From December 1st to December 3rd was the third edition of the Botconf, it was my first time, and it was incredible. I met a lot of highly interesting people, masters in their fields and was lucky enough to assist to all the talks and hear about visions and projects regarding Botnets.
What is the Botconf?
Botconf is a security conference centered on Botnets; speakers were security professionals, security researchers and academics.
A botnet is a network of compromised computers controlled by an attacker. Compromised computers can be used for a multitude of purposes, from sending Spam to performing Distributed Denial of service against a website.
The conference was hosted by Google France in their Paris headquarters this year, with the support of numerous sponsors, including SEKOIA.
The social event was at the top of the national library with a breathtaking view of Paris at night.
I’ll definitely do my best to go back to the Botconf in 2016.
This was the third time that Ponmocup was presented at the Botconf. The previous two times, Ponmocup was presented by Maartin van Dantzig, this time Yonathan Klijnsma presented the research he has done based on Maartin’s work.
Ponmocup is a botnet that has been in operation since 2009, the total victim count is over 15 million, and there are currently around half a million active bots.
The bot is built with a multipurpose framework; there are around 25 modules available (with approximately 4000 versions of these plugins).
Among the different functionalities offered by the multiples plugins, we can find: ftp credentials stealer, antivirus killer, bitcoin wallet grabber and more …
The first objective of this botnet is a financial one, with a strong part of it being exploited for advertisement fraud.
You can find the full report of the investigation here:
This talk was done by Franck Denis, who works for OVH.
The key point of this talk evolves around the blocking of IPs that is used for malicious purposes (either directly by the attacker, or legit site / IP / domains compromised and used by attackers).
Today most feeds of information do not allow the creation of a timeline; Franck presented his solution, DIP.
DIP can be used by an Internet Service Provider to affect a status to an incident on an IP / domain / URL, and allocate a unique ID which will provide a complete timeline of the incident. In other words, an incident handler using DIP could know if the owner of the site / URL / domain is informed of the status of the incident (for example, that the traffic is suspended, that the IP has changed owner, the incident is over and the IP / domain / URL is now clean.
A prototype is available on GitHub for testing.
github.com/dip-prot/eris: prototype to run queries on dip
Slides for the presentation available here: https://www.botconf.eu/wp-content/uploads/2015/12/OK-P03-Frank-Denis-The-missing-piece-in-threat-intelligence.pdf
Daniel Plohman from Fraunhofer FKIE presented his research on DGA (Domain Generation Algorithm) and the tool he develops and maintains: DGArchive.
His starting point is that looking at the domain is not enough to determine if the domain is created by a DGA.
He presented the different types of DGA, a short history on malware using DGA (like Sality in 2006, Torpig in 2007 until today).
And then presented DGArchive more thoroughly, today there are 43 families of malware, 280 seeds and 20+ millions of domains in the database.
It’s important to note that DGarchive is not publicly available. Daniel is filtering who can access it.
DGarchive can be used to query if the domain is from a DGA or not, the response also contains the period of validity.
Some interesting facts on DGA:
- Most DGA families appeared after 2013 (25 of the 40 families).
- Conficker generated over 125 million domains.
- Only 0.62% of the domains generated by DGA are registered.
Part of the presentation also covered the collision of domain name registrations between DGA.
The highest number of collisions is from Conficker with only 15, the second collision presented was between Nymaim and Pyksa, with only one domain.
This is why domains can be used to identify the family of the malware.
Link to the slides: https://www.botconf.eu/wp-content/uploads/2015/12/OK-P06-Plohmann-DGArchive.pdf
Presentation of the Botnet Andromeda by Jose Miguel Esparza from Fox-IT.
During this presentation Jose went back shortly on the history of Andromeda, which was created in 2011 (and possibly 2010).
Andromeda is a modular and versatile bot that includes multiple additional plugins:
- embedded dlls
The business model presented is based on the bot (500 $), and the addition of modules
- rebuild 10$
- sock5 free
- form grabber 500$
- key logger 200$
- TeamViewer 500$
Jose also presented a couple of attacks were Andromeda was used, such as Anunak, as reported by Fox-IT in 2014.
The targets were Russian Banks and Point of Sales, first Gozi or Cridex was used to drop Andromeda, which in turn dropped Anunak.
Malicious Office document were using specially crafted macro to drop Andromeda.
The conclusion from Jose is that this botnet is still active despite its age, the developers are still supporting it, and criminal groups actively use it.
This talk by Tal Darsan from IBM presented a view on the current threat landscape in Brazil.
The current malware families used in Brazil, according to Tal, are mostly developed in Delphi, VB and C#.
The underground community is comprised of individuals and small non organized groups. These individuals and small groups are able to bypass smart card protection using chrome extension and image based phishing.
Two types of attacks were presented, one targeting the Boleto (specific Brazilian payment system) and one presenting the use of fake browsers.
The Boleto fraud is based around forcing the user to change the account information when using a Boleto, in order to change the recipient of the transfer to the attacker bank account.
The fake browsers are imitating the real browsers, with the same look and feel while stealing credentials, a fake browser can be sold on the black market for 700 Brazilian reals (around 150 euros).
In this talk Yonathan Klijnsma from Fox-IT presented a history and analysis of the ransomware Cryptowall (from being a cryptolocker clone to the current version that we now).
During his presentation he came back on the evolution of malware. From the beginning of Cryptowall as a “clone” of cryptolocker to the current version, Yonathan walked us through the different evolutions developed by the author of the malware. The developer learned from the flaws and vulnerabilities that were found and publicly disclosed to improve the malware in each version.
He also went back on the evolution of the infrastructure behind the malware, including description of the different layer of proxies, the use of Tor to hide the services, and the existence of multiple back-end servers.
He finished his talks with some interesting discoveries he made on the malware, including hidden messages he found in the code of the malware, and a word of caution, insisting that the developer behind Cryptowall improved the malware each time an analysis of the malware flaws / vulnerabilities were shared with the public.
He is also sharing some of his tools for Cryptowall analysis on his GitHub:
Link to the slides: https://www.botconf.eu/wp-content/uploads/2015/12/OK-P14-Yonathan-Klijnsma-The-Story-of-CryptoWall-a-historical-analysis-of-a-large-scale-cryptographic-ransomware-threat.pdf
There were a lot of lighting talks (a presentation of 3 minutes on any subject); the one that got all my attention was the one presenting Cymon.io. This is an aggregator of feeds, and provides timeline of events for an IP or a domain
- Aggregate around 2K sources
- API available as anonymous, works better if logged in
Here is an example of the results for an IP:
Here is a partial view of the timeline:
It compiles many useful pieces of information all in one place with a great addition of timeline. I believe this will help incident handlers in their daily tasks.
A big thanks to all the members of the staff and the speakers for their hard work on preparing the third edition, you can already note that the fourth edition will be in Lyon on the (29/11), 30/11, 01/12 and 02/12 2016, I hope to be there for more great talks and nice people again next year.
Incident handler & Cert member