mobile network level.

Ad Fraud Botnets – Oleksandr Tsvyaschenko & Sebastian Millius (Google)

At the beginning of this presentation, the ZeroAccess malware (a click-fraud botnet) is introduced. It has infected more computers than Zeus and is estimated to be responsible for approximately 150 million requests per day, generating 14,000 to 50,000 in daily revenue for its operators. The money obtained from these campaigns is then reinvested in underground markets, hence the importance of limiting this type of fraud.

Next, the functioning of the advertising ecosystem is presented. Initially, it was simple and based on an "advertiser" and a "publisher", but in order to facilitate the management of publications, intermediaries called "networks" were added.

Several payment systems exist: CPC (Cost per click), CPM (Cost per 1000 impressions, meaning that the display of 1000 advertisements is paid for) and finally CPE (Cost per engagement).

Within this ecosystem, each entity tries to make money, which gives some of them an incentive to commit fraud.

In the second part of the presentation, the emphasis is placed on the difficulty of filtering this type of fraud: the malware randomly changes its user agent, drives real browser functions, and even simulates mouse movements (following increasingly complex algorithms).

Finally, the authors explain the takedown of ZeroAccess in December 2013 but note that it has been back in service since March 21, 2014. Emphasis is then placed on the difficulties in finding those responsible given the ecosystem.

Once again, the presentation ends with a request for more collaboration within the community and with law enforcement.

CONDENSE: a graph based approach for detecting botnets

Pedro Camelo – Specialized Master's degree from the University of Lisbon – AnubisNetworks R&D Team

João Moura – PhD student in artificial intelligence at the University of Lisbon – AnubisNetworks R&D Team

Professor Ludwig Krippahl – Doctor of Biochemistry – Specialized Master's degree in Applied Artificial Intelligence from the University of Lisbon

The speakers present their work on new methods for detecting botnets. Leveraging AnubisNetworks' sinkholing infrastructure, they develop the following aspects:

  • Analysis and classification of intercepted communications according to recurring patterns;
  • Statistical studies on domain names to identify those used by bots;
  • Organizing the collected data into graphs to extract new information through specific queries.

The analysis methods use principles from artificial intelligence research, such as neural networks to learn patterns in traffic analysis.

These methods are not infallible; they are hampered by malware evasion techniques and the fact that botnet topologies can vary radically from one botnet to another. They also generate a very large amount of data. These issues are addressed by complementary approaches: correlation of relevant information (chronological evolution of botnet behavior), consideration of malware analysis work from the community, and development of new machine learning methods.

APT investigation backstage – Ivan Fontarensky & Ronan Mouchoux (Airbus Defense and Space)

The aim of this conference was to present the various questions that may arise during the investigation of an APT-type threat.

First, the authors outlined how an investigation might begin: by encountering suspicious data, such as an IP address, an executable file, or login credentials. These suspicious elements can then be qualified using a knowledge base (reputation, skills, motivation) or through behavioral analysis: the use of anonymous servers or encryption, for instance, indicates suspicious behavior. Similarly, someone offering services paid for in bitcoins generally raises red flags.

Once a lead has been identified, it's time to choose your team. The authors then explained how important this step is: the larger the team and the broader its range of skills, the more difficult it becomes to communicate and share knowledge within it. Hence the importance of sharing progress as often as possible and using the same tools to facilitate the assembly and consolidation of results.

Finally, once the investigation is complete and the reports are finalized, it's important to consider data anonymization. This includes the attacker's data; after all, they also have a right to privacy. Furthermore, regarding attribution, when is it necessary to attribute a campaign to a specific entity? For what purpose? And finally, when can campaign information be published without jeopardizing the work already completed?


Middle Income Malware Actors in Poland – VBKlip and Beyond

Łukasz Siewierski – CERT-PL – @maldr0id – maldr0id.blogspot.com

The speaker demonstrates that not all malware is created equal. He compares FinFisher and Citadel, highly advanced but difficult-to-access malware, to VBKlip and Aux Logger, which have much more basic functionalities but are more visible.

The principle behind VBKlip is simple: it monitors the clipboard contents of the infected machine and, when it detects a pattern matching a bank account number, replaces the string with the number of an account controlled by the attacker. Even though its malicious capabilities are rudimentary, the malware was developed cleanly: it uses a dropper, can spread on its own, and has an SMTP notification system for the botnet controller. The infection vectors are also simple, generally involving spam targeting Polish users.
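The VBKlip swap can be caught from the defender's side by comparing what the user copied with what the clipboard hands back at paste time. The following is an added example, not code from the talk or from CERT-PL: it extracts account numbers from both texts, validates them with the IBAN mod-97 checksum so that ordinary digit strings are ignored, and reports a swap when the set of accounts changed. Bare 26-digit Polish account numbers (NRB) are treated as IBANs with the PL prefix; the invoice text and the attacker's account number below are constructed sample values (both pass the checksum, as a real attacker's account would).

```python
"""Detecting a clipboard account-number swap of the VBKlip kind (added example)."""
import re

# IBAN: country code, two check digits, then 11-30 alphanumerics, usually in groups of four.
IBAN_RE = re.compile(r"\b[A-Z]{2}\d{2}(?: ?[A-Z0-9]{4}){2,7}(?: ?[A-Z0-9]{1,3})?\b")
# Polish domestic account number (NRB): 26 digits, the IBAN without the "PL" prefix.
NRB_RE = re.compile(r"\b\d{2}(?: ?\d{4}){6}\b")


def iban_valid(iban: str) -> bool:
    """ISO 13616 check: move the first four characters to the end, map letters to
    10..35, and require the resulting integer to be 1 modulo 97."""
    s = iban.replace(" ", "").upper()
    if not 15 <= len(s) <= 34 or not s.isalnum():
        return False
    if not (s[:2].isalpha() and s[2:4].isdigit()):
        return False
    rearranged = s[4:] + s[:4]
    digits = "".join(str(int(ch, 36)) for ch in rearranged)
    return int(digits) % 97 == 1


def find_accounts(text: str) -> list[str]:
    """Return the normalised, checksum-valid account numbers found in text,
    in order of first appearance. Bare NRBs get the PL prefix."""
    candidates = [m.group(0).replace(" ", "").upper() for m in IBAN_RE.finditer(text)]
    candidates += ["PL" + m.group(0).replace(" ", "") for m in NRB_RE.finditer(text)]
    unique = []
    for acct in candidates:
        if acct not in unique and iban_valid(acct):
            unique.append(acct)
    return unique


def clipboard_tampered(copied: str, clipboard_now: str) -> dict:
    """copied: the text a trusted application placed on the clipboard (for example
    a payee account copied from an invoice); clipboard_now: what the paste target
    receives. A swap is reported when the copied text contained an account number
    and the clipboard no longer holds the same set of account numbers."""
    expected = find_accounts(copied)
    actual = find_accounts(clipboard_now)
    return {
        "tampered": bool(expected) and expected != actual,
        "expected": expected,
        "actual": actual,
    }


# Constructed sample: the account copied from an invoice, and what a VBKlip-style
# hijacker would leave in the clipboard (a different, equally valid account number).
INVOICE_TEXT = "Pay to: PL61 1090 1014 0000 0712 1981 2874"
SWAPPED_TEXT = "Pay to: PL34 1090 1014 0000 0712 1981 2875"

if __name__ == "__main__":
    print(clipboard_tampered(INVOICE_TEXT, SWAPPED_TEXT))
```

In practice the "copied" snapshot comes from the application that wrote to the clipboard (or from a clipboard-history hook), and the comparison runs when the banking form receives the paste; the checksum step matters because it keeps invoice numbers and phone numbers from triggering alerts.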

The speaker illustrates the simplicity of such malware by showing the source code of a .NET derivative of VBKlip, the entirety of which fits on about ten lines. He then presents other malware from the same family:

  • Banatrix, which attaches itself to web browser processes and searches their memory directly for patterns corresponding to account numbers;
  • Bitcurex, which searches for and replaces Bitcoin wallet identifiers;
  • Aux Logger and Carbon Grabber, which focus on recording keystrokes and capturing screenshots.


Bypassing sandboxes for fun – Paul Jung (Excellium)

The speaker begins by reiterating the main advantage of using sandboxes: saving time. Malware is almost always obfuscated by one or more layers of packing, and analyzing everything manually is very time-consuming. Malware authors, for their part, seek to detect sandboxes so that they only execute on the desired targets, slowing down analysts and gaining time to propagate their payload.

How does one detect a sandbox? By looking for the characteristics of virtualized environments: specific services, files or tools (e.g., VMware Tools), registry entries, MAC addresses specific to certain manufacturers, serial numbers (hard drives, operating system), browsing history, running applications, membership in a Windows domain, user interactions, etc.

Checking these elements through the documented APIs is generally doomed to failure: sandboxes place hooks on these functions and detect the probing. The idea is therefore to use indirect means to identify or disrupt the sandboxes, including:

  • Use undocumented features of certain hypervisors;
  • Analyze the results of the x86 CPUID instruction (value of the hypervisor attribute, inconsistent cache memory values, etc.);
  • Read the Process Environment Block (PEB) to extract the number of cores and processors;
  • Walk the PEB's LDR structure, which lists the loaded DLLs, to detect modules specific to sandboxes;
  • Exploit the behavior of hooked functions: for example, run a long sleep in parallel with a shorter operation (e.g., resolving a domain name). If the sleep ends first, it is obviously hooked.

For analysts, it is therefore necessary to emulate as much as possible a non-virtualized environment to fool malware: configure several processors, check the consistency of CPUID results, never install tools on guest systems, make an image of a real workstation, etc.

In conclusion, the speaker points out that sandboxes are not magic and should be trusted no more than antivirus software. He directs the audience to numerous resources that can be used to harden sandbox configurations.


Learning attribution techniques by researching a Bitcoin stealing cybercriminal – Mark Arena (INTEL471)

The conference presented by Mark Arena also addressed the topic of attribution, which involves examining an incident and trying to discover who was responsible and why. Knowing only the identity or email address of an attacker is not enough; it is also necessary to know their motive and the methodologies used. Sometimes, the reuse of an email address, password, or username can reveal that multiple attacks were carried out by the same entity.

Later in the presentation, the author illustrated the attribution process with the story of a Bitcoin thief distributing malware that steals Bitcoin wallets (wallet.dat) as well as other cryptocurrencies. Based solely on a victim's forum comment containing a username and wallet credentials, Mark Arena was able (using tools like Google, DomainTools, etc.) to find other victims, VirusTotal scans, additional usernames, and even comments in French presumably posted by the attacker on Bitcoin forums.

However, even knowing about the malware and an infection method (binaries placed on sharing servers), the author still does not know who is behind the keyboard, even though their nationality seems to have been discovered.


The Russian DDoS One: Booters to Botnet – Dennis Schwartz (Arbor Networks)

The presentation focused on DDoS services available on the internet (primarily in Russia). Indeed, with the right knowledge, it's possible to find platforms offering paid DDoS attacks. It was interesting to learn that a one-hour DDoS attack against a target can cost between $5 and $15. Like any business, these platforms vary their prices and services (ICMP flood, HTTP flood, DDoS duration, etc.).

Naturally, the administrators of such platforms are wary: communications are mainly conducted via ICQ, Jabber or Skype, which are not easy to trace.

Next, the author presented various platforms offering this type of service, such as Stelios, Ayabot, and Copyleft. Most of these services rely on botnets. The structure of each service and the operation of its botnets were explained for each platform.


Chinese Chicken: Multiplatform DDoS Botnets – Peter Kalnai & Jaromir Horejsi (Avast)

Slides: https://www.botconf.eu/wp-content/uploads/2014/12/2014-2.10-Chinese-Chicken-Multiplatform-DDoS-Botnets.pdf


We remain in the realm of DDoS attacks with this presentation. However, we are dealing with botnets based on Unix systems.

First, the authors present the different means of infection:

  • Exploitation of vulnerabilities such as Shellshock or flaws in Apache Struts, Apache Tomcat, Elasticsearch, etc.;
  • SSH brute force.

Next, different tools are presented for performing port scans (ScanPort or WinEggDrop) and SSH brute-force attacks (SSH2.1, DUBrute). Then, the various payloads and their characteristics are presented:

  • Elknot
  • Bill Gates
  • Mr Black
  • IptabLes/IptabLex
  • DDoS
  • gh0st RAT

Finally, the presentation concludes with the targets of these botnets, which are mainly online gaming sites, casinos, e-commerce sites, or forums.

Ponmocup Hunter 2.0 — The Sequel – Tom Ueltschi

The author, having already presented the Ponmocup botnet at the previous Botconf, focused this year on the infection procedure and the network structure of the botnet.

To compromise new clients, the botnet uses compromised websites. These websites host an .htaccess file that filters clients based on their User-Agent and redirects them to an exploit kit. Using an .htaccess file for the redirection makes it possible to infect even clients arriving from search engines. The exploit kit used in this case is Zuponcic: when a user visits the website, it tests a large number of different exploits to execute code on the client machine and thus infect it.

Next, the author presented a technique used by Ponmocup's C&C servers to limit the effectiveness of sinkholing. When the malware makes a request to the C&C server, an encrypted resource is placed in a cookie. This resource is then decrypted using DNS resolution and the C&C server's IP address.
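Website owners can look for this kind of conditional redirection themselves. The following is an added example, not from the talk: a scanner for .htaccess files that reports every RewriteRule whose target is an absolute URL and whose preceding RewriteCond lines test the User-Agent or the Referer. Flagging Referer conditions that name search engines, and User-Agent conditions that exclude crawlers, is my own heuristic for the "even clients coming from search engines" behaviour described above; the sample .htaccess is constructed and redirector.example is a placeholder host.

```python
"""Flagging .htaccess rules that redirect visitors by User-Agent or Referer (added example)."""
import re

SEARCH_ENGINE_HINTS = ("google", "bing", "yahoo", "yandex", "baidu")
CRAWLER_WORDS = ("bot", "crawl", "spider")

# Assumption: a cloaking rule is one or more RewriteCond lines on a request header,
# followed by a RewriteRule that sends the client to another site.
COND_RE = re.compile(r"^\s*RewriteCond\s+%\{(\w+)\}\s+(\S+)", re.IGNORECASE)
RULE_RE = re.compile(r"^\s*RewriteRule\s+(\S+)\s+(\S+)", re.IGNORECASE)
HEADER_VARS = ("HTTP_USER_AGENT", "HTTP_REFERER")


def suspicious_rules(htaccess: str) -> list[dict]:
    """Return one finding per RewriteRule with an absolute-URL target whose
    conditions (since the previous RewriteRule) test the User-Agent or Referer."""
    findings = []
    pending = []  # (line, variable, pattern) for RewriteCond lines not yet consumed
    for lineno, line in enumerate(htaccess.splitlines(), 1):
        cond = COND_RE.match(line)
        if cond:
            pending.append((lineno, cond.group(1).upper(), cond.group(2)))
            continue
        rule = RULE_RE.match(line)
        if not rule:
            continue  # comments, blank lines, other directives
        target = rule.group(2)
        header_conds = [(var, pat) for _, var, pat in pending if var in HEADER_VARS]
        pending = []  # conditions apply only to the next RewriteRule
        if not header_conds or not target.lower().startswith(("http://", "https://", "//")):
            continue
        findings.append({
            "line": lineno,
            "target": target,
            "conditions": header_conds,
            # Referer matched against search-engine names: visitors from search results
            "search_engine_referer": any(
                var == "HTTP_REFERER" and any(h in pat.lower() for h in SEARCH_ENGINE_HINTS)
                for var, pat in header_conds),
            # Negated User-Agent match on crawler names: keeps the redirect out of indexes
            "crawler_excluded": any(
                var == "HTTP_USER_AGENT" and pat.startswith("!")
                and any(w in pat.lower() for w in CRAWLER_WORDS)
                for var, pat in header_conds),
        })
    return findings


# Constructed sample: a cloaking block followed by a benign canonical-host redirect.
SAMPLE_HTACCESS = r"""
# redirector.example is a placeholder for the attacker-controlled host
RewriteEngine On
RewriteCond %{HTTP_REFERER} (google|bing|yahoo)\. [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (MSIE|Firefox|Chrome) [NC]
RewriteCond %{HTTP_USER_AGENT} !(bot|crawl|spider) [NC]
RewriteRule ^(.*)$ http://redirector.example/in.php?q=$1 [R=302,L]

# benign: conditions on HTTP_HOST only, not on request headers of interest
RewriteCond %{HTTP_HOST} ^example\.org$ [NC]
RewriteRule ^(.*)$ https://www.example.org/$1 [R=301,L]
"""

if __name__ == "__main__":
    for finding in suspicious_rules(SAMPLE_HTACCESS):
        print(finding)
```

Run it over every .htaccess under the document root (attackers often drop them in subdirectories); a hit with both flags set is close to certain cloaking, while a plain User-Agent redirect to an external site still deserves a look.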

Finally, the presentation ends with statistics measured by Passive DNS which indicate that millions of computers are still infected by this malware today.

Lightning talks – second session

The second lightning talk session covers the following topics:

Hidden C&C by Peter Wälti: presentation of a sample of obfuscated PHP malware whose operation the speaker did not understand, even after code transformations, until he realized that the communications were "encrypted" in whitespace.

Unusual Android malware by Łukasz Siewierski: a preliminary analysis of a sample obtained from VirusTotal. It is an Android malware, but its functionality is written in Lua and executed by .NET through the Mono for Android library. The speaker is struggling with the analysis of this layer and asks analysts who have previously encountered this type of malware to contact him.

Grading Intelligence in the UK system by Stewart Garrick: presentation of the intelligence evaluation model used between British agencies. The evaluation is done according to a 5x5x5 "grid":

  • Source quality (A-E): from "reliable" to "unknown";
  • Quality of information (1-5): from "certainly true" to "appears false";
  • Sharing protocol (1-5): from "information can be shared with other agencies" to "specific procedure to be followed".

This protocol is compatible with the Traffic Light Protocol (TLP). The speaker also encourages those interested to examine the Admiralty and NATO codes.

Stop using MD5 by Nick Sullivan: a practical demonstration of why MD5 should be abandoned, using the HashClash website, which generates collisions for two arbitrary input files.

Radare2 by Maxime Morin: Presentation of the radare2 tool and new features, call for contributions from motivated individuals.

Water torture by Pierre-Edouard Fabre: presentation of a type of denial-of-service attack used by botnets, namely DNS saturation, previously described by CloudFlare.
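A "water torture" flood is visible in resolver logs as a stream of never-repeating subdomains under one victim zone. The following is an added example, not from the lightning talk or from CloudFlare: it parses BIND-style query log lines, groups queries by zone, and raises an alert when a zone receives many queries whose names almost never repeat and whose leftmost label looks random (high character entropy). The log lines are constructed; the addresses and domain names are documentation values, and the two-label zone split is a simplification that a public-suffix list would replace in production.

```python
"""Spotting a DNS random-subdomain ("water torture") flood in a query log (added example)."""
import hashlib
import math
import re
from collections import defaultdict

# BIND querylog line: "... client [@0x...] 198.51.100.1#40000 (name): query: name IN A +..."
LOG_RE = re.compile(r"client (?:@\S+ )?(?P<ip>[\d.]+)#\d+.*?: query: (?P<qname>\S+) IN (?P<qtype>\S+)")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random hex labels score around 3.5, 'www' scores 0."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(s.count(ch) / n * math.log2(s.count(ch) / n) for ch in set(s))


def split_zone(qname: str) -> tuple[str, str]:
    """Return (leftmost_label, zone), treating the last two labels as the zone
    (assumption: zones like target.example; use a public-suffix list for real data)."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return labels[0], ".".join(labels[-2:])


def analyse(log_lines, min_queries=20, unique_ratio=0.8, min_entropy=3.0) -> list[dict]:
    """Per zone: count queries, distinct names, source clients and mean label entropy;
    alert when names almost never repeat and labels look random."""
    stats = defaultdict(lambda: {"queries": 0, "names": set(), "clients": set(), "entropy": 0.0})
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        label, zone = split_zone(m["qname"])
        if not label:
            continue  # apex queries carry no subdomain to judge
        s = stats[zone]
        s["queries"] += 1
        s["names"].add(m["qname"].lower())
        s["clients"].add(m["ip"])
        s["entropy"] += shannon_entropy(label)
    alerts = []
    for zone, s in stats.items():
        if s["queries"] < min_queries:
            continue
        ratio = len(s["names"]) / s["queries"]
        mean_entropy = s["entropy"] / s["queries"]
        if ratio >= unique_ratio and mean_entropy >= min_entropy:
            alerts.append({"zone": zone, "queries": s["queries"], "unique_ratio": round(ratio, 2),
                           "mean_label_entropy": round(mean_entropy, 2), "clients": len(s["clients"])})
    return alerts


def build_sample_log() -> list[str]:
    """Constructed log: 60 flood queries with pseudo-random labels from three sources,
    then 30 ordinary queries that keep hitting the same three hostnames."""
    lines = []
    for i in range(60):
        label = hashlib.sha256(f"flood-{i}".encode()).hexdigest()[:16]
        lines.append(f"04-Dec-2014 10:00:{i % 60:02d}.000 client 198.51.100.{i % 3 + 1}#{40000 + i}: "
                     f"query: {label}.target.example IN A +")
    for i in range(30):
        host = ("www", "mail", "vpn")[i % 3]
        lines.append(f"04-Dec-2014 10:00:{i % 60:02d}.000 client 192.0.2.10#{50000 + i}: "
                     f"query: {host}.corp.example IN A +")
    return lines


SAMPLE_LOG = build_sample_log()

if __name__ == "__main__":
    for alert in analyse(SAMPLE_LOG):
        print(alert)
```

On a recursive resolver the same statistics also identify which clients (often infected home routers) are generating the flood, so they can be rate-limited per zone without cutting off the legitimate names under it.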